
Thread: tiny.bi virtumonde never ending problem

  1. #11
    Junior Member
    Join Date
    Oct 2007
    Posts
    26

    combo fix log... continuation.

    **************************************************************************
    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-15 19:43:30
    Windows 5.1.2600 Service Pack 2 NTFS
    scanning hidden processes ...
    scanning hidden autostart entries ...
    scanning hidden files ...
    scan completed successfully
    hidden files: 0
    **************************************************************************
    Completion time: 2007-10-15 19:44:56 - machine was rebooted
    --- E O F ---
    Thanks a lot for your help again....

  2. #12
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934


    Hi, the story continues

    Backup Your Registry with ERUNT:
    • Download erunt.zip to your Desktop from here:
      http://aumha.org/downloads/erunt.zip
    • Right-click erunt.zip, select Extract All... and follow the prompts to extract ERUNT to a new folder on your Desktop
    • Inside the new folder, double-click ERUNT.exe to start the program
    • OK all the prompts to back up your registry to the default location.
    Note: to restore your registry, go to the backup folder and start ERDNT.exe


    Open Notepad (NOT WORDPAD!) and copy the following lines from the quote box below into a new document, leaving a blank line at the end (don't forget to copy and paste the word REGEDIT4):

    REGEDIT4

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

    Make sure there are NO blank lines before REGEDIT4
    Make sure there IS one blank line at the end of the file.

    Save the document to your desktop as Fix.reg and filetype: All Files
    Go to your desktop and double click on the file to run Fix.reg and when it asks you if you want to merge the contents to the registry, click yes/ok.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    C:\WINDOWS\system32\ss1
    C:\WINDOWS\system32\rv2
    C:\WINDOWS\system32\pa12
    C:\WINDOWS\system32\bbc1
    C:\WINDOWS\system32\vMW02a
    C:\Temp\xOe
    
    File::
    C:\WINDOWS\system32\khmapfis.exe
    C:\WINDOWS\system32\caqdbfdx.exe
    C:\WINDOWS\system32\ntuctcdt.dll
    C:\WINDOWS\system32\qjbikffd.exe
    C:\WINDOWS\system32\xhmxjuki.exe
    C:\WINDOWS\system32\ygjoyuke.exe
    C:\WINDOWS\system32\wvusp.dll
    C:\WINDOWS\system32\eehhk.bak1
    C:\WINDOWS\system32\eehhk.bak2
    C:\WINDOWS\system32\eehhk.ini2
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25E98CCF-D634-44CB-9178-A5636C935B7A}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2A55EC8E-8A74-40BE-B1C4-5DBC39C42596}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{338AB37B-6DA0-402C-A07D-83108D44407E}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{41FAB8A7-5E30-4DFE-BEA8-DB1DF5D9A9F4}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{57D7CFF6-71A8-4BE6-8695-FD6807E0F8D6}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B76E26BB-7615-4CFD-9DC7-28652269575D}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB582215-C72F-411F-AD4B-40F9BC02BD33}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E4ABB2F3-617F-4A3C-9056-09C598E21E56}]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcyaww]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggedcy]
    hggedcy.dll
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjhee]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khhee]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lcnxrgkf]
    
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljggfd]
    Save this as "CFScript"



    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Please download the following program and save it to your desktop:

    http://noahdfear.geekstogo.com/FindAWF.exe

    Once downloaded, double-click on the file to run it. Press any key. Then select option 1 by pressing 1 and then Enter. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

    Run FindAWF.exe again. Press any key. Then select option 3 by pressing 3 and then Enter. A file named folders should open. Please post the contents of that file as a reply to this topic.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
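As an added illustration (not code from the thread, nor from ComboFix or HijackThis), the Python below decodes the hex(7) value in the Fix.reg above and checks the LSA Authentication Packages list against the msv1_0 baseline that fix restores, then flags the "(no file)" O2 BHO lines and unresolved O20 Winlogon Notify lines of a HijackThis log, the same classes of entries the CFScript deletes. The function names, the sample inputs and the "example" package name are mine, constructed for the demonstration.

```python
import re

# Constructed sample: the Fix.reg body from the post above. REGEDIT4 writes a
# REG_MULTI_SZ as hex(7) followed by comma-separated ANSI bytes.
FIX_REG = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\r\n"
    '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00\r\n\r\n'
)

# Constructed sample of the state the fix reverts: a second package appended
# after msv1_0, split over two lines with regedit's trailing-backslash
# continuation. "example" is a placeholder name, not a DLL from the thread.
EXTRA_PACKAGE_REG = (
    "REGEDIT4\r\n\r\n"
    "[HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa]\r\n"
    '"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,\\\r\n'
    "  65,78,61,6d,70,6c,65,00,00\r\n\r\n"
)

LSA_KEY = "HKEY_LOCAL_MACHINE\\system\\currentcontrolset\\control\\lsa"
# Baseline is what the post's Fix.reg restores: msv1_0 and nothing else.
EXPECTED_AUTH_PACKAGES = {"msv1_0"}


def parse_reg(text: str) -> dict:
    """Minimal REGEDIT4 reader: {key_path: {value_name: raw_value_text}}.
    Joins trailing-backslash continuation lines; only the value shapes used
    here are handled, not the full .reg grammar."""
    joined = re.sub(r"\\\r?\n[ \t]*", "", text)
    keys, current = {}, None
    for line in joined.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def decode_hex7(raw_value: str) -> list:
    """Decode a hex(7) value into its list of strings. Each string is NUL
    terminated and the list ends with one extra NUL, so empty pieces are
    dropped after splitting on NUL."""
    if not raw_value.lower().startswith("hex(7):"):
        raise ValueError("not a hex(7) value: %r" % raw_value)
    data = bytes(int(b, 16) for b in raw_value[7:].split(",") if b.strip())
    return [s.decode("latin-1") for s in data.split(b"\x00") if s]


def unexpected_auth_packages(reg_text: str) -> list:
    """Names in LSA Authentication Packages beyond the msv1_0 baseline.
    An empty list means the key looks the way the fix leaves it."""
    for path, values in parse_reg(reg_text).items():
        if path.lower() == LSA_KEY.lower():
            pkgs = decode_hex7(values["Authentication Packages"])
            return [p for p in pkgs if p.lower() not in EXPECTED_AUTH_PACKAGES]
    raise KeyError("LSA key not found in .reg text")


# Constructed lines in the shape of the HijackThis log posted later in this
# thread: O2 = browser helper objects, O20 = Winlogon Notify handlers.
HJT_SAMPLE = (
    "O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"
    " - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll\n"
    "O2 - BHO: (no name) - {25E98CCF-D634-44CB-9178-A5636C935B7A} - (no file)\n"
    "O20 - Winlogon Notify: efcyaww - C:\\WINDOWS\\\n"
    "O20 - Winlogon Notify: PCANotify - C:\\WINDOWS\\system32\\PCANotify.dll\n"
)


def hjt_persistence_leftovers(log: str) -> list:
    """Flag the two kinds of entries the CFScript above deletes: O2 BHOs with
    no backing file, and O20 Winlogon Notify entries where HijackThis could
    resolve only a directory (line ends in a backslash) rather than a DLL."""
    flagged = []
    for line in log.splitlines():
        line = line.rstrip()
        if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
            flagged.append(line)
        elif line.startswith("O20 - Winlogon Notify:") and line.endswith("\\"):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print("fix.reg extras:", unexpected_auth_packages(FIX_REG))
    print("variant extras:", unexpected_auth_packages(EXTRA_PACKAGE_REG))
    for entry in hjt_persistence_leftovers(HJT_SAMPLE):
        print("leftover:", entry)
```

Run against a real exported LSA key or a full HijackThis log, the same two functions give a quick read on whether the registry-level persistence the thread is chasing is still present after the fix.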

  3. #13
    Junior Member
    Join Date
    Oct 2007
    Posts
    26

    combo fix new log

    ComboFix 07-10-12.4 - sat 2007-10-16 20:06:26.3 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.284 [GMT -4:00]
    Running from: C:\Documents and Settings\sat\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\sat\Desktop\CFScript.txt
    * Created a new restore point

    FILE::
    C:\WINDOWS\system32\caqdbfdx.exe
    C:\WINDOWS\system32\eehhk.bak1
    C:\WINDOWS\system32\eehhk.bak2
    C:\WINDOWS\system32\eehhk.ini2
    C:\WINDOWS\system32\khmapfis.exe
    C:\WINDOWS\system32\ntuctcdt.dll
    C:\WINDOWS\system32\qjbikffd.exe
    C:\WINDOWS\system32\wvusp.dll
    C:\WINDOWS\system32\xhmxjuki.exe
    C:\WINDOWS\system32\ygjoyuke.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Temp\xOe
    C:\Temp\xOe\tOasF.log
    C:\WINDOWS\system32\bbc1
    C:\WINDOWS\system32\bbc1\bsasven2.exe
    C:\WINDOWS\system32\caqdbfdx.exe
    C:\WINDOWS\system32\eehhk.bak1
    C:\WINDOWS\system32\eehhk.bak2
    C:\WINDOWS\system32\eehhk.ini2
    C:\WINDOWS\system32\khmapfis.exe
    C:\WINDOWS\system32\ntuctcdt.dll
    C:\WINDOWS\system32\pa12
    C:\WINDOWS\system32\qjbikffd.exe
    C:\WINDOWS\system32\rv2
    C:\WINDOWS\system32\rv2\gcbb83122.exe
    C:\WINDOWS\system32\ss1
    C:\WINDOWS\system32\ss1\rw1002bc.exe
    C:\WINDOWS\system32\vMW02a
    C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
    C:\WINDOWS\system32\xhmxjuki.exe
    C:\WINDOWS\system32\ygjoyuke.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-17 to 2007-10-17 )))))))))))))))))))))))))))))))
    .

    2007-10-15 19:19 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-10-11 22:09 <DIR> d-------- C:\Program Files\Skype
    2007-10-11 22:09 <DIR> d-------- C:\Program Files\Common Files\Skype
    2007-10-10 19:58 <DIR> d-------- C:\Program Files\SpywareGuard
    2007-10-10 19:55 <DIR> d-------- C:\Program Files\SpywareBlaster
    2007-10-09 21:29 <DIR> d-------- C:\Program Files\Trend Micro
    2007-10-09 18:51 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-10-09 18:51 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-10-09 17:55 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-10-08 21:46 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
    2007-10-07 11:47 <DIR> d-------- C:\Program Files\Temporary
    2007-10-06 23:28 <DIR> d-------- C:\WINDOWS\system32\bak
    2007-09-30 23:13 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
    2007-09-30 23:13 94,416 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-09-30 23:13 92,848 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-09-30 23:13 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-09-30 23:13 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-09-30 23:13 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-09-30 23:12 <DIR> d-------- C:\Program Files\Alwil Software
    2007-09-30 23:12 801,144 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-09-26 20:11 <DIR> d-------- C:\Program Files\Error Repair Professional
    2007-09-17 19:41 <DIR> d-------- C:\Shantul

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-15 14:35 --------- d-----w C:\Program Files\Spyware Doctor
    2007-10-15 03:37 --------- d-----w C:\Program Files\Nortel Networks
    2007-10-14 23:41 --------- d-----w C:\Documents and Settings\sat\Application Data\Skype
    2007-10-14 03:47 --------- d-----w C:\Documents and Settings\All Users\Application Data\Google Updater
    2007-10-12 02:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Skype
    2007-10-10 01:26 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-10-09 02:26 --------- d--h--r C:\Documents and Settings\sat\Application Data\yahoo!
    2007-10-09 02:06 --------- d-----w C:\Program Files\Symantec
    2007-10-09 02:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\McAfee.com
    2007-10-09 02:02 --------- d-----w C:\Program Files\Orb Networks
    2007-10-07 03:35 --------- d-----w C:\Program Files\Apoint
    2007-09-27 01:23 --------- d-----w C:\Program Files\Windows Live Safety Center
    2007-09-26 14:03 --------- d-----w C:\Documents and Settings\sat\Application Data\Juniper Networks
    2007-09-26 14:03 --------- d-----w C:\Documents and Settings\All Users\Application Data\Juniper Networks
    2007-09-19 03:34 --------- d-----w C:\Program Files\SightSpeed
    2007-09-13 20:14 --------- d-----w C:\Program Files\Common Files\xing shared
    2007-09-13 20:14 --------- d-----w C:\Program Files\Common Files\Real
    2007-09-08 06:28 --------- d-----w C:\Documents and Settings\sat\Application Data\FlashSpring2
    2007-09-08 06:25 --------- d-----w C:\Program Files\FlashSpring Pro 2
    2007-09-08 06:25 --------- d-----w C:\Program Files\Common Files\CPS Labs Ltd
    2007-08-29 21:47 --------- d-----w C:\Program Files\Picasa2
    2007-08-29 04:24 --------- d-----w C:\Documents and Settings\sat\Application Data\Uniblue
    2007-08-27 19:43 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-08-23 15:33 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\PC Tools
    2007-08-23 15:33 --------- d-----w C:\WINDOWS\system32\config\systemprofile\Application Data\PC Tools
    2007-03-21 01:18 42,368 ----a-w C:\Documents and Settings\sat\Application Data\GDIPFONTCACHEV1.DAT
    2006-10-01 05:32:17 88 --sh--r C:\WINDOWS\system32\94AFA728EC.sys
    2007-02-23 01:30:03 104 --sh--r C:\WINDOWS\system32\EC28A7AF94.sys
    2007-02-23 01:30:06 7,308 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    .

    ((((((((((((((((((((((((((((( snapshot@2007-10-15_19.44.17.01 )))))))))))))))))))))))))))))))))))))))))
    .
    + 2005-10-20 16:02:28 163,328 ----a-w C:\WINDOWS\erdnt\10-16-2007\ERDNT.EXE
    + 2007-10-16 23:57:52 5,894,144 ----a-w C:\WINDOWS\erdnt\10-16-2007\Users\00000001\NTUSER.DAT
    + 2007-10-16 23:57:52 258,048 ----a-w C:\WINDOWS\erdnt\10-16-2007\Users\00000002\UsrClass.dat
    + 2007-10-17 00:10:32 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_3fc.dat
    .
    ((((((((((((((((((((((((((((((((((((((((((((( AWF ))))))))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    ----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe
    ----a-w 79,224 2007-09-06 10:06:09 C:\Program Files\Alwil Software\Avast4\ashDisp.exe

    ----a-r 176,128 2005-10-07 12:13:38 C:\Program Files\Apoint\bak\Apoint.exe
    ----a-w 27,660 2007-10-07 03:33:22 C:\Program Files\Apoint\Apoint.exe

    ----a-w 344,064 2005-11-11 01:05:00 C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe
    ----a-w 27,660 2007-10-07 03:33:22 C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    ----a-w 185,632 2007-09-13 20:13:31 C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe
    ----a-w 27,660 2007-10-07 03:33:22 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

    ----a-w 4,662,776 2006-12-01 02:49:04 C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE

    ----a-w 15,360 2004-08-04 11:00:00 C:\WINDOWS\system32\bak\ctfmon.exe
    ----a-w 15,360 2004-08-04 11:00:00 C:\WINDOWS\system32\ctfmon.exe

    ----a-w 122,941 2005-05-31 09:33:00 C:\WINDOWS\system32\dla\bak\tfswctrl.exe
    ----a-w 27,660 2007-10-07 03:33:22 C:\WINDOWS\system32\dla\tfswctrl.exe

    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2007-10-06 23:33]
    "Dell Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY" []
    "dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2007-10-06 23:33]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2007-10-06 23:33]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-06 23:33]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-09-01 15:57]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 17:43]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljggfd]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll 2001-11-02 11:50 24636 C:\WINDOWS\system32\PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdauxservice"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sdcoreservice"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
    backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Printkey2000.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Printkey2000.lnk
    backup=C:\WINDOWS\pss\Printkey2000.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^sat^Start Menu^Programs^Startup^SpywareGuard.lnk]
    path=C:\Documents and Settings\sat\Start Menu\Programs\Startup\SpywareGuard.lnk
    backup=C:\WINDOWS\pss\SpywareGuard.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
    "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Creative WebCam Tray]
    "C:\Program Files\Creative\Shared Files\CamTray.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CreativeTaskScheduler]
    "C:\Program Files\Creative\Shared Files\CTSched.exe" /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    C:\WINDOWS\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DellSupport]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
    C:\Program Files\Dell\Media Experience\DMXLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eFax 4.2]
    "C:\Program Files\eFax Messenger 4.2\J2GDllCmd.exe" /R

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
    "C:\Program Files\Google\Google Talk\googletalk.exe" /autostart

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    "c:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]
    c:\PROGRA~1\mcafee.com\agent\mcagent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]
    c:\PROGRA~1\mcafee.com\agent\mcupdate.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
    C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]
    C:\PROGRA~1\McAfee.com\PERSON~1\MpfTray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]
    C:\PROGRA~1\McAfee\SPAMKI~1\MskAgent.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
    "C:\Program Files\MSN Messenger\msnmsgr.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]
    C:\Program Files\McAfee.com\VSO\oasclnt.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Orb]
    "C:\Program Files\Orb Networks\Orb\bin\OrbTray.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
    "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
    C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]
    C:\Program Files\McAfee.com\VSO\mcvsshld.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]
    "C:\PROGRA~1\McAfee.com\VSO\mcmnhdlr.exe" /checktask

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    C:\Program Files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "Skype"="C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

    R1 HFCore;HFCore;\??\C:\WINDOWS\system32\drivers\HFCore.sys
    R3 Eacfilt;Eacfilt Miniport;C:\WINDOWS\system32\DRIVERS\eacfilt.sys
    R3 IPSECSHM;Nortel IPSECSHM Adapter;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
    S2 IPSECEXT;Nortel Extranet Access Protocol;C:\WINDOWS\system32\DRIVERS\ipsecw2k.sys
    S3 ExtranetAccess;Contivity VPN Service;"C:\Program Files\Nortel Networks\Extranet_serv.exe"
    S3 SPCA508A;Micro WebCam;C:\WINDOWS\system32\DRIVERS\SPCA508A.SYS
    S3 V0250Dev;Live! Cam Notebook Pro;C:\WINDOWS\system32\DRIVERS\V0250Dev.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{2e465b92-016c-11dc-a541-444553544200}]
    Auto\command - BootIO.exe
    AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL BootIO.exe

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-03-06 11:35:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    - C:\Program Files\Apple Software Update\SoftwareUpdate.exe
    "2007-09-27 13:06:00 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC Nag.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    "2007-08-11 01:22:29 C:\WINDOWS\Tasks\Uniblue SpeedUpMyPC.job"
    - C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
    .
    **************************************************************************

    catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-16 20:10:59
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-16 20:13:30 - machine was rebooted
    .
    --- E O F ---

  4. #14
    Junior Member
    Join Date
    Oct 2007
    Posts
    26

    HJT Oct. 16 2007

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:35:48 PM, on 10/16/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\SpywareGuard\sgmain.exe
    C:\Program Files\SpywareGuard\sgbhp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Spyware Doctor\svcntaux.exe
    C:\Program Files\Spyware Doctor\swdsvc.exe
    C:\Program Files\Spyware Doctor\SDTrayApp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\Trend Micro\HijackThis\skanneri.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (disabled by BHODemon)
    O2 - BHO: (no name) - {25E98CCF-D634-44CB-9178-A5636C935B7A} - (no file)
    O2 - BHO: (no name) - {2A55EC8E-8A74-40BE-B1C4-5DBC39C42596} - (no file)
    O2 - BHO: (no name) - {338AB37B-6DA0-402C-A07D-83108D44407E} - (no file)
    O2 - BHO: (no name) - {41FAB8A7-5E30-4DFE-BEA8-DB1DF5D9A9F4} - (no file)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {57D7CFF6-71A8-4BE6-8695-FD6807E0F8D6} - (no file)
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: (no name) - {B76E26BB-7615-4CFD-9DC7-28652269575D} - (no file)
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O2 - BHO: (no name) - {E4ABB2F3-617F-4A3C-9056-09C598E21E56} - (no file)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://access.thehartford.com/llcli...ava+AXXPEE.dll
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/13.8/uploader2.cab
    O16 - DPF: {57B2CA01-6C40-44BB-9FCC-BFA7FADAA6E3} (SightSpeedWebImpl Class) - http://images.sightspeed.com/files/s...am_install.exe
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2474.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.thehartford.com/dana-...erSetupSP1.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: efcyaww - C:\WINDOWS\
    O20 - Winlogon Notify: hggedcy - C:\WINDOWS\
    O20 - Winlogon Notify: jkkjhee - C:\WINDOWS\
    O20 - Winlogon Notify: khhee - C:\WINDOWS\
    O20 - Winlogon Notify: lcnxrgkf - C:\WINDOWS\
    O20 - Winlogon Notify: mljggfd - C:\WINDOWS\
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 10769 bytes

  5. #15
    Junior Member
    Join Date
    Oct 2007
    Posts
    26

    Default AWF Option 1 Oct. 16

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Tue 10/16/2007
    The current time is: 20:42:34.07


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\APOINT\BAK

    10/07/2005 08:13 AM 176,128 Apoint.exe
    1 File(s) 176,128 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 07:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    09/06/2007 06:06 AM 79,224 ashDisp.exe
    1 File(s) 79,224 bytes

    Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    11/10/2005 09:05 PM 344,064 atiptaxx.exe
    1 File(s) 344,064 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    11/30/2006 10:49 PM 4,662,776 YAHOOM~1.EXE
    1 File(s) 4,662,776 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    05/31/2005 05:33 AM 122,941 tfswctrl.exe
    1 File(s) 122,941 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    09/13/2007 04:13 PM 185,632 realsched.exe
    1 File(s) 185,632 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    27660 Oct 6 2007 "C:\Program Files\Apoint\Apoint.exe"
    176128 Oct 7 2005 "C:\drivers\mouse\onboard\Apoint.exe"
    176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
    27660 Oct 6 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    344064 Nov 10 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
    4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
    27660 Oct 6 2007 "C:\WINDOWS\system32\dla\tfswctrl.exe"
    122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
    122941 May 31 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
    27660 Oct 6 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    185632 Sep 13 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    end of report

  6. #16
    Junior Member
    Join Date
    Oct 2007
    Posts
    26

    Default AWF Option 3 Oct. 16

    Copy the list of folders to be removed then click BELOW THE LINE
    and paste the list by pressing Ctrl+V

    IMPORTANT - REMOVE ALL QUOTES !! No Filenames and no trailing slash!

    When done, close this file and click YES to save the changes.

    _________________________________________________
    Thank you very much once again.

  7. #17
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hi again, we'll continue

    You should print these instructions or save these to a text file. Follow these instructions carefully.

    Download ATF Cleaner by Atribune to your desktop.
    Do NOT run yet.

    ==================

    Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

    O2 - BHO: (no name) - {25E98CCF-D634-44CB-9178-A5636C935B7A} - (no file)
    O2 - BHO: (no name) - {2A55EC8E-8A74-40BE-B1C4-5DBC39C42596} - (no file)
    O2 - BHO: (no name) - {338AB37B-6DA0-402C-A07D-83108D44407E} - (no file)
    O2 - BHO: (no name) - {41FAB8A7-5E30-4DFE-BEA8-DB1DF5D9A9F4} - (no file)
    O2 - BHO: (no name) - {57D7CFF6-71A8-4BE6-8695-FD6807E0F8D6} - (no file)
    O2 - BHO: (no name) - {B76E26BB-7615-4CFD-9DC7-28652269575D} - (no file)
    O2 - BHO: (no name) - {E4ABB2F3-617F-4A3C-9056-09C598E21E56} - (no file)
    O20 - Winlogon Notify: efcyaww - C:\WINDOWS\
    O20 - Winlogon Notify: hggedcy - C:\WINDOWS\
    O20 - Winlogon Notify: jkkjhee - C:\WINDOWS\
    O20 - Winlogon Notify: khhee - C:\WINDOWS\
    O20 - Winlogon Notify: lcnxrgkf - C:\WINDOWS\
    O20 - Winlogon Notify: mljggfd - C:\WINDOWS\


    Restart your computer to the safe mode:
    • Restart your computer
    • Start tapping the F8 key when the computer restarts.
    • When the start menu opens, choose Safe mode
    • Press Enter. The computer then begins to start in Safe mode.


    Go to Start >Run and type "Notepad" without the quotes
    Copy the text from the quotebox to Notepad.
    Go to the menu at the top of the Notepad file and Save as:
    • Name the file replace.bat
    • Save as Type: All files
    • Select the desktop icon on the left to save it on the desktop.

    Double click on replace.bat and let it run.

    rem Restore each original program file from the bak folder listed in the Find AWF report,
    rem replacing the copy that currently sits in its place.
    if exist "C:\Program Files\Alwil Software\Avast4\ashDisp.exe" del /q "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    copy /y "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe" "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    if exist "C:\Program Files\Apoint\Apoint.exe" del /q "C:\Program Files\Apoint\Apoint.exe"
    copy /y "C:\Program Files\Apoint\bak\Apoint.exe" "C:\Program Files\Apoint\Apoint.exe"
    if exist "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" del /q "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    copy /y "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe" "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    if exist "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" del /q "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    copy /y "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe" "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    if exist "C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE" del /q "C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE"
    copy /y "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE" "C:\Program Files\Yahoo!\Messenger\YAHOOM~1.EXE"
    if exist "C:\WINDOWS\system32\ctfmon.exe" del /q "C:\WINDOWS\system32\ctfmon.exe"
    copy /y "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32\ctfmon.exe"
    if exist "C:\WINDOWS\system32\dla\tfswctrl.exe" del /q "C:\WINDOWS\system32\dla\tfswctrl.exe"
    copy /y "C:\WINDOWS\system32\dla\bak\tfswctrl.exe" "C:\WINDOWS\system32\dla\tfswctrl.exe"

    Run ATF Cleaner
    • Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.

    Restart the computer

    Run FixAWF again. Then select option 1 by pressing 1 and then Enter. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

    ================

    When you're ready, please post the following logs here:
    - a fresh HijackThis log
    - awf.txt
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
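    The Find AWF report in post #15 and the replace.bat above follow one pattern: each bak folder holds a copy that was moved aside, and the file now sitting beside it may differ in size (in the Oct. 16 report four of the live copies are 27660 bytes while the bak copies are far larger). The Python script below is an added example, not part of FixAWF, ComboFix or the helper's instructions: it parses the "Duplicate files of bak directory contents" section, pairs each bak copy with the live file in the bak folder's parent directory, flags pairs whose sizes differ, and prints the same del/copy lines the batch file uses for those pairs. The sample report text is copied from the Oct. 16 and Oct. 17 posts in this thread (the Oct. 17 text is an excerpt); the function names are the example's own.

```python
"""Flag live executables that differ from the copy Find AWF lists in a bak folder.

Added example for this thread; not FixAWF's own code.  The size comparison is
the same heuristic the report itself invites (it prints only size and date).
"""
import ntpath
import re
from dataclasses import dataclass

# One line of the duplicate-files section:  <bytes> <Mon> <day> <year> "<path>"
LINE_RE = re.compile(r'^\s*(\d+)\s+([A-Za-z]{3})\s+(\d{1,2})\s+(\d{4})\s+"(.+)"\s*$')

# Sample input copied from the Oct. 16 report posted above (before the restore).
OCT16_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

27660 Oct 6 2007 "C:\Program Files\Apoint\Apoint.exe"
176128 Oct 7 2005 "C:\drivers\mouse\onboard\Apoint.exe"
176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
27660 Oct 6 2007 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
344064 Nov 10 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
4670704 Aug 30 2007 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
27660 Oct 6 2007 "C:\WINDOWS\system32\dla\tfswctrl.exe"
122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
122941 May 31 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
27660 Oct 6 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185632 Sep 13 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"""

# Excerpt of the Oct. 17 report (after the restore): sizes now match.
OCT17_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

176128 Oct 7 2005 "C:\Program Files\Apoint\Apoint.exe"
176128 Oct 7 2005 "C:\drivers\mouse\onboard\Apoint.exe"
176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
185632 Sep 13 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
185632 Sep 13 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"
"""


@dataclass(frozen=True)
class Entry:
    size: int
    date: str
    path: str


def parse_duplicates(report_text):
    """Return an Entry for every file line after the 'Duplicate files' heading."""
    entries, in_section = [], False
    for line in report_text.splitlines():
        if line.strip().startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        m = LINE_RE.match(line) if in_section else None
        if m:
            size, mon, day, year, path = m.groups()
            entries.append(Entry(int(size), f"{mon} {day} {year}", path))
    return entries


def is_bak_copy(path):
    """True when the file sits directly inside a folder named 'bak'."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "bak"


def pair_with_bak(entries):
    """Pair each bak copy with the live file(s) in the bak folder's parent directory.

    Matching is by directory rather than file name, so an 8.3 name such as
    YAHOOM~1.EXE still pairs with YahooMessenger.exe.  Copies elsewhere on disk
    (e.g. C:\\drivers\\mouse\\onboard\\Apoint.exe) are left alone.
    """
    pairs = []
    for bak in (e for e in entries if is_bak_copy(e.path)):
        parent = ntpath.dirname(ntpath.dirname(bak.path)).lower()
        for live in entries:
            if not is_bak_copy(live.path) and ntpath.dirname(live.path).lower() == parent:
                pairs.append((live, bak))
    return pairs


def suspect_pairs(entries):
    """Pairs whose live file differs in size from the moved-aside original."""
    return [(live, bak) for live, bak in pair_with_bak(entries) if live.size != bak.size]


def suspect_basenames(report_text):
    """Names of the bak copies whose live counterpart differs in size."""
    return [ntpath.basename(bak.path) for _, bak in suspect_pairs(parse_duplicates(report_text))]


def restore_batch(pairs):
    """Emit the same del/copy lines as the thread's replace.bat for the given pairs."""
    lines = []
    for live, bak in pairs:
        lines.append(f'if exist "{live.path}" del /q "{live.path}"')
        lines.append(f'copy /y "{bak.path}" "{live.path}"')
    return "\n".join(lines)


if __name__ == "__main__":
    for label, text in (("Oct 16", OCT16_REPORT), ("Oct 17", OCT17_REPORT)):
        pairs = suspect_pairs(parse_duplicates(text))
        print(f"{label}: {len(pairs)} live file(s) differ from their bak copy")
        print(restore_batch(pairs))
```

    On the Oct. 16 text the script flags Apoint.exe, atiptaxx.exe, YAHOOM~1.EXE, tfswctrl.exe and realsched.exe, which is the set the helper restored (ctfmon.exe and ashDisp.exe already matched their bak copies, though replace.bat restores them too). Note that the Yahoo Messenger pair differs only because the live copy is a newer build, not because it carries the 27660-byte size the other four share; a size mismatch is a prompt to look closer, not proof of replacement. On the Oct. 17 excerpt nothing is flagged.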

  8. #18
    Junior Member
    Join Date
    Oct 2007
    Posts
    26

    Default HJT Oct. 17

    Hi Mr. Jak3. Thanks for your patience and support. It's truly appreciated. Here is the HJT log after doing everything.
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 10:05:20 PM, on 10/17/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\wltrysvc.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\system32\dla\tfswctrl.exe
    C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Apoint\HidFind.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
    C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32Info.exe
    C:\Program Files\Trend Micro\HijackThis\skanneri.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/...ch/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/.../www.yahoo.com
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll (disabled by BHODemon)
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - c:\Program Files\GoogleAFE\GoogleAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [Dell Wireless Manager UI] C:\WINDOWS\system32\WLTRAY
    O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
    O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_03\bin\npjpi142_03.dll
    O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.doginhispen.com
    O15 - Trusted Zone: *.whataboutadog.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {3BA494B1-D507-4C11-9BDA-D47E1A65DFCF} (Confidence Online for Web Applications) - https://access.thehartford.com/llcli...ava+AXXPEE.dll
    O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
    O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www1.snapfish.com/SnapfishActivia.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...scbase2474.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAV...oadManager.ocx
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://access.thehartford.com/dana-...erSetupSP1.cab
    O16 - DPF: {FE0BD779-44EE-4A4B-AA2E-743C63F2E5E6} (IWinAmpActiveX Class) - http://pdl.stream.aol.com/downloads/...ampx_en_dl.cab
    O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Contivity VPN Service (ExtranetAccess) - Nortel Networks NA, Inc. - C:\Program Files\Nortel Networks\Extranet_serv.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NICCONFIGSVC - Dell Inc. - C:\Program Files\Dell\NICCONFIGSVC\NICCONFIGSVC.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

    --
    End of file - 9444 bytes

  9. #19
    Junior Member
    Join Date
    Oct 2007
    Posts
    26

    Default AWF Oct. 17

    Find AWF report by noahdfear ©2006
    Version 1.40

    The current date is: Wed 10/17/2007
    The current time is: 22:02:28.35


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\APOINT\BAK

    10/07/2005 08:13 AM 176,128 Apoint.exe
    1 File(s) 176,128 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/04/2004 07:00 AM 15,360 ctfmon.exe
    1 File(s) 15,360 bytes

    Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    09/06/2007 06:06 AM 79,224 ashDisp.exe
    1 File(s) 79,224 bytes

    Directory of C:\PROGRA~1\ATITEC~1\ATICON~1\BAK

    11/10/2005 09:05 PM 344,064 atiptaxx.exe
    1 File(s) 344,064 bytes

    Directory of C:\PROGRA~1\YAHOO!\MESSEN~1\BAK

    11/30/2006 10:49 PM 4,662,776 YAHOOM~1.EXE
    1 File(s) 4,662,776 bytes

    Directory of C:\WINDOWS\SYSTEM32\DLA\BAK

    05/31/2005 05:33 AM 122,941 tfswctrl.exe
    1 File(s) 122,941 bytes

    Directory of C:\PROGRA~1\COMMON~1\REAL\UPDATE~1\BAK

    09/13/2007 04:13 PM 185,632 realsched.exe
    1 File(s) 185,632 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    176128 Oct 7 2005 "C:\Program Files\Apoint\Apoint.exe"
    176128 Oct 7 2005 "C:\drivers\mouse\onboard\Apoint.exe"
    176128 Oct 7 2005 "C:\Program Files\Apoint\bak\Apoint.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\ctfmon.exe"
    15360 Aug 4 2004 "C:\WINDOWS\system32\bak\ctfmon.exe"
    79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\ashDisp.exe"
    79224 Sep 6 2007 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
    344064 Nov 10 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
    344064 Nov 10 2005 "C:\Program Files\ATI Technologies\ATI Control Panel\bak\atiptaxx.exe"
    4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe"
    4662776 Nov 30 2006 "C:\Program Files\Yahoo!\Messenger\bak\YAHOOM~1.EXE"
    122941 May 31 2005 "C:\WINDOWS\system32\dla\tfswctrl.exe"
    122941 May 31 2005 "C:\Program Files\Sonic\DLA\install\tfswctrl.exe"
    122941 May 31 2005 "C:\WINDOWS\system32\dla\bak\tfswctrl.exe"
    185632 Sep 13 2007 "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"
    185632 Sep 13 2007 "C:\Program Files\Common Files\Real\Update_OB\bak\realsched.exe"


    end of report

  10. #20
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Ok very good.


    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    Folder::
    C:\Program Files\Apoint\bak
    C:\WINDOWS\system32\bak
    C:\Program Files\Alwil Software\Avast4\bak
    C:\Program Files\ATI Technologies\ATI Control Panel\bak
    C:\Program Files\Yahoo!\Messenger\bak
    C:\WINDOWS\system32\dla\bak
    C:\Program Files\Common Files\Real\Update_OB\bak
    Save this as "CFScript"

    This will start ComboFix again. After reboot, (in case it asks to reboot)-


    Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

    Restart your computer to the safe mode:
    • Restart your computer
    • Start tapping the F8 key when the computer restarts.
    • When the start menu opens, choose Safe mode
    • Press Enter. The computer then begins to start in Safe mode.

    Run a scan with Dr.Web CureIt
    • Double-click the drweb-cureit.exe file and allow it to run the express scan
    • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
    • Once the short scan has finished, you should now mark the drives that you want to scan.
    • Select all drives. A red dot shows which drives have been chosen.
    • Click the green arrow at the right, and the scan will start.
    • Click 'Yes to all' if it asks if you want to cure/move the file.
    • When the scan has finished, check whether you can click the next icon next to the files found
    • If so, click it and then click the next icon right below and select Move incurable
    • After the scan, in the menu, click file and choose save report list
    • Save the report to your desktop. The report will be called DrWeb.csv
    • Close Dr.Web Cureit.
    • Reboot the computer in Normal Mode.
    • Post the Cure-it report and a fresh HijackThis log along with the ComboFix log
