cant remove the virtomunde

elmoisevil · Sep 26, 2007

ive had this virus for about four days. when i first got it it loaded my computer with virus, spyware and tracking cookies. i first relised it when explore crashed (this was the first time it crashed in the computers history) then the com laged and other stuff happend. i had run all of my spyware and my anti virus and it all detected virus. i reacted by deleteing all infected files, running ccleaner, disconecting the com from my network and running all my defences. but after all that i cept on getting the virtomunde virus come up but this was only on ss&d. i have run ss&d about 7 times and each time it has come up with virtomunde with one or three traces.

Virtumonde: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-152049171-854245398-1005\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-152049171-854245398-1005\Software\Microsoft\aldd

--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-13 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-09-12 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-09-12 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-09-12 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-09-12 Includes\KeyloggersC.sbi (*)
2007-09-12 Includes\Malware.sbi (*)
2007-09-12 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-09-12 Includes\PUPSC.sbi (*)
2007-09-12 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-09-12 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-09-12 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi (*)
2007-09-12 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

any help would do

Markka · Sep 26, 2007

Hello

Click here to download HijackThis and save it to your desktop.
Double-click on HJTInstall.exe to run it.
HJTInstall.exe will install HijackThis to here C:\Program Files\Trend Micro\HijackThis
Click install
HJTInstall.exe will create an icon to your desktop.
When the installation is ready, it will start HijackThis.
When HijackThis is opened, click Do a system scan and save a logfile.
Post the HijackThis log here.
Do not fix anything with HijackThis, until I tell to you!

elmoisevil · Sep 27, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:16 PM, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mozilla firefox
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ydhixebl.dll",sitypnow
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6391 bytes

Markka · Sep 27, 2007

Hello

Rename HijackThis.exe to Scanner.exe by doing the following;

Navigate to here; C:\Program Files\Trend Micro\HijackThis
Right-click on the HijackThis.exe
Choose from the pull-down menu; "Rename"
And now Rename HijackThis.exe to Scanner.exe
When you've renamed HijackThis, then open it..
Take a fresh HijackThis log (Do a system scan and save a log file)
Post the fresh HijackThis log to here.

elmoisevil · Sep 28, 2007

hi
ive got the system scan
thanx for helping me

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:11 PM, on 28/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mozilla firefox
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {15E9FB1E-A19F-4746-851B-F67FE1A3AC58} - C:\WINDOWS\system32\urqqo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\khffgfc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ydhixebl.dll",sitypnow
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O20 - Winlogon Notify: khffgfc - C:\WINDOWS\SYSTEM32\khffgfc.dll
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 7251 bytes

Markka · Sep 29, 2007

Hello

Please download VundoFix.exe to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

elmoisevil · Sep 29, 2007

hi
my com is in a loop. its trying to remove the file but it need to reset so when i reset it starts up with vundofix and i follow the instructions and it repeats itself .

the only file left on vundofix is:
C:\windows\system32\khffgfc.dll

Markka · Sep 29, 2007

Hi,

please post these logs contents of C:\vundofix.txt and a new HiJackThis log. :bigthumb:

elmoisevil · Sep 29, 2007

ive got the logs u want

here is the only thing detected by vandofix
C:\windows\system32\khffgfc.dll

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:41 PM, on 29/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Documents and Settings\Sean Stuf\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mozilla firefox
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6294 bytes

elmoisevil · Sep 29, 2007

srry took awhile to find the log

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 2:41:20 PM 13/11/2006

Listing files found while scanning....

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 4:48:04 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\drvgaxr.dll
C:\windows\system32\fcccdeb.dll
C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\lbexihdy.ini
C:\WINDOWS\system32\ydhixebl.dll

Beginning removal...

Attempting to delete C:\windows\system32\drvgaxr.dll
C:\windows\system32\drvgaxr.dll Has been deleted!

Attempting to delete C:\windows\system32\fcccdeb.dll
C:\windows\system32\fcccdeb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\khffgfc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lbexihdy.ini
C:\WINDOWS\system32\lbexihdy.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ydhixebl.dll
C:\WINDOWS\system32\ydhixebl.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:00:05 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:04:53 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:22:34 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 6:07:54 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

elmoisevil · Sep 29, 2007

i saw the thing about the java and i have already uninstalled them

Markka · Sep 29, 2007

Hello

Double-click VundoFix.exe to run it.
Click Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 1 entry below into the top 1 box
- C:\windows\system32\khffgfc.dll
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

elmoisevil · Sep 30, 2007

hi
its taken longer then i thorght

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 2:41:20 PM 13/11/2006

Listing files found while scanning....

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 4:48:04 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\drvgaxr.dll
C:\windows\system32\fcccdeb.dll
C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\lbexihdy.ini
C:\WINDOWS\system32\ydhixebl.dll

Beginning removal...

Attempting to delete C:\windows\system32\drvgaxr.dll
C:\windows\system32\drvgaxr.dll Has been deleted!

Attempting to delete C:\windows\system32\fcccdeb.dll
C:\windows\system32\fcccdeb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\khffgfc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lbexihdy.ini
C:\WINDOWS\system32\lbexihdy.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ydhixebl.dll
C:\WINDOWS\system32\ydhixebl.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:00:05 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:04:53 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:22:34 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 6:07:54 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:43:17 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:50:06 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 7:17:36 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 12:48:08 PM 30/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 12:50:57 PM 30/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:05 PM, on 30/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mozilla firefox
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 5871 bytes

Markka · Sep 30, 2007

Hello

Disable Teatimer:

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
______________

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall!
__________________

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows except HijackThis and press fix checked.

R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
_______________

Please download ATF-cleaner and save it to your desktop.

Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:
Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:
Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

____________________

Kaspersky online scanner works only with Internet Explorer!

Please run an online scanner with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky, Click Yes.

The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases
Click OK
Now under select a target to scan select My Computer
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.

____________________

Post:
- A fresh HijackThis log
- Contents of C:\ComboFix.txt
- Kaspersky's report

elmoisevil · Oct 1, 2007

ive got the scan reports u wanted but it wouldnt fit into a single reply and i am short of time so i made a word doc with all the info in the the report

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:23 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
O2 - BHO: (no name) - {14043F22-D133-4751-BE0A-7C27B5262C4F} - (no file)
O2 - BHO: (no name) - {302E68B6-1226-45F0-9047-CBA6808EF844} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6149 bytes

ComboFix 07-09-21.2 - "Sean Stuf" 2007-10-01 15:00:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT 10:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\nulidqzq
C:\Program Files\nulidqzq\favylinw.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe.bak
C:\Program Files\video access activex object
C:\WINDOWS\system32\bupncxrg.exe
C:\WINDOWS\system32\fogqyujx.ini
C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\majshbbo.exe
C:\WINDOWS\system32\urqqo.dll
C:\WINDOWS\system32\xjuyqgof.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
.

2007-10-01 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 17:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-26 17:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-25 15:06 84,032 --a------ C:\WINDOWS\system32\ydhixebl.dll
2007-09-23 10:25 714,027 --ahs---- C:\WINDOWS\system32\oqqru.bak2
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-09-22 12:55 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-09-22 12:55 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-09-22 12:55 15,872 --a--c--- C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-09-22 12:55 10,240 --a--c--- C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-09-22 12:28 <DIR> d-------- C:\Program Files\Ancient Conquest
2007-09-22 11:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YoYoGames
2007-09-22 11:51 6,448 --ahs---- C:\WINDOWS\system32\oqqru.bak1
2007-09-18 20:25 <DIR> d-------- C:\Program Files\Game_Maker7
2007-09-07 20:15 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 22:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-26 17:19 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Lavasoft
2007-09-26 17:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-20 17:50 --------- d-------- C:\Program Files\Game_Maker6
2007-09-17 17:27 --------- d-------- C:\Program Files\Flash Saver
2007-09-17 17:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-17 16:47 --------- d-------- C:\Program Files\WinAce
2007-09-16 13:13 --------- d-------- C:\Program Files\Google
2007-09-16 10:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-15 09:45 --------- d-------- C:\Program Files\themexp
2007-08-31 19:33 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Google
2007-08-29 19:55 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Seven Zip
2007-08-29 19:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-08-26 11:21 32768 --a------ C:\WINDOWS\system32\1stscrhook.dll
2007-08-14 23:16 --------- d-------- C:\Program Files\decomp
2007-08-11 15:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Protexis
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14043F22-D133-4751-BE0A-7C27B5262C4F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{302E68B6-1226-45F0-9047-CBA6808EF844}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64B94229-7967-860A-A0C2-034C02BA876B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
"SoundMan"="SOUNDMAN.EXE" []
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2005-10-27 15:55]
"CaAvTray"="C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe" [2005-10-27 15:55]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-13 15:06]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-14 02:24]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemx32]
winemx32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\ahead\InCD\InCD.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b69e00e0-97b8-11da-8974-0030180bfa08}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \Launch_seminar_series_menu.htm

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-01 15:52:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-01 15:55:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-01 15:55
.
--- E O F ---

elmoisevil · Oct 1, 2007

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:23 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
O2 - BHO: (no name) - {14043F22-D133-4751-BE0A-7C27B5262C4F} - (no file)
O2 - BHO: (no name) - {302E68B6-1226-45F0-9047-CBA6808EF844} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6149 bytes

ComboFix 07-09-21.2 - "Sean Stuf" 2007-10-01 15:00:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT 10:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\nulidqzq
C:\Program Files\nulidqzq\favylinw.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe.bak
C:\Program Files\video access activex object
C:\WINDOWS\system32\bupncxrg.exe
C:\WINDOWS\system32\fogqyujx.ini
C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\majshbbo.exe
C:\WINDOWS\system32\urqqo.dll
C:\WINDOWS\system32\xjuyqgof.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE

((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
.

2007-10-01 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 17:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-26 17:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-25 15:06 84,032 --a------ C:\WINDOWS\system32\ydhixebl.dll
2007-09-23 10:25 714,027 --ahs---- C:\WINDOWS\system32\oqqru.bak2
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-09-22 12:55 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-09-22 12:55 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-09-22 12:55 15,872 --a--c--- C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-09-22 12:55 10,240 --a--c--- C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-09-22 12:28 <DIR> d-------- C:\Program Files\Ancient Conquest
2007-09-22 11:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YoYoGames
2007-09-22 11:51 6,448 --ahs---- C:\WINDOWS\system32\oqqru.bak1
2007-09-18 20:25 <DIR> d-------- C:\Program Files\Game_Maker7
2007-09-07 20:15 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 22:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-26 17:19 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Lavasoft
2007-09-26 17:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-20 17:50 --------- d-------- C:\Program Files\Game_Maker6
2007-09-17 17:27 --------- d-------- C:\Program Files\Flash Saver
2007-09-17 17:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-17 16:47 --------- d-------- C:\Program Files\WinAce
2007-09-16 13:13 --------- d-------- C:\Program Files\Google
2007-09-16 10:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-15 09:45 --------- d-------- C:\Program Files\themexp
2007-08-31 19:33 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Google
2007-08-29 19:55 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Seven Zip
2007-08-29 19:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-08-26 11:21 32768 --a------ C:\WINDOWS\system32\1stscrhook.dll
2007-08-14 23:16 --------- d-------- C:\Program Files\decomp
2007-08-11 15:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Protexis
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14043F22-D133-4751-BE0A-7C27B5262C4F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{302E68B6-1226-45F0-9047-CBA6808EF844}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64B94229-7967-860A-A0C2-034C02BA876B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
"SoundMan"="SOUNDMAN.EXE" []
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2005-10-27 15:55]
"CaAvTray"="C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe" [2005-10-27 15:55]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-13 15:06]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-14 02:24]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemx32]
winemx32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\ahead\InCD\InCD.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b69e00e0-97b8-11da-8974-0030180bfa08}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \Launch_seminar_series_menu.htm

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-01 15:52:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-01 15:55:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-01 15:55
.
--- E O F ---

elmoisevil · Oct 1, 2007

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR4F.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR51.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR53.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR55.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR57.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR59.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR5B.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR5D.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR5F.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Access10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\adhoc.rcd Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Excel10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\fbcF.tmp Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\FP10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Graph10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Imagin10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO1025.acl Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO1033.acl Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO2057.acl Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO3081.acl Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSOut10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Organi10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\PowerP10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 12 April.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 12 March.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 17 April.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 19 March.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 2 April.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 26 Feb.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 27 March.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 5 March.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 9 April.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Budget.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Business Relations.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Cashflow(1).xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Cashflow.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\CSI3KMC7.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Dixon.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\files on www.timmys.com.au.url Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\flightcosts.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Gianni.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\goodkarma[1].pps.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\index.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\jobdoc on www.jobs.qld.gov.au.url Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\JuniorOfficePerson.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\JuniorTraineeDixon.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Letterhead.bmp.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\MASTERApplication.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\menu.doc.url Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\My Documents.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\My Pictures.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\OfficeJuniorCBDlawfirm1.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\OfficeJuniorCBDlawfirm2.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\OfficeJuniorNorthside.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\OfficeJuniorSouthside.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\ProjectedBudget13.11.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\RiskAnalysis(1).xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\RiskAnalysis-AV.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Savings.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Sean's Documents.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\sgpapi8-ZNPLUE-1168572210584.gif.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Sponsorship.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Stories.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\test.jpg.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Travel.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Work&Finance.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Scanni10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\VB10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Word10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Wordma10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Outlook\Outlook.FAV Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\PowerPoint\PPT10.pcb Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Proof\CUSTOM.DIC Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\03a1bd72-09d5-4814-b5f1-827abc828b00 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\1187cb48-7f2a-4b6d-ad23-0598d3008a55 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\683cf20a-9a49-481b-80a3-14e2daf759fb Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\95177035-227e-43dd-84ed-2469781094e4 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\b92b3240-8325-4c71-9ecb-96e54f970397 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\cf8a0bac-fc8a-48ea-b387-9ef2022ff3e7 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\d0ba8dc1-70b9-4a1d-9577-48eaadace90a Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\d9c83579-cd03-490f-abcb-08b90b78f802 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\e4231594-8d90-43e5-9373-07e099f10996 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\effc1a67-1d68-4d03-98b1-78f7bd23b928 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\Preferred Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Signatures\Jessica.htm Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Speech\Files\UserLexicons\SP_ED05823CA7FF430EB1C5758C6FCE1502.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Themes\copy-of-cypress2\copy-of-cypress2.elm Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Themes\copy-of-cypress2\copy-of-cypress2.inf Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Themes\themes.inf Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Windows\Themes\Custom.theme Object is locked skipped

C:\Documents and Settings\user\Application Data\MSN6\msndata.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\eskin\empty_bg_st.htm Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\eskin\FileManager.txt Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\SpamBlockerUtility.log Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\1065003.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\2208948.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\3786236.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\830364.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\890068.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\ASPL1.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\domains.txt Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\hstat\3520.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\13546 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\15162 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\251438 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\25469 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\27503 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\29297 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\34186 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\35047 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\4382 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\45833 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\45837 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\61779 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\61837 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\64517 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\73840 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\90358 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\94407 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\99795 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\ustat\3520.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\ads.cdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\btntrans.idx Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\btntrans1.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\business_promo.htm Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\buttondir.txt Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\components.cdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\default.cdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz1.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz10.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz11.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz12.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz13.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz14.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz15.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz16.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz17.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz18.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz19.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz2.mnu Object is locked skipped

elmoisevil · Oct 1, 2007

srry skip that last one
i dont know how to send you the other online av scanner thing it over 2mill characters

Markka · Oct 1, 2007

Hello

Open HijackThis, Click Do a system scan only, checkmark these. Then close all other windows except HijackThis and press fix checked.

O2 - BHO: (no name) - {14043F22-D133-4751-BE0A-7C27B5262C4F} - (no file)
O2 - BHO: (no name) - {302E68B6-1226-45F0-9047-CBA6808EF844} - (no file)
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3} - (no file)
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
__________________

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ydhixebl.dll
C:\WINDOWS\system32\oqqru.bak1
C:\WINDOWS\system32\oqqru.bak2

Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

This will start ComboFix again.
_________________

Let's forget Kaspersky online scanner and replace it with Dr.Web CureIt:

Please Download Dr.Web CureIt and save it to your desktop.

Run a scan with Dr.Web CureIt

Doubleclick the drweb-cureit.exe file and Allow to run the express scan
This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, you should now mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.
When the scan has finished, look if you can click next icon next to the files found
If so, click it and then click the next icon right below and select Move incurable
After the scan, in the menu, click file and choose save report list
Save the report to your desktop. The report will be called DrWeb.csv
Close Dr.Web Cureit.

______________

Post:
- A fresh HijackThis log
- Logfile of ComboFix
- Report of Dr.Web Cureit

elmoisevil · Oct 2, 2007

ive got what u wanted

ComboFix 07-10-02.2 - Sean Stuf 2007-10-02 13:29:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.276 [GMT 10:00]
Running from: C:\Documents and Settings\Sean Stuf\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sean Stuf\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ydhixebl.dll
C:\WINDOWS\system32\oqqru.bak1
C:\WINDOWS\system32\oqqru.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\oqqru.bak1
C:\WINDOWS\system32\oqqru.bak2
C:\WINDOWS\system32\ydhixebl.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-02 10:28 <DIR> d-------- C:\Documents and Settings\Sean Stuf\DoctorWeb
2007-10-01 16:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-01 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-01 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 17:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-09-22 12:55 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-09-22 12:55 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-09-22 12:55 15,872 --a--c--- C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-09-22 12:55 10,240 --a--c--- C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-09-22 12:28 <DIR> d-------- C:\Program Files\Ancient Conquest
2007-09-22 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoYoGames
2007-09-18 20:25 <DIR> d-------- C:\Program Files\Game_Maker7
2007-09-07 20:15 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 22:10 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-26 17:19 --------- d-------- C:\Documents and Settings\Sean Stuf\Application Data\Lavasoft
2007-09-26 17:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-20 17:50 --------- d-------- C:\Program Files\Game_Maker6
2007-09-17 17:27 --------- d-------- C:\Program Files\Flash Saver
2007-09-17 17:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-17 16:47 --------- d-------- C:\Program Files\WinAce
2007-09-16 13:13 --------- d-------- C:\Program Files\Google
2007-09-16 10:56 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-15 09:45 --------- d-------- C:\Program Files\themexp
2007-08-31 19:33 --------- d-------- C:\Documents and Settings\Sean Stuf\Application Data\Google
2007-08-29 19:55 --------- d-------- C:\Documents and Settings\Sean Stuf\Application Data\Seven Zip
2007-08-29 19:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-26 11:21 32768 --a------ C:\WINDOWS\system32\1stscrhook.dll
2007-08-14 23:16 --------- d-------- C:\Program Files\decomp
2007-08-11 15:30 --------- d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot_2007-10-01_155421.06 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-09-27 23:06:08 C:\WINDOWS\catchme.exe
----a-w 135,168 2007-07-11 15:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-11 15:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-11 16:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 844,800 2007-07-22 08:39:27 C:\WINDOWS\system32\swreg.exe
----a-w 213,048 2005-05-24 01:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-09-07 01:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-09-07 01:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
----atw 16,384 2007-10-02 03:35:34 C:\WINDOWS\Temp\Perflib_Perfdata_624.dat
.
----a-w 109,056 2007-07-19 14:47:22 C:\WINDOWS\catchme.exe
----a-w 279,552 2007-07-22 08:39:27 C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
"SoundMan"="SOUNDMAN.EXE" []
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2005-10-27 15:55]
"CaAvTray"="C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe" [2005-10-27 15:55]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-13 15:06]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-14 02:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\ahead\InCD\InCD.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b69e00e0-97b8-11da-8974-0030180bfa08}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \Launch_seminar_series_menu.htm

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 13:39:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-02 13:44:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 13:43
C:\ComboFix2.txt ... 2007-10-01 15:55
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:32 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6307 bytes

RegUBP2b-Sean Stuf.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
favylinw.dll.vir;C:\qoobox\Quarantine\C\Program Files\nulidqzq;Trojan.DownLoader.33219;Deleted.;
bupncxrg.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
majshbbo.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
A0234642.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP673;Trojan.EzulaAd;Deleted.;
A0240426.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.EzulaAd;Deleted.;
A0240427.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.EzulaAd;Deleted.;
A0240428.dll;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.DownLoader.33219;Deleted.;
A0240474.reg;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP687;Trojan.StartPage.1505;Deleted.;

cant remove the virtomunde

New member

Guest

New member

Guest

New member

Guest

New member

Guest

New member

New member

New member

Guest

New member

Guest

New member

New member

New member

New member

Guest

New member