Smitfraud-C.Toolbar888 - Pls assist...



fozcore
2007-01-08, 13:47
I have reviewed many posts about other people dealing with this malware, but I can't seem to remove it despite following the same steps...

Have run SmitFraud Fix, Spybot & Dr.Web CureIt. Have Process Explorer. Despite removing the malware and other trojans, every time I reboot they keep coming back...


HJT log below:
Logfile of HijackThis v1.99.1
Scan saved at 10:33:42 PM, on 8/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymSCUI.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe
C:\Program Files\Windows Media Connect 2\WMCCFG.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\WINDOWS\tsnp2std.exe
C:\WINDOWS\vsnp2std.exe
C:\Program Files\XoftSpySE\xoftspy.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\HPQ\SHARED\HPQWMI.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Java\jre1.5.0\bin\jusched.exe
C:\WINDOWS\system32\igfxtray.exe
C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\AGRSMMSG.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\DOCUME~1\Fozcore\MYDOCU~1\MBOLS~1\taskmgr.exe
C:\Program Files\Common Files\??mantec\?ttrib.exe
C:\WINDOWS\TEMP\winF0.tmp.exe
C:\Documents and Settings\Fozcore\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {7769951E-7E89-7E0C-8F7A-7D129046B6C6} - C:\WINDOWS\system32\bieqtbax.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ChangeResolution] C:\hp\bin\ChangeResolution.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [Windows Media Connect 2] "C:\Program Files\Windows Media Connect 2\WMCCFG.exe" /StartQuiet
O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\system32\jodgyyac.dll",setvm
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0\bin\jusched.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [eabconfg.cpl] C:\Program Files\HPQ\Quick Launch Buttons\EabServr.exe /Start
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Executive Software\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [{2AEBA8E6-06C1-1033-0602-05122220002c}] "C:\Program Files\Common Files\{2AEBA8E6-06C1-1033-0602-05122220002c}\Update.exe" mc-110-12-0000272
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvrun.dll,startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Snte] "C:\DOCUME~1\Fozcore\MYDOCU~1\MBOLS~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [Boew] C:\Program Files\Common Files\??mantec\?ttrib.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=laptop
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.ato.gov.au/formflow/codebase/FormCtl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123073661546
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.ato.gov.au/formflow/codebase/scriptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.ato.gov.au/formflow/codebase/fontinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{358D9C5B-2723-4F3B-BF75-813E2E202DA6}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E16CC10-267D-4380-9EC2-5A04992E7AE8}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C73DA55-4859-43E0-B73B-8CC848EA4DBF}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BD192C2-1BD5-46B6-A86A-45372A83F620}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{841CF124-6236-4819-B90B-D2F551337EAF}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD2977E2-221E-4D77-B40A-AD019AA0FBE4}: NameServer = 80.251.80.8
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: COM+ Messages - Unknown owner - C:\WINDOWS\system32\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe


SmitFraudFix v2.132

Scan done at 22:44:07.20, Mon 08/01/2007
Run from C:\Documents and Settings\Fozcore\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

pskelley
2007-01-10, 17:32
Welcome to the forum. I understand removing this junk can be frustrating. It looks like OIN/PurityScan adware and some others are still there. Please see this information, which is pinned to the top of the forum where you posted; it appears you missed it:
"BEFORE you POST" -Preliminary Steps
http://forums.spybot.info/showthread.php?t=288

Make sure you have completed all of those instructions, run the free online antivirus scan and save the results to the Desktop in case I need them.

Thanks to sUBs and anyone who helped with this fix.

1. Download ComboFix.exe using either of these links:

* bleepingcomputer.com
http://download.bleepingcomputer.com/sUBs/combofix.exe
* techsupportforum.com
http://www.techsupportforum.com/sectools/combofix.exe
2. Double click on combofix.exe & follow the prompts.

3. When finished, it shall produce a log for you. Post that log & a fresh HJT log in your next reply.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

If the log is large, you might need to post half in one reply and half in another.

You have AVG Anti-Spyware 7.5 on board; after you run ComboFix, follow the directions in this link:
http://forums.security-central.us/showthread.php?t=3165

Restart the computer and post the ComboFix log, the scan results from AVG AS and a new HJT log.

Thanks
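The reply above picks a few entries out of the HJT log by eye (the O17 DNS entries, the O23 service with a missing file, the O4 items running from odd places). As an added example that is not part of this thread and not code from HijackThis, ComboFix or SmitFraudFix, here is a small triage script that applies the same kinds of checks to HJT-format lines. The sample lines are copied from the log posted above; the name list, the user-folder list and the look-alike cutoff are assumptions of this example, not rules from any of the tools.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example, not from the thread or from HijackThis/ComboFix/SmitFraudFix.
It reads HJT-style lines and flags the kinds of entries a helper looks at first:
registry-set DNS servers (O17), services whose file is gone (O23), and startup
items (O4) whose path looks wrong. Every threshold and name list below is an
assumption of this example.
"""
import difflib
import re

# Constructed sample in HJT's format (a subset of the log posted in this thread).
# The '?' characters are what HJT printed for folder-name characters it could
# not display; '?' is not a legal filename character on Windows, so on its own
# it is a signal that the folder name is impersonating a real one.
SAMPLE_HJT = """\
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKCU\\..\\Run: [Snte] "C:\\DOCUME~1\\Fozcore\\MYDOCU~1\\MBOLS~1\\taskmgr.exe" -vt yazb
O4 - HKCU\\..\\Run: [Boew] C:\\Program Files\\Common Files\\??mantec\\?ttrib.exe
O4 - HKLM\\..\\Run: [DllRunning] rundll32.exe "C:\\WINDOWS\\system32\\jodgyyac.dll",setvm
O17 - HKLM\\System\\CCS\\Services\\Tcpip\\..\\{358D9C5B-2723-4F3B-BF75-813E2E202DA6}: NameServer = 80.251.80.8
O23 - Service: COM+ Messages - Unknown owner - C:\\WINDOWS\\system32\\svchosts.exe" -e mc-110-12-0000272 (file missing)
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\\Program Files\\Executive Software\\Diskeeper\\DkService.exe
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path up to its extension; lazy so it stops at the binary itself.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys|cpl)", re.IGNORECASE)

# Core Windows binaries that should only ever run from under the Windows folder (assumed list).
SYSTEM_NAMES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
                "svchost.exe", "explorer.exe", "taskmgr.exe", "rundll32.exe"}
LOOKALIKE_RATIO = 0.9  # assumed cutoff for "almost a system binary name"
USER_DIRS = ("\\docume~1\\", "\\documents and settings\\", "\\temp\\")


def path_reasons(path, kind, body):
    """Heuristics on one extracted file path; returns a list of human-readable reasons."""
    reasons = []
    low = path.lower()
    base = low.rsplit("\\", 1)[-1]
    if "?" in path:
        reasons.append("path contains characters HJT could not display (look-alike folder name)")
    if any(d in low for d in USER_DIRS):
        reasons.append("executable lives in a user profile or temp folder")
    if base in SYSTEM_NAMES and "\\windows\\" not in low:
        reasons.append(f"system binary name {base} outside the Windows folder")
    elif base not in SYSTEM_NAMES:
        # Near-miss names such as svchosts.exe are a classic way to hide among real services.
        best = max(difflib.SequenceMatcher(None, base, name).ratio() for name in SYSTEM_NAMES)
        if best >= LOOKALIKE_RATIO:
            reasons.append(f"{base} resembles a Windows system binary name")
    if kind == "O4" and "rundll32" in body.lower() and base.endswith(".dll"):
        reasons.append("startup item loads a DLL through rundll32; verify the DLL's publisher")
    return reasons


def triage(hjt_text):
    """Scan HJT text; return [(kind, snippet, reasons)] for entries worth a second look."""
    findings = []
    for line in hjt_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        kind, body = m.group("kind"), m.group("body")
        reasons = []
        if kind == "O17" and "NameServer" in body:
            server = body.rsplit("=", 1)[1].strip()
            reasons.append(f"DNS server {server} set in the registry; confirm it belongs to your ISP or router")
        if kind == "O23" and "(file missing)" in body:
            reasons.append("service registered for a file that no longer exists")
        path_m = PATH_RE.search(body)
        snippet = path_m.group(0) if path_m else body
        if path_m:
            reasons.extend(path_reasons(path_m.group(0), kind, body))
        if reasons:
            findings.append((kind, snippet, reasons))
    return findings


if __name__ == "__main__":
    for kind, snippet, reasons in triage(SAMPLE_HJT):
        print(f"{kind}  {snippet}")
        for r in reasons:
            print(f"      - {r}")
```

Run it as-is to see the five sample entries it flags; the ccApp and Diskeeper lines pass without comment, which is the point of the location and look-alike checks rather than a flat "unknown publisher" rule. It is a reading aid, not a verdict: a flagged O17 entry still has to be compared with the resolver the ISP or router actually hands out before anything is changed.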

fozcore
2007-01-14, 14:53
Thanks for the response...did as you said, and here are the logs below...

ComboFix log:
"Fozcore" - 07-01-14 22:36:20 Service Pack 2
ComboFix 07-01-14.2 - Running from: "C:\Documents and Settings\Fozcore\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\Fozcore\Application Data\Microsoft\2236.dat
C:\Program Files\Common Files\{2AEBA~2
C:\Program Files\Common Files\{2AEBA~1
C:\Program Files\Common Files\{3AEBA~1
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\Program Files\Common Files\ASKS~1
C:\qoobox\purity\Program Files\Common Files\MANTEC~1
C:\qoobox\purity\Program Files\Common Files\SSEMBL~1
C:\qoobox\purity\WINDOWS\SCURIT~1
C:\qoobox\purity\WINDOWS\system32\ICROSO~1


((((((((((((((((((((((((((((((( Files Created from 2006-12-14 to 2007-01-14 ))))))))))))))))))))))))))))))))))


2007-01-14 18:28 <DIR> d-------- C:\HJT
2007-01-12 07:53 118,804 --a------ C:\WINDOWS\system32\vviskkkc.dll
2007-01-12 07:48 <DIR> d-------- C:\WINDOWS\CAVTemp
2007-01-11 07:53 483,967 ---hs---- C:\WINDOWS\system32\jjkmp.bak2
2007-01-10 20:43 22,541 ---hs---- C:\WINDOWS\system32\pmnmmmk.dll
2007-01-10 07:23 1,021,504 --a------ C:\WINDOWS\system32\vete.dll
2007-01-10 07:09 484,515 ---hs---- C:\WINDOWS\system32\jjkmp.bak1
2007-01-10 07:09 277,044 ---hs---- C:\WINDOWS\system32\pmkjj.dll
2007-01-10 07:08 22,541 ---hs---- C:\WINDOWS\system32\xxyaxuv.dll
2007-01-10 06:55 <DIR> d-------- C:\Bluetooth
2007-01-09 23:37 <DIR> d-------- C:\DOCUME~1\Fozcore\Application Data\MailFrontier
2007-01-09 22:55 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-01-09 22:50 77,824 --a------ C:\WINDOWS\system32\driverif.dll
2007-01-09 22:50 657,168 --a------ C:\WINDOWS\system32\imsinstall.dll
2007-01-09 22:50 645,904 --a------ C:\WINDOWS\system32\drivers\vetmonnt.sys
2007-01-09 22:50 59,152 --a------ C:\WINDOWS\zllsputility.exe
2007-01-09 22:50 21,605 --a------ C:\WINDOWS\system32\drivers\vet-filt.sys
2007-01-09 22:50 2,807,560 --a------ C:\WINDOWS\system32\imslsp.dll
2007-01-09 22:50 15,668 --a------ C:\WINDOWS\system32\drivers\vet-rec.sys
2007-01-09 22:50 12,288 --a------ C:\WINDOWS\system32\vetntmsg.dll
2007-01-09 22:50 115,088 --a------ C:\WINDOWS\system32\drivers\vetfddnt.sys
2007-01-09 22:50 11,264 --a------ C:\WINDOWS\system32\SpOrder.dll
2007-01-09 22:50 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-01-09 22:49 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-01-09 22:45 33,280 --a------ C:\WINDOWS\system32\rundll32.exe
2007-01-09 20:59 22,541 ---hs---- C:\WINDOWS\system32\iifffed.dll
2007-01-09 07:55 22,541 ---hs---- C:\WINDOWS\system32\efcyvtu.dll
2007-01-09 07:52 494,204 ---hs---- C:\WINDOWS\system32\utstv.bak1
2007-01-08 21:48 <DIR> d-------- C:\DOCUME~1\Fozcore\DoctorWeb
2007-01-08 21:31 22,541 ---hs---- C:\WINDOWS\system32\wvuutuv.dll
2007-01-07 20:44 22,541 ---hs---- C:\WINDOWS\system32\hggghhg.dll
2007-01-07 12:21 22,541 ---hs---- C:\WINDOWS\system32\qomnmnn.dll
2007-01-07 12:06 5,994 --a------ C:\WINDOWS\system32\tmp.reg
2007-01-07 11:02 515,071 ---hs---- C:\WINDOWS\system32\bccdd.bak1
2007-01-06 21:26 22,541 ---hs---- C:\WINDOWS\system32\yayaayw.dll
2007-01-05 00:22 <DIR> d-------- C:\!KillBox
2007-01-01 14:48 16,896 --a------ C:\WINDOWS\system32\winopn32.dll
2006-12-30 18:12 <DIR> d-------- C:\2001 Maniacs
2006-12-21 08:51 <DIR> d-------- C:\Program Files\Everstrike Software
2006-12-21 08:51 <DIR> d-------- C:\Program Files\Common Files\Everstrike Software


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-01-14 22:39 -------- d---s---- C:\DOCUME~1\Fozcore\Application Data\microsoft
2007-01-14 22:19 -------- d-------- C:\Program Files\mozilla firefox
2007-01-12 21:49 -------- d-------- C:\DOCUME~1\Fozcore\Application Data\adobe
2007-01-12 19:18 -------- d-------- C:\Program Files\xoftspyse
2007-01-10 07:10 -------- d-------- C:\Program Files\symantec
2007-01-10 07:10 -------- d-------- C:\Program Files\Common Files\symantec shared
2006-12-29 00:22 -------- d-------- C:\DOCUME~1\Fozcore\Application Data\sony
2006-12-29 00:19 -------- d-------- C:\DOCUME~1\Fozcore\Application Data\publish providers
2006-12-02 15:51 -------- d-------- C:\Program Files\grisoft
2006-12-02 12:02 -------- d-------- C:\Program Files\registryfix
2006-12-02 11:52 -------- d-------- C:\Program Files\soulseek
2006-11-30 17:16 -------- d--h----- C:\Program Files\installshield installation information
2006-11-30 17:16 -------- d-------- C:\Program Files\Common Files\snp2std


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SoundMAXPnP"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\Smax4.exe /tray"
"Cpqset"="C:\\Program Files\\HPQ\\Default Settings\\cpqset.exe"
"IMJPMIG8.1"="\"C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE\" /Spoil /RemAdvDef /Migration32"
"IMEKRMIG6.1"="C:\\WINDOWS\\ime\\imkr6_1\\IMEKRMIG.EXE"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"ChangeResolution"="C:\\hp\\bin\\ChangeResolution.exe"
"XoftSpySE"="C:\\Program Files\\XoftSpySE\\xoftspy.exe -s"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"Zone Labs Client"="C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe"
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"Apoint"="C:\\Program Files\\Apoint2K\\Apoint.exe"
"AGRSMMSG"="AGRSMMSG.exe"
"hpWirelessAssistant"="\"%ProgramFiles%\\HPQ\\HP Wireless Assistant\\HP Wireless Assistant.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Avp monitor]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="svchost"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ControlPanel]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cmd32"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Key]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="18"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySheriff]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpySheriff"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdateManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sgtray"
"hkey"="HKLM"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinMedia]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mphj35373593"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{71B45E0D-2FD2-4EA6-91FD-A0AFEB696BD0}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmkjj
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomnmnn
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winopn32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Spybot - Search & Destroy - Scheduled Task.job
C:\WINDOWS\tasks\XoftSpySE.job

Completion time: 07-01-14 22:41:49

fozcore
2007-01-14, 14:54
AVG AS log:

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 11:37:19 PM 14/01/2007

+ Scan result:



C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062690.exe -> Adware.MaxSearch : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP339\A0062630.dll -> Adware.PurityScan : Cleaned.
C:\!KillBox\system.dll -> Adware.Softomate : Cleaned.
C:\!KillBox\system.dll( 1) -> Adware.Softomate : Cleaned.
C:\!KillBox\{2AEBA8E6-06C1-1033-0602-05122220003d}\system.dll -> Adware.Softomate : Cleaned.
C:\RECYCLER\S-1-5-18\Dc1\system.dll -> Adware.Softomate : Cleaned.
C:\RECYCLER\S-1-5-18\Dc3\system.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062707.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062829.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062900.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062901.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062902.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063030.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063031.exe -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063032.dll -> Adware.Softomate : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062685.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062686.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062687.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062688.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062692.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062693.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062695.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062696.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062697.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062920.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062924.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062925.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062926.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062927.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062928.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062929.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062930.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062931.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062932.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062933.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062934.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062935.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062936.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062937.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062938.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062939.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062949.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062951.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062952.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062954.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062955.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062956.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062957.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062958.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062959.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062960.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062961.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062962.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062963.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062964.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062965.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062966.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062967.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062968.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062969.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062970.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062971.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062972.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062973.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062974.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062975.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062976.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062977.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062978.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062979.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062980.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062981.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062982.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062983.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062984.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062985.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062986.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062987.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062988.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062989.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062990.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062991.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062992.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062993.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062994.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062995.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062996.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062997.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062998.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062999.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063000.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063001.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063002.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063003.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063004.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063005.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063006.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063007.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063008.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063009.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063010.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063011.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063012.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063013.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063014.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063015.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063016.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063017.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063018.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063019.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063020.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063021.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063022.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063023.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063024.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0063025.exe -> Dialer.IDialer.m : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062778.exe -> Downloader.Agent.bca : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062796.exe -> Downloader.Agent.bca : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062922.exe -> Downloader.Agent.bdr : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062943.exe -> Downloader.Agent.bdr : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062689.exe -> Downloader.PurityScan.dc : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062918.exe -> Downloader.PurityScan.dc : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062945.exe -> Downloader.PurityScan.dc : Cleaned.
C:\Documents and Settings\Fozcore\Shared\WinCDG Pro v2.02-CD+G Karaoke, VCD Karaoke, CD Audio, MP3+G, WMA+G,Karaoke Media File, and general Multimedia File Player progr.ZIP/ls_wcdgp202/patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
C:\Documents and Settings\Fozcore\Shared\WinCDG Pro v2.02-CD+G Karaoke, VCD Karaoke, CD Audio, MP3+G, WMA+G,Karaoke Media File, and general Multimedia File Player.zip/ls_wcdgp202/patch.exe -> Not-A-Virus.VirTool.Win32.AvSpoffer.a : Cleaned.
:mozilla.66:C:\Documents and Settings\Fozcore\Application Data\Mozilla\Firefox\Profiles\fx7v31ad.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Fozcore\Cookies\fozcore@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
:mozilla.15:C:\Documents and Settings\Fozcore\Application Data\Mozilla\Firefox\Profiles\fx7v31ad.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.16:C:\Documents and Settings\Fozcore\Application Data\Mozilla\Firefox\Profiles\fx7v31ad.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.17:C:\Documents and Settings\Fozcore\Application Data\Mozilla\Firefox\Profiles\fx7v31ad.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
:mozilla.18:C:\Documents and Settings\Fozcore\Application Data\Mozilla\Firefox\Profiles\fx7v31ad.default\cookies.txt -> TrackingCookie.Reliablestats : Cleaned.
C:\WINDOWS\system32\winopn32.dll -> Trojan.Agent.cvt : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062917.exe -> Trojan.Agent.vg : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP341\A0062944.exe -> Trojan.Agent.vg : Cleaned.
C:\System Volume Information\_restore{A80475B6-CF6D-4B3A-BD21-B16C67DB5304}\RP340\A0062752.exe -> Trojan.Small : Cleaned.


::Report end

fozcore
2007-01-14, 14:55
HJT Log..
Logfile of HijackThis v1.99.1
Scan saved at 11:43:50 PM, on 14/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ChangeResolution] C:\hp\bin\ChangeResolution.exe
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.ato.gov.au/formflow/codebase/FormCtl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123073661546
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.ato.gov.au/formflow/codebase/scriptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.ato.gov.au/formflow/codebase/fontinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{358D9C5B-2723-4F3B-BF75-813E2E202DA6}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E16CC10-267D-4380-9EC2-5A04992E7AE8}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C73DA55-4859-43E0-B73B-8CC848EA4DBF}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BD192C2-1BD5-46B6-A86A-45372A83F620}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{841CF124-6236-4819-B90B-D2F551337EAF}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD2977E2-221E-4D77-B40A-AD019AA0FBE4}: NameServer = 80.251.80.8
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pskelley
2007-01-14, 15:32
Looks like we have a hidden Vundo infection. Often it takes VundoFix several attempts to locate and delete all Vundo files. Watch the VundoFix report; when all the files it has located "have been deleted", reboot the computer and post the VundoFix results for me to view.

Thanks to Atribune and any others who helped with this fix.

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

Thanks

fozcore
2007-01-15, 14:10
Thanks again for your assistance...

The VundoFix log...

VundoFix V6.3.2

Checking Java version...

Scan started at 9:22:18 PM 15/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\ckkksivv.ini
C:\WINDOWS\system32\dimukjhc.dll
C:\WINDOWS\system32\efcyvtu.dll
C:\WINDOWS\system32\hggghhg.dll
C:\WINDOWS\system32\hqaabfmq.ini
C:\WINDOWS\system32\iifffed.dll
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.bak2
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmnmmmk.dll
C:\WINDOWS\system32\qmfbaaqh.dll
C:\WINDOWS\system32\qomnmnn.dll
C:\WINDOWS\system32\vviskkkc.dll
C:\WINDOWS\system32\wvuutuv.dll
C:\WINDOWS\system32\xxyaxuv.dll
C:\WINDOWS\system32\yayaayw.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ckkksivv.ini
C:\WINDOWS\system32\ckkksivv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcyvtu.dll
C:\WINDOWS\system32\efcyvtu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hggghhg.dll
C:\WINDOWS\system32\hggghhg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hqaabfmq.ini
C:\WINDOWS\system32\hqaabfmq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\iifffed.dll
C:\WINDOWS\system32\iifffed.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkmp.bak2
C:\WINDOWS\system32\jjkmp.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnmmmk.dll
C:\WINDOWS\system32\pmnmmmk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qmfbaaqh.dll
C:\WINDOWS\system32\qmfbaaqh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomnmnn.dll
C:\WINDOWS\system32\qomnmnn.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\vviskkkc.dll
C:\WINDOWS\system32\vviskkkc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvuutuv.dll
C:\WINDOWS\system32\wvuutuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxyaxuv.dll
C:\WINDOWS\system32\xxyaxuv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yayaayw.dll
C:\WINDOWS\system32\yayaayw.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Scan started at 9:45:19 PM 15/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\dimukjhc.dll
C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\qomnmnn.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\edeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\geede.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qomnmnn.dll
C:\WINDOWS\system32\qomnmnn.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.2

Checking Java version...

Scan started at 10:20:21 PM 15/01/2007

Listing files found while scanning....

C:\WINDOWS\system32\dimukjhc.dll

Beginning removal...

Performing Repairs to the registry.
Done!



The latest HJT log is...

Logfile of HijackThis v1.99.1
Scan saved at 11:05:35 PM, on 15/01/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\Program Files\Executive Software\Diskeeper\DkService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\ZoneLabs\isafe.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
C:\WINDOWS\system32\hkcmd.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Apoint2K\Apoint.exe
C:\Program Files\Apoint2K\Apntex.exe
C:\PROGRA~1\ZONELA~1\ZONEAL~1\MAILFR~1\mantispm.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com.au
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.yahoo.com.au
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=laptop
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {146B008E-21D3-449F-92BA-CAD885B8AF64} - C:\WINDOWS\system32\pmkjj.dll (file missing)
O2 - BHO: (no name) - {3B107112-A971-499A-8234-90C40965D667} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {3FF0B62F-6C26-4E2B-A2FD-662F32B62A0A} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {71B45E0D-2FD2-4EA6-91FD-A0AFEB696BD0} - C:\WINDOWS\system32\qomnmnn.dll (file missing)
O2 - BHO: (no name) - {7DA39570-5FD2-4f18-94B4-20730CB3F727} - C:\WINDOWS\system32\dimukjhc.dll (file missing)
O2 - BHO: (no name) - {E6C32278-7420-41F4-8471-C6E1D702F267} - C:\WINDOWS\system32\geede.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe
O4 - HKLM\..\Run: [SoundMAX] C:\Program Files\Analog Devices\SoundMAX\Smax4.exe /tray
O4 - HKLM\..\Run: [Cpqset] C:\Program Files\HPQ\Default Settings\cpqset.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ChangeResolution] C:\hp\bin\ChangeResolution.exe
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Zone Labs Client] C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [hpWirelessAssistant] "%ProgramFiles%\HPQ\HP Wireless Assistant\HP Wireless Assistant.exe"
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://ie.redirect.hp.com/svs/rdr?TYPE=3&tp=iehome&locale=EN_AU&c=Q105&bd=presario&pf=laptop
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {11818680-FCF6-11D0-9808-0800092A4865} (Adobe Form Control) - http://www.ato.gov.au/formflow/codebase/FormCtl.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1123073661546
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {CDDCFBB3-4D93-11D2-B1A9-00A0C9B742BE} (Adobe Script Object) - http://www.ato.gov.au/formflow/codebase/scriptobject.cab
O16 - DPF: {EF2FB80F-0975-408E-A871-B00CC863478A} (Adobe Soft Font Installer) - http://www.ato.gov.au/formflow/codebase/fontinstaller.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{358D9C5B-2723-4F3B-BF75-813E2E202DA6}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{3E16CC10-267D-4380-9EC2-5A04992E7AE8}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{5C73DA55-4859-43E0-B73B-8CC848EA4DBF}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{6BD192C2-1BD5-46B6-A86A-45372A83F620}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{841CF124-6236-4819-B90B-D2F551337EAF}: NameServer = 80.251.80.8
O17 - HKLM\System\CCS\Services\Tcpip\..\{BD2977E2-221E-4D77-B40A-AD019AA0FBE4}: NameServer = 80.251.80.8
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: CA ISafe (CAISafe) - Computer Associates International, Inc. - C:\WINDOWS\system32\ZoneLabs\isafe.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\Diskeeper\DkService.exe
O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\SHARED\HPQWMI.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

pskelley
2007-01-15, 14:58
Thanks for returning your information. Does this item look like something you know: O4 - HKLM\..\Run: [ChangeResolution] C:\hp\bin\ChangeResolution.exe
It looks like HP, but I wish to be sure. If you do not know, then scan the file here: http://virusscan.jotti.org/

You had a nasty Vundo infection. It looks like the Vundofix got it all. Let's clean like this:

1) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

2) AVG Anti-Spyware 7.5: Deactivate the Resident Shield
- Before proceeding, deactivate the "Resident Shield" as this may prevent changes to the registry.
- To do this, click "Change State" to the right of the Resident Shield option in the main window.
- You will clearly see the status change to Inactive if you have done this correctly.

3) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O2 - BHO: (no name) - {146B008E-21D3-449F-92BA-CAD885B8AF64} - C:\WINDOWS\system32\pmkjj.dll (file missing)
O2 - BHO: (no name) - {3B107112-A971-499A-8234-90C40965D667} - C:\WINDOWS\system32\ddccb.dll (file missing)
O2 - BHO: (no name) - {3FF0B62F-6C26-4E2B-A2FD-662F32B62A0A} - C:\WINDOWS\system32\vtstu.dll (file missing)
O2 - BHO: (no name) - {71B45E0D-2FD2-4EA6-91FD-A0AFEB696BD0} - C:\WINDOWS\system32\qomnmnn.dll (file missing)
O2 - BHO: (no name) - {71B45E0D-2FD2-4EA6-91FD-A0AFEB696BD0} - C:\WINDOWS\system32\qomnmnn.dll (file missing)
O2 - BHO: (no name) - {E6C32278-7420-41F4-8471-C6E1D702F267} - C:\WINDOWS\system32\geede.dll (file missing)
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

4) Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

5) Your Java program is out of date and may be the reason you were infected. See this information:
http://forums.spybot.info/showpost.php?p=12880&postcount=2
C:\Program Files\Java\jre1.5.0\ <<< out of date
Download the newest version and uninstall all old versions in Add Remove Programs.

Restart your computer and run another AVG Anti-Spyware scan. When you finish, save the scan report and restart the computer again so the changes go into effect. Now scan and post a new HJT log along with the AVG Anti-Spyware scan report and some feedback from you about how the computer is running.

Cheers...Phil
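The two checks Phil asked for above, that every file VundoFix listed shows as deleted before rebooting and that the O2/O20 entries still pointing at deleted DLLs get fixed in HijackThis, can be applied to the posted logs mechanically. This is an added example, not code from VundoFix, HijackThis or anyone in this thread; its sample text is constructed from lines quoted earlier in the thread, and the reversed-name pairing is an observation about the listed file names (pmkjj.dll beside jjkmp.ini), not a VundoFix feature.

```python
"""Triage helpers for the VundoFix and HijackThis output in this thread (added example, not the tools' own code)."""
import ntpath
import re

# Constructed from the first VundoFix run posted above: files listed, then an attempt/result pair per file.
VUNDOFIX_RUN = r"""
Listing files found while scanning....
C:\WINDOWS\system32\ckkksivv.ini
C:\WINDOWS\system32\dimukjhc.dll
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\qomnmnn.dll
C:\WINDOWS\system32\vviskkkc.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\ckkksivv.ini
C:\WINDOWS\system32\ckkksivv.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini Has been deleted!
Attempting to delete C:\WINDOWS\system32\pmkjj.dll
C:\WINDOWS\system32\pmkjj.dll Has been deleted!
Attempting to delete C:\WINDOWS\system32\qomnmnn.dll
C:\WINDOWS\system32\qomnmnn.dll Could not be deleted.
Attempting to delete C:\WINDOWS\system32\vviskkkc.dll
C:\WINDOWS\system32\vviskkkc.dll Has been deleted!
"""

# Constructed from the final HijackThis log above, including the O2/O20 lines the helper had fixed.
HJT_LOG = r"""
O2 - BHO: (no name) - {146B008E-21D3-449F-92BA-CAD885B8AF64} - C:\WINDOWS\system32\pmkjj.dll (file missing)
O2 - BHO: (no name) - {71B45E0D-2FD2-4EA6-91FD-A0AFEB696BD0} - C:\WINDOWS\system32\qomnmnn.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: winopn32 - winopn32.dll (file missing)
"""


def vundofix_summary(text):
    """Split one VundoFix run into sorted basename lists: (found, deleted, failed, not_attempted)."""
    found, deleted, failed = [], [], []
    listing = False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Listing files found"):
            listing = True
        elif line.startswith("Beginning removal"):
            listing = False
        elif listing and line:
            found.append(ntpath.basename(line))  # ntpath splits backslash paths off-Windows too
        elif line.endswith("Has been deleted!"):
            deleted.append(ntpath.basename(line.rsplit(" Has been", 1)[0]))
        elif line.endswith("Could not be deleted."):
            failed.append(ntpath.basename(line.rsplit(" Could not", 1)[0]))
    not_attempted = sorted(set(found) - set(deleted) - set(failed))
    return sorted(found), sorted(deleted), sorted(failed), not_attempted


def all_deleted(text):
    """The helper's reboot criterion: every file VundoFix listed shows as deleted."""
    found, deleted, _failed, _not_attempted = vundofix_summary(text)
    return bool(found) and found == deleted


def reversed_name_pairs(names):
    """Pair each .dll with files whose stem is its stem spelled backwards, the pattern
    visible in the listing (pmkjj.dll beside jjkmp.ini and jjkmp.bak1). Accepts full paths."""
    def stem(n):
        return ntpath.splitext(ntpath.basename(n))[0].lower()
    by_stem = {}
    for n in names:
        by_stem.setdefault(stem(n), []).append(ntpath.basename(n))
    pairs = []
    for n in names:
        base = ntpath.basename(n)
        if base.lower().endswith(".dll"):
            for companion in by_stem.get(stem(n)[::-1], []):
                if companion.lower() != base.lower():  # skip palindromic self-matches
                    pairs.append((base, companion))
    return sorted(pairs)


def orphaned_hjt_entries(text):
    """Return (section, body) for O2 BHO and O20 Winlogon Notify entries whose DLL
    HijackThis reports missing: registry residue left behind once the files were deleted."""
    orphans = []
    for line in text.splitlines():
        m = re.match(r"^(?P<section>[RFNO]\d+) - (?P<body>.*)$", line.strip())
        if not m or "(file missing)" not in m.group("body"):
            continue
        if m.group("section") == "O2" and "(no name)" in m.group("body"):
            orphans.append(("O2", m.group("body")))
        elif m.group("section") == "O20":
            orphans.append(("O20", m.group("body")))
    return orphans
```

Run against the first VundoFix run, `all_deleted` is False because qomnmnn.dll could not be deleted and dimukjhc.dll was listed but never attempted, which is exactly the situation in which the helper says to let VundoFix run again.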

tashi
2007-01-23, 19:51
fozcore, how is it going? :)

tashi
2007-01-30, 00:31
This topic is closed due to lack of a response. :sad: Thanks Phil. :)

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.