pop ups, trojan.vundo



agohel1
2007-06-09, 17:47
I have McAfee and it says I have Vundo. I tried to solve it with this software that runs a scan and removes it, but it didn't. I ran a Spybot scan (not in safe mode), but I could not do an online scan.


HJT Log (this was before I ran the Spybot scan)

Logfile of HijackThis v1.99.1
Scan saved at 2:15:43 PM, on 6/8/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\DVDRAMSV.exe
D:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
D:\PROGRA~1\McAfee\MSC\mcpromgr.exe
d:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\Explorer.EXE
d:\PROGRA~1\mcafee.com\agent\mcagent.exe
d:\PROGRA~1\mcafee\VIRUSS~1\mcvsshld.exe
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\MSOffice\Office\FINDFAST.EXE
D:\WINDOWS\system32\RAMASST.exe
D:\WINDOWS\FSScrCtl.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\Product Assistant\bin\hprblog.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
D:\Program Files\Internet Explorer\iexplore.exe
D:\Documents and Settings\Ashish\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ijji.com/index.nhn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [j8261131] rundll32 D:\WINDOWS\system32\j8261131.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "D:\WINDOWS\system32\syjacebb.dll",realset
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Screen Saver Control.lnk = D:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - D:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - D:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe


Thank you
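What a helper reads off a log like this, as an added example that is not part of the original post and not HijackThis code: a small Python triage over the O2, O4 and O20 lines. It flags Run entries where rundll32 loads a random-named DLL out of system32, unnamed BHOs (orphaned or backed by such a DLL), and Winlogon Notify DLLs that are missing or random-named, and ranks them. The random-stem rule and the severities are my assumptions; the sample lines are copied from the two HijackThis logs in this thread, plus two benign entries that must not be flagged.

```python
"""Triage of HijackThis O2 / O4 / O20 lines for Vundo-style autostarts.

Added example for this thread; it is not HijackThis code and not the
helper's checklist. The rules (random-looking 7-8 letter DLL stems,
unnamed BHOs, Winlogon Notify DLLs with no file on disk) are assumptions
drawn from the entries visible in the two logs above.
"""
import ntpath
import re

# Stems like nxifictj, syjacebb, iifgebb or j8261131. Weak on its own
# (explorer.exe also matches), so it is only applied to DLLs in loading
# positions where a legitimate product would normally carry a name.
RANDOM_STEM = re.compile(r"^(?:[a-z]{7,8}|[a-z]\d{7})$")
DLL_IN_CMD = re.compile(r'"?([A-Za-z]:\\.*?\.dll)"?', re.IGNORECASE)


def random_stem(path):
    stem, _ = ntpath.splitext(ntpath.basename(path))
    return bool(RANDOM_STEM.match(stem))


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return (severity, section, reason, path) tuples for suspicious lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("O4 - ") and "] " in line:
            # Run entry: [name] command   -> only rundll32-loaded DLLs matter here
            cmd = line.split("] ", 1)[1]
            m = DLL_IN_CMD.search(cmd)
            if cmd.lower().startswith("rundll32") and m and in_system32(m.group(1)) and random_stem(m.group(1)):
                findings.append(("high", "O4", "rundll32 loads a random-named DLL from system32", m.group(1)))
        elif line.startswith("O2 - BHO: "):
            # BHO: <name> - {CLSID} - <dll path or "(no file)">
            parts = line[len("O2 - BHO: "):].split(" - ")
            name, path = parts[0], parts[-1]
            if name == "(no name)" and path == "(no file)":
                findings.append(("low", "O2", "orphaned BHO registration, nothing on disk", path))
            elif name == "(no name)" and in_system32(path) and random_stem(path):
                findings.append(("high", "O2", "unnamed BHO backed by a random-named DLL in system32", path))
        elif line.startswith("O20 - Winlogon Notify: "):
            # Winlogon Notify: <key> - <dll> [(file missing)]
            target = line.split(" - ")[-1]
            path = target.replace(" (file missing)", "")
            if target.endswith("(file missing)") or random_stem(path):
                findings.append(("medium", "O20", "Winlogon Notify DLL missing or random-named", path))
    return findings


def by_severity(findings):
    """Count findings per severity, e.g. {'high': 3, 'medium': 1, 'low': 1}."""
    counts = {}
    for sev, *_ in findings:
        counts[sev] = counts.get(sev, 0) + 1
    return counts


# Constructed input: lines copied from the two HijackThis logs posted above,
# with two benign entries (Java BHO, WgaLogon) that must not be flagged.
SAMPLE_HJT = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {3D4DB4A3-59F4-4514-B9C7-D42C03753DD8} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - D:\WINDOWS\system32\nxifictj.dll
O4 - HKLM\..\Run: [NeroFilterCheck] D:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [j8261131] rundll32 D:\WINDOWS\system32\j8261131.dll sook
O4 - HKLM\..\Run: [ApachInc] rundll32.exe "D:\WINDOWS\system32\syjacebb.dll",realset
O20 - Winlogon Notify: iifgebb - iifgebb.dll (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

if __name__ == "__main__":
    for sev, section, why, path in triage(SAMPLE_HJT):
        print(f"{sev:6} {section:4} {path:45} {why}")
    print(by_severity(triage(SAMPLE_HJT)))
```

The two rundll32 lines and the unnamed BHO come out as high, the missing Winlogon Notify DLL as medium, and the BHO with no file on disk as a low-priority cleanup; the Java and WgaLogon entries pass because they carry a name and a non-random stem. The name rule is deliberately the weakest link and is never used without the loading context.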

miekiemoes
2007-06-09, 18:23
Hello,

* Download Combofix (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your desktop.
Double-click ComboFix.exe.
Follow the prompts.
Don't click on the window while the fix is running, because that will cause your system to hang.

When finished and after reboot (in case it asks to reboot), it should open a log, combofix.txt.
Post this log in your next reply together with a new HijackThis log.
Do NOT post the ComboFix-quarantined-files.txt - unless I ask you to.

agohel1
2007-06-09, 19:20
ComboFix Log

"Ashish" - 2007-06-09 12:13:36 Service Pack 2 NTFS
ComboFix 07-06-3B - Running from: "D:\Documents and Settings\Ashish\Desktop\"


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 11:21 <DIR> d-------- D:\VundoFix Backups
2007-06-08 22:49 524,288 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-08 22:38 57,344 --a------ D:\DOCUME~1\ALLUSE~1\APPLIC~1\vajmfsjo.exe
2007-06-08 14:06 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-07 11:55 58,420 --a------ D:\WINDOWS\system32\nxifictj.dll
2007-06-06 16:28 55,316 --a------ D:\WINDOWS\system32\scgmebhm.dll
2007-06-06 16:08 55,316 --a------ D:\WINDOWS\system32\mcivwlqx.dll
2007-06-05 12:01 2,580 --a------ D:\WINDOWS\system32\ootinlnm.exe
2007-06-05 11:13 131,124 --a------ D:\WINDOWS\system32\syjacebb.dll
2007-06-05 11:01 131,124 --a------ D:\WINDOWS\system32\bihlfiif.dll
2007-06-04 22:21 2,580 --a------ D:\WINDOWS\system32\xxdphqqh.exe
2007-06-04 22:20 131,124 --a------ D:\WINDOWS\system32\fsfuwfuq.dll
2007-06-04 18:59 131,124 --a------ D:\WINDOWS\system32\lrkchxtr.dll
2007-06-04 18:56 2,580 --a------ D:\WINDOWS\system32\dditevlc.exe
2007-06-04 18:51 <DIR> d-------- D:\WINDOWS\system32\SoftwareDistribution
2007-06-01 23:46 131,124 --a------ D:\WINDOWS\system32\qleuxoqm.dll
2007-06-01 23:40 2,580 --a------ D:\WINDOWS\system32\xyjvswme.exe
2007-05-22 23:24 <DIR> d-------- D:\spoolerlogs
2007-05-22 19:56 <DIR> d-------- D:\DOCUME~1\Ashish\APPLIC~1\McAfee
2007-05-20 14:59 <DIR> d-------- D:\WINDOWS\SxsCaPendDel
2007-05-16 16:45 4,682 --a------ D:\WINDOWS\system32\npptNT2.sys
2007-05-16 16:44 <DIR> d--h----- D:\WINDOWS\HUL
2007-05-16 16:36 <DIR> d-------- D:\DOCUME~1\Ashish\APPLIC~1\InstallShield
2007-05-14 20:21 <DIR> d-------- D:\Program Files\3DGroove
2007-05-14 20:19 <DIR> dr-h----- D:\DOCUME~1\Pooja\APPLIC~1\yahoo!
2007-05-09 17:58 <DIR> d-------- D:\Program Files\Microsoft CAPICOM 2.1.0.2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 22:19:54 -------- d-----w D:\Program Files\HP
2007-06-08 21:15:56 139,264 ----a-w D:\WINDOWS\system32\hpzjrd01.dll
2007-05-16 20:37:48 -------- d--h--w D:\Program Files\InstallShield Installation Information
2007-05-14 19:27:38 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\teamspeak2
2007-05-11 00:21:23 -------- d-----w D:\Program Files\Wolfenstein - Enemy Territory
2007-05-05 00:05:43 -------- d-----w D:\Program Files\iTunesMiniPlayer.Resources
2007-05-05 00:05:43 -------- d-----w D:\Program Files\iTunesHelper.Resources
2007-05-05 00:05:43 -------- d-----w D:\Program Files\iTunes.Resources
2007-05-05 00:05:37 -------- d-----w D:\Program Files\iPod
2007-05-05 00:05:37 -------- d-----w D:\Program Files\CD Configuration
2007-05-05 00:03:49 -------- d-----w D:\Program Files\QuickTime
2007-05-03 23:32:51 29,184 ----a-w D:\WINDOWS\system32\sstunst2.exe
2007-05-03 23:32:48 249,344 ----a-w D:\WINDOWS\FSScrCtl.exe
2007-05-03 23:30:08 -------- d-----w D:\Program Files\Freeze.com
2007-05-03 10:31:29 -------- d-----w D:\Program Files\Ligos
2007-05-03 09:50:52 -------- d-----w D:\Program Files\GameSpy Arcade
2007-05-03 02:32:35 593 ----a-w D:\WINDOWS\eReg.dat
2007-05-03 00:53:53 12,464 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-05-02 21:13:58 -------- d-----w D:\Program Files\EA Games
2007-04-29 01:08:14 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\HP
2007-04-28 18:01:58 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\GetRightToGo
2007-04-28 17:52:32 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Lavasoft
2007-04-27 15:25:58 90,112 ----a-w D:\Program Files\iTunesKeyboardCompatibility.dll
2007-04-27 15:25:58 257,088 ----a-w D:\Program Files\iTunesHelper.exe
2007-04-27 15:25:58 232,960 ----a-w D:\Program Files\iTunesOutlookAddIn.dll
2007-04-27 15:25:58 132,672 ----a-w D:\Program Files\iTunesMiniPlayer.dll
2007-04-27 15:25:58 108,608 ----a-w D:\Program Files\iTunesAdmin.dll
2007-04-27 15:25:54 14,672,448 ----a-w D:\Program Files\iTunes.exe
2007-04-27 15:25:52 630,784 ----a-w D:\Program Files\iPodUpdaterExt.dll
2007-04-27 15:25:52 438,272 ----a-w D:\Program Files\CDDBControlApple.dll
2007-04-26 21:43:13 664 ----a-w D:\WINDOWS\system32\d3d9caps.dat
2007-04-24 20:49:12 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Apple Computer
2007-04-23 19:59:37 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Skaya
2007-04-22 01:33:16 16 ----a-w D:\WINDOWS\popcinfo.dat
2007-04-22 01:30:36 720,896 ----a-w D:\WINDOWS\iun6002ev.exe
2007-04-21 20:10:56 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\vlc
2007-04-21 02:18:57 36,734 ----a-w D:\WINDOWS\system32\OggDSuninst.exe
2007-04-21 01:07:27 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Groupworld
2007-04-19 00:35:22 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Ahead
2007-04-18 22:55:07 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Help
2007-04-18 16:12:23 2,854,400 ----a-w D:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w D:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w D:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w D:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w D:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w D:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w D:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w D:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w D:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w D:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w D:\WINDOWS\system32\muweb.dll
2007-04-16 23:18:01 -------- d-----w D:\Program Files\MTV Networks
2007-04-15 19:04:57 -------- d--h--r D:\DOCUME~1\Ashish\APPLIC~1\yahoo!
2007-04-04 03:39:03 88,424 ----a-w D:\WINDOWS\hpoins06.dat
2007-03-27 19:39:42 1,396,033 --sha-w D:\WINDOWS\system32\poppo.ini2
2007-03-26 21:55:39 1,394,006 --sha-w D:\WINDOWS\system32\poppo.bak2
2007-03-25 19:32:47 1,233,962 --sha-w D:\WINDOWS\system32\poppo.bak1
2007-03-25 18:41:31 405,504 ----a-w D:\WINDOWS\system32\DVDTool.exe
2007-03-25 18:41:31 233,472 ----a-w D:\WINDOWS\system32\DVDTools.dll
2007-03-25 18:41:31 155,648 ----a-w D:\WINDOWS\system32\RAMASST.exe
2007-03-25 18:41:31 135,168 ----a-w D:\WINDOWS\system32\DVDMenu.dll
2007-03-25 18:41:31 110,592 ----a-w D:\WINDOWS\system32\DVDRAMSV.exe
2007-03-24 01:44:20 1,168 ----a-w D:\WINDOWS\mozver.dat
2007-03-24 01:35:21 0 ----a-w D:\WINDOWS\nsreg.dat
2007-03-24 00:47:34 21,640 ----a-w D:\WINDOWS\system32\emptyregdb.dat
2007-03-17 13:43:01 292,864 ----a-w D:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=D:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=d:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]
{E12BFF69-38A7-406e-A8EF-2738107A7831}=D:\WINDOWS\system32\nxifictj.dll [2007-06-07 11:55]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe" [2006-11-02 16:57]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="D:\Program Files\iTunesHelper.exe" [2007-04-27 11:25]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgebb]
iifgebb.dll

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-17 11:31:07 D:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-03-24 01:29:55 D:\WINDOWS\tasks\McDefragTask.job
2007-04-01 05:00:01 D:\WINDOWS\tasks\McQcTask.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 12:16:15
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 12:17:30
D:\ComboFix-quarantined-files.txt ... 2007-06-09 12:17

--- E O F ---




HJT Log

Logfile of HijackThis v1.99.1
Scan saved at 12:21:34 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\DVDRAMSV.exe
D:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
D:\PROGRA~1\McAfee\MSC\mcpromgr.exe
d:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\System32\svchost.exe
D:\ComboFix\32683.cfexe
d:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\MSOffice\Office\FINDFAST.EXE
D:\WINDOWS\system32\RAMASST.exe
D:\WINDOWS\FSScrCtl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Documents and Settings\Ashish\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ijji.com/index.nhn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3D4DB4A3-59F4-4514-B9C7-D42C03753DD8} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - d:\program files\mcafee\virusscan\scriptcl.dll
O2 - BHO: (no name) - {84E44A83-9BCC-4F38-A008-8FE2FA20BCC5} - (no file)
O2 - BHO: (no name) - {D9D4B49F-4942-4843-93D6-06D316B009D9} - (no file)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - D:\WINDOWS\system32\nxifictj.dll
O2 - BHO: (no name) - {F6F054F7-44A5-47CE-8AAF-4F69FE1A769E} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Screen Saver Control.lnk = D:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: iifgebb - iifgebb.dll (file missing)
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - D:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - D:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

miekiemoes
2007-06-09, 19:42
Hi,

Please reboot before proceeding with the next instructions, because I see ComboFix never finished and is still running.
So reboot first.

After reboot,

Open Notepad and copy/paste the text in the quote box below into it:


File::
D:\DOCUME~1\ALLUSE~1\APPLIC~1\vajmfsjo.exe
D:\WINDOWS\system32\nxifictj.dll
D:\WINDOWS\system32\scgmebhm.dll
D:\WINDOWS\system32\mcivwlqx.dll
D:\WINDOWS\system32\ootinlnm.exe
D:\WINDOWS\system32\syjacebb.dll
D:\WINDOWS\system32\bihlfiif.dll
D:\WINDOWS\system32\xxdphqqh.exe
D:\WINDOWS\system32\fsfuwfuq.dll
D:\WINDOWS\system32\lrkchxtr.dll
D:\WINDOWS\system32\dditevlc.exe
D:\WINDOWS\system32\qleuxoqm.dll
D:\WINDOWS\system32\xyjvswme.exe
D:\WINDOWS\system32\poppo.ini2
D:\WINDOWS\system32\poppo.bak2
D:\WINDOWS\system32\poppo.bak1

Folder::
D:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{E12BFF69-38A7-406e-A8EF-2738107A7831}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{3D4DB4A3-59F4-4514-B9C7-D42C03753DD8}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{84E44A83-9BCC-4F38-A008-8FE2FA20BCC5}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D9D4B49F-4942-4843-93D6-06D316B009D9}]
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F6F054F7-44A5-47CE-8AAF-4F69FE1A769E}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifgebb]



Save this as ComboFix-Do.txt

Then drag ComboFix-Do.txt onto ComboFix.exe, as shown in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
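The script above was assembled by hand from the ComboFix log. The following is an added example, not ComboFix's code and not the helper's own procedure: it writes out the rules a reviewer applies when reading the "Files Created" and "Find3M" sections and renders the result in the File:: / Folder:: / Registry:: layout used above. The rules are my assumptions: several new system32 files of exactly the same byte size (the 131,124-byte DLLs and 2,580-byte EXEs in the log), hidden+system data files in system32 (the poppo.* files), an executable sitting directly in an Application Data root, and any file an autostart key references. REFERENCED is the one BHO path from the log's Reg Loading Points section; HELPER_FILES is the list the helper posted, used only to check agreement. Folder:: and Registry:: entries cannot be derived from the file listing, so they are passed in explicitly.

```python
"""Turn a ComboFix log into a CFScript (File:: / Folder:: / Registry::).

Added example for this thread: not ComboFix's code and not the helper's
method, but the rules a reviewer applies by eye to the log above, written
out so they can be checked against the helper's hand-made list.
"""
import ntpath
import re

# One listing line in either section: date time size attrs path
ENTRY_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}(?::\d{2})?) (\S+) (\S+) (.+)$")


def parse_entries(log_text):
    """Yield (path, size_in_bytes, attrs) for each file line; directories are skipped."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        size, attrs, path = m.group(3), m.group(4), m.group(5)
        if size == "<DIR>" or attrs.startswith("d"):
            continue
        yield path, int(size.replace(",", "")), attrs


def suspect_files(log_text, referenced=()):
    """Map path -> reason. `referenced` holds paths that autostart keys point at."""
    entries = list(parse_entries(log_text))
    by_size = {}  # Vundo drops several files of identical size under system32
    for path, size, _ in entries:
        if "\\system32\\" in path.lower():
            by_size.setdefault(size, []).append(path)
    referenced_lc = {p.lower() for p in referenced}
    reasons = {}
    for path, size, attrs in entries:
        low = path.lower()
        in_sys32 = "\\system32\\" in low
        if low in referenced_lc:
            reasons[path] = "loaded from an autostart key"
        elif in_sys32 and len(by_size.get(size, [])) >= 2:
            reasons[path] = f"{len(by_size[size])} new system32 files of exactly {size} bytes"
        elif in_sys32 and "s" in attrs and "h" in attrs:
            reasons[path] = f"hidden+system data file ({attrs})"
        elif ntpath.dirname(path).upper().endswith("APPLIC~1") and low.endswith((".exe", ".dll")):
            reasons[path] = "executable dropped straight into an Application Data root"
    return reasons


def build_cfscript(files, folders=(), bho_guids=(), notify_keys=()):
    """Render the sections in the layout ComboFix reads from ComboFix-Do.txt."""
    bho = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
    notify = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
    lines = ["File::", *sorted(files, key=str.lower)]
    if folders:
        lines += ["", "Folder::", *folders]
    reg = [f"[-{bho}\\{g}]" for g in bho_guids] + [f"[-{notify}\\{k}]" for k in notify_keys]
    if reg:
        lines += ["", "Registry::", *reg]
    return "\n".join(lines) + "\n"


# Constructed input: the suspicious lines plus a few benign ones, copied from
# the ComboFix log posted above with sizes and timestamps unchanged.
SAMPLE_COMBOFIX = r"""
2007-06-09 11:21 <DIR> d-------- D:\VundoFix Backups
2007-06-08 22:49 524,288 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-08 22:38 57,344 --a------ D:\DOCUME~1\ALLUSE~1\APPLIC~1\vajmfsjo.exe
2007-06-07 11:55 58,420 --a------ D:\WINDOWS\system32\nxifictj.dll
2007-06-06 16:28 55,316 --a------ D:\WINDOWS\system32\scgmebhm.dll
2007-06-06 16:08 55,316 --a------ D:\WINDOWS\system32\mcivwlqx.dll
2007-06-05 12:01 2,580 --a------ D:\WINDOWS\system32\ootinlnm.exe
2007-06-05 11:13 131,124 --a------ D:\WINDOWS\system32\syjacebb.dll
2007-06-05 11:01 131,124 --a------ D:\WINDOWS\system32\bihlfiif.dll
2007-06-04 22:21 2,580 --a------ D:\WINDOWS\system32\xxdphqqh.exe
2007-06-04 22:20 131,124 --a------ D:\WINDOWS\system32\fsfuwfuq.dll
2007-06-04 18:59 131,124 --a------ D:\WINDOWS\system32\lrkchxtr.dll
2007-06-04 18:56 2,580 --a------ D:\WINDOWS\system32\dditevlc.exe
2007-06-01 23:46 131,124 --a------ D:\WINDOWS\system32\qleuxoqm.dll
2007-06-01 23:40 2,580 --a------ D:\WINDOWS\system32\xyjvswme.exe
2007-05-16 16:45 4,682 --a------ D:\WINDOWS\system32\npptNT2.sys
2007-03-27 19:39:42 1,396,033 --sha-w D:\WINDOWS\system32\poppo.ini2
2007-03-26 21:55:39 1,394,006 --sha-w D:\WINDOWS\system32\poppo.bak2
2007-03-25 19:32:47 1,233,962 --sha-w D:\WINDOWS\system32\poppo.bak1
"""

# The one path an autostart key points at (the BHO in the log's Reg Loading Points).
REFERENCED = [r"D:\WINDOWS\system32\nxifictj.dll"]

# The 16 files the helper listed under File:: by hand, for comparison only.
HELPER_FILES = set("vajmfsjo.exe nxifictj.dll scgmebhm.dll mcivwlqx.dll ootinlnm.exe "
                   "syjacebb.dll bihlfiif.dll xxdphqqh.exe fsfuwfuq.dll lrkchxtr.dll dditevlc.exe "
                   "qleuxoqm.dll xyjvswme.exe poppo.ini2 poppo.bak2 poppo.bak1".split())


def flagged_names(referenced=None):
    referenced = REFERENCED if referenced is None else referenced
    return {ntpath.basename(p) for p in suspect_files(SAMPLE_COMBOFIX, referenced)}


def compare_with_helper():
    """(missed, extra) relative to the helper's list; two empty sets means full agreement."""
    return HELPER_FILES - flagged_names(), flagged_names() - HELPER_FILES


if __name__ == "__main__":
    found = suspect_files(SAMPLE_COMBOFIX, REFERENCED)
    for path, why in sorted(found.items()):
        print(f"{why:58} {path}")
    print(build_cfscript(found, folders=[r"D:\VundoFix Backups"],
                         bho_guids=["{E12BFF69-38A7-406e-A8EF-2738107A7831}"], notify_keys=["iifgebb"]))
```

Run as-is it reproduces the 16 files in the helper's File:: section. Calling flagged_names(()) drops nxifictj.dll, which shows why the size-cluster rule alone is not enough: that DLL had a unique size and was only visible through its BHO registration, which is why the helper's script also removes the CLSID under Browser Helper Objects and the iifgebb Winlogon Notify key. The point is how the list is derived from the log, not automating the deletion; the script still goes through ComboFix as the helper describes.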

agohel1
2007-06-09, 20:03
ComboFix Log

"Ashish" - 2007-06-09 12:50:26 Service Pack 2 NTFS
Command switches used :: ""D:\Documents and Settings\Ashish\Desktop\ComboFix-Do.txt""


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


D:\DOCUME~1\ALLUSE~1\APPLIC~1\vajmfsjo.exe
D:\VundoFix Backups
D:\WINDOWS\system32\bihlfiif.dll
D:\WINDOWS\system32\dditevlc.exe
D:\WINDOWS\system32\fsfuwfuq.dll
D:\WINDOWS\system32\lrkchxtr.dll
D:\WINDOWS\system32\mcivwlqx.dll
D:\WINDOWS\system32\nxifictj.dll
D:\WINDOWS\system32\ootinlnm.exe
D:\WINDOWS\system32\poppo.bak1
D:\WINDOWS\system32\poppo.bak2
D:\WINDOWS\system32\poppo.ini2
D:\WINDOWS\system32\qleuxoqm.dll
D:\WINDOWS\system32\scgmebhm.dll
D:\WINDOWS\system32\syjacebb.dll
D:\WINDOWS\system32\xxdphqqh.exe
D:\WINDOWS\system32\xyjvswme.exe


((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))


2007-06-09 12:17 49,152 --a------ D:\WINDOWS\nircmd.exe
2007-06-08 22:49 524,288 --ah----- D:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-08 14:06 <DIR> d-------- D:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-04 18:51 <DIR> d-------- D:\WINDOWS\system32\SoftwareDistribution
2007-05-22 23:24 <DIR> d-------- D:\spoolerlogs
2007-05-22 19:56 <DIR> d-------- D:\DOCUME~1\Ashish\APPLIC~1\McAfee
2007-05-20 14:59 <DIR> d-------- D:\WINDOWS\SxsCaPendDel
2007-05-16 16:45 4,682 --a------ D:\WINDOWS\system32\npptNT2.sys
2007-05-16 16:44 <DIR> d--h----- D:\WINDOWS\HUL
2007-05-16 16:36 <DIR> d-------- D:\DOCUME~1\Ashish\APPLIC~1\InstallShield
2007-05-14 20:21 <DIR> d-------- D:\Program Files\3DGroove
2007-05-14 20:19 <DIR> dr-h----- D:\DOCUME~1\Pooja\APPLIC~1\yahoo!
2007-05-09 17:58 <DIR> d-------- D:\Program Files\Microsoft CAPICOM 2.1.0.2


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-08 22:19:54 -------- d-----w D:\Program Files\HP
2007-06-08 21:15:56 139,264 ----a-w D:\WINDOWS\system32\hpzjrd01.dll
2007-05-16 20:37:48 -------- d--h--w D:\Program Files\InstallShield Installation Information
2007-05-14 19:27:38 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\teamspeak2
2007-05-11 00:21:23 -------- d-----w D:\Program Files\Wolfenstein - Enemy Territory
2007-05-05 00:05:43 -------- d-----w D:\Program Files\iTunesMiniPlayer.Resources
2007-05-05 00:05:43 -------- d-----w D:\Program Files\iTunesHelper.Resources
2007-05-05 00:05:43 -------- d-----w D:\Program Files\iTunes.Resources
2007-05-05 00:05:37 -------- d-----w D:\Program Files\iPod
2007-05-05 00:05:37 -------- d-----w D:\Program Files\CD Configuration
2007-05-05 00:03:49 -------- d-----w D:\Program Files\QuickTime
2007-05-03 23:32:51 29,184 ----a-w D:\WINDOWS\system32\sstunst2.exe
2007-05-03 23:32:48 249,344 ----a-w D:\WINDOWS\FSScrCtl.exe
2007-05-03 23:30:08 -------- d-----w D:\Program Files\Freeze.com
2007-05-03 10:31:29 -------- d-----w D:\Program Files\Ligos
2007-05-03 09:50:52 -------- d-----w D:\Program Files\GameSpy Arcade
2007-05-03 02:32:35 593 ----a-w D:\WINDOWS\eReg.dat
2007-05-03 00:53:53 12,464 ----a-w D:\WINDOWS\system32\drivers\secdrv.sys
2007-05-02 21:13:58 -------- d-----w D:\Program Files\EA Games
2007-04-29 01:08:14 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\HP
2007-04-28 18:01:58 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\GetRightToGo
2007-04-28 17:52:32 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Lavasoft
2007-04-27 15:25:58 90,112 ----a-w D:\Program Files\iTunesKeyboardCompatibility.dll
2007-04-27 15:25:58 257,088 ----a-w D:\Program Files\iTunesHelper.exe
2007-04-27 15:25:58 232,960 ----a-w D:\Program Files\iTunesOutlookAddIn.dll
2007-04-27 15:25:58 132,672 ----a-w D:\Program Files\iTunesMiniPlayer.dll
2007-04-27 15:25:58 108,608 ----a-w D:\Program Files\iTunesAdmin.dll
2007-04-27 15:25:54 14,672,448 ----a-w D:\Program Files\iTunes.exe
2007-04-27 15:25:52 630,784 ----a-w D:\Program Files\iPodUpdaterExt.dll
2007-04-27 15:25:52 438,272 ----a-w D:\Program Files\CDDBControlApple.dll
2007-04-26 21:43:13 664 ----a-w D:\WINDOWS\system32\d3d9caps.dat
2007-04-24 20:49:12 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Apple Computer
2007-04-23 19:59:37 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Skaya
2007-04-22 01:33:16 16 ----a-w D:\WINDOWS\popcinfo.dat
2007-04-22 01:30:36 720,896 ----a-w D:\WINDOWS\iun6002ev.exe
2007-04-21 20:10:56 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\vlc
2007-04-21 02:18:57 36,734 ----a-w D:\WINDOWS\system32\OggDSuninst.exe
2007-04-21 01:07:27 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Groupworld
2007-04-19 00:35:22 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Ahead
2007-04-18 22:55:07 -------- d-----w D:\DOCUME~1\Ashish\APPLIC~1\Help
2007-04-18 16:12:23 2,854,400 ----a-w D:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w D:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w D:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w D:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w D:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w D:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w D:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w D:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w D:\WINDOWS\system32\wups2.dll
2007-04-17 02:44:20 271,224 ----a-w D:\WINDOWS\system32\mucltui.dll
2007-04-17 02:44:18 208,248 ----a-w D:\WINDOWS\system32\muweb.dll
2007-04-16 23:18:01 -------- d-----w D:\Program Files\MTV Networks
2007-04-15 19:04:57 -------- d--h--r D:\DOCUME~1\Ashish\APPLIC~1\yahoo!
2007-04-04 03:39:03 88,424 ----a-w D:\WINDOWS\hpoins06.dat
2007-03-25 18:41:31 405,504 ----a-w D:\WINDOWS\system32\DVDTool.exe
2007-03-25 18:41:31 233,472 ----a-w D:\WINDOWS\system32\DVDTools.dll
2007-03-25 18:41:31 155,648 ----a-w D:\WINDOWS\system32\RAMASST.exe
2007-03-25 18:41:31 135,168 ----a-w D:\WINDOWS\system32\DVDMenu.dll
2007-03-25 18:41:31 110,592 ----a-w D:\WINDOWS\system32\DVDRAMSV.exe
2007-03-24 01:44:20 1,168 ----a-w D:\WINDOWS\mozver.dat
2007-03-24 01:35:21 0 ----a-w D:\WINDOWS\nsreg.dat
2007-03-24 00:47:34 21,640 ----a-w D:\WINDOWS\system32\emptyregdb.dat
2007-03-17 13:43:01 292,864 ----a-w D:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=D:\Program Files\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:29]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{7DB2D5A0-7241-4E79-B68D-6309F01C5231}=d:\program files\mcafee\virusscan\scriptcl.dll [2006-12-22 17:02]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AudioDeck"="D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe" [2006-11-02 16:57]
"SunJavaUpdateSched"="D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"GrooveMonitor"="D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"HP Software Update"="D:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"QuickTime Task"="D:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="D:\Program Files\iTunesHelper.exe" [2007-04-27 11:25]
"Adobe Reader Speed Launcher"="D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="D:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-17 11:31:07 D:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-03-24 01:29:55 D:\WINDOWS\tasks\McDefragTask.job
2007-04-01 05:00:01 D:\WINDOWS\tasks\McQcTask.job

**************************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-09 12:52:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-09 12:53:53
D:\ComboFix-quarantined-files.txt ... 2007-06-09 12:53
D:\ComboFix2.txt ... 2007-06-09 12:17

--- E O F ---



HJT Log



Logfile of HijackThis v1.99.1
Scan saved at 1:05:14 PM, on 6/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
D:\WINDOWS\System32\smss.exe
D:\WINDOWS\system32\winlogon.exe
D:\WINDOWS\system32\services.exe
D:\WINDOWS\system32\lsass.exe
D:\WINDOWS\system32\Ati2evxx.exe
D:\WINDOWS\system32\svchost.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\spoolsv.exe
D:\WINDOWS\system32\DVDRAMSV.exe
D:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
d:\program files\common files\mcafee\mna\mcnasvc.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
D:\PROGRA~1\McAfee\MSC\mcpromgr.exe
d:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
D:\Program Files\McAfee\MPF\MPFSrv.exe
D:\WINDOWS\system32\HPZipm12.exe
D:\WINDOWS\System32\svchost.exe
D:\WINDOWS\system32\Ati2evxx.exe
d:\PROGRA~1\mcafee.com\agent\mcagent.exe
D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe
D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
D:\Program Files\QuickTime\qttask.exe
D:\Program Files\iTunesHelper.exe
D:\WINDOWS\system32\ctfmon.exe
D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\MSOffice\Office\FINDFAST.EXE
D:\WINDOWS\system32\RAMASST.exe
D:\WINDOWS\FSScrCtl.exe
D:\Program Files\iPod\bin\iPodService.exe
D:\Program Files\Mozilla Firefox\firefox.exe
D:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe
D:\Program Files\HP\Digital Imaging\bin\hpqimzone.exe
D:\WINDOWS\explorer.exe
D:\WINDOWS\system32\notepad.exe
D:\Documents and Settings\Ashish\Desktop\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ijji.com/index.nhn
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - D:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - D:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: scriptproxy - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - d:\program files\mcafee\virusscan\scriptcl.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AudioDeck] D:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [SunJavaUpdateSched] "D:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [GrooveMonitor] "D:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [HP Software Update] D:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "D:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [ctfmon.exe] D:\WINDOWS\system32\ctfmon.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = D:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: Screen Saver Control.lnk = D:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = D:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office Fast Start.lnk = C:\MSOffice\Office\FASTBOOT.EXE
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O4 - Global Startup: Microsoft Office Shortcut Bar.lnk = C:\MSOffice\Office\MSOFFICE.EXE
O4 - Global Startup: RAMASST.lnk = D:\WINDOWS\system32\RAMASST.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://D:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - D:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - D:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - D:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - D:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - D:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - D:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - D:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - D:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - D:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - D:\WINDOWS\system32\DVDRAMSV.exe
O23 - Service: McAfee E-mail Proxy (Emproxy) - McAfee, Inc. - D:\PROGRA~1\COMMON~1\McAfee\EmProxy\emproxy.exe
O23 - Service: iPod Service - Apple Inc. - D:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee HackerWatch Service - McAfee, Inc. - D:\Program Files\Common Files\McAfee\HackerWatch\HWAPI.exe
O23 - Service: McAfee Update Manager (mcmispupdmgr) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcupdmgr.exe
O23 - Service: McAfee Services (mcmscsvc) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcmscsvc.exe
O23 - Service: McAfee Network Agent (McNASvc) - McAfee, Inc. - d:\program files\common files\mcafee\mna\mcnasvc.exe
O23 - Service: McAfee Scanner (McODS) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcods.exe
O23 - Service: McAfee Protection Manager (mcpromgr) - McAfee, Inc. - D:\PROGRA~1\McAfee\MSC\mcpromgr.exe
O23 - Service: McAfee Redirector Service (McRedirector) - McAfee, Inc. - d:\PROGRA~1\COMMON~1\mcafee\redirsvc\redirsvc.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
O23 - Service: McAfee SystemGuards (McSysmon) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcsysmon.exe
O23 - Service: McAfee Personal Firewall Service (MpfService) - McAfee, Inc. - D:\Program Files\McAfee\MPF\MPFSrv.exe
O23 - Service: Pml Driver HPZ12 - HP - D:\WINDOWS\system32\HPZipm12.exe

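The HJT log above is what the helper reads by eye: drive paths, CLSIDs and URLs spread over R0/R1, O2, O4, O16, O20/O21 and O23 entries. As an added example (not HijackThis code and not part of this thread), the Python script below parses those entries and pulls out the ones worth a second look. The trusted-directory prefixes, the always-review sections and the flagging rules are my assumptions for the demo; the sample lines are copied from the log posted above.

```python
"""Triage a HijackThis log: parse the R*/O* entries and pick out the
ones an analyst should look at first.

Added example, not HijackThis code and not from the thread. The trusted
directory prefixes, the always-review sections and the flagging rules
are assumptions for the demo; the sample lines are copied from the HJT
log posted above.
"""
import re
from urllib.parse import urlparse

# Constructed input: lines copied from the posted HJT log.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ijji.com/index.nhn
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - D:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [QuickTime Task] "D:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - Startup: Screen Saver Control.lnk = D:\WINDOWS\FSScrCtl.exe
O4 - Global Startup: Microsoft Office Find Fast Indexer.lnk = C:\MSOffice\Office\FINDFAST.EXE
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} (Groove Control) - http://atv.disney.go.com/global/download/otoy/OTOYAX29b.cab
O20 - Winlogon Notify: WgaLogon - D:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - D:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: ATI Smart - Unknown owner - D:\WINDOWS\system32\ati2sgag.exe
O23 - Service: McAfee Real-time Scanner (McShield) - McAfee, Inc. - D:\PROGRA~1\McAfee\VIRUSS~1\mcshield.exe
"""

ENTRY_RE = re.compile(r"^(?P<code>[RFO]\d{1,2}) - (?P<body>.+)$")
# A drive path up to the first executable-looking extension (handles spaces).
PATH_RE = re.compile(r"[A-Za-z]:\\.+?\.(?:exe|dll|sys|scr|ocx|cpl)\b", re.IGNORECASE)
URL_RE = re.compile(r"https?://\S+")

# Assumption: binaries under these prefixes (drive letter stripped) are not
# interesting on their own; everything else gets a finding.
TRUSTED_DIRS = ("\\windows\\system32\\", "\\program files\\", "\\progra~1\\")
# Assumption: these sections are load points malware likes (protocol handlers,
# Winlogon Notify, ShellServiceObjectDelayLoad), so list them every time.
REVIEW_ALWAYS = {"O18", "O20", "O21"}


def drive_relative(path):
    """Lower-case the path and drop the drive letter so C: and D: compare equal."""
    low = path.lower()
    return low[2:] if re.match(r"^[a-z]:", low) else low


def path_reason(path):
    """Return why a binary path deserves attention, or None if it looks routine."""
    rel = drive_relative(path)
    if any(rel.startswith(p) for p in TRUSTED_DIRS):
        return None
    if rel.startswith("\\windows\\"):
        return "binary sits directly under the Windows directory, not system32"
    if rel.startswith("\\documents and settings\\"):
        return "binary lives in a user profile"
    return "path is outside the usual program directories"


def triage(log_text):
    """Parse HJT entries and return a list of findings (code, reason, item)."""
    findings = []
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # process list, headers, blank lines
        code, body = m.group("code"), m.group("body")
        if code in REVIEW_ALWAYS:
            findings.append({"code": code, "reason": "persistence hook: always review", "item": body})
        for path in PATH_RE.findall(body):
            reason = path_reason(path)
            if reason:
                findings.append({"code": code, "reason": reason, "item": path})
        # HijackThis prints "Unknown owner" when the service binary carries no company name.
        if code == "O23" and "Unknown owner" in body:
            findings.append({"code": code, "reason": "service binary has no publisher name", "item": body})
        for url in URL_RE.findall(body):
            host = urlparse(url).hostname or url
            what = "ActiveX download source" if code == "O16" else "browser home/search URL"
            findings.append({"code": code, "reason": what, "item": host})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['code']:<4} {f['reason']}: {f['item']}")
```

Run stand-alone it prints seven findings from the sample: the start page host, the two O4 entries outside Program Files (FSScrCtl.exe in the Windows root, FINDFAST.EXE on C:), the O16 download host, the O20 and O21 hooks, and the service with no publisher. The McAfee, QuickTime and Yahoo! entries drop out because their binaries sit under Program Files, which is the noise a helper skips when reading by eye. The rules are deliberately crude: a clean binary in the Windows root and an infected one look identical to this script, so a finding means "look at it", not "malware".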
miekiemoes
2007-06-09, 20:36
Hi,

Delete next folder: D:\Qoobox

Next time, be careful with screensavers from Freeze.com and anywhere else, because that's most probably how you got infected. This is because some of these screensavers come bundled with the malware you were dealing with.

Let me know in your next reply how things are now.

agohel1
2007-06-10, 00:14
I did what you said and then ran scans with McAfee, Spybot, and Ad-Aware, and the most they caught was tracking cookies.

Everything seems to be running smoothly.

So thank you very much, I greatly appreciate your help. :bigthumb: :cool:

miekiemoes
2007-06-10, 00:20
Hi,

Please don't worry about tracking cookies. You'll always get them and they will always return. This just depends on what sites you visit.
Everyone has them. They are even present on the MSN start page, Yahoo start page...
You may also want to read the following:
http://www.spywareinfo.com/articles/cookies/
http://www.mvps.org/winhelp2002/cookies.htm

If you want to manage your cookies, you can use the following programs:

For Internet explorer: CookieWall (http://www.analogx.com/contents/download/network/cookie.htm)

For Firefox: CookieSafe (https://addons.mozilla.org/en-US/firefox/addon/2497)

Keep in mind that you're not supposed to block every cookie, because some cookies are required.
Most people don't use an additional cookie manager, because it can be annoying to manually filter all cookies in the beginning, so they clean their cookies once in a while via the "clean cookies" option in their browser settings.

Good to hear everything is ok again. Glad I could help. :)

Please read my Prevention page (http://users.telenet.be/bluepatchy/miekiemoes/prevention.html) with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here (http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html).

Happy Surfing again!