PDA

View Full Version : Smitfraud, Virtumonde...other probably



Xaphire
2007-06-11, 23:39
I need help cleaning my system up!

eTrust Anti-Virus Web Scanner Log:
cnte-dhncgts.jar-2529c97d-49e9d65c.zip>BnnnnBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Aaron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
cnte-dhncgts.jar-2529c97d-49e9d65c.zip>VaannnaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Aaron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
auwhxfgn.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
ayqliwsk.dll Win32/Vundo.CR infected C:\WINDOWS\system32\
dlwgnnde.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
fekylrke.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
fggawphb.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
ixumbjsk.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
kbgmejgt.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
kobvcpfr.dll Win32/Darksma!generic infected C:\WINDOWS\system32\
mtxuwpcy.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
npggmqny.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
qyxlhtpj.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
schvusdd.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
senrgpwr.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
urqonom.dll Win32/Chisyne!generic infected C:\WINDOWS\system32\
vdfifxfk.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
vtutu.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
wxydnfcn.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
xgtyhpkl.dll Win32/Vundo!generic infected C:\WINDOWS\system32\
xvyapawx.dll Win32/Darksma.AZ infected C:\WINDOWS\system32\
ypavcqfi.dll Win32/Vundo!generic infected C:\WINDOWS\system32\


HijackThisLog:

Logfile of HijackThis v1.99.1
Scan saved at 5:39:02 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\system32\j9231133.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O1 - Hosts: localhost 127.0.0.1
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\rnxxwscf.dll",realset
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [SpyMarshal] C:\Program Files\SpyMarshal\SpyMarshal.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D62D919-5B8E-469E-A7F6-6E93A29EDD7F}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC9D2290-111C-4921-A025-2ECC3040356E}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 85.255.116.117,85.255.112.190
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j9231133.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Xaphire
2007-06-11, 23:48
After reading a few of the other posts, I've downloaded VundoFix.

Running that right now, will post new logs ASAP

Xaphire
2007-06-12, 01:11
New logs:

eTrust Virus Scan

(These are post-VundoFix, the files still showed, but they're in the back up folder - Also, I ran the clean function this run and nothing could be cleaned.)

cnte-dhncgts.jar-2529c97d-49e9d65c.zip>BnnnnBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Aaron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
cnte-dhncgts.jar-2529c97d-49e9d65c.zip>VaannnaaBaa.class Java/ByteVerify!exploit infected C:\Documents and Settings\Aaron\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\
auwhxfgn.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
ayqliwsk.dll.bad Win32/Vundo.CR infected C:\VundoFix Backups\
dlwgnnde.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
fekylrke.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
fggawphb.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
ixumbjsk.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
kbgmejgt.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
kobvcpfr.dll.bad Win32/Darksma!generic infected C:\VundoFix Backups\
mtxuwpcy.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
npggmqny.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
qyxlhtpj.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
schvusdd.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
senrgpwr.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
urqonom.dll.bad Win32/Chisyne!generic infected C:\VundoFix Backups\
vdfifxfk.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
vtutu.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
wxydnfcn.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
xgtyhpkl.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\
xvyapawx.dll.bad Win32/Darksma.AZ infected C:\VundoFix Backups\
ypavcqfi.dll.bad Win32/Vundo!generic infected C:\VundoFix Backups\

HijackThisLog

Logfile of HijackThis v1.99.1
Scan saved at 7:11:22 PM, on 6/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16441)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O1 - Hosts: localhost 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2115A559-EFFA-461D-8BEB-865CA4F509Df} - C:\WINDOWS\system32\wthvqxxs.dll
O2 - BHO: (no name) - {39D72957-8E2D-4B3F-9F1A-4B6E98EB9DD4} - C:\WINDOWS\system32\mljjg.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5AF4416F-CB69-42A9-AA66-497DB7B2A60B} - C:\WINDOWS\system32\vtutu.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: (no name) - {D379F00F-37E7-4DD7-B730-16D2E016E7FA} - C:\WINDOWS\system32\sstqn.dll (file missing)
O2 - BHO: (no name) - {DC3E5A16-C974-40AA-8DDB-3C2C294BCC7C} - C:\WINDOWS\system32\mllml.dll (file missing)
O2 - BHO: (no name) - {E12BFF69-38A7-406e-A8EF-2738107A7831} - C:\WINDOWS\system32\iqqbsasd.dll (file missing)
O3 - Toolbar: (no name) - {53E0B6E8-A51D-448B-B692-40B67B285543} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\rnxxwscf.dll",realset
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [UnSpyPC] "C:\Program Files\UnSpyPC\UnSpyPC.exe"
O4 - HKCU\..\Run: [SpyMarshal] C:\Program Files\SpyMarshal\SpyMarshal.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - Startup: LimeWire On Startup.lnk = C:\Program Files\LimeWire\LimeWire.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{7D62D919-5B8E-469E-A7F6-6E93A29EDD7F}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC9D2290-111C-4921-A025-2ECC3040356E}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CS1\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 85.255.116.117,85.255.112.190
O17 - HKLM\System\CS2\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 85.255.116.117,85.255.112.190
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: mljjg - C:\WINDOWS\system32\mljjg.dll (file missing)
O20 - Winlogon Notify: mllml - C:\WINDOWS\system32\mllml.dll (file missing)
O20 - Winlogon Notify: sstqn - C:\WINDOWS\system32\sstqn.dll (file missing)
O20 - Winlogon Notify: WB - C:\Program Files\Stardock\Object Desktop\ThemeManager\fastload.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j9231133.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Xaphire
2007-06-12, 16:58
Just realized I forgot to post the VundoFix.txt

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.11

Scan started at 5:45:47 PM 6/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\abwsmbob.dll
C:\windows\system32\auwhxfgn.dll
C:\windows\system32\ayqliwsk.dll
C:\windows\system32\dlwgnnde.dll
C:\windows\system32\fekylrke.dll
C:\windows\system32\fggawphb.dll
C:\WINDOWS\system32\gjjlm.bak1
C:\WINDOWS\system32\gjjlm.bak2
C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\ignjmdni.dll
C:\windows\system32\ixumbjsk.dll
C:\windows\system32\j9231133.exe
C:\windows\system32\kbgmejgt.dll
C:\WINDOWS\system32\kobvcpfr.dll
C:\windows\system32\kswilqya.ini
C:\WINDOWS\system32\mjbbtpbn.dll
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mllml.dll
C:\windows\system32\mtxuwpcy.dll
C:\windows\system32\ncykgjbs.exe
C:\WINDOWS\system32\njwfjcph.dll
C:\windows\system32\npggmqny.dll
C:\windows\system32\odvtybau.ini
C:\windows\system32\qyxlhtpj.dll
C:\windows\system32\schvusdd.dll
C:\windows\system32\senrgpwr.dll
C:\WINDOWS\system32\sstqn.dll
C:\windows\system32\uabytvdo.dll
C:\WINDOWS\system32\urqonom.dll
C:\windows\system32\ututv.bak1
C:\windows\system32\ututv.bak2
C:\windows\system32\ututv.ini
C:\windows\system32\vdfifxfk.dll
C:\windows\system32\vhufokuo.exe
C:\WINDOWS\system32\vtutu.dll
C:\windows\system32\wxydnfcn.dll
C:\windows\system32\xgtyhpkl.dll
C:\WINDOWS\system32\xvyapawx.dll
C:\windows\system32\ypavcqfi.dll

Beginning removal...

Attempting to delete C:\windows\system32\auwhxfgn.dll
C:\windows\system32\auwhxfgn.dll Has been deleted!

Attempting to delete C:\windows\system32\ayqliwsk.dll
C:\windows\system32\ayqliwsk.dll Has been deleted!

Attempting to delete C:\windows\system32\dlwgnnde.dll
C:\windows\system32\dlwgnnde.dll Has been deleted!

Attempting to delete C:\windows\system32\fekylrke.dll
C:\windows\system32\fekylrke.dll Has been deleted!

Attempting to delete C:\windows\system32\fggawphb.dll
C:\windows\system32\fggawphb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjjlm.bak1
C:\WINDOWS\system32\gjjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjjlm.bak2
C:\WINDOWS\system32\gjjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\gjjlm.ini
C:\WINDOWS\system32\gjjlm.ini Has been deleted!

Attempting to delete C:\windows\system32\ixumbjsk.dll
C:\windows\system32\ixumbjsk.dll Has been deleted!

Attempting to delete C:\windows\system32\j9231133.exe
C:\windows\system32\j9231133.exe Could not be deleted.

Attempting to delete C:\windows\system32\kbgmejgt.dll
C:\windows\system32\kbgmejgt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kobvcpfr.dll
C:\WINDOWS\system32\kobvcpfr.dll Has been deleted!

Attempting to delete C:\windows\system32\kswilqya.ini
C:\windows\system32\kswilqya.ini Has been deleted!

Attempting to delete C:\windows\system32\mtxuwpcy.dll
C:\windows\system32\mtxuwpcy.dll Has been deleted!

Attempting to delete C:\windows\system32\ncykgjbs.exe
C:\windows\system32\ncykgjbs.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\njwfjcph.dll
C:\WINDOWS\system32\njwfjcph.dll Has been deleted!

Attempting to delete C:\windows\system32\npggmqny.dll
C:\windows\system32\npggmqny.dll Has been deleted!

Attempting to delete C:\windows\system32\odvtybau.ini
C:\windows\system32\odvtybau.ini Has been deleted!

Attempting to delete C:\windows\system32\qyxlhtpj.dll
C:\windows\system32\qyxlhtpj.dll Has been deleted!

Attempting to delete C:\windows\system32\schvusdd.dll
C:\windows\system32\schvusdd.dll Has been deleted!

Attempting to delete C:\windows\system32\senrgpwr.dll
C:\windows\system32\senrgpwr.dll Has been deleted!

Attempting to delete C:\windows\system32\uabytvdo.dll
C:\windows\system32\uabytvdo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\urqonom.dll
C:\WINDOWS\system32\urqonom.dll Could not be deleted.

Attempting to delete C:\windows\system32\ututv.bak1
C:\windows\system32\ututv.bak1 Has been deleted!

Attempting to delete C:\windows\system32\ututv.bak2
C:\windows\system32\ututv.bak2 Has been deleted!

Attempting to delete C:\windows\system32\ututv.ini
C:\windows\system32\ututv.ini Has been deleted!

Attempting to delete C:\windows\system32\vdfifxfk.dll
C:\windows\system32\vdfifxfk.dll Has been deleted!

Attempting to delete C:\windows\system32\vhufokuo.exe
C:\windows\system32\vhufokuo.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\vtutu.dll Could not be deleted.

Attempting to delete C:\windows\system32\wxydnfcn.dll
C:\windows\system32\wxydnfcn.dll Has been deleted!

Attempting to delete C:\windows\system32\xgtyhpkl.dll
C:\windows\system32\xgtyhpkl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xvyapawx.dll
C:\WINDOWS\system32\xvyapawx.dll Has been deleted!

Attempting to delete C:\windows\system32\ypavcqfi.dll
C:\windows\system32\ypavcqfi.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\j9231133.exe
C:\windows\system32\j9231133.exe Could not be deleted.

Attempting to delete C:\WINDOWS\system32\urqonom.dll
C:\WINDOWS\system32\urqonom.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\vtutu.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.11

Scan started at 5:55:39 PM 6/11/2007

Listing files found while scanning....

C:\windows\system32\j9231133.exe
C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\sstqn.dll

Beginning removal...

Attempting to delete C:\windows\system32\j9231133.exe
C:\windows\system32\j9231133.exe Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lmllm.bak1
C:\WINDOWS\system32\lmllm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\lmllm.bak2
C:\WINDOWS\system32\lmllm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\lmllm.ini
C:\WINDOWS\system32\lmllm.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\j9231133.exe
C:\windows\system32\j9231133.exe Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.11

Scan started at 6:04:28 PM 6/11/2007

Listing files found while scanning....

C:\windows\system32\j9231133.exe
C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\nqtss.tmp
C:\WINDOWS\system32\sstqn.dll

Beginning removal...

Attempting to delete C:\windows\system32\j9231133.exe
C:\windows\system32\j9231133.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.bak1
C:\WINDOWS\system32\nqtss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.bak2
C:\WINDOWS\system32\nqtss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.ini
C:\WINDOWS\system32\nqtss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\nqtss.tmp
C:\WINDOWS\system32\nqtss.tmp Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.11

Scan started at 7:12:51 PM 6/11/2007

Listing files found while scanning....

C:\WINDOWS\system32\mljjg.dll
C:\WINDOWS\system32\mllml.dll
C:\WINDOWS\system32\sstqn.dll

Beginning removal...

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:17:25 PM 6/11/2007

Listing files found while scanning....

No infected files were found.

Xaphire
2007-06-13, 16:31
it's been two days.... ; ;

Mr_JAk3
2007-06-14, 22:21
Hello and welcome to the Forums :)

You're infected.

You may want to print out these instructions for reference, since you will have to restart your computer during the fix.

Please download FixWareout from one of these sites:
http://downloads.subratam.org/Fixwareout.exe
http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

At the end of the fix, you may need to restart your computer again.

Finally, please post a fresh HijackThis log, along with the contents of the logfile C:\fixwareout\report.txt


1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Xaphire
2007-06-15, 06:40
report.txt from: Fixwareout.exe


Fixwareout Last edited 5/15/2007
Post this report in the forums please
...
»»»»»Prerun check
HKLM\SOFTWARE\~\Winlogon\ "System"="csily.exe"

»»»»»

»»»»» Postrun check
HKLM\SOFTWARE\~\Winlogon\ "system"=""
....
....
»»»»» Misc files.
....
»»»»» Checking for older varients.
....

Search five digit cs, dm, kd, jb, other, files.
The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.


Click browse, find the file then click submit.
http://www.virustotal.com/flash/index_en.html
Or http://virusscan.jotti.org/

»»»»» Other

»»»»» Current runs
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"SunKist"="C:\\Program Files\\Digital Media Reader\\shwicon2k.exe"
"HP Software Update"="C:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe"
"DAEMON Tools"="\"C:\\Program Files\\DAEMON Tools\\daemon.exe\" -lang 1033"
"CONNECTScheduler"="\"C:\\Program Files\\Sony\\CONNECTAutoUpdate\\CONNECTScheduler.exe\" /RUN_SCHEDULER"
"Adobe Photo Downloader"="\"C:\\Program Files\\Adobe\\Photoshop Album Starter Edition\\3.0\\Apps\\apdproxy.exe\""
"ATIPTA"="atiptaxx.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"msnmsgr"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
....
Hosts file was reset, If you use a custom hosts file please replace it
»»»»» End report »»»»»

Logfile of HijackThis v1.99.1
Scan saved at 12:40:18 AM, on 6/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Digital Media Reader\shwicon2k.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?linkid=677
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [SunKist] C:\Program Files\Digital Media Reader\shwicon2k.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKLM\..\Run: [CONNECTScheduler] "C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" /RUN_SCHEDULER
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [ATIPTA] atiptaxx.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: Add to Windows &Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{AC9D2290-111C-4921-A025-2ECC3040356E}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{24E757F6-73FC-44B4-82AB-8809D857ACEA}: NameServer = 207.68.160.190 194.25.2.129 208.67.222.222 ,207.68.160.190 194.25.2.129 208.67.222.222
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: dns cache reader (DNSCacheReader) - Unknown owner - C:\WINDOWS\system32\j9231133.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Sony SCSI Helper Service - Sony Corporation - C:\Program Files\Common Files\Sony Shared\Fsk\SonySCSIHelperService.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe

Xaphire
2007-06-15, 06:49
ComboFix 07-06-13.3 - C:\Documents and Settings\Aaron\Desktop\ComboFix.exe
"Aaron" - 2007-06-15 0:43:42 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-15 to 2007-06-15 )))))))))))))))))))))))))))))))


2007-06-15 00:34 7,616 --a------ C:\dnsbak.reg
2007-06-13 18:49 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-12 11:00 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-11 22:12 2,560 --a------ C:\WINDOWS\_MSRSTRT.EXE
2007-06-11 20:27 <DIR> d-------- C:\Program Files\Continuum
2007-06-11 15:56 <DIR> d-------- C:\Hijackthis
2007-06-10 09:23 <DIR> d-------- C:\Program Files\iPod
2007-06-10 09:22 <DIR> d-------- C:\Program Files\iTunes
2007-05-29 16:35 <DIR> d-------- C:\DOCUME~1\Aaron\APPLIC~1\dvdcss
2007-05-28 19:48 <DIR> d-------- C:\Program Files\Mage Calculator
2007-05-20 16:27 81,768 --a------ C:\WINDOWS\system32\xinput1_3.dll
2007-05-20 16:27 443,752 --a------ C:\WINDOWS\system32\d3dx10_33.dll
2007-05-20 16:27 3,495,784 --a------ C:\WINDOWS\system32\d3dx9_33.dll
2007-05-20 16:27 3,426,072 --a------ C:\WINDOWS\system32\d3dx9_32.dll
2007-05-20 16:27 261,480 --a------ C:\WINDOWS\system32\xactengine2_7.dll
2007-05-20 16:27 255,848 --a------ C:\WINDOWS\system32\xactengine2_6.dll
2007-05-20 16:27 251,672 --a------ C:\WINDOWS\system32\xactengine2_5.dll
2007-05-20 16:27 1,123,696 --a------ C:\WINDOWS\system32\D3DCompiler_33.dll
2007-05-20 16:26 62,744 --a------ C:\WINDOWS\system32\xinput1_2.dll
2007-05-20 16:26 237,848 --a------ C:\WINDOWS\system32\xactengine2_4.dll
2007-05-20 16:26 236,824 --a------ C:\WINDOWS\system32\xactengine2_3.dll
2007-05-20 16:26 2,414,360 --a------ C:\WINDOWS\system32\d3dx9_31.dll
2007-05-20 16:26 2,297,552 --a------ C:\WINDOWS\system32\d3dx9_26.dll
2007-05-20 16:26 15,128 --a------ C:\WINDOWS\system32\x3daudio1_1.dll
2007-05-20 16:22 <DIR> d--h----- C:\WINDOWS\msdownld.tmp


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-15 00:13:11 -------- d-----r C:\Program Files\World of Warcraft
2007-06-13 21:33:24 -------- d-----w C:\Program Files\Windows Media Connect 2
2007-06-12 01:13:38 -------- d-----w C:\Program Files\Google
2007-05-22 17:26:26 1,890 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-22 17:25:46 56 --sha-r C:\WINDOWS\system32\C3700FCD9C.sys
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 20:52:44 -------- d-----w C:\DOCUME~1\Aaron\APPLIC~1\cYo
2007-05-12 20:51:20 -------- d-----w C:\Program Files\ComicRack
2007-05-10 20:02:09 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-06 18:44:28 -------- d-----w C:\Program Files\QuickTime
2007-05-06 18:20:33 -------- d-----w C:\Program Files\Apple Software Update
2007-04-25 19:25:57 -------- d-----w C:\Program Files\MSN Messenger
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 01:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 01:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 01:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 01:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 01:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 01:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 01:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 01:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 01:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 01:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-15 13:23:17 -------- d-----w C:\Program Files\Windows Live Toolbar
2007-04-15 13:13:00 -------- d-----w C:\Program Files\Online Services
2007-04-15 05:30:12 -------- d-----w C:\Program Files\Stardock
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 20:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPLpr"="C:\Program Files\Synaptics\SynTP\SynTPLpr.exe" [2004-10-08 15:44]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2004-10-08 15:43]
"SunKist"="C:\Program Files\Digital Media Reader\shwicon2k.exe" [2004-05-26 18:57]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2005-12-10 11:57]
"CONNECTScheduler"="C:\Program Files\Sony\CONNECTAutoUpdate\CONNECTScheduler.exe" [2006-03-22 22:00]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"ATIPTA"="atiptaxx.exe" [2006-02-21 22:05 C:\WINDOWS\system32\atiptaxx.exe]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-04-20 15:57]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-06-27 08:41]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-06-01 16:51]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-14 17:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 09:00]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 12:54]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 09:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]



Contents of the 'Scheduled Tasks' folder
2007-06-10 09:58:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-15 00:47:34
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-15 0:48:32

--- E O F ---

Mr_JAk3
2007-06-15, 22:16
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

open AVG Anti-Spyware:
On the main screen under Your Computer's security.
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update succesfull message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

==================

Disable the bad service
Start
Run
Type services.msc to the field and press enter.
A window opens, scroll down to dns cache reader (DNSCacheReader)
Rightclick it and choose Stop
Then choose Properties
Set Startup to Disabled
Click Apply and OK.

Then, open HijackThis.
Open the Misc Tools section
Delete an NT service
Copy the following line to the box and press OK; DNSCacheReader
Answer Yes
Close HIjackThis

Now lets check some settings on your system.
(2000/XP) Only
In the windows control panel. If you are using Windows XP's Category View, select the Network and Internet Connections category otherwise double click on Network Connections. Then right click on your default connection, usually local area connection for cable and dsl, and left click on properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio dial that says Obtain DNS servers automatically
Press OK twice to get out of the properties screen and reboot if it asks.
That option might not be avaiable on some systems
Next Go start run type cmd and hit OK
type
ipconfig /flushdns
then hit enter, type exit hit enter
(that space between g and / is needed)

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\j9231133.exe

Run ATF Cleaner Under Main choose: Select All
Click the Empty Selected button.
If you use Firefox browserClick Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browserClick Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log

tashi
2007-06-27, 05:11
Due to lack of a response, this topic has been archived.

If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.