Need help removing Smitfraud core and other crap



Doom Saber
2007-06-20, 10:24
Hello,

I downloaded a movie file on the web and once I opened it, a crap load of $(*# happened. First, it installed something called Outerinfo (which I removed using the uninstall file; I followed an instruction online) and I think Spybot got rid of Vundo since VundoFix cannot find anything.

However, I still get pop-up ads, which is strange since I thought uninstalling Outerinfo would remove them.

I used Search and Destroy over and over again. The program found that it cannot remove Smitfraud-C core service and Virtumonde. Please help me remove them.

Below is a log from HijackThis:

Logfile of HijackThis v1.99.1
Scan saved at 1:20:00 AM, on 6/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\Program Files\Norton Ghost\Agent\VProSvc.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\ehome\ehtray.exe
E:\WINDOWS\system32\RunDll32.exe
E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
E:\PROGRA~1\Yahoo!\YOP\yop.exe
E:\Program Files\Yahoo!\Antivirus\CAVTray.exe
E:\Program Files\Yahoo!\Antivirus\CAVRID.exe
E:\Program Files\Norton Ghost\Agent\VProTray.exe
E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
E:\Program Files\NCSoft\Launcher\NCLauncher.exe
E:\Program Files\WinPop\winpop.exe
E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\WINDOWS\system32\wuauclt.exe
E:\WINDOWS\eHome\ehmsas.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
E:\Program Files\Internet Explorer\IEXPLORE.EXE
E:\WINDOWS\system32\svchost.exe
E:\Documents and Settings\User1\Desktop\VundoFix.exe
I:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://www.yahoo.com/search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by SBC Yahoo! DSL
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - E:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {42E87A01-10E0-4A01-B341-FBFEE9710873} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {80D58424-520F-44D6-9A95-F3542362A71C} - \
O2 - BHO: (no name) - {9bd5e92a-b02d-492f-8b98-4e4e30c173eb} - E:\WINDOWS\system32\yxeufnw.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - E:\WINDOWS\system32\nnnnljg.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {FE654E92-9D9D-4654-AAD7-27A9DE810007} - \
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [ehTray] E:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "E:\WINDOWS\system32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [YBrowser] E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "E:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [YOP] E:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [CaAvTray] "E:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "E:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [{ZN}] E:\DOCUME~1\User1\LOCALS~1\Temp\thinksnet.exe CHD003
O4 - HKLM\..\RunOnce: [SpybotSnD] "E:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PlayNC Launcher] E:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [igndlm.exe] h:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O4 - HKCU\..\Run: [WebBuying] E:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - HKCU\..\Run: [WinPop] E:\Program Files\WinPop\winpop.exe
O4 - Startup: TA_Start.lnk = E:\Documents and Settings\User1\Local Settings\Temp\thinksnet.exe
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Word Racer - http://download2.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O20 - Winlogon Notify: nnnnljg - E:\WINDOWS\SYSTEM32\nnnnljg.dll
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

Doom Saber
2007-06-21, 01:57
Can anyone help? Thanks

Doom Saber
2007-06-21, 08:09
http://img.photobucket.com/albums/v201/doomsaber/pic.jpg

Shaba
2007-06-25, 14:24
Hi Doom Saber

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files; click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link2 (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe)
2. Double-click ComboFix.exe and follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- vundofix report

Doom Saber
2007-06-26, 01:08
Logfile of HijackThis v1.99.1
Scan saved at 4:07:26 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\WINDOWS\Explorer.EXE
E:\WINDOWS\system32\RunDll32.exe
E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
E:\PROGRA~1\Yahoo!\YOP\yop.exe
E:\Program Files\Yahoo!\Antivirus\CAVTray.exe
E:\Program Files\Yahoo!\Antivirus\CAVRID.exe
E:\Program Files\Norton Ghost\Agent\VProTray.exe
E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\NCSoft\Launcher\NCLauncher.exe
I:\aawservice.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\Program Files\Norton Ghost\Agent\VProSvc.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\dllhost.exe
I:\Ad-Aware2007.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\internet explorer\iexplore.exe
E:\WINDOWS\system32\NOTEPAD.EXE
E:\Program Files\internet explorer\iexplore.exe
E:\Documents and Settings\User1\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - E:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {42E87A01-10E0-4A01-B341-FBFEE9710873} - \
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {80D58424-520F-44D6-9A95-F3542362A71C} - \
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9bd5e92a-b02d-492f-8b98-4e4e30c173eb} - E:\WINDOWS\system32\yxeufnw.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {EDA4AEFF-BA3C-4CEB-979A-D0B3F6A6601D} - \
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {FE654E92-9D9D-4654-AAD7-27A9DE810007} - \
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [YBrowser] E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "E:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [YOP] E:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [CaAvTray] "E:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "E:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PlayNC Launcher] E:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [igndlm.exe] h:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Word Racer - http://download2.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - I:\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

---------------
VundoFix V6.5.1

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 12:47:10 AM 6/20/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.1

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 1:13:30 AM 6/20/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.1

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 12:11:00 AM 6/21/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V6.5.1

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 3:50:09 PM 6/25/2007

Listing files found while scanning....

E:\windows\system32\edbnxbcd.exe

Beginning removal...

Attempting to delete E:\windows\system32\edbnxbcd.exe
E:\windows\system32\edbnxbcd.exe Has been deleted!

Performing Repairs to the registry.
Done!

Doom Saber
2007-06-26, 01:09
"User1" - 2007-06-25 15:35:35 - ComboFix 07-06-25.3 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


E:\WINDOWS\system32\rqrqppo.dll
E:\WINDOWS\system32\ssqrpqr.dll
E:\WINDOWS\system32\opnljkj.dll
E:\WINDOWS\system32\winwky32.dll
E:\WINDOWS\system32\qstwa.bak1
E:\WINDOWS\system32\qstwa.bak2
E:\WINDOWS\system32\qstwa.ini
E:\WINDOWS\system32\qstwa.bak1
E:\WINDOWS\system32\qstwa.bak2
E:\WINDOWS\system32\qstwa.ini
E:\WINDOWS\system32\awtsq.dll
E:\WINDOWS\system32\nnnnljg.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\DOCUME~1\User1\APPLIC~1.\.rdr.ini
E:\DOCUME~1\User1\Desktop.\internet explorer.lnk
E:\Program Files\Common Files\Yazzle1162OinAdmin.exe
E:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
E:\Program Files\web buying
E:\Program Files\web buying\v1.7.4\wbuninst.exe
E:\Program Files\web buying\v1.7.4\webbuying.exe
E:\Program Files\winpop
E:\Program Files\winpop\UnInstall.exe
E:\Program Files\winpop\winpop.exe
E:\WINDOWS\180ax.exe
E:\WINDOWS\2020search.dll
E:\WINDOWS\2020search2.dll
E:\WINDOWS\764.exe
E:\WINDOWS\7search.dll
E:\WINDOWS\avp.exe
E:\WINDOWS\b122.exe
E:\WINDOWS\bi.dll
E:\WINDOWS\biprep.exe
E:\WINDOWS\bjam.dll
E:\WINDOWS\bokja.exe
E:\WINDOWS\cdsm32.dll
E:\WINDOWS\cfg32o.dll
E:\WINDOWS\cfg32r.dll
E:\WINDOWS\cfg32s.dll
E:\WINDOWS\cs_cache.ini
E:\WINDOWS\flt.dll
E:\WINDOWS\itpb_11.exe
E:\WINDOWS\itpb_3.exe
E:\WINDOWS\mgrs.exe
E:\WINDOWS\mspphe.dll
E:\WINDOWS\mssvr.exe
E:\WINDOWS\pbar.dll
E:\WINDOWS\saiemod.dll
E:\WINDOWS\salm.exe
E:\WINDOWS\satmat.exe
E:\WINDOWS\start.exe
E:\WINDOWS\stcloader.exe
E:\WINDOWS\susp.exe
E:\WINDOWS\swin32.dll
E:\WINDOWS\system32\dnsersnd.dll
E:\WINDOWS\system32\drivers\core.cache.dsk
E:\WINDOWS\system32\drivers\core.sys
E:\WINDOWS\system32\gtv_sd.bin
E:\WINDOWS\system32\ipv6mons.dll
E:\WINDOWS\system32\ldpackage.dll
E:\WINDOWS\system32\model.dat
E:\WINDOWS\system32\msdn_lib.dll
E:\WINDOWS\system32\msixu.dll
E:\WINDOWS\system32\o02PrEz
E:\WINDOWS\system32\o02PrEz\o02PrEz1065.exe
E:\WINDOWS\system32\o05PrEz
E:\WINDOWS\system32\rlls.dll
E:\WINDOWS\system32\rlvknlg.exe
E:\WINDOWS\system32\rlxf.dll
E:\WINDOWS\system32\S2
E:\WINDOWS\system32\S2\mwspasrt83122.exe
E:\WINDOWS\system32\S4
E:\WINDOWS\system32\S4\wen2.exe
E:\WINDOWS\system32\S6
E:\WINDOWS\system32\S7
E:\WINDOWS\system32\silc_dll.dll
E:\WINDOWS\system32\vxddsk.exe
E:\WINDOWS\system32\wer8274.dll
E:\WINDOWS\system32\win
E:\WINDOWS\system32\wml.exe
E:\WINDOWS\system32\wmvds32.dll
E:\WINDOWS\system32\wnsapii.exe
E:\WINDOWS\temp\salm.exe
E:\WINDOWS\uninst2.htm
E:\WINDOWS\unist1.htm
E:\WINDOWS\updatetc.exe
E:\WINDOWS\vcttc012.exe
E:\WINDOWS\voiceip.dll
E:\WINDOWS\wml.exe
E:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-05-25 to 2007-06-25 )))))))))))))))))))))))))))))))


2007-06-25 15:33 49,152 --a------ E:\WINDOWS\nircmd.exe
2007-06-25 15:08 122,944 --a------ E:\WINDOWS\system32\kdfgjana.exe
2007-06-25 15:05 8,464 --a------ E:\WINDOWS\system32\sporder.dll
2007-06-25 15:05 25,088 --a------ E:\WINDOWS\vxddsk.exe
2007-06-25 15:05 122,944 --a------ E:\WINDOWS\system32\xsxraror.exe
2007-06-25 14:09 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-25 14:08 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-06-25 13:59 2,624 --a------ E:\WINDOWS\system32\edbnxbcd.exe
2007-06-25 13:59 122,944 --a------ E:\WINDOWS\system32\fsdceshn.exe
2007-06-24 17:04 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\LEGO Company
2007-06-24 17:04 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-20 00:47 <DIR> d-------- E:\VundoFix Backups
2007-06-20 00:29 524,288 --ah----- E:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-20 00:16 3,216 --a------ E:\WINDOWS\system32\tmp.reg
2007-06-20 00:06 53,248 --a------ E:\WINDOWS\system32\Process.exe
2007-06-20 00:06 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
2007-06-20 00:06 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2007-06-19 23:28 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-19 23:12 172,544 --a------ E:\WINDOWS\system32\yxeufnw.dll
2007-06-19 23:11 <DIR> d-------- E:\Fantastic Four Rise of the Silver Surfer (2007) mVs iNT TELESYNC KvCD Hockney(TUS Release)
2007-06-18 15:09 4,682 --a------ E:\WINDOWS\system32\npptNT2.sys
2007-06-18 13:57 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\IGN_DLM
2007-06-18 13:48 <DIR> d-------- E:\Program Files\BitTornado
2007-06-18 13:48 <DIR> d-------- E:\fpfp-spd
2007-06-18 13:48 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\.BitTornado
2007-06-18 07:11 <DIR> d-------- E:\Program Files\NCSoft
2007-06-18 07:11 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\InstallShield
2007-06-18 06:46 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\GetRightToGo
2007-06-17 01:37 <DIR> d-------- E:\Program Files\Advanced GIF Animator
2007-06-15 13:31 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\AdobeUM
2007-06-15 12:43 53,248 --a------ E:\WINDOWS\uni_eh43.exe
2007-06-15 12:42 53,248 --a------ E:\WINDOWS\uninst1014.exe
2007-06-14 04:54 163,840 --a------ E:\Program Files\TTC.dll
2007-06-05 12:32 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-05 11:08 <DIR> d-------- E:\Program Files\Nero
2007-06-04 15:18 9,344 --a------ E:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ E:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ E:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-04 14:30 <DIR> d-------- E:\DOCUME~1\User1\Shared
2007-06-04 14:30 <DIR> d-------- E:\DOCUME~1\User1\Incomplete
2007-06-04 14:30 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\LimeWire
2007-06-04 10:03 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\Ahead
2007-06-04 10:03 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-03 21:17 81,768 --a------ E:\WINDOWS\system32\xinput1_3.dll
2007-06-03 21:17 443,752 --a------ E:\WINDOWS\system32\d3dx10_33.dll
2007-06-03 21:17 3,495,784 --a------ E:\WINDOWS\system32\d3dx9_33.dll
2007-06-03 21:17 3,426,072 --a------ E:\WINDOWS\system32\d3dx9_32.dll
2007-06-03 21:17 261,480 --a------ E:\WINDOWS\system32\xactengine2_7.dll
2007-06-03 21:17 255,848 --a------ E:\WINDOWS\system32\xactengine2_6.dll
2007-06-03 21:17 251,672 --a------ E:\WINDOWS\system32\xactengine2_5.dll
2007-06-03 21:17 1,123,696 --a------ E:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-03 21:16 62,744 --a------ E:\WINDOWS\system32\xinput1_2.dll
2007-06-03 21:16 237,848 --a------ E:\WINDOWS\system32\xactengine2_4.dll
2007-06-03 21:16 236,824 --a------ E:\WINDOWS\system32\xactengine2_3.dll
2007-06-03 21:16 2,414,360 --a------ E:\WINDOWS\system32\d3dx9_31.dll
2007-06-03 21:16 2,297,552 --a------ E:\WINDOWS\system32\d3dx9_26.dll
2007-06-03 21:16 15,128 --a------ E:\WINDOWS\system32\x3daudio1_1.dll
2007-06-01 20:07 37,864 --a------ E:\WINDOWS\system32\drivers\v2imount.sys
2007-06-01 20:07 15,664 --a------ E:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2007-06-01 20:07 14,072 --a------ E:\WINDOWS\system32\drivers\vproeventmonitor.sys
2007-06-01 20:07 131,944 --a------ E:\WINDOWS\system32\drivers\symsnap.sys
2007-06-01 20:07 128,104 --a------ E:\WINDOWS\system32\drivers\WimFltr.sys
2007-06-01 20:07 109,360 --a------ E:\WINDOWS\system32\GEARAspi.dll
2007-06-01 20:07 <DIR> d----c--- E:\WINDOWS\system32\DRVSTORE
2007-06-01 20:06 1,060,864 --a------ E:\WINDOWS\system32\MFC71.DLL
2007-06-01 20:06 <DIR> d-------- E:\Program Files\Symantec
2007-06-01 20:06 <DIR> d-------- E:\Program Files\Norton Ghost
2007-05-31 23:52 <DIR> d-------- E:\WINDOWS\system32\appmgmt
2007-05-31 23:48 <DIR> d---s---- E:\DOCUME~1\User1\UserData
2007-05-31 19:09 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-31 19:05 74,864 --a------ E:\WINDOWS\system32\VetRedir.dll
2007-05-31 19:05 26,787 --a------ E:\WINDOWS\system32\drivers\vetmonnt.sys
2007-05-31 19:05 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-05-31 19:04 95,344 --a------ E:\WINDOWS\system32\ISafeIf.dll
2007-05-31 19:04 74,864 --a------ E:\WINDOWS\system32\iSafProd.dll
2007-05-31 19:04 630,432 --a------ E:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-31 19:04 21,031 --a------ E:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-05-31 19:04 15,735 --a------ E:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-05-31 19:04 15,478 --a------ E:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-05-31 19:04 108,624 --a------ E:\WINDOWS\system32\drivers\VetEBoot.sys
2007-05-31 18:59 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-05-31 18:58 89,088 --a------ E:\WINDOWS\system32\ATL71.DLL
2007-05-31 18:49 <DIR> d-------- E:\Program Files\SBC Yahoo!
2007-05-31 18:45 <DIR> d-------- E:\Program Files\2Wire
2007-05-31 18:32 7,552 --a------ E:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-05-31 18:32 60,800 --a------ E:\WINDOWS\system32\drivers\sysaudio.sys
2007-05-31 18:32 60,288 --a------ E:\WINDOWS\system32\drivers\drmk.sys
2007-05-31 18:32 54,272 --a------ E:\WINDOWS\system32\drivers\swmidi.sys
2007-05-31 18:32 52,864 --a------ E:\WINDOWS\system32\drivers\DMusic.sys
2007-05-31 18:32 5,376 --a------ E:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-05-31 18:32 4,992 --a------ E:\WINDOWS\system32\drivers\MSPQM.sys
2007-05-31 18:32 4,096 --a------ E:\WINDOWS\system32\ksuser.dll
2007-05-31 18:32 2,944 --a------ E:\WINDOWS\system32\drivers\drmkaud.sys
2007-05-31 18:32 145,792 --a------ E:\WINDOWS\system32\drivers\portcls.sys
2007-05-31 18:31 917,504 --a------ E:\WINDOWS\system\cmids3d.dll
2007-05-31 18:31 81,920 --a------ E:\WINDOWS\system32\cmuda.dll
2007-05-31 18:31 743,887 --a------ E:\WINDOWS\system32\drivers\cmuda.sys
2007-05-31 18:31 712,704 --a------ E:\WINDOWS\system32\Audio3D.dll
2007-05-31 18:31 712,704 --a------ E:\WINDOWS\system32\a3d.dll
2007-05-31 18:31 32,768 --a------ E:\WINDOWS\system32\udaprop.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 20:48:23 -------- d-----w E:\DOCUME~1\User1\APPLIC~1\.BitTornado
2007-05-17 01:19:52 133,168 ----a-w E:\WINDOWS\system32\drivers\imagesrv.sys
2007-05-17 01:19:50 11,568 ----a-w E:\WINDOWS\system32\drivers\imagedrv.sys
2007-05-16 16:42:22 972,336 ----a-w E:\WINDOWS\UNNeroMediaHome.exe
2007-05-15 16:45:14 972,336 ----a-w E:\WINDOWS\UNNeroVision.exe
2007-04-23 23:42:50 972,336 ----a-w E:\WINDOWS\UNRecode.exe
2007-04-13 22:19:52 7,680 ----a-w E:\WINDOWS\system32\lsdelete.exe
2007-04-06 19:27:01 139,264 ----a-w E:\TTC.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]
{2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}=E:\Program Files\Outerinfo\Outerinfo.dll []
{42E87A01-10E0-4A01-B341-FBFEE9710873}=\ [2007-06-25 15:45]
{53707962-6F74-2D53-2644-206D7942484F}=E:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]
{80D58424-520F-44D6-9A95-F3542362A71C}=\ [2007-06-25 15:45]
{9bd5e92a-b02d-492f-8b98-4e4e30c173eb}=E:\WINDOWS\system32\yxeufnw.dll [2007-06-19 23:12]
{EDA4AEFF-BA3C-4CEB-979A-D0B3F6A6601D}=\ [2007-06-25 15:45]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 17:07]
{FE654E92-9D9D-4654-AAD7-27A9DE810007}=\ [2007-06-25 15:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"YBrowser"="E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"IPInSightMonitor 01"="E:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 12:30]
"YOP"="E:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"CaAvTray"="E:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-05-31 19:05]
"CAVRID"="E:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-05-31 19:05]
"Norton Ghost 12.0"="E:\Program Files\Norton Ghost\Agent\VProTray.exe" [2007-03-28 20:41]
"NWEReboot"="" []
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"Adobe Photo Downloader"="E:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 18:11]
"PlayNC Launcher"="E:\Program Files\NCSoft\Launcher\NCLauncher.exe" [2007-04-17 12:47]
"igndlm.exe"="h:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=E:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=E:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-25 15:45:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-25 15:47:00 - machine was rebooted
E:\ComboFix-quarantined-files.txt ... 2007-06-25 15:46

--- E O F ---

Shaba
2007-06-26, 10:59
Hi

Wow, much stuff here.

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {00000250-0320-4dd4-be4f-7566d2314352} - (no file)
O2 - BHO: (no name) - {000006b1-19b5-414a-849f-2a3c64ae6939} - (no file)
O2 - BHO: (no name) - {06dfedaa-6196-11d5-bfc8-00508b4a487d} - (no file)
O2 - BHO: (no name) - {13197ace-6851-45c3-a7ff-c281324d5489} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - E:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {30000273-8230-4dd4-be4f-6889d1e74167} - (no file)
O2 - BHO: (no name) - {42E87A01-10E0-4A01-B341-FBFEE9710873} - \
O2 - BHO: (no name) - {4e1075f4-eec4-4a86-add7-cd5f52858c31} - (no file)
O2 - BHO: (no name) - {4e7bd74f-2b8d-469e-92c6-ce7eb590a94d} - (no file)
O2 - BHO: (no name) - {53C330D6-A4AB-419B-B45D-FD4411C1FEF4} - (no file)
O2 - BHO: (no name) - {5929cd6e-2062-44a4-b2c5-2c7e78fbab38} - (no file)
O2 - BHO: (no name) - {5dafd089-24b1-4c5e-bd42-8ca72550717b} - (no file)
O2 - BHO: (no name) - {5fa6752a-c4a0-4222-88c2-928ae5ab4966} - (no file)
O2 - BHO: (no name) - {669695bc-a811-4a9d-8cdf-ba8c795f261e} - (no file)
O2 - BHO: (no name) - {80D58424-520F-44D6-9A95-F3542362A71C} - \
O2 - BHO: (no name) - {8674aea0-9d3d-11d9-99dc-00600f9a01f1} - (no file)
O2 - BHO: (no name) - {965a592f-8efa-4250-8630-7960230792f1} - (no file)
O2 - BHO: (no name) - {9bd5e92a-b02d-492f-8b98-4e4e30c173eb} - E:\WINDOWS\system32\yxeufnw.dll
O2 - BHO: (no name) - {b8875bfe-b021-11d4-bfa8-00508b8e9bd3} - (no file)
O2 - BHO: (no name) - {ca1d1b05-9c66-11d5-a009-000103c1e50b} - (no file)
O2 - BHO: (no name) - {cf021f40-3e14-23a5-cba2-717765728274} - (no file)
O2 - BHO: (no name) - {EDA4AEFF-BA3C-4CEB-979A-D0B3F6A6601D} - \
O2 - BHO: (no name) - {fc3a74e5-f281-4f10-ae1e-733078684f3c} - (no file)
O2 - BHO: (no name) - {FE654E92-9D9D-4654-AAD7-27A9DE810007} - \

Close all windows including browser and press fix checked.

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:


File::
E:\WINDOWS\system32\kdfgjana.exe
E:\WINDOWS\vxddsk.exe
E:\WINDOWS\system32\xsxraror.exe
E:\WINDOWS\system32\edbnxbcd.exe
E:\WINDOWS\system32\fsdceshn.exe
E:\WINDOWS\system32\yxeufnw.dll


Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/Combo-Do.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
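
The BHO triage done by eye above (checkmark every O2 entry with no backing file, and look harder at unnamed entries that still load a DLL) as an added Python example; this is not code from the thread or from HijackThis. The sample lines are constructed from the O2 entries quoted in this thread, and the classification rules are my own heuristics.

```python
import re

# Constructed sample input in HijackThis v1.99 format: six O2 lines taken from
# the logs quoted in this thread (including Spybot's own unnamed SDHelper.dll,
# which is legitimate) and an O4 line to show that non-BHO entries are ignored.
SAMPLE_LOG = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: (no name) - {00000026-8735-428D-B81F-DD098223B25F} - (no file)
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - E:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {42E87A01-10E0-4A01-B341-FBFEE9710873} - \
O2 - BHO: (no name) - {9bd5e92a-b02d-492f-8b98-4e4e30c173eb} - E:\WINDOWS\system32\yxeufnw.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [YOP] E:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
"""

# Shape of an O2 line: "O2 - BHO: <name> - {<CLSID>} - <dll path or placeholder>"
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.*)$"
)


def classify(name, target):
    """Heuristic verdict for one BHO entry (my own rules, not HijackThis's)."""
    target = target.strip()
    # A BHO registration whose server path is empty, "(no file)" or a missing
    # DLL cannot load anything, but it is leftover from an uninstalled or
    # deleted component and is safe to fix in HijackThis.
    if target in ("", "\\", "(no file)"):
        return "orphaned", "registry entry with no backing DLL path"
    if target.endswith("(file missing)"):
        return "orphaned", "path points to a DLL that no longer exists"
    # An unnamed BHO that still loads a DLL is where adware usually sits, but
    # legitimate tools (Spybot's SDHelper.dll) look identical, so this is
    # "review" (check publisher, hash, install date), never blind removal.
    if name == "(no name)":
        return "review", "unnamed BHO that still loads a DLL; verify it"
    return "ok", "named BHO backed by an existing file"


def triage_bhos(log_text):
    """Return one finding per O2 line; other HijackThis sections are skipped."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O2_RE.match(line)
        if not m:
            continue
        verdict, reason = classify(m.group("name"), m.group("target"))
        findings.append({"clsid": m.group("clsid").upper(), "name": m.group("name"),
                         "target": m.group("target").strip(), "verdict": verdict,
                         "reason": reason, "line": line})
    return findings


def lines_to_fix(log_text):
    """The lines a helper would ask the user to checkmark and 'Fix checked'."""
    return [f["line"] for f in triage_bhos(log_text) if f["verdict"] == "orphaned"]


def lines_to_review(log_text):
    """Unnamed-but-live BHOs: submit the DLL to a scanner before touching it."""
    return [f["line"] for f in triage_bhos(log_text) if f["verdict"] == "review"]


if __name__ == "__main__":
    for f in triage_bhos(SAMPLE_LOG):
        print(f"{f['verdict']:8} {f['clsid']}  {f['target'] or '<empty>'}  ({f['reason']})")
```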

Doom Saber
2007-06-26, 12:01
"User1" - 2007-06-26 2:57:01 - ComboFix 07-06-26.8 - Service Pack 2 NTFS
Command switches used :: E:\Documents and Settings\User1\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


E:\DOCUME~1\User1\APPLIC~1.\.rdr.ini
E:\WINDOWS\system32\yxeufnw.dll
E:\WINDOWS\vxddsk.exe


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-25 22:33 <DIR> d-------- E:\Program Files\Samsung
2007-06-25 15:33 49,152 --a------ E:\WINDOWS\nircmd.exe
2007-06-25 15:05 8,464 --a------ E:\WINDOWS\system32\sporder.dll
2007-06-25 14:09 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-25 14:08 <DIR> d-------- E:\Program Files\Common Files\Wise Installation Wizard
2007-06-24 17:04 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\LEGO Company
2007-06-24 17:04 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-06-20 00:47 <DIR> d-------- E:\VundoFix Backups
2007-06-20 00:29 524,288 --ah----- E:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-20 00:16 3,216 --a------ E:\WINDOWS\system32\tmp.reg
2007-06-20 00:06 53,248 --a------ E:\WINDOWS\system32\Process.exe
2007-06-20 00:06 51,200 --a------ E:\WINDOWS\system32\dumphive.exe
2007-06-20 00:06 288,417 --a------ E:\WINDOWS\system32\SrchSTS.exe
2007-06-19 23:28 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-19 23:11 <DIR> d-------- E:\Fantastic Four Rise of the Silver Surfer (2007) mVs iNT TELESYNC KvCD Hockney(TUS Release)
2007-06-18 15:09 4,682 --a------ E:\WINDOWS\system32\npptNT2.sys
2007-06-18 13:57 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\IGN_DLM
2007-06-18 13:48 <DIR> d-------- E:\Program Files\BitTornado
2007-06-18 13:48 <DIR> d-------- E:\fpfp-spd
2007-06-18 13:48 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\.BitTornado
2007-06-18 07:11 <DIR> d-------- E:\Program Files\NCSoft
2007-06-18 07:11 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\InstallShield
2007-06-18 06:46 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\GetRightToGo
2007-06-17 01:37 <DIR> d-------- E:\Program Files\Advanced GIF Animator
2007-06-15 13:31 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\AdobeUM
2007-06-15 12:43 53,248 --a------ E:\WINDOWS\uni_eh43.exe
2007-06-15 12:42 53,248 --a------ E:\WINDOWS\uninst1014.exe
2007-06-14 04:54 163,840 --a------ E:\Program Files\TTC.dll
2007-06-05 12:32 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-05 11:08 <DIR> d-------- E:\Program Files\Nero
2007-06-04 15:18 9,344 --a------ E:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ E:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ E:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-04 14:30 <DIR> d-------- E:\DOCUME~1\User1\Shared
2007-06-04 14:30 <DIR> d-------- E:\DOCUME~1\User1\Incomplete
2007-06-04 14:30 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\LimeWire
2007-06-04 10:03 <DIR> d-------- E:\DOCUME~1\User1\APPLIC~1\Ahead
2007-06-04 10:03 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Ahead
2007-06-03 21:17 81,768 --a------ E:\WINDOWS\system32\xinput1_3.dll
2007-06-03 21:17 443,752 --a------ E:\WINDOWS\system32\d3dx10_33.dll
2007-06-03 21:17 3,495,784 --a------ E:\WINDOWS\system32\d3dx9_33.dll
2007-06-03 21:17 3,426,072 --a------ E:\WINDOWS\system32\d3dx9_32.dll
2007-06-03 21:17 261,480 --a------ E:\WINDOWS\system32\xactengine2_7.dll
2007-06-03 21:17 255,848 --a------ E:\WINDOWS\system32\xactengine2_6.dll
2007-06-03 21:17 251,672 --a------ E:\WINDOWS\system32\xactengine2_5.dll
2007-06-03 21:17 1,123,696 --a------ E:\WINDOWS\system32\D3DCompiler_33.dll
2007-06-03 21:16 62,744 --a------ E:\WINDOWS\system32\xinput1_2.dll
2007-06-03 21:16 237,848 --a------ E:\WINDOWS\system32\xactengine2_4.dll
2007-06-03 21:16 236,824 --a------ E:\WINDOWS\system32\xactengine2_3.dll
2007-06-03 21:16 2,414,360 --a------ E:\WINDOWS\system32\d3dx9_31.dll
2007-06-03 21:16 2,297,552 --a------ E:\WINDOWS\system32\d3dx9_26.dll
2007-06-03 21:16 15,128 --a------ E:\WINDOWS\system32\x3daudio1_1.dll
2007-06-01 20:07 37,864 --a------ E:\WINDOWS\system32\drivers\v2imount.sys
2007-06-01 20:07 15,664 --a------ E:\WINDOWS\system32\drivers\GEARAspiWDM.sys
2007-06-01 20:07 14,072 --a------ E:\WINDOWS\system32\drivers\vproeventmonitor.sys
2007-06-01 20:07 131,944 --a------ E:\WINDOWS\system32\drivers\symsnap.sys
2007-06-01 20:07 128,104 --a------ E:\WINDOWS\system32\drivers\WimFltr.sys
2007-06-01 20:07 109,360 --a------ E:\WINDOWS\system32\GEARAspi.dll
2007-06-01 20:07 <DIR> d----c--- E:\WINDOWS\system32\DRVSTORE
2007-06-01 20:06 1,060,864 --a------ E:\WINDOWS\system32\MFC71.DLL
2007-06-01 20:06 <DIR> d-------- E:\Program Files\Symantec
2007-06-01 20:06 <DIR> d-------- E:\Program Files\Norton Ghost
2007-05-31 23:52 <DIR> d-------- E:\WINDOWS\system32\appmgmt
2007-05-31 23:48 <DIR> d---s---- E:\DOCUME~1\User1\UserData
2007-05-31 19:09 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
2007-05-31 19:05 74,864 --a------ E:\WINDOWS\system32\VetRedir.dll
2007-05-31 19:05 26,787 --a------ E:\WINDOWS\system32\drivers\vetmonnt.sys
2007-05-31 19:05 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\CA
2007-05-31 19:04 95,344 --a------ E:\WINDOWS\system32\ISafeIf.dll
2007-05-31 19:04 74,864 --a------ E:\WINDOWS\system32\iSafProd.dll
2007-05-31 19:04 630,432 --a------ E:\WINDOWS\system32\drivers\VetEFile.sys
2007-05-31 19:04 21,031 --a------ E:\WINDOWS\system32\drivers\Vet-Filt.sys
2007-05-31 19:04 15,735 --a------ E:\WINDOWS\system32\drivers\VetFDDNT.sys
2007-05-31 19:04 15,478 --a------ E:\WINDOWS\system32\drivers\Vet-Rec.sys
2007-05-31 19:04 108,624 --a------ E:\WINDOWS\system32\drivers\VetEBoot.sys
2007-05-31 18:59 <DIR> d-------- E:\DOCUME~1\ALLUSE~1\APPLIC~1\yahoo!
2007-05-31 18:58 89,088 --a------ E:\WINDOWS\system32\ATL71.DLL
2007-05-31 18:49 <DIR> d-------- E:\Program Files\SBC Yahoo!
2007-05-31 18:45 <DIR> d-------- E:\Program Files\2Wire
2007-05-31 18:32 7,552 --a------ E:\WINDOWS\system32\drivers\MSKSSRV.sys
2007-05-31 18:32 60,800 --a------ E:\WINDOWS\system32\drivers\sysaudio.sys
2007-05-31 18:32 60,288 --a------ E:\WINDOWS\system32\drivers\drmk.sys
2007-05-31 18:32 54,272 --a------ E:\WINDOWS\system32\drivers\swmidi.sys
2007-05-31 18:32 52,864 --a------ E:\WINDOWS\system32\drivers\DMusic.sys
2007-05-31 18:32 5,376 --a------ E:\WINDOWS\system32\drivers\MSPCLOCK.sys
2007-05-31 18:32 4,992 --a------ E:\WINDOWS\system32\drivers\MSPQM.sys
2007-05-31 18:32 4,096 --a------ E:\WINDOWS\system32\ksuser.dll
2007-05-31 18:32 2,944 --a------ E:\WINDOWS\system32\drivers\drmkaud.sys
2007-05-31 18:32 145,792 --a------ E:\WINDOWS\system32\drivers\portcls.sys
2007-05-31 18:31 917,504 --a------ E:\WINDOWS\system\cmids3d.dll
2007-05-31 18:31 81,920 --a------ E:\WINDOWS\system32\cmuda.dll
2007-05-31 18:31 743,887 --a------ E:\WINDOWS\system32\drivers\cmuda.sys
2007-05-31 18:31 712,704 --a------ E:\WINDOWS\system32\Audio3D.dll
2007-05-31 18:31 712,704 --a------ E:\WINDOWS\system32\a3d.dll
2007-05-31 18:31 32,768 --a------ E:\WINDOWS\system32\udaprop.dll
2007-05-31 18:31 28,672 --a------ E:\WINDOWS\system32\cmirmdrv.dll
2007-05-31 18:31 221,184 --a------ E:\WINDOWS\system32\cmirmdrv.exe
2007-05-31 18:31 1,900,544 --a------ E:\WINDOWS\system32\cmiwcnfg.dll
2007-05-31 18:29 80,896 -ra------ E:\WINDOWS\system32\drivers\NVENET.sys
2007-05-31 18:29 77,824 --a------ E:\WINDOWS\system32\NVUninst.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-18 20:48:23 -------- d-----w E:\DOCUME~1\User1\APPLIC~1\.BitTornado
2007-05-17 01:19:52 133,168 ----a-w E:\WINDOWS\system32\drivers\imagesrv.sys
2007-05-17 01:19:50 11,568 ----a-w E:\WINDOWS\system32\drivers\imagedrv.sys
2007-05-16 16:42:22 972,336 ----a-w E:\WINDOWS\UNNeroMediaHome.exe
2007-05-15 16:45:14 972,336 ----a-w E:\WINDOWS\UNNeroVision.exe
2007-04-23 23:42:50 972,336 ----a-w E:\WINDOWS\UNRecode.exe
2007-04-16 21:58:30 1,118,208 ----a-w E:\WINDOWS\system32\NMSDVDXU.dll
2007-04-13 22:19:52 7,680 ----a-w E:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll [2006-10-26 10:28]
{53707962-6F74-2D53-2644-206D7942484F}=E:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll [2006-10-31 15:33]
{F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D}=E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll [2005-02-03 17:07]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Cmaudio"="cmicnfg.cpl" []
"YBrowser"="E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe" [2006-07-21 16:19]
"IPInSightMonitor 01"="E:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe" [2003-07-14 12:30]
"YOP"="E:\PROGRA~1\Yahoo!\YOP\yop.exe" [2006-07-21 10:43]
"CaAvTray"="E:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2007-05-31 19:05]
"CAVRID"="E:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2007-05-31 19:05]
"Norton Ghost 12.0"="E:\Program Files\Norton Ghost\Agent\VProTray.exe" [2007-03-28 20:41]
"NWEReboot"="" []
"SunJavaUpdateSched"="E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe" [2005-04-13 03:48]
"NeroFilterCheck"="E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"Adobe Photo Downloader"="E:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
"Adobe Reader Speed Launcher"="E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 18:11]
"PlayNC Launcher"="E:\Program Files\NCSoft\Launcher\NCLauncher.exe" [2007-04-17 12:47]
"igndlm.exe"="h:\Program Files\Download Manager\DLM.exe" [2007-03-05 14:57]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=E:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=E:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999}
E:\WINDOWS\system32\msorcl32.exe

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 02:58:31
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-26 2:59:08
E:\ComboFix-quarantined-files.txt ... 2007-06-26 02:59
E:\ComboFix2.txt ... 2007-06-25 15:47

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 3:00:18 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
E:\WINDOWS\System32\smss.exe
E:\WINDOWS\system32\winlogon.exe
E:\WINDOWS\system32\services.exe
E:\WINDOWS\system32\lsass.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\System32\svchost.exe
E:\WINDOWS\system32\spoolsv.exe
E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
E:\PROGRA~1\Yahoo!\YOP\yop.exe
E:\Program Files\Yahoo!\Antivirus\CAVTray.exe
E:\Program Files\Yahoo!\Antivirus\CAVRID.exe
E:\Program Files\Norton Ghost\Agent\VProTray.exe
E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
E:\PROGRA~1\Yahoo!\browser\ycommon.exe
E:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
E:\Program Files\NCSoft\Launcher\NCLauncher.exe
I:\aawservice.exe
E:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
E:\Program Files\Yahoo!\Antivirus\ISafe.exe
E:\WINDOWS\eHome\ehRecvr.exe
E:\WINDOWS\eHome\ehSched.exe
E:\Program Files\Norton Ghost\Agent\VProSvc.exe
E:\Program Files\Yahoo!\Antivirus\VetMsg.exe
E:\WINDOWS\system32\svchost.exe
E:\WINDOWS\system32\dllhost.exe
E:\WINDOWS\system32\wuauclt.exe
E:\Program Files\internet explorer\iexplore.exe
E:\WINDOWS\explorer.exe
E:\WINDOWS\system32\notepad.exe
E:\Documents and Settings\User1\Desktop\HijackThis.exe

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - E:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - E:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - E:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [YBrowser] E:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [IPInSightMonitor 01] "E:\Program Files\SBC Yahoo!\Connection Manager\IP InSight\IPMon32.exe"
O4 - HKLM\..\Run: [YOP] E:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [CaAvTray] "E:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "E:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [Norton Ghost 12.0] "E:\Program Files\Norton Ghost\Agent\VProTray.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] E:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [NeroFilterCheck] E:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Photo Downloader] "E:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "E:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "E:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [PlayNC Launcher] E:\Program Files\NCSoft\Launcher\NCLauncher.exe /Minimized
O4 - HKCU\..\Run: [igndlm.exe] h:\Program Files\Download Manager\DLM.exe /windowsstart /startifwork
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - E:\PROGRA~1\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - E:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .mov: E:\Program Files\Internet Explorer\PLUGINS\npqtplugin.dll
O16 - DPF: Yahoo! Graffiti - http://download2.games.yahoo.com/games/clients/y/grt5_x.cab
O16 - DPF: Yahoo! Word Racer - http://download2.games.yahoo.com/games/clients/y/wt1_x.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - E:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - I:\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - E:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - E:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - E:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: NBService - Nero AG - E:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - E:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Norton Ghost - Symantec Corporation - E:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - E:\Program Files\Yahoo!\Antivirus\VetMsg.exe

Shaba
2007-06-26, 12:18
Hi

Please make sure that you can view all hidden files. Instructions on how to do this can be found here:

How to see hidden files in Windows (http://www.xtra.co.nz/help/0,,4155-1916458,00.html)

Please click this link-->Jotti (http://virusscan.jotti.org/)

When the jotti page has finished loading, click the Browse button and navigate to the following file and click Submit.

E:\WINDOWS\system32\msorcl32.exe

Please post back the results of the scan in your next post.

If Jotti is busy, try the same at Virustotal: http://www.virustotal.com/flash/index_en.html

Doom Saber
2007-06-26, 20:30
Hello,

I did what was instructed, word for word, in your last comment; however, my PC doesn't seem to locate

E:\WINDOWS\system32\msorcl32.exe

I even tried searching for it with the Explorer option, with no success.

Instead, I scanned msorcl32.dll using Jotti, which said nothing found on all the things it searched for. However, I am not sure if msorcl32.dll is the right file to scan for and I could have sworn I have used AVG in the past.

Shaba
2007-06-27, 11:22
Hi

Ok, then that file may not exist at all anymore.

Please do an online scan with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings.
In the scan settings, make sure that the following are selected:

o Scan using the following Anti-Virus database:

+ Extended (If available otherwise Standard)

o Scan Options:

+ Scan Archives
+ Scan Mail Bases

Click OK.
Now, under Select a target to scan, select My Computer.
The scan will take a while, so be patient and let it run. Once the scan is complete, it will display whether your system has been infected.
Now click on the Save as Text button.
Save the file to your desktop.
Copy and paste that information in your next post.

Post:

- a fresh HijackThis log
- Kaspersky report

Shaba
2007-07-04, 11:03
Due to the lack of feedback, this topic is closed.

If you need this topic reopened, please request this by sending the moderating team a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.