PDA

View Full Version : Smitfraud - Vundo - Browser Hijacked



tickedntroubled
2007-06-28, 00:48
Thankful for any help ahead of time
I got nailed yesterday: Antispysolutions - bogus spyware removeal tool poped off system tray - Desktop turned red - Browser totally hijacked

I have installed and run Spybot S&D and several other A/V and Spyware removal tools. In regular and Safe Modes
Things were looking up and I'm almost back to normal.
I still have IE opening windows on its own even when it wasn't already running.

Constantly blocking TMP##.dlls from adding as IE addins

Last S&D:
Still have registry entry for:
Smitfraud-C.Toolbar888

Still have cookies for:
CasaleMedia
DoubleClick
FastClick
K2L
ReliableStats
SystemDoctor2006
TagASaurus
Winsoftware
ZQest.K8L

Where do I go from here?

Logfile of HijackThis v1.99.1
Scan saved at 2:24:36 PM, on 6/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\system32\notepad.exe
C:\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/news/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60AC95CF-7549-4A1F-A163-283DE18E837F} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {7687A342-43CA-4369-A31C-48E27236CADA} - C:\Program Files\Internet Explorer\hotezyko83122.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {98115429-36ab-4468-9fc5-5c1152e16b67} - C:\WINDOWS\system32\C_2api.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\cbxyvur.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [vqhkljsA] C:\WINDOWS\vqhkljsA.exe
O4 - HKLM\..\Run: [{0F-FE-E5-55-ZN}] C:\windows\system32\msdsregp.exe SKY003
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [p328d32] C:\WINDOWS\p328d32
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [lanmanwrk.exe] C:\WINDOWS\System32\lanmanwrk.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\khghef.dll",realset
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O18 - Filter: text/html - (no CLSID) - (no file)
O20 - Winlogon Notify: cbxyvur - cbxyvur.dll (file missing)
O20 - Winlogon Notify: C_2api - C:\WINDOWS\SYSTEM32\C_2api.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DomainService - Unknown owner - C:\Documents and Settings\Jerry\Application Data\tmp8D.tmp.exe (file missing)
O23 - Service: Net Agent - Unknown owner - C:\WINDOWS\dls0523pmw.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Angelfire777
2007-06-28, 13:42
Hello and welcome to Safer Networking Forums!

You're quite infected there..

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

WinAntispyware 2007

Reboot.

Download combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

tickedntroubled
2007-06-28, 19:29
Thank you much for helping me with this problem=-)

"WinAntispyware 2007" Was not in my add remove (Previously uninstalled)

Downloaded & ran Combofix - System froze when it tryed to reboot but seems to have worked once manual reboot.

Here are the logs - thanks again

"Jerry" - 2007-06-28 8:53:36 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\Jerry\APPLIC~1.\.rdr.ini
C:\DOCUME~1\Jerry\APPLIC~1\tmp49.tmp.exe
C:\DOCUME~1\Jerry\APPLIC~1\tmp64.tmp.exe
C:\DOCUME~1\Jerry\APPLIC~1\tmp7F.tmp.exe
C:\DOCUME~1\Jerry\APPLIC~1\tmpB5.tmp.exe
C:\DOCUME~1\Jerry\APPLIC~1\tmpCC.tmp.exe
C:\DOCUME~1\Jerry\APPLIC~1\tmpE2.tmp.exe
C:\DOCUME~1\Jerry\APPLIC~1\tmpE3.tmp.exe
C:\DOCUME~1\Jerry\Desktop\internet.lnk
C:\Documents and Settings\Jerry.\err.log
C:\Documents and Settings\Jerry.\iswiz.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\180ax.exe
C:\WINDOWS\764.exe
C:\WINDOWS\7search.dll
C:\WINDOWS\bi.dll
C:\WINDOWS\biprep.exe
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\flt.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\pbar.dll
C:\WINDOWS\saiemod.dll
C:\WINDOWS\salm.exe
C:\WINDOWS\satmat.exe
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\gtv_sd.bin
C:\WINDOWS\system32\iepref32.dll
C:\WINDOWS\system32\lanmandrv.sys
C:\WINDOWS\system32\lanmanwrk.exe
C:\WINDOWS\system32\msixu.dll
C:\WINDOWS\system32\o02PrEz
C:\WINDOWS\system32\o05PrEz
C:\WINDOWS\system32\ocxloader.exe
C:\WINDOWS\system32\qmopt.dll
C:\WINDOWS\system32\vxddsk.exe
C:\WINDOWS\system32\W1
C:\WINDOWS\system32\W2
C:\WINDOWS\system32\W2\mwspasrt83122.exe
C:\WINDOWS\system32\W3
C:\WINDOWS\system32\W3\626wr.exe
C:\WINDOWS\system32\W4
C:\WINDOWS\system32\W5
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wml.exe
C:\WINDOWS\temp\salm.exe
C:\WINDOWS\updatetc.exe
C:\WINDOWS\voiceip.dll
C:\WINDOWS\wml.exe
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_LANMANDRV
-------\LEGACY_NET_AGENT
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\DomainService
-------\lanmandrv
-------\Net Agent


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-28 08:53 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 15:43 59,427 --a------ C:\WINDOWS\system32\tmpCC.tmp.dll
2007-06-27 15:43 134,917 --a------ C:\WINDOWS\efdefg.dll
2007-06-27 15:28 59,427 --a------ C:\WINDOWS\system32\tmpB5.tmp.dll
2007-06-27 15:04 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-27 14:54 59,427 --a------ C:\WINDOWS\system32\tmp7F.tmp.dll
2007-06-27 14:33 59,427 --a------ C:\WINDOWS\system32\tmp64.tmp.dll
2007-06-27 13:46 59,427 --a------ C:\WINDOWS\system32\tmp49.tmp.dll
2007-06-27 13:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-27 12:42 59,427 --a------ C:\WINDOWS\system32\tmp5E.tmp.dll
2007-06-27 11:14 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-27 11:14 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-27 11:14 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-27 11:14 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-27 11:14 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-27 11:14 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-27 11:13 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-27 11:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-27 10:48 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-27 10:28 <DIR> d-------- C:\hijackthis
2007-06-27 10:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-27 10:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-27 10:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-27 10:10 3,424 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-27 10:03 <DIR> d-------- C:\VundoFix Backups
2007-06-26 19:18 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-06-26 18:55 <DIR> d-------- C:\WINDOWS\system32\drivers\_quar
2007-06-26 18:51 59,480 --a------ C:\WINDOWS\system32\tmpE3.tmp.dll
2007-06-26 18:19 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-06-26 18:19 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-06-26 18:19 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-06-26 18:19 160,056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-06-26 18:19 1,520,952 --a------ C:\WINDOWS\WRSetup.dll
2007-06-26 18:19 <DIR> d-------- C:\Program Files\Webroot
2007-06-26 18:19 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-06-26 18:19 <DIR> d-------- C:\DOCUME~1\Jerry\APPLIC~1\Webroot
2007-06-26 18:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-26 18:18 164 --a------ C:\install.dat
2007-06-26 18:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-26 18:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-26 18:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-26 17:56 47,849 --a------ C:\WINDOWS\system32\cjpeg.exe
2007-06-26 17:56 25 --a------ C:\WINDOWS\system32\ielog.dll
2007-06-26 17:56 19,224 --a------ C:\WINDOWS\system32\qmggjjod.exe
2007-06-26 17:45 38,126 --a------ C:\WINDOWS\system32\C_2api.dll
2007-06-26 17:45 19,224 --a------ C:\WINDOWS\system32\qmmlnfbb.exe
2007-06-26 17:45 16,323 --a------ C:\DOCUME~1\Jerry\svchost.exe
2007-06-26 11:21 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-26 10:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-26 10:33 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-06-26 10:16 0 --a------ C:\DOCUME~1\Jerry\win.exe
2007-06-26 10:15 16,640 --a------ C:\WINDOWS\vxddsk.exe
2007-06-26 10:15 12 --a------ C:\WINDOWS\system32\sl.bin
2007-06-26 10:15 0 --a------ C:\DOCUME~1\Jerry\install.exe
2007-06-26 10:14 245,739 --a------ C:\DOCUME~1\Jerry\Setup164.exe
2007-06-26 10:14 14,390 --a------ C:\WINDOWS\e4fyztf8.exe
2007-06-26 08:22 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-06-19 13:52 <DIR> d-------- C:\Program Files\Need2Find
2007-06-19 13:51 10 --a------ C:\WINDOWS\smdat32m.sys
2007-06-19 13:51 <DIR> d-------- C:\Program Files\Kazaa
2007-06-15 12:43 53,248 --a------ C:\WINDOWS\uni_eh43.exe
2007-06-15 12:42 53,248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-13 08:23 <DIR> d-------- C:\DOCUME~1\Jerry\Jerry & Ken pics
2007-06-13 08:23 <DIR> d-------- C:\DOCUME~1\Jerry\Howard & Dan pics
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 20:22:40 -------- d-----w C:\Program Files\Online Services
2007-06-27 00:35:41 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-06-19 20:52:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 16:14:34 -------- d-----w C:\Program Files\Common Files\Firstlogic
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 21:12]
{38847C4B-1AB1-4A47-9026-9A6CF7B43D31}=C:\WINDOWS\system32\msdn_lib.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{60AC95CF-7549-4A1F-A163-283DE18E837F}=C:\WINDOWS\system32\geedc.dll []
{7687A342-43CA-4369-A31C-48E27236CADA}=C:\Program Files\Internet Explorer\hotezyko83122.dll [2007-06-18 11:59]
{85589B5D-D53D-4237-A677-46B82EA275F3}=C:\WINDOWS\xmlhelper2.dll []
{98115429-36ab-4468-9fc5-5c1152e16b67}=C:\WINDOWS\system32\C_2api.dll [2007-06-26 17:45]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-01-10 09:32 C:\WINDOWS\system32\nwiz.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"@"="" []
"HPUsageTracking"="C:\Program Files\HP\HP UT\bin\hppusg.exe" [2005-02-07 11:10]
"uwas7cw"="C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" []
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 10:57]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 11:49]
"autoload"="C:\WINDOWS\system32\drivers\svchost.exe" []
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cbxyvur]
cbxyvur.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\C_2api]
C_2api.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}
C:\WINDOWS\system32\tmrsrv32.exe

Contents of the 'Scheduled Tasks' folder
2007-06-28 15:52:41 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 09:02:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-06-28 9:04:39
C:\ComboFix-quarantined-files.txt ... 2007-06-28 09:04

--- E O F ---





Logfile of HijackThis v1.99.1
Scan saved at 9:09:13 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Jerry\Desktop\tech tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/news/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60AC95CF-7549-4A1F-A163-283DE18E837F} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {7687A342-43CA-4369-A31C-48E27236CADA} - C:\Program Files\Internet Explorer\hotezyko83122.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {98115429-36ab-4468-9fc5-5c1152e16b67} - C:\WINDOWS\system32\C_2api.dll
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182981048531
O20 - Winlogon Notify: cbxyvur - cbxyvur.dll (file missing)
O20 - Winlogon Notify: C_2api - C:\WINDOWS\SYSTEM32\C_2api.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Angelfire777
2007-06-30, 06:06
Hi, an expert would like to take a look at one of the infected files you have..

*Open notepad.
Copy and paste the text inside the Code Box below into Notepad
Choose File > Save As and under "Save as type", choose "All Files".
Type upload.bat in the File name and save it to your desktop.


@echo off
For %%g in (
C:\WINDOWS\system32\C_2api.dll
) do (
catchme -l nul -c %%g "%%~g.vir"
catchme -l nul -k "%%~g.vir"
if exist "%%~g.vir" del /a/f "%%~g.vir"
)>nul 2>&1
echo.Please submit the file, catchme.zip located on Desktop to this address: http://www.bleepingcomputer.com/submit-malware.php?channel=4
pause
exit

Double click upload.bat then follow the instructions for uploading catchme.zip

Please inform me when you are finished so we may continue cleaning your machine.

tickedntroubled
2007-07-02, 18:41
Thanks again for your continuing help

Update:
1)I did as instructed in your last post
2)I have done nothing else on this computer to try cleaning things up because I want to make sure I'm not messing you up by doing things you have not requested.
3) Latest HJT Follows

Logfile of HijackThis v1.99.1
Scan saved at 8:39:30 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Jerry\Desktop\tech tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/news/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60AC95CF-7549-4A1F-A163-283DE18E837F} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {7687A342-43CA-4369-A31C-48E27236CADA} - C:\Program Files\Internet Explorer\hotezyko83122.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {98115429-36ab-4468-9fc5-5c1152e16b67} - C:\WINDOWS\system32\C_2api.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - (no file)
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [uwas7cw] "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] "RUNDLL32.EXE" C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182981048531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: cbxyvur - cbxyvur.dll (file missing)
O20 - Winlogon Notify: C_2api - C:\WINDOWS\SYSTEM32\C_2api.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Angelfire777
2007-07-03, 13:05
Hi,

*Click Start > Control Panel > Add or Remove Programs and uninstall the item in bold if found.

Need2Find


*Please download KaazaBegone (http://www.bleepingcomputer.com/files/Merijn/kazaabegone.zip)

Create a new folder in your desktop, name it Kazaabegone.

Extract all the files of the zip files to the newly created folder on your desktop.

Navigate to the KazaaBegone folder then double click Kazaabegone.exe and let it remove Kazaa and all of its components.

Note: In case you use Kazaa, we need to remove it because the program itself is infected and if we don't remove it, the infections you have will only return..

Reboot.



Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Note: If you still have vundofix in your machine, you need not download vundofix anymore.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files.
Copy&Paste the entry below into the top box.


C:\WINDOWS\SYSTEM32\C_2api.dll


Click Add Files and click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES.
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt

_______________

We need to temporarily disable Spybot's TeaTimer, it may stop our fix.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: msdn_lib.msdn_hlp - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - C:\WINDOWS\system32\msdn_lib.dll (file missing)
O2 - BHO: (no name) - {60AC95CF-7549-4A1F-A163-283DE18E837F} - C:\WINDOWS\system32\geedc.dll (file missing)
O2 - BHO: (no name) - {7687A342-43CA-4369-A31C-48E27236CADA} - C:\Program Files\Internet Explorer\hotezyko83122.dll
O2 - BHO: BHOAd - {85589B5D-D53D-4237-A677-46B82EA275F3} - C:\WINDOWS\xmlhelper2.dll (file missing)
O2 - BHO: (no name) - {98115429-36ab-4468-9fc5-5c1152e16b67} - C:\WINDOWS\system32\C_2api.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - (no file)
O4 - HKLM\..\Run: "C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe" -c
O4 - HKCU\..\Run: [autoload] C:\WINDOWS\system32\drivers\svchost.exe
O20 - Winlogon Notify: cbxyvur - cbxyvur.dll (file missing)
O20 - Winlogon Notify: C_2api - C:\WINDOWS\SYSTEM32\C_2api.dll


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.

[u]Combofix Deletions
Right click on your desktop, select "new" then choose "New text Document"
Name it as "Combofix-Do"
Copy and paste the text inside the code box below to Combofix-Do.txt


File::
C:\WINDOWS\system32\tmpCC.tmp.dll
C:\WINDOWS\efdefg.dll
C:\WINDOWS\system32\tmpB5.tmp.dll
C:\WINDOWS\system32\tmp7F.tmp.dll
C:\WINDOWS\system32\tmp64.tmp.dll
C:\WINDOWS\system32\tmp49.tmp.dll
C:\WINDOWS\system32\tmp5E.tmp.dll
C:\WINDOWS\system32\tmpE3.tmp.dll
C:\WINDOWS\system32\cjpeg.exe
C:\WINDOWS\system32\ielog.dll
C:\WINDOWS\system32\qmggjjod.exe
C:\WINDOWS\system32\qmmlnfbb.exe
C:\DOCUME~1\Jerry\svchost.exe
C:\DOCUME~1\Jerry\win.exe
C:\WINDOWS\system32\sl.bin
C:\WINDOWS\system32\stfv.bin
C:\DOCUME~1\Jerry\install.exe
C:\DOCUME~1\Jerry\Setup164.exe
C:\WINDOWS\e4fyztf8.exe
C:\WINDOWS\uni_eh43.exe
C:\WINDOWS\uninst1014.exe
C:\WINDOWS\smdat32m.sys
C:\Program Files\Internet Explorer\hotezyko83122.dll
C:\Program Files\Common Files\WinAntiSpyware 2007
C:\WINDOWS\system32\drivers\svchost.exe
C:\WINDOWS\system32\tmrsrv32.exe

Folder::
C:\Program Files\Kazaa
C:\Program Files\Need2Find
Save it.
Drag and drop Combofix-do.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img407.imageshack.us/img407/4396/combodomm9.gif
Combofix wil restart your machine then it will produce a log afterwards.
Please post the contents of that log, vundofix.txt, hijackthis log and a description on how your machine is running.

tickedntroubled
2007-07-06, 20:39
Still thanking you...:beerbeerb:

Things are looking up...
No more weird errors as desktop loads on bootup.
All the alerts from Anti-spyware, Antivirus, Firewall seem to be legitamate programs.

:scratch:I Do have some concerns with the following items from HJTlog??

O2 - BHO: (no name) - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - (no file)
O2 - BHO: (no name) - {60AC95CF-7549-4A1F-A163-283DE18E837F} - (no file)
O2 - BHO: (no name) - {7687A342-43CA-4369-A31C-48E27236CADA} - (no file)
O2 - BHO: (no name) - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: (no name) - {98115429-36ab-4468-9fc5-5c1152e16b67} - (no file)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - (no file)

O20 - Winlogon Notify: cbxyvur - C:\WINDOWS\
O20 - Winlogon Notify: C_2api - C:\WINDOWS\

What do you think?


Below are my logs from Combofix, Vundofix and HJthis

"Jerry" - 2007-07-03 13:58:36 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Jerry\Desktop\Combofix-D0.txt


((((((((((((((((((((((((( Files Created from 2007-06-03 to 2007-07-03 )))))))))))))))))))))))))))))))


2007-07-02 13:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MailFrontier
2007-07-02 13:20 75,932 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-07-02 13:20 75,248 --a------ C:\WINDOWS\zllsputility.exe
2007-07-02 13:20 74,396 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-07-02 13:20 4,212 ---h----- C:\WINDOWS\system32\zllictbl.dat
2007-07-02 13:20 174,112 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-07-02 13:20 110,360 --a------ C:\WINDOWS\system32\drivers\kl1.sys
2007-07-02 13:19 1,086,952 --a------ C:\WINDOWS\system32\zpeng24.dll
2007-07-02 13:19 <DIR> d-------- C:\WINDOWS\system32\ZoneLabs
2007-07-02 13:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-06-28 08:53 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-27 15:43 59,427 --a------ C:\WINDOWS\system32\tmpCC.tmp.dll
2007-06-27 15:43 134,917 --a------ C:\WINDOWS\efdefg.dll
2007-06-27 15:28 59,427 --a------ C:\WINDOWS\system32\tmpB5.tmp.dll
2007-06-27 15:04 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-06-27 14:54 59,427 --a------ C:\WINDOWS\system32\tmp7F.tmp.dll
2007-06-27 14:33 59,427 --a------ C:\WINDOWS\system32\tmp64.tmp.dll
2007-06-27 13:46 59,427 --a------ C:\WINDOWS\system32\tmp49.tmp.dll
2007-06-27 13:07 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-27 12:42 59,427 --a------ C:\WINDOWS\system32\tmp5E.tmp.dll
2007-06-27 11:14 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-27 11:14 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-27 11:14 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-27 11:14 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-27 11:14 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-27 11:14 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-27 11:13 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-27 11:13 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-27 10:48 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-27 10:28 <DIR> d-------- C:\hijackthis
2007-06-27 10:25 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-27 10:25 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-27 10:25 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-27 10:10 3,424 --a------ C:\WINDOWS\system32\tmp.reg
2007-06-27 10:03 <DIR> d-------- C:\VundoFix Backups
2007-06-26 19:18 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-06-26 18:55 <DIR> d-------- C:\WINDOWS\system32\drivers\_quar
2007-06-26 18:51 59,480 --a------ C:\WINDOWS\system32\tmpE3.tmp.dll
2007-06-26 18:19 23,864 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-06-26 18:19 21,816 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-06-26 18:19 20,280 --a------ C:\WINDOWS\system32\drivers\SSFS0BB8.sys
2007-06-26 18:19 160,056 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-06-26 18:19 1,520,952 --a------ C:\WINDOWS\WRSetup.dll
2007-06-26 18:19 <DIR> d-------- C:\Program Files\Webroot
2007-06-26 18:19 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-06-26 18:19 <DIR> d-------- C:\DOCUME~1\Jerry\APPLIC~1\Webroot
2007-06-26 18:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-06-26 18:18 164 --a------ C:\install.dat
2007-06-26 18:05 <DIR> d-------- C:\Program Files\Lavasoft
2007-06-26 18:05 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-06-26 18:04 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-06-26 17:56 47,849 --a------ C:\WINDOWS\system32\cjpeg.exe
2007-06-26 17:56 25 --a------ C:\WINDOWS\system32\ielog.dll
2007-06-26 17:56 19,224 --a------ C:\WINDOWS\system32\qmggjjod.exe
2007-06-26 17:45 19,224 --a------ C:\WINDOWS\system32\qmmlnfbb.exe
2007-06-26 17:45 16,323 --a------ C:\DOCUME~1\Jerry\svchost.exe
2007-06-26 11:21 <DIR> d-------- C:\Program Files\Windows Defender
2007-06-26 10:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-26 10:33 4 --a------ C:\WINDOWS\system32\stfv.bin
2007-06-26 10:16 0 --a------ C:\DOCUME~1\Jerry\win.exe
2007-06-26 10:15 16,640 --a------ C:\WINDOWS\vxddsk.exe
2007-06-26 10:15 12 --a------ C:\WINDOWS\system32\sl.bin
2007-06-26 10:15 0 --a------ C:\DOCUME~1\Jerry\install.exe
2007-06-26 10:14 245,739 --a------ C:\DOCUME~1\Jerry\Setup164.exe
2007-06-26 10:14 14,390 --a------ C:\WINDOWS\e4fyztf8.exe
2007-06-26 08:22 8,464 --a------ C:\WINDOWS\system32\sporder.dll
2007-06-15 12:43 53,248 --a------ C:\WINDOWS\uni_eh43.exe
2007-06-15 12:42 53,248 --a------ C:\WINDOWS\uninst1014.exe
2007-06-13 08:23 <DIR> d-------- C:\DOCUME~1\Jerry\Jerry & Ken pics
2007-06-13 08:23 <DIR> d-------- C:\DOCUME~1\Jerry\Howard & Dan pics
2007-06-04 15:18 9,344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 15:17 8,320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 15:14 6,272 --a------ C:\WINDOWS\system32\drivers\AWRTPD.sys


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-02 23:45:23 -------- d-----w C:\Program Files\Online Services
2007-06-27 00:35:41 -------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-06-19 20:52:39 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-14 16:14:34 -------- d-----w C:\Program Files\Common Files\Firstlogic
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:43:44 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2005-09-23 21:12]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"nwiz"="nwiz.exe" [2005-01-10 09:32 C:\WINDOWS\system32\nwiz.exe]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2004-06-03 01:50]
"BluetoothAuthenticationAgent"="rundll32.exe" [2004-08-04 05:00 C:\WINDOWS\system32\rundll32.exe]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-02-17 00:11]
"@"="" []
"HPUsageTracking"="C:\Program Files\HP\HP UT\bin\hppusg.exe" [2005-02-07 11:10]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 02:25]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 08:42]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54]
"TomcatStartup 2.5"="C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe" [2004-11-12 10:57]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2007-06-21 18:57]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2005-08-18 11:49]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{F146C9B1-VMVQ-A9RC-NUFL-D02300B4E999}
C:\WINDOWS\system32\tmrsrv32.exe

Contents of the 'Scheduled Tasks' folder
2007-07-03 20:48:25 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 14:01:24
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001000-0000-1000-8000-00805f9b34fb}]


[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\BTHPORT\Parameters\Services\{00001115-0000-1000-8000-00805f9b34fb}]


Completion time: 2007-07-03 14:02:38
C:\ComboFix-quarantined-files.txt ... 2007-07-03 14:02
C:\ComboFix2.txt ... 2007-06-28 09:04

--- E O F ---







VundoFix V6.5.1

Checking Java version...

Sun Java not detected
Scan started at 10:03:13 AM 6/27/2007

Listing files found while scanning....

C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\geedc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\cdeeg.bak1
C:\WINDOWS\system32\cdeeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdeeg.bak2
C:\WINDOWS\system32\cdeeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\cdeeg.ini
C:\WINDOWS\system32\cdeeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\geedc.dll
C:\WINDOWS\system32\geedc.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Sun Java not detected
Scan started at 10:06:48 AM 6/27/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 1:14:53 PM 7/3/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 1:27:00 PM 7/3/2007

Listing files found while scanning....


VundoFix V6.5.4

Checking Java version...

Sun Java not detected
Scan started at 1:32:51 PM 7/3/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Performing Repairs to the registry.
Done!








Logfile of HijackThis v1.99.1
Scan saved at 9:59:11 AM, on 7/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\hpzipm12.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\VIA\RAID\raid_tool.exe
C:\PROGRA~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Jerry\Desktop\tech tools\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.comcast.net/news/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {60AC95CF-7549-4A1F-A163-283DE18E837F} - (no file)
O2 - BHO: (no name) - {7687A342-43CA-4369-A31C-48E27236CADA} - (no file)
O2 - BHO: (no name) - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: (no name) - {98115429-36ab-4468-9fc5-5c1152e16b67} - (no file)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - (no file)
O4 - HKLM\..\Run: [nwiz] "nwiz.exe" /install
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] "rundll32.exe" bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [HPUsageTracking] "C:\Program Files\HP\HP UT\bin\hppusg.exe" "C:\Program Files\HP\HP UT\"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [NvCplDaemon] "RUNDLL32.EXE" C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [TomcatStartup 2.5] "C:\Program Files\Hewlett-Packard\Toolbox\hpbpsttp.exe"
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_5 -reboot 1
O4 - HKCU\..\Run: [SpybotSD TeaTimer] "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
O4 - Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: VIA RAID TOOL.lnk = C:\Program Files\VIA\RAID\raid_tool.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex/eBay_Enhanced_Picture_Control_v1-0-3-48.cab
O16 - DPF: {60EFC337-15C2-4369-B2A0-3429B071D8B8} (Hewlett-Packard Printer Diagnostics) - http://h50203.www5.hp.com/HPISWeb/Customer/cabs/HPISWebManager.CAB
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1182981048531
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O20 - Winlogon Notify: cbxyvur - C:\WINDOWS\
O20 - Winlogon Notify: C_2api - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - C:\WINDOWS\SYSTEM32\WRLogonNTF.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\hpzipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

Angelfire777
2007-07-07, 06:49
Hi,


I Do have some concerns with the following items from HJTlog??

Those are leftover registry entries that we'll be taking care of.

We need to temporarily disable Spybot's TeaTimer, it may stop our fix.

Disable Spybot's TeaTimer. This is a two step process.
First:
- Right click Spybot in the System Tray (looks like a calendar with a padlock symbol)
- Choose Exit Spybot S&D Resident
Second:
- Open Spybot S&D
- Click Mode, check Advanced Mode
- Go To Left Panel, Click Tools, then also in left panel, click Resident
- If your firewall raises a question, say OK
- Uncheck the box labeled Resident Tea-Timer and OK any prompts.
- Use File, Exit to terminate Spybot
- Reboot your machine for the changes to take effect.

*You need To disable Windows Defender temporarily, it can stop our fix. Please Re-enable it after your system is clean.

Open Microsoft Windows Defender. Click Start > Programs > Windows Defender
Click on Tools > General Settings
Under Real-time Protection options, unselect the turn on real-time protection check box.
Click Save

After all of the fixes are complete it is very important that you enable Real-time Protection again.

*You need To disable SpySweeper temporarily, it can stop our fix. Please Re-enable SpySweeper after your system is clean.

Open it click > Options over to the left then > Program Options > Uncheck "Start Spy Sweeper at Windows startup".
Over to the left, click "Shields."
Click the "Internet Explorer" tab and uncheck all there.
Click the "Windows System" tab and uncheck all there.
Click the "Host File" tab and uncheck all there.
Click the "Startup Programs" tab and uncheck "Startup Items Shield".


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {38847C4B-1AB1-4A47-9026-9A6CF7B43D31} - (no file)
O2 - BHO: (no name) - {60AC95CF-7549-4A1F-A163-283DE18E837F} - (no file)
O2 - BHO: (no name) - {7687A342-43CA-4369-A31C-48E27236CADA} - (no file)
O2 - BHO: (no name) - {85589B5D-D53D-4237-A677-46B82EA275F3} - (no file)
O2 - BHO: (no name) - {98115429-36ab-4468-9fc5-5c1152e16b67} - (no file)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - (no file)
O20 - Winlogon Notify: cbxyvur - C:\WINDOWS\
O20 - Winlogon Notify: C_2api - C:\WINDOWS\

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.
_______________

The combofix deletions was unsuccesful because a wrong name was used. I asked you to name the text file combofix-do and I think you accidentally named it combofix-d0 (you used a zero instead of an o).. If combofix-d0 is still in your desktop, rename it to combofix-do then drag and drop combofix-do to your copy of combofix. Please post a fresh HijackThis log and the combofix log created on your next reply.

tashi
2007-07-12, 10:31
How is it going tickedntroubled. :)

Angelfire777
2007-07-15, 15:18
Due to lack of feedback, this thread is now closed.

If you wish to reopen this topic, please pm me or a moderator so it could be unlocked for you. Please include the original link for this topic in your pm.

This only applies to the original topic starter. Everyone, please start a new topic.

Angelfire777
2007-07-18, 11:48
Unlocked by request of original topic starter.

Hi,

If you're going away like perhaps for vacation, please notify us if you have time so we'll know.

Please post all the logs required.

tashi
2007-07-26, 00:14
tickedntroubled, you asked for the topic to be re-opened, still with us?

tashi
2007-07-28, 08:30
This topic has been archived.