Could anyone help me with some annoying spywares?



hoatrant
2007-07-28, 01:00
My girlfriend accidentally downloaded some spyware: WebBuyingAssistance, TagASaurus, DoubleClick and Zedo. I have spent 3 days reading a lot of info about this issue, but I still can't remove them. Could you help me, Spyware master?

Here is the HijackThis log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:19:54 AM, on 7/27/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Canon\CAL\CALMAIN.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\dllhost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.byuh.edu/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {2d14fd7f-a599-4f6e-a13f-5796b4e60a95} - C:\WINDOWS\system32\dpghnla.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\WINDOWS\system32\ddcdbcc.dll
O2 - BHO: IE PopUp-Killer - {49E0E0F0-5C30-11D4-945D-000000000003} - C:\PROGRA~1\Ashampoo\ASHAMP~1\PopUp.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~2\MEGAUP~1.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [Ashampoo PopUpBlocker] C:\Program Files\Ashampoo\Ashampoo WinOptimizer Platinum 3\PopUpKiller.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download Link Using Mega Manager... - C:\Program Files\Megaupload\Mega Manager\mm_file.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {9819CC0E-9669-4D01-9CD7-2C66DA43AC6C} - (no file)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {001EE746-A1F9-460E-80AD-269E088D6A01} (Infotl Control) - http://site.ebrary.com/lib/byuhawaii/suppo...s/ebraryRdr.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/Facebo...otoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1185038690140
O20 - Winlogon Notify: ddcdbcc - C:\WINDOWS\SYSTEM32\ddcdbcc.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 8351 bytes

hoatrant
2007-07-28, 01:02
And here is the ComboFix log:

"Hoa To" - 2007-07-27 11:28:56 [GMT -10:00] - ComboFix 07-07-24 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-06-27 to 2007-07-27 )))))))))))))))))))))))))))))))


2007-07-27 10:27 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-07-27 07:40 2,560 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-26 20:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-26 20:03 <DIR> d-------- C:\Program Files\Ashampoo
2007-07-26 14:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-26 09:16 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-07-26 09:16 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-07-26 09:16 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-07-26 09:16 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-07-26 09:16 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-07-26 09:16 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-07-26 09:16 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-07-26 09:16 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-26 09:02 <DIR> d-------- C:\Program Files\EAdwareRemoval
2007-07-26 09:02 <DIR> d-------- C:\AdwareRemovalBin
2007-07-25 23:31 <DIR> d-------- C:\Program Files\Windows Defender
2007-07-25 22:34 31,254 --a------ C:\WINDOWS\system32\ssqppmk.dll
2007-07-25 22:25 31,254 --a------ C:\WINDOWS\system32\efcaaax.dll
2007-07-25 22:22 31,254 --a------ C:\WINDOWS\system32\byxxusq.dll
2007-07-25 22:20 636,352 -r-hs---- C:\WINDOWS\xqaodorA.exe
2007-07-25 22:20 54,784 --a------ C:\WINDOWS\xqaodor.exe
2007-07-25 22:20 31,254 --a------ C:\WINDOWS\system32\efedcbb.dll
2007-07-25 22:20 171,520 --a------ C:\WINDOWS\system32\dpghnla.dll
2007-07-25 22:19 31,254 --a------ C:\WINDOWS\system32\ddcdbcc.dll
2007-07-21 22:27 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-21 07:36 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-07-17 22:10 <DIR> d-------- C:\Program Files\iTunes
2007-07-17 22:10 <DIR> d-------- C:\Program Files\iPod
2007-07-17 22:09 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-07-17 21:36 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-13 11:41 <DIR> d-------- C:\WINDOWS\NV540372.TMP
2007-07-13 11:39 8 --a------ C:\WINDOWS\system32\nvModes.dat
2007-07-13 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\nView_Profiles
2007-07-13 11:34 <DIR> d-------- C:\WINDOWS\system32\EVGA
2007-07-13 11:33 323,584 --a------ C:\WINDOWS\system32\nvwrspt.dll
2007-07-13 11:33 319,488 --a------ C:\WINDOWS\system32\nvwrsptb.dll
2007-07-13 11:33 319,488 --a------ C:\WINDOWS\system32\nvwrsnl.dll
2007-07-13 11:33 315,392 --a------ C:\WINDOWS\system32\nvwrsru.dll
2007-07-13 11:33 303,104 --a------ C:\WINDOWS\system32\nvwrstr.dll
2007-07-13 11:33 303,104 --a------ C:\WINDOWS\system32\nvwrssl.dll
2007-07-13 11:33 299,008 --a------ C:\WINDOWS\system32\nvwrssk.dll
2007-07-13 11:33 299,008 --a------ C:\WINDOWS\system32\nvwrsno.dll
2007-07-13 11:33 294,912 --a------ C:\WINDOWS\system32\nvwrssv.dll
2007-07-13 11:33 294,912 --a------ C:\WINDOWS\system32\nvwrspl.dll
2007-07-13 11:33 274,432 --a------ C:\WINDOWS\system32\nvrsnl.dll
2007-07-13 11:33 270,336 --a------ C:\WINDOWS\system32\nvrspt.dll
2007-07-13 11:33 266,240 --a------ C:\WINDOWS\system32\nvrsru.dll
2007-07-13 11:33 266,240 --a------ C:\WINDOWS\system32\nvrsptb.dll
2007-07-13 11:33 262,144 --a------ C:\WINDOWS\system32\nvrsko.dll
2007-07-13 11:33 258,048 --a------ C:\WINDOWS\system32\nvrssk.dll
2007-07-13 11:33 253,952 --a------ C:\WINDOWS\system32\nvrstr.dll
2007-07-13 11:33 253,952 --a------ C:\WINDOWS\system32\nvrssv.dll
2007-07-13 11:33 253,952 --a------ C:\WINDOWS\system32\nvrssl.dll
2007-07-13 11:33 253,952 --a------ C:\WINDOWS\system32\nvrspl.dll
2007-07-13 11:33 253,952 --a------ C:\WINDOWS\system32\nvrsno.dll
2007-07-13 11:33 225,280 --a------ C:\WINDOWS\system32\nvrszhc.dll
2007-07-13 11:33 196,608 --a------ C:\WINDOWS\system32\nvwrsko.dll
2007-07-13 11:33 167,936 --a------ C:\WINDOWS\system32\nvwrszht.dll
2007-07-13 11:33 163,840 --a------ C:\WINDOWS\system32\nvwrszhc.dll
2007-07-13 11:33 122,880 --a------ C:\WINDOWS\system32\nvrszht.dll
2007-07-13 11:32 958,464 --a------ C:\WINDOWS\system32\nvmobls.dll
2007-07-13 11:32 928,096 --a------ C:\WINDOWS\system32\nvucode.bin
2007-07-13 11:32 815,104 --a------ C:\WINDOWS\system32\nvcplui.exe
2007-07-13 11:32 81,920 --a------ C:\WINDOWS\system32\nvwddi.dll
2007-07-13 11:32 81,920 --a------ C:\WINDOWS\system32\nvmctray.dll
2007-07-13 11:32 8,425,472 --a------ C:\WINDOWS\system32\nvcpl.dll
2007-07-13 11:32 6,660,096 --a------ C:\WINDOWS\system32\nvoglnt.dll
2007-07-13 11:32 5,718,016 --a------ C:\WINDOWS\system32\nvdisps.dll
2007-07-13 11:32 5,251,072 --a------ C:\WINDOWS\system32\nvdispsr.dll
2007-07-13 11:32 466,944 --a------ C:\WINDOWS\system32\nvshell.dll
2007-07-13 11:32 458,752 --a------ C:\WINDOWS\system32\nvmccssr.dll
2007-07-13 11:32 45,056 --a------ C:\WINDOWS\system32\nvmccsrs.dll
2007-07-13 11:32 442,368 --a------ C:\WINDOWS\system32\nvappbar.exe
2007-07-13 11:32 425,984 --a------ C:\WINDOWS\system32\keystone.exe
2007-07-13 11:32 36,352 --a------ C:\WINDOWS\system32\nvcodins.dll
2007-07-13 11:32 36,352 --a------ C:\WINDOWS\system32\nvcod.dll
2007-07-13 11:32 356,352 --a------ C:\WINDOWS\system32\nvudisp.exe
2007-07-13 11:32 335,872 --a------ C:\WINDOWS\system32\nvwrses.dll
2007-07-13 11:32 335,872 --a------ C:\WINDOWS\system32\nvwrsel.dll
2007-07-13 11:32 335,872 --a------ C:\WINDOWS\system32\nvapi.dll
2007-07-13 11:32 327,680 --a------ C:\WINDOWS\system32\nvwrsfr.dll
2007-07-13 11:32 327,680 --a------ C:\WINDOWS\system32\nvwrsesm.dll
2007-07-13 11:32 327,680 --a------ C:\WINDOWS\system32\nvrshe.dll
2007-07-13 11:32 327,680 --a------ C:\WINDOWS\system32\nvrsar.dll
2007-07-13 11:32 323,584 --a------ C:\WINDOWS\system32\nvwrsit.dll
2007-07-13 11:32 315,392 --a------ C:\WINDOWS\system32\nvwrshu.dll
2007-07-13 11:32 311,296 --a------ C:\WINDOWS\system32\nvwrsde.dll
2007-07-13 11:32 307,200 --a------ C:\WINDOWS\system32\nvexpbar.dll
2007-07-13 11:32 303,104 --a------ C:\WINDOWS\system32\nvwrsfi.dll
2007-07-13 11:32 3,620,864 --a------ C:\WINDOWS\system32\nvvitvsr.dll
2007-07-13 11:32 3,391,488 --a------ C:\WINDOWS\system32\nvvitvs.dll
2007-07-13 11:32 3,235,840 --a------ C:\WINDOWS\system32\nvgamesr.dll
2007-07-13 11:32 3,145,728 --a------ C:\WINDOWS\system32\nvgames.dll
2007-07-13 11:32 294,912 --a------ C:\WINDOWS\system32\nvwrsda.dll
2007-07-13 11:32 286,720 --a------ C:\WINDOWS\system32\nvwrseng.dll
2007-07-13 11:32 286,720 --a------ C:\WINDOWS\system32\nvwrscs.dll
2007-07-13 11:32 286,720 --a------ C:\WINDOWS\system32\nvnt4cpl.dll
2007-07-13 11:32 282,624 --a------ C:\WINDOWS\system32\nvwrsar.dll
2007-07-13 11:32 282,624 --a------ C:\WINDOWS\system32\nvrsfr.dll
2007-07-13 11:32 282,624 --a------ C:\WINDOWS\system32\nvrses.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-27 20:27:12 -------- d-----w C:\Program Files\Yahoo!
2007-07-26 19:55:22 -------- d-----w C:\Program Files\Windows Plus
2007-07-26 19:54:43 -------- d-----w C:\Program Files\mtd2002
2007-07-26 19:05:49 -------- d-----w C:\Program Files\ACD Systems
2007-07-26 19:05:48 -------- d-----w C:\Program Files\Common Files\ACD Systems
2007-07-18 18:31:34 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-07-18 07:38:02 -------- d-----w C:\Program Files\QuickTime
2007-07-18 07:36:18 -------- d-----w C:\Program Files\Apple Software Update
2007-07-17 08:06:22 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-15 00:42:21 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2007-07-15 00:42:13 103,736 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2007-07-13 21:34:21 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-13 09:51:11 -------- d-----w C:\Program Files\EA GAMES
2007-07-08 00:26:08 -------- d-----w C:\Program Files\Symantec
2007-07-08 00:26:08 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-07-07 00:56:09 -------- d-----w C:\DOCUME~1\HOATO~1\APPLIC~1\DMCache
2007-06-24 08:19:33 -------- d--h--r C:\DOCUME~1\HOATO~1\APPLIC~1\SecuROM
2007-06-24 03:11:08 -------- d-----w C:\Program Files\Ubisoft
2007-06-24 03:10:43 -------- d-----w C:\DOCUME~1\HOATO~1\APPLIC~1\InstallShield
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-12 19:04:35 63,040 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2006-08-14 11:48:38 88 --sh--r C:\WINDOWS\system32\5AA1F40D02.sys
2006-08-14 11:48:47 3,350 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2d14fd7f-a599-4f6e-a13f-5796b4e60a95}]
2007-07-25 22:20 171520 --a------ C:\WINDOWS\system32\dpghnla.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3964D8D6-86D0-493A-B460-A805B5401114}]
2007-07-25 22:19 31254 --a------ C:\WINDOWS\system32\ddcdbcc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SigmatelSysTrayApp"="stsystra.exe" [2005-03-22 11:20 C:\WINDOWS\stsystra.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2005-08-05 16:05]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 05:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 05:44]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-07-06 04:04]
"nwiz"="nwiz.exe" [2007-03-07 08:49 C:\WINDOWS\system32\nwiz.exe]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-10 09:18]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 05:42]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" [2005-12-16 12:57]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 00:00]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-03-28 12:10]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-27 15:22]
"Ashampoo PopUpBlocker"="C:\Program Files\Ashampoo\Ashampoo WinOptimizer Platinum 3\PopUpKiller.exe" [2004-02-03 14:13]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 20:05:26]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-06-28 04:50:03]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{3964D8D6-86D0-493A-B460-A805B5401114}"= C:\WINDOWS\system32\ddcdbcc.dll [2007-07-25 22:19 31254]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdbcc]
ddcdbcc.dll 2007-07-25 22:19 31254 C:\WINDOWS\system32\ddcdbcc.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
C:\Program Files\Dell\Media Experience\DMXLauncher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
C:\Program Files\dvd43\dvd43_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
"C:\Program Files\Electronic Arts\EA Link\Core.exe" -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IDMan]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Download Accelerator]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCAgentExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MCUpdateExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MPFExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKAGENTEXE]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mtd2002Svr]
"C:\Program Files\mtd2002"\mtdserver.exe -f

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OASClnt]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VirusScan Online]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VSOCheckTask]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

R1 DLACDBHM;DLACDBHM;C:\WINDOWS\system32\Drivers\DLACDBHM.SYS
R1 DLARTL_N;DLARTL_N;C:\WINDOWS\system32\Drivers\DLARTL_N.SYS
R2 DLABOIOM;DLABOIOM;C:\WINDOWS\system32\DLA\DLABOIOM.SYS
R2 DLADResN;DLADResN;C:\WINDOWS\system32\DLA\DLADResN.SYS
R2 DLAIFS_M;DLAIFS_M;C:\WINDOWS\system32\DLA\DLAIFS_M.SYS
R2 DLAOPIOM;DLAOPIOM;C:\WINDOWS\system32\DLA\DLAOPIOM.SYS
R2 DLAPoolM;DLAPoolM;C:\WINDOWS\system32\DLA\DLAPoolM.SYS
R2 DLAUDF_M;DLAUDF_M;C:\WINDOWS\system32\DLA\DLAUDF_M.SYS
R2 DLAUDFAM;DLAUDFAM;C:\WINDOWS\system32\DLA\DLAUDFAM.SYS
R2 DRVNDDM;DRVNDDM;C:\WINDOWS\system32\Drivers\DRVNDDM.SYS
R2 ehRecvr;Media Center Receiver Service;C:\WINDOWS\eHome\ehRecvr.exe
R2 ehSched;Media Center Scheduler Service;C:\WINDOWS\eHome\ehSched.exe
R2 McrdSvc;Media Center Extender Service;C:\WINDOWS\ehome\mcrdsvc.exe
R3 dvd43llh;dvd43llh;C:\WINDOWS\system32\DRIVERS\dvd43llh.sys
R3 E100B;Intel® PRO Network Connection Driver;C:\WINDOWS\system32\DRIVERS\e100b325.sys
R3 HidUsb;Microsoft HID Class Driver;C:\WINDOWS\system32\DRIVERS\hidusb.sys
R3 Pcouffin;Low level access layer for CD devices;C:\WINDOWS\system32\Drivers\Pcouffin.sys
R3 STHDA;SigmaTel High Definition Audio CODEC;C:\WINDOWS\system32\drivers\sthda.sys
R3 usbehci;Microsoft USB 2.0 Enhanced Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbehci.sys
R3 usbhub;Microsoft USB Standard Hub Driver;C:\WINDOWS\system32\DRIVERS\usbhub.sys
R3 USBSTOR;USB Mass Storage Driver;C:\WINDOWS\system32\DRIVERS\USBSTOR.SYS
R3 usbuhci;Microsoft USB Universal Host Controller Miniport Driver;C:\WINDOWS\system32\DRIVERS\usbuhci.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 MHN;MHN;C:\WINDOWS\System32\svchost.exe -k netsvcs
S3 MHNDRV;MHN driver;C:\WINDOWS\system32\DRIVERS\mhndrv.sys
S3 snpstd;USB PC Camera;C:\WINDOWS\system32\DRIVERS\snpstd.sys
S3 usbscan;USB Scanner Driver;C:\WINDOWS\system32\DRIVERS\usbscan.sys
S3 wanatw;WAN Miniport (ATW);C:\WINDOWS\system32\DRIVERS\wanatw4.sys
S4 agpCPQ;Compaq AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\agpCPQ.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
AutoRun\command- E:\setup.exe


Contents of the 'Scheduled Tasks' folder
2007-07-24 00:30:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-27 20:33:54 C:\WINDOWS\tasks\MP Scheduled Scan.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-27 11:29:56
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\ComputerDescriptions]
"<!#$\xb7?$\xc6\3$\30"=""
"<!#$\xb7?$\xb7?h\30"="tt"

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-27 11:31:23
C:\ComboFix-quarantined-files.txt ... 2007-07-27 11:31
C:\ComboFix2.txt ... 2007-07-27 11:04
C:\ComboFix3.txt ... 2007-07-26 21:35

--- E O F ---


Thank you so much!

Hoa Tran

pskelley
2007-07-28, 05:07
Welcome to Safer Networking. I wish to be sure you have viewed and understand this information:
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

The items you mention sound like cookies to me. If Spybot S&D is finding them, make sure your version is up to date and that you are fully immunized. Run Spybot according to the instructions in the information I posted.

Now having said that, you have a Vundo infection and it is a bit more serious. Read and follow the instructions:

Thanks to Atribune and any others who helped with this fix.

Please understand these hackers can call their junk anything they wish. VundoFix may not know the files at first, but it will learn. You want to run the fix until you see all Vundo files say: "Has been deleted"

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HijackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

If there is a file VundoFix doesn't find, we need it submitted. Please submit the files to Upload Malware: http://www.uploadmalware.com

Thanks
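As an added illustration (not part of this thread or of any tool named in it), the script below shows what the Vundo diagnosis above rests on when you read the HijackThis log mechanically: O2 BHOs registered with "(no name)", loading from random-looking DLLs dropped straight into system32, and the same DLL also hooked in as an O20 Winlogon Notify package. The sample lines are copied from the log posted earlier in the thread; the "seven lowercase letters in system32" naming heuristic is an assumption drawn from the file names in that log, not a general rule.

```python
"""Triage helper for HijackThis-style logs (added example, not from the thread).

Flags the pattern behind the Vundo diagnosis in this thread: Browser Helper
Objects registered with no name, loading from random-looking DLLs dropped
directly into system32, and the same DLL registered as a Winlogon Notify
package (which makes winlogon.exe load it as well). The naming heuristic is
an assumption drawn from this log's file names only.
"""
import re
from collections import defaultdict

# Constructed sample: a handful of lines copied from the HijackThis log above.
SAMPLE_LOG = """\
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\\Program Files\\Yahoo!\\Companion\\Installs\\cpn1\\yt.dll
O2 - BHO: (no name) - {2d14fd7f-a599-4f6e-a13f-5796b4e60a95} - C:\\WINDOWS\\system32\\dpghnla.dll
O2 - BHO: (no name) - {3964D8D6-86D0-493A-B460-A805B5401114} - C:\\WINDOWS\\system32\\ddcdbcc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O20 - Winlogon Notify: ddcdbcc - C:\\WINDOWS\\SYSTEM32\\ddcdbcc.dll
O23 - Service: avast! Antivirus - ALWIL Software - C:\\Program Files\\Alwil Software\\Avast4\\ashServ.exe
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
# Assumed heuristic: the dropped DLLs in this log (dpghnla, ddcdbcc, ssqppmk, ...)
# are all seven lowercase letters with no vendor prefix, sitting directly in system32.
RANDOM_SYS32_DLL = re.compile(r"^c:\\windows\\system32\\[a-z]{7}\.dll$")


def parse(log_text):
    """Return ({path: [BHO names]}, {path: [notify keys]}), keyed by lowercased path."""
    bhos, notifies = defaultdict(list), defaultdict(list)
    for line in log_text.splitlines():
        line = line.strip()
        if m := BHO_RE.match(line):
            bhos[m["path"].lower()].append(m["name"])
        elif m := NOTIFY_RE.match(line):
            notifies[m["path"].lower()].append(m["key"])
    return bhos, notifies


def triage(log_text):
    """Map each suspicious DLL path (lowercased) to the list of reasons it was flagged."""
    bhos, notifies = parse(log_text)
    findings = defaultdict(list)
    for path, names in bhos.items():
        if "(no name)" in names:
            findings[path].append("BHO registered without a name")
        if RANDOM_SYS32_DLL.match(path):
            findings[path].append("random 7-letter DLL name directly in system32")
        if path in notifies:
            findings[path].append("same DLL is a Winlogon Notify package (loads into winlogon.exe)")
    for path in notifies:
        # A random-named Notify DLL is suspicious even without a matching BHO.
        if path not in bhos and RANDOM_SYS32_DLL.match(path):
            findings[path].append("random-named Winlogon Notify DLL with no matching BHO")
    return dict(findings)


def severity(reasons):
    """Rough ordering: a BHO that is also a Winlogon Notify handler is the strongest signal."""
    if any("Winlogon Notify" in r for r in reasons):
        return "high"
    return "medium" if len(reasons) >= 2 else "low"


if __name__ == "__main__":
    for path, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(f"[{severity(reasons)}] {path}")
        for r in reasons:
            print(f"    - {r}")
```

Run against the full log, the two DLLs this flags are exactly the ones ComboFix lists as created minutes apart on 2007-07-25 together with the other 31,254-byte siblings, which is the cross-check a helper makes before prescribing VundoFix.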

tashi
2007-08-04, 01:19
Due to lack of a response to the helper, this topic has been archived.

If you need it re-opened, please send me a private message (PM) and provide a link to the thread. This applies only to the original poster; anyone else with similar problems, please start a new topic.