Can't remove the Virtumonde



elmoisevil
2007-09-26, 11:58
I've had this virus for about four days. When I first got it, it loaded my computer with viruses, spyware and tracking cookies. I first realised it when Explorer crashed (this was the first time it crashed in the computer's history); then the computer lagged and other stuff happened. I had run all of my spyware and my anti-virus and they all detected viruses. I reacted by deleting all infected files, running CCleaner, disconnecting the computer from my network and running all my defences. But after all that I kept on getting the Virtumonde virus come up, but this was only on SS&D. I have run SS&D about 7 times and each time it has come up with Virtumonde with one or three traces.




Virtumonde: User settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-152049171-854245398-1005\Software\Microsoft\rdfa

Virtumonde: Settings (Registry key, nothing done)
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws

Virtumonde: Settings (Registry key, nothing done)
HKEY_USERS\S-1-5-21-602162358-152049171-854245398-1005\Software\Microsoft\aldd


--- Spybot - Search & Destroy version: 1.4 (build: 20050523) ---

2005-05-31 blindman.exe (1.0.0.1)
2005-05-31 SpybotSD.exe (1.4.0.3)
2005-05-31 TeaTimer.exe (1.4.0.2)
2006-11-13 unins000.exe (51.41.0.0)
2005-05-31 Update.exe (1.4.0.0)
2007-05-23 advcheck.dll (1.5.3.0)
2005-05-31 aports.dll (2.1.0.0)
2005-05-31 borlndmm.dll (7.0.4.453)
2005-05-31 delphimm.dll (7.0.4.453)
2005-05-31 SDHelper.dll (1.4.0.0)
2007-07-31 Tools.dll (2.1.2.0)
2005-05-31 UnzDll.dll (1.73.1.1)
2005-05-31 ZipDll.dll (1.73.2.0)
2007-09-12 Includes\Cookies.sbi (*)
2007-07-25 Includes\Dialer.sbi (*)
2007-09-12 Includes\DialerC.sbi (*)
2007-08-29 Includes\Hijackers.sbi (*)
2007-09-12 Includes\HijackersC.sbi (*)
2007-07-25 Includes\Keyloggers.sbi (*)
2007-09-12 Includes\KeyloggersC.sbi (*)
2007-09-12 Includes\Malware.sbi (*)
2007-09-12 Includes\MalwareC.sbi (*)
2007-09-05 Includes\PUPS.sbi (*)
2007-09-12 Includes\PUPSC.sbi (*)
2007-09-12 Includes\Revision.sbi (*)
2007-05-30 Includes\Security.sbi (*)
2007-09-12 Includes\SecurityC.sbi (*)
2007-09-12 Includes\Spybots.sbi (*)
2007-09-12 Includes\SpybotsC.sbi (*)
2007-08-21 Includes\Tracks.uti
2007-09-12 Includes\Trojans.sbi (*)
2007-09-12 Includes\TrojansC.sbi (*)
2007-06-06 Plugins\TCPIPAddress.dll

Any help would do.

Markka
2007-09-26, 15:26
Hello :)


Click here (http://www.trendsecure.com/portal/en-US/threat_analytics/HJTInstall.exe) to download HijackThis and save it to your desktop.
Double-click on HJTInstall.exe to run it.
HJTInstall.exe will install HijackThis to C:\Program Files\Trend Micro\HijackThis.
Click Install.
HJTInstall.exe will create an icon on your desktop.
When the installation is ready, it will start HijackThis.
When HijackThis is opened, click Do a system scan and save a logfile.
Post the HijackThis log here.
Do not fix anything with HijackThis until I tell you to!

elmoisevil
2007-09-27, 05:54
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:16 PM, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mozilla firefox
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ydhixebl.dll",sitypnow
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6391 bytes

Markka
2007-09-27, 20:38
Hello :)

Rename HijackThis.exe to Scanner.exe by doing the following:

Navigate to C:\Program Files\Trend Micro\HijackThis
Right-click on HijackThis.exe
Choose "Rename" from the pull-down menu
And now rename HijackThis.exe to Scanner.exe
When you've renamed HijackThis, open it.
Take a fresh HijackThis log (Do a system scan and save a log file)
Post the fresh HijackThis log here.

elmoisevil
2007-09-28, 05:22
Hi,
I've got the system scan.
Thanks for helping me.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:20:11 PM, on 28/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\QuickTime\QuickTimePlayer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\Trend Micro\HijackThis\scanner.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mozilla firefox
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {15E9FB1E-A19F-4746-851B-F67FE1A3AC58} - C:\WINDOWS\system32\urqqo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\khffgfc.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ydhixebl.dll",sitypnow
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O20 - Winlogon Notify: khffgfc - C:\WINDOWS\SYSTEM32\khffgfc.dll
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 7251 bytes
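
The second log above differs from the first in exactly the entry types a Vundo-style infection touches: O2 BHOs with no name loaded from system32, an O4 Run value that starts rundll32 on a DLL in system32, and O20 Winlogon Notify packages (one of them the same khffgfc.dll that is also registered as a BHO). The following Python script is an added example, not code from this thread, from HijackThis or from Spybot: it parses HijackThis entry lines and applies three defender-side heuristics (unnamed BHO on disk, non-default Winlogon Notify package, one DLL registered under several load points) plus a lower-severity "review" flag for rundll32 loads from system32. The heuristics and the allowlist of Windows XP default Winlogon Notify packages are this example's own assumptions, and the sample input is excerpted from the log posted above.

```python
import re
from collections import defaultdict

# Excerpt of the HijackThis log posted above (the thread's own lines, not
# constructed); only the entry types the heuristics read are kept.
HJT_LOG = r"""
O2 - BHO: (no name) - {15E9FB1E-A19F-4746-851B-F67FE1A3AC58} - C:\WINDOWS\system32\urqqo.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {837B45D6-BF85-457D-AABF-6D2E7815F791} - C:\WINDOWS\system32\khffgfc.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ydhixebl.dll",sitypnow
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O20 - Winlogon Notify: khffgfc - C:\WINDOWS\SYSTEM32\khffgfc.dll
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
"""

# Winlogon Notify packages that ship with Windows XP. Assumption: this allowlist
# is the example's own, not a HijackThis list; anything else deserves a look.
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop",
                     "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon"}

ENTRY_RE = re.compile(r"^(?P<type>[RO]\d+) - (?P<body>.+)$")
# Either a full path ending in .dll or a bare "name.dll" (as in "(file missing)" entries)
DLL_RE = re.compile(r'([A-Za-z]:\\[^",]+?\.dll|\b[\w.]+\.dll)', re.IGNORECASE)


def parse_hjt(text):
    """Return (type, body) for every HijackThis entry line, skipping headers and process lists."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group("type"), m.group("body")))
    return entries


def dll_of(body):
    m = DLL_RE.search(body)
    return m.group(1) if m else None


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Apply the heuristics; returns findings as (severity, dll basename, reason)."""
    seen = defaultdict(set)  # dll basename -> set of entry types it is registered under
    findings = []
    for etype, body in parse_hjt(text):
        dll = dll_of(body)
        if dll:
            seen[basename(dll)].add(etype)
        if etype == "O2" and body.startswith("BHO: (no name)") and dll:
            findings.append(("high", basename(dll), "unnamed BHO loaded from disk"))
        elif etype == "O20" and body.startswith("Winlogon Notify:"):
            pkg = body.split(":", 1)[1].split(" - ", 1)[0].strip().lower()
            if pkg not in XP_DEFAULT_NOTIFY:
                reason = "non-default Winlogon Notify package"
                if "(file missing)" in body:
                    reason += " (file missing: orphaned registration)"
                findings.append(("high", basename(dll) if dll else pkg, reason))
        elif etype == "O4" and "rundll32" in body.lower() and dll and "\\system32\\" in dll.lower():
            # rundll32 is a legitimate loader (NvCpl.dll here), so this is review-only
            findings.append(("review", basename(dll), "rundll32 loading a DLL from system32 at logon"))
    # Cross-reference: one DLL hooked into several load points is the strongest signal
    for name, types in seen.items():
        if len(types) > 1:
            findings.append(("high", name, "same DLL registered under " + ", ".join(sorted(types))))
    return findings


if __name__ == "__main__":
    for severity, name, reason in triage(HJT_LOG):
        print(f"[{severity:6}] {name}: {reason}")
```

Run against the excerpt, the script flags urqqo.dll and khffgfc.dll as unnamed BHOs, khffgfc.dll and winemx32.dll as non-default Winlogon Notify packages, khffgfc.dll again for being registered under both O2 and O20, and lists NvCpl.dll and ydhixebl.dll for review; SDHelper.dll and ssv.dll produce nothing. The "review" tier exists because the rundll32 pattern alone cannot separate the NVIDIA control-panel DLL from the one VundoFix later removed.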

Markka
2007-09-29, 09:21
Hello :)

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

elmoisevil
2007-09-29, 10:18
hi
My computer is in a loop. It's trying to remove the file but it needs to reset, so when I reset it starts up with VundoFix and I follow the instructions and it repeats itself.

The only file left on VundoFix is:
C:\windows\system32\khffgfc.dll

Markka
2007-09-29, 10:46
Hi,

Please post these logs: the contents of C:\vundofix.txt and a new HijackThis log. :bigthumb:

elmoisevil
2007-09-29, 11:21
I've got the logs you want.

Here is the only thing detected by VundoFix:
C:\windows\system32\khffgfc.dll




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:15:41 PM, on 29/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Documents and Settings\Sean Stuf\Desktop\VundoFix.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mozilla firefox
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6294 bytes

elmoisevil
2007-09-29, 11:26
Sorry, it took a while to find the log.

VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 2:41:20 PM 13/11/2006

Listing files found while scanning....


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 4:48:04 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\drvgaxr.dll
C:\windows\system32\fcccdeb.dll
C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\lbexihdy.ini
C:\WINDOWS\system32\ydhixebl.dll

Beginning removal...

Attempting to delete C:\windows\system32\drvgaxr.dll
C:\windows\system32\drvgaxr.dll Has been deleted!

Attempting to delete C:\windows\system32\fcccdeb.dll
C:\windows\system32\fcccdeb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\khffgfc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lbexihdy.ini
C:\WINDOWS\system32\lbexihdy.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ydhixebl.dll
C:\WINDOWS\system32\ydhixebl.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:00:05 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:04:53 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:22:34 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 6:07:54 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

elmoisevil
2007-09-29, 11:36
I saw the thing about the Java and I have already uninstalled them.

Markka
2007-09-29, 19:44
Hello :)

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, right-click inside the listbox (white box) and click Add more files.
Copy and paste the 1 entry below into the top box:

C:\windows\system32\khffgfc.dll

Click Add Files and then click Close Window.
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will shutdown your computer, click OK.
Turn your computer back on.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

elmoisevil
2007-09-30, 06:13
Hi,
It's taken longer than I thought.


VundoFix V6.1.6

Checking Java version...

Java version is 1.5.0.3

Java version is 1.5.0.6

Scan started at 2:41:20 PM 13/11/2006

Listing files found while scanning....


VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 4:48:04 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\drvgaxr.dll
C:\windows\system32\fcccdeb.dll
C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\lbexihdy.ini
C:\WINDOWS\system32\ydhixebl.dll

Beginning removal...

Attempting to delete C:\windows\system32\drvgaxr.dll
C:\windows\system32\drvgaxr.dll Has been deleted!

Attempting to delete C:\windows\system32\fcccdeb.dll
C:\windows\system32\fcccdeb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\khffgfc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\lbexihdy.ini
C:\WINDOWS\system32\lbexihdy.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ydhixebl.dll
C:\WINDOWS\system32\ydhixebl.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:00:05 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:04:53 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 5:22:34 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 6:07:54 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:43:17 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 6:50:06 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 7:17:36 PM 29/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Beginning removal...

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 12:48:08 PM 30/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Scan started at 12:50:57 PM 30/09/2007

Listing files found while scanning....

C:\windows\system32\khffgfc.dll

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Attempting to delete C:\windows\system32\khffgfc.dll
C:\windows\system32\khffgfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:11:05 PM, on 30/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = mozilla firefox
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 5871 bytes

Markka
2007-09-30, 20:40
Hello :)

Disable TeaTimer:

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Uncheck "Resident TeaTimer" and OK any prompts
5) Restart your computer.
______________

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall!
__________________

Open HijackThis, click "Do a system scan only" and checkmark these. Then close all other windows except HijackThis and press "Fix checked".


R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
_______________

Please download ATF-cleaner (http://www.atribune.org/ccount/click.php?id=1) and save it to your desktop.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

If you use Firefox browser:

Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser:

Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.

Click Exit on the Main menu to close the program.
____________________

Kaspersky online scanner works only with Internet Explorer!

Please run an online scanner with Kaspersky Online Scanner (http://www.kaspersky.com/downloads/kws/kavwebscan.html). You will be prompted to install an ActiveX component from Kaspersky; click Yes.
The program will launch and then start to download the latest definition files.
Once the scanner is installed and the definitions downloaded, click Next.
Now click on Scan Settings
In the scan settings make sure that the following are selected:

- Scan using the following Anti-Virus database:
  - Extended (if available, otherwise Standard)
- Scan Options:
  - Scan Archives
  - Scan Mail Bases

Click OK
Now under "Select a target to scan" select My Computer.
The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
Now click on the Save as Text button
Save the file to your desktop.
Copy and paste that information in your next post.
____________________

Post:
- A fresh HijackThis log
- Contents of C:\ComboFix.txt
- Kaspersky's report
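
The HijackThis step above (pick out the entries whose file is gone, then "Fix checked") can be scripted for triage. This is an added example, not part of the original thread and not HijackThis's own code: it parses the "Rn - ..." / "On - ..." entry lines of a HijackThis 2.0 log, flags entries marked "(no file)" or "(file missing)" and every O20 Winlogon Notify entry, and returns the list to checkmark. The sample log is a constructed subset of the lines posted in this thread.

```python
"""Triage a HijackThis log for entries a helper would ask to have fixed.

Added example (not part of the original thread, and not HijackThis code).
Parses the "Rn - ..." / "On - ..." entry lines of a HijackThis 2.0 log,
flags entries whose referenced file is gone ("(no file)" / "(file missing)")
and every O20 Winlogon Notify entry, and builds the "Fix checked" list in the
form used in the reply above.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

# Constructed sample: a subset of the entry lines posted in this thread.
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\System32\smss.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {14043F22-D133-4751-BE0A-7C27B5262C4F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 6149 bytes
"""

# Every HijackThis entry line starts with a section code such as R0, O2, O20, O23.
ENTRY_RE = re.compile(r"^(?P<section>[RFNO]\d+) - (?P<body>.+)$")
# HijackThis appends one of these when the referenced file does not exist on disk.
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    section: str
    line: str    # the entry exactly as HijackThis printed it
    reason: str


def parse_entries(log: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (section, body, full_line) for each entry line; skip headers and process lists."""
    for raw in log.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            yield m.group("section"), m.group("body"), line


def classify(section: str, body: str) -> Optional[str]:
    """Return why an entry deserves attention, or None if it looks routine."""
    orphan = body.endswith(ORPHAN_MARKERS)
    if section == "O20":
        # Winlogon Notify DLLs are loaded by winlogon.exe at logon, a location
        # commonly abused for persistence, so every O20 entry gets a look.
        reason = "Winlogon Notify DLL loaded at logon; confirm it is legitimate"
        return reason + " (file already gone: orphaned entry)" if orphan else reason
    if orphan:
        return "referenced file no longer exists; leftover entry from an earlier removal"
    return None


def triage(log: str) -> List[Finding]:
    """Run classify() over every entry and collect the findings in log order."""
    return [
        Finding(section, line, reason)
        for section, body, line in parse_entries(log)
        if (reason := classify(section, body)) is not None
    ]


def fix_list(log: str) -> List[str]:
    """Lines to checkmark in HijackThis ("Do a system scan only", then "Fix checked")."""
    return [f.line for f in triage(log)]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```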

elmoisevil
2007-10-01, 12:07
I've got the scan reports you wanted, but they wouldn't fit into a single reply and I am short of time, so I made a Word doc with all the info in the report.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:58:23 PM, on 1/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
O2 - BHO: (no name) - {14043F22-D133-4751-BE0A-7C27B5262C4F} - (no file)
O2 - BHO: (no name) - {302E68B6-1226-45F0-9047-CBA6808EF844} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3} - (no file)
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6149 bytes

ComboFix 07-09-21.2 - "Sean Stuf" 2007-10-01 15:00:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT 10:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\nulidqzq
C:\Program Files\nulidqzq\favylinw.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe.bak
C:\Program Files\video access activex object
C:\WINDOWS\system32\bupncxrg.exe
C:\WINDOWS\system32\fogqyujx.ini
C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\majshbbo.exe
C:\WINDOWS\system32\urqqo.dll
C:\WINDOWS\system32\xjuyqgof.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
.

2007-10-01 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 17:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-26 17:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-25 15:06 84,032 --a------ C:\WINDOWS\system32\ydhixebl.dll
2007-09-23 10:25 714,027 --ahs---- C:\WINDOWS\system32\oqqru.bak2
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-09-22 12:55 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-09-22 12:55 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-09-22 12:55 15,872 --a--c--- C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-09-22 12:55 10,240 --a--c--- C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-09-22 12:28 <DIR> d-------- C:\Program Files\Ancient Conquest
2007-09-22 11:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YoYoGames
2007-09-22 11:51 6,448 --ahs---- C:\WINDOWS\system32\oqqru.bak1
2007-09-18 20:25 <DIR> d-------- C:\Program Files\Game_Maker7
2007-09-07 20:15 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 22:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-26 17:19 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Lavasoft
2007-09-26 17:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-20 17:50 --------- d-------- C:\Program Files\Game_Maker6
2007-09-17 17:27 --------- d-------- C:\Program Files\Flash Saver
2007-09-17 17:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-17 16:47 --------- d-------- C:\Program Files\WinAce
2007-09-16 13:13 --------- d-------- C:\Program Files\Google
2007-09-16 10:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-15 09:45 --------- d-------- C:\Program Files\themexp
2007-08-31 19:33 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Google
2007-08-29 19:55 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Seven Zip
2007-08-29 19:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-08-26 11:21 32768 --a------ C:\WINDOWS\system32\1stscrhook.dll
2007-08-14 23:16 --------- d-------- C:\Program Files\decomp
2007-08-11 15:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Protexis
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14043F22-D133-4751-BE0A-7C27B5262C4F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{302E68B6-1226-45F0-9047-CBA6808EF844}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64B94229-7967-860A-A0C2-034C02BA876B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
"SoundMan"="SOUNDMAN.EXE" []
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2005-10-27 15:55]
"CaAvTray"="C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe" [2005-10-27 15:55]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-13 15:06]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-14 02:24]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemx32]
winemx32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\ahead\InCD\InCD.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b69e00e0-97b8-11da-8974-0030180bfa08}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \Launch_seminar_series_menu.htm

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-01 15:52:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-01 15:55:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-01 15:55
.
--- E O F ---

elmoisevil
2007-10-01, 12:08
ComboFix 07-09-21.2 - "Sean Stuf" 2007-10-01 15:00:18.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.223 [GMT 10:00]
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Program Files\nulidqzq
C:\Program Files\nulidqzq\favylinw.dll
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe.bak
C:\Program Files\video access activex object
C:\WINDOWS\system32\bupncxrg.exe
C:\WINDOWS\system32\fogqyujx.ini
C:\WINDOWS\system32\khffgfc.dll
C:\WINDOWS\system32\majshbbo.exe
C:\WINDOWS\system32\urqqo.dll
C:\WINDOWS\system32\xjuyqgof.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2007-09-01 to 2007-10-01 )))))))))))))))))))))))))))))))
.

2007-10-01 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 17:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-26 17:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-09-25 15:06 84,032 --a------ C:\WINDOWS\system32\ydhixebl.dll
2007-09-23 10:25 714,027 --ahs---- C:\WINDOWS\system32\oqqru.bak2
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-09-22 12:55 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-09-22 12:55 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-09-22 12:55 15,872 --a--c--- C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-09-22 12:55 10,240 --a--c--- C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-09-22 12:28 <DIR> d-------- C:\Program Files\Ancient Conquest
2007-09-22 11:59 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\YoYoGames
2007-09-22 11:51 6,448 --ahs---- C:\WINDOWS\system32\oqqru.bak1
2007-09-18 20:25 <DIR> d-------- C:\Program Files\Game_Maker7
2007-09-07 20:15 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 22:10 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-09-26 17:19 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Lavasoft
2007-09-26 17:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-20 17:50 --------- d-------- C:\Program Files\Game_Maker6
2007-09-17 17:27 --------- d-------- C:\Program Files\Flash Saver
2007-09-17 17:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-17 16:47 --------- d-------- C:\Program Files\WinAce
2007-09-16 13:13 --------- d-------- C:\Program Files\Google
2007-09-16 10:56 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-09-15 09:45 --------- d-------- C:\Program Files\themexp
2007-08-31 19:33 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Google
2007-08-29 19:55 --------- d-------- C:\DOCUME~1\SEANST~1\APPLIC~1\Seven Zip
2007-08-29 19:17 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-08-26 11:21 32768 --a------ C:\WINDOWS\system32\1stscrhook.dll
2007-08-14 23:16 --------- d-------- C:\Program Files\decomp
2007-08-11 15:30 --------- d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Protexis
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{14043F22-D133-4751-BE0A-7C27B5262C4F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{302E68B6-1226-45F0-9047-CBA6808EF844}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{64B94229-7967-860A-A0C2-034C02BA876B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
"SoundMan"="SOUNDMAN.EXE" []
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2005-10-27 15:55]
"CaAvTray"="C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe" [2005-10-27 15:55]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-13 15:06]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-14 02:24]

C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winemx32]
winemx32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\ahead\InCD\InCD.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b69e00e0-97b8-11da-8974-0030180bfa08}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \Launch_seminar_series_menu.htm

.
**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-01 15:52:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-01 15:55:35 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-01 15:55
.
--- E O F ---

elmoisevil
2007-10-01, 12:10
C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR4F.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR51.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR53.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR55.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR57.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR59.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR5B.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR5D.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\MSN Messenger\820966976\Winks3\TFR5F.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Access10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\adhoc.rcd Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Excel10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\fbcF.tmp Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\FP10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Graph10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Imagin10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO1025.acl Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO1033.acl Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO2057.acl Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSO3081.acl Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\MSOut10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Organi10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\PowerP10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 12 April.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 12 March.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 17 April.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 19 March.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 2 April.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 26 Feb.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 27 March.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 5 March.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Application 9 April.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Budget.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Business Relations.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Cashflow(1).xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Cashflow.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\CSI3KMC7.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Dixon.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\files on www.timmys.com.au.url Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\flightcosts.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Gianni.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\goodkarma[1].pps.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\index.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\jobdoc on www.jobs.qld.gov.au.url Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\JuniorOfficePerson.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\JuniorTraineeDixon.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Letterhead.bmp.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\MASTERApplication.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\menu.doc.url Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\My Documents.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\My Pictures.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\OfficeJuniorCBDlawfirm1.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\OfficeJuniorCBDlawfirm2.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\OfficeJuniorNorthside.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\OfficeJuniorSouthside.doc.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\ProjectedBudget13.11.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\RiskAnalysis(1).xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\RiskAnalysis-AV.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Savings.xls.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Sean's Documents.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\sgpapi8-ZNPLUE-1168572210584.gif.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Sponsorship.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Stories.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\test.jpg.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Travel.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Recent\Work&Finance.LNK Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Scanni10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\VB10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Word10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Office\Wordma10.pip Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Outlook\outcmd.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Outlook\Outlook.FAV Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Outlook\Outlook.NK2 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Outlook\Outlook.srs Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\PowerPoint\PPT10.pcb Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Proof\CUSTOM.DIC Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\CREDHIST Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\03a1bd72-09d5-4814-b5f1-827abc828b00 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\1187cb48-7f2a-4b6d-ad23-0598d3008a55 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\683cf20a-9a49-481b-80a3-14e2daf759fb Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\95177035-227e-43dd-84ed-2469781094e4 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\b92b3240-8325-4c71-9ecb-96e54f970397 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\cf8a0bac-fc8a-48ea-b387-9ef2022ff3e7 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\d0ba8dc1-70b9-4a1d-9577-48eaadace90a Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\d9c83579-cd03-490f-abcb-08b90b78f802 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\e4231594-8d90-43e5-9373-07e099f10996 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\effc1a67-1d68-4d03-98b1-78f7bd23b928 Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Protect\S-1-5-21-602162358-152049171-854245398-1003\Preferred Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Signatures\Jessica.htm Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Speech\Files\UserLexicons\SP_ED05823CA7FF430EB1C5758C6FCE1502.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Templates\Normal.dot Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Themes\copy-of-cypress2\copy-of-cypress2.elm Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Themes\copy-of-cypress2\copy-of-cypress2.inf Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Themes\themes.inf Object is locked skipped

C:\Documents and Settings\user\Application Data\Microsoft\Windows\Themes\Custom.theme Object is locked skipped

C:\Documents and Settings\user\Application Data\MSN6\msndata.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\eskin\empty_bg_st.htm Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\eskin\FileManager.txt Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\SpamBlockerUtility.log Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\1065003.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\2208948.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\3786236.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\830364.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\890068.sdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\ASPL1.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\domains.txt Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\hstat\3520.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\13546 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\15162 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\251438 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\25469 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\27503 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\29297 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\34186 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\35047 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\4382 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\45833 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\45837 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\61779 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\61837 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\64517 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\73840 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\90358 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\94407 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\TooltipXML\99795 Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\dynamic\ustat\3520.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\ads.cdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\btntrans.idx Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\btntrans1.dat Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\business_promo.htm Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\buttondir.txt Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\components.cdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\default.cdf Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz1.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz10.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz11.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz12.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz13.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz14.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz15.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz16.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz17.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz18.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz19.mnu Object is locked skipped

C:\Documents and Settings\user\Application Data\SpamBlockerUtility\v3.0\SpamBlockerUtility\static\1\Default_bidz2.mnu Object is locked skipped

elmoisevil
2007-10-01, 12:14
Sorry, skip that last one.
I don't know how to send you the other online AV scanner thing; it's over 2 million characters.

Markka
2007-10-01, 16:55
Hello :)

Open HijackThis, click Do a system scan only, and checkmark these. Then close all other windows except HijackThis and press Fix checked.

O2 - BHO: (no name) - {14043F22-D133-4751-BE0A-7C27B5262C4F} - (no file)
O2 - BHO: (no name) - {302E68B6-1226-45F0-9047-CBA6808EF844} - (no file)
O2 - BHO: (no name) - {64B94229-7967-860A-A0C2-034C02BA876B} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {BCBC0F4A-70DD-434E-BC90-2FBDB048BAB3} - (no file)
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
__________________

Open Notepad and copy/paste the text in the quote box below into it:



File::
C:\WINDOWS\system32\ydhixebl.dll
C:\WINDOWS\system32\oqqru.bak1
C:\WINDOWS\system32\oqqru.bak2



Save this as CFScript.txt

Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again.
_________________

Let's forget the Kaspersky online scanner and replace it with Dr.Web CureIt:

Please Download Dr.Web CureIt (ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe) and save it to your desktop.

Run a scan with Dr.Web CureIt: double-click the drweb-cureit.exe file and allow it to run the express scan.
This will scan the files currently running in memory, and when something is found, click the Yes button when it asks you if you want to cure it. This is only a short scan.
Once the short scan has finished, mark the drives that you want to scan.
Select all drives. A red dot shows which drives have been chosen.
Click the green arrow at the right, and the scan will start.
Click 'Yes to all' if it asks if you want to cure/move the file.

When the scan has finished, check whether you can click the following icon next to the files found: http://users.telenet.be/bluepatchy/miekiemoes/images/check.gif
If so, click it, then click the next icon right below and select Move incurable.
After the scan, in the menu, click File and choose Save report list.
Save the report to your desktop. The report will be called DrWeb.csv.
Close Dr.Web CureIt.
______________

Post:
- A fresh HijackThis log
- Logfile of ComboFix
- Report of Dr.Web Cureit
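
The triage Markka is doing by eye above (orphaned BHO and Winlogon Notify entries in the HijackThis log, cross-checked against the CLSIDs ComboFix lists under Browser Helper Objects), written out as an added Python example. This is not code from the thread, HijackThis, ComboFix or Spybot; the sample lines are copied from the logs posted in this thread, and the function names and flagging heuristics are this example's own.

```python
"""Triage HijackThis log lines and cross-check BHO CLSIDs against a ComboFix
'Reg Loading Points' section. Added example for this thread; not HijackThis,
ComboFix or Spybot code. Helper names and heuristics are this example's own."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Constructed sample: a handful of lines from the HijackThis log posted in this thread.
HJT_SAMPLE = """\
O2 - BHO: (no name) - {14043F22-D133-4751-BE0A-7C27B5262C4F} - (no file)
O2 - BHO: (no name) - {302E68B6-1226-45F0-9047-CBA6808EF844} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\\Program Files\\Messenger\\msmsgs.exe
O20 - Winlogon Notify: winemx32 - winemx32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# Constructed sample: BHO keys from the ComboFix 'Reg Loading Points' section posted above.
COMBOFIX_SAMPLE = """\
[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{14043F22-D133-4751-BE0A-7C27B5262C4F}]

[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{302E68B6-1226-45F0-9047-CBA6808EF844}]

[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{64B94229-7967-860A-A0C2-034C02BA876B}]
"""

LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BHO_KEY_RE = re.compile(r"Browser Helper Objects\\(\{[0-9A-Fa-f-]+\})\]")


@dataclass
class Entry:
    section: str            # HijackThis section, e.g. "O2", "O20"
    kind: str               # "BHO", "Winlogon Notify", "Service", ...
    detail: str             # remainder of the line after "kind:"
    clsid: Optional[str]    # first CLSID on the line, upper-cased, if any
    reasons: List[str] = field(default_factory=list)


def parse_hjt_line(line: str) -> Optional[Entry]:
    """Split one HijackThis line into section, kind and detail; None if not a log line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, kind, detail = m.groups()
    c = CLSID_RE.search(detail)
    return Entry(section, kind, detail, c.group(0).upper() if c else None)


def triage_reasons(e: Entry) -> List[str]:
    """Heuristics a helper applies when reading a log: loaders whose file is gone
    and DLLs loaded at logon deserve a second look; a named, present service does not."""
    reasons = []
    if "(no file)" in e.detail or "(file missing)" in e.detail:
        reasons.append("loader points at a file that no longer exists")
    if e.section == "O2" and e.detail.startswith("(no name)"):
        reasons.append("BHO registered without a display name")
    if e.section == "O20":
        reasons.append("Winlogon Notify DLL is loaded into winlogon.exe at every logon")
    return reasons


def triage(log_text: str) -> List[Entry]:
    """Return only the entries that trip at least one heuristic, in log order."""
    flagged = []
    for raw in log_text.splitlines():
        e = parse_hjt_line(raw)
        if e is None:
            continue
        e.reasons = triage_reasons(e)
        if e.reasons:
            flagged.append(e)
    return flagged


def combofix_bho_clsids(text: str) -> Set[str]:
    """CLSIDs listed under Browser Helper Objects in a ComboFix log."""
    return {m.group(1).upper() for m in BHO_KEY_RE.finditer(text)}


def cross_reference(hjt_text: str, combofix_text: str) -> Tuple[List[str], List[str]]:
    """Which flagged HijackThis BHO CLSIDs does ComboFix also report in the registry?
    Returns (seen_by_both, hijackthis_only), each sorted."""
    hjt = {e.clsid for e in triage(hjt_text) if e.section == "O2" and e.clsid}
    cf = combofix_bho_clsids(combofix_text)
    return sorted(hjt & cf), sorted(hjt - cf)


if __name__ == "__main__":
    for e in triage(HJT_SAMPLE):
        print(f"{e.section:<4} {e.kind:<16} {e.detail}")
        for r in e.reasons:
            print(f"       - {r}")
    both, hjt_only = cross_reference(HJT_SAMPLE, COMBOFIX_SAMPLE)
    print("BHO CLSIDs in both logs:", both)
    print("BHO CLSIDs only in HijackThis:", hjt_only)
```

The script only reads log text; it never touches the registry, so it is safe to run on any pasted log. On the sample it flags exactly the three O2 lines and the O20 line, while the O9 and O23 lines pass, which matches the entries Markka ticked for Fix checked. The cross-reference also shows that two of the sampled CLSIDs appear in ComboFix's Browser Helper Objects list while {7E853D72-...} does not, which is the sort of discrepancy worth noting when comparing two tools' views of the same machine.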

elmoisevil
2007-10-02, 06:49
I've got what you wanted.

ComboFix 07-10-02.2 - Sean Stuf 2007-10-02 13:29:14.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.276 [GMT 10:00]
Running from: C:\Documents and Settings\Sean Stuf\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Sean Stuf\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ydhixebl.dll
C:\WINDOWS\system32\oqqru.bak1
C:\WINDOWS\system32\oqqru.bak2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\oqqru.bak1
C:\WINDOWS\system32\oqqru.bak2
C:\WINDOWS\system32\ydhixebl.dll

.
((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-02 10:28 <DIR> d-------- C:\Documents and Settings\Sean Stuf\DoctorWeb
2007-10-01 16:05 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-10-01 16:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-10-01 10:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-27 12:52 <DIR> d-------- C:\Program Files\Trend Micro
2007-09-26 17:20 <DIR> d-------- C:\Program Files\Lavasoft
2007-09-26 17:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smimsgif.dll
2007-09-22 12:55 5,632 --a--c--- C:\WINDOWS\system32\dllcache\smierrsy.dll
2007-09-22 12:55 18,944 --a--c--- C:\WINDOWS\system32\dllcache\simptcp.dll
2007-09-22 12:55 18,944 --a------ C:\WINDOWS\system32\simptcp.dll
2007-09-22 12:55 15,872 --a--c--- C:\WINDOWS\system32\dllcache\smierrsm.dll
2007-09-22 12:55 10,240 --a--c--- C:\WINDOWS\system32\dllcache\snmpstup.dll
2007-09-22 12:28 <DIR> d-------- C:\Program Files\Ancient Conquest
2007-09-22 11:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\YoYoGames
2007-09-18 20:25 <DIR> d-------- C:\Program Files\Game_Maker7
2007-09-07 20:15 <DIR> d-------- C:\WINDOWS\.jagex_cache_32

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-26 22:10 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-26 17:19 --------- d-------- C:\Documents and Settings\Sean Stuf\Application Data\Lavasoft
2007-09-26 17:18 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-20 17:50 --------- d-------- C:\Program Files\Game_Maker6
2007-09-17 17:27 --------- d-------- C:\Program Files\Flash Saver
2007-09-17 17:23 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-17 16:47 --------- d-------- C:\Program Files\WinAce
2007-09-16 13:13 --------- d-------- C:\Program Files\Google
2007-09-16 10:56 --------- d-------- C:\Documents and Settings\All Users\Application Data\Google
2007-09-15 09:45 --------- d-------- C:\Program Files\themexp
2007-08-31 19:33 --------- d-------- C:\Documents and Settings\Sean Stuf\Application Data\Google
2007-08-29 19:55 --------- d-------- C:\Documents and Settings\Sean Stuf\Application Data\Seven Zip
2007-08-29 19:17 --------- d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-08-26 11:21 32768 --a------ C:\WINDOWS\system32\1stscrhook.dll
2007-08-14 23:16 --------- d-------- C:\Program Files\decomp
2007-08-11 15:30 --------- d-------- C:\Documents and Settings\All Users\Application Data\Protexis
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
.

((((((((((((((((((((((((((((( snapshot_2007-10-01_155421.06 )))))))))))))))))))))))))))))))))))))))))
.
----a-w 135,168 2007-09-27 23:06:08 C:\WINDOWS\catchme.exe
----a-w 135,168 2007-07-11 15:22:00 C:\WINDOWS\system32\java.exe
----a-w 135,168 2007-07-11 15:22:04 C:\WINDOWS\system32\javaw.exe
----a-w 139,264 2007-07-11 16:22:38 C:\WINDOWS\system32\javaws.exe
----a-w 844,800 2007-07-22 08:39:27 C:\WINDOWS\system32\swreg.exe
----a-w 213,048 2005-05-24 01:27:16 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavss.dll
----a-w 94,208 2007-09-07 01:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavuninstall.exe
----a-w 946,176 2007-09-07 01:29:00 C:\WINDOWS\system32\Kaspersky Lab\Kaspersky Online Scanner\kavwebscan.dll
----atw 16,384 2007-10-02 03:35:34 C:\WINDOWS\Temp\Perflib_Perfdata_624.dat
.
----a-w 109,056 2007-07-19 14:47:22 C:\WINDOWS\catchme.exe
----a-w 279,552 2007-07-22 08:39:27 C:\WINDOWS\system32\swreg.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"LVCOMS"="C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE" [2001-09-24 09:39]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2005-04-01 16:16]
"SoundMan"="SOUNDMAN.EXE" []
"CAVRID"="C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe" [2005-10-27 15:55]
"CaAvTray"="C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe" [2005-10-27 15:55]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-07-13 15:06]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" [2004-10-14 02:24]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 04:01:04]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"InCD"=C:\Program Files\ahead\InCD\InCD.exe
"NeroCheck"=C:\WINDOWS\system32\NeroCheck.exe
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"NvMediaCenter"=RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
"nwiz"=nwiz.exe /install
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

R0 BsStor;InCD Storage Helper Driver;C:\WINDOWS\system32\DRIVERS\bsstor.sys
R3 WmBEnum;Logitech Virtual Bus Enumerator Driver;C:\WINDOWS\system32\drivers\WmBEnum.sys
R3 WmXlCore;Logitech WingMan Translation Layer Driver;C:\WINDOWS\system32\drivers\WmXlCore.sys
S1 lusbaudio;Logitech USB Microphone;C:\WINDOWS\system32\drivers\lvsound2.sys
S3 nocashio;nocashio;C:\WINDOWS\system32\drivers\nocashio.sys
S3 QCEmerald;Logitech QuickCam Web(PID_0850);C:\WINDOWS\system32\DRIVERS\LVCE.sys
S3 WmFilter;Logitech WingMan HID Filter Driver;C:\WINDOWS\system32\drivers\WmFilter.sys
S3 WmVirHid;Logitech Virtual Hid Device Driver;C:\WINDOWS\system32\drivers\WmVirHid.sys
S4 BsUDF;InCD UDF Driver;C:\WINDOWS\system32\drivers\BsUDF.sys


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{b69e00e0-97b8-11da-8974-0030180bfa08}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL \Launch_seminar_series_menu.htm

.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 13:39:26
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-02 13:44:02 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 13:43
C:\ComboFix2.txt ... 2007-10-01 15:55
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:46:32 PM, on 2/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6307 bytes

RegUBP2b-Sean Stuf.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
favylinw.dll.vir;C:\qoobox\Quarantine\C\Program Files\nulidqzq;Trojan.DownLoader.33219;Deleted.;
bupncxrg.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
majshbbo.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
A0234642.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP673;Trojan.EzulaAd;Deleted.;
A0240426.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.EzulaAd;Deleted.;
A0240427.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.EzulaAd;Deleted.;
A0240428.dll;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.DownLoader.33219;Deleted.;
A0240474.reg;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP687;Trojan.StartPage.1505;Deleted.;
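As an added example (not part of the original thread or of Dr.Web's own tooling), here is a small Python script that parses the CureIt result lines in the post above and reports where each detection lived. The record layout `<file>;<directory>;<threat name>;<action>;` is inferred from the posted lines, which are embedded verbatim as the sample input; the split into "restore point", "ComboFix quarantine" and "other" is based only on the directory paths, and the `C:\qoobox` quarantine location is assumed from the paths shown.

```python
"""Parse and summarize Dr.Web CureIt! result lines of the form
<file>;<directory>;<threat name>;<action>; as posted above."""
from collections import Counter
from typing import Dict, List, NamedTuple

# Sample input: the nine result lines from the post, embedded verbatim so the
# script runs offline.
SAMPLE_LOG = r"""
RegUBP2b-Sean Stuf.reg;C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Snapshots2;Trojan.StartPage.1505;Deleted.;
favylinw.dll.vir;C:\qoobox\Quarantine\C\Program Files\nulidqzq;Trojan.DownLoader.33219;Deleted.;
bupncxrg.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
majshbbo.exe.vir;C:\qoobox\Quarantine\C\WINDOWS\system32;Trojan.EzulaAd;Deleted.;
A0234642.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP673;Trojan.EzulaAd;Deleted.;
A0240426.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.EzulaAd;Deleted.;
A0240427.exe;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.EzulaAd;Deleted.;
A0240428.dll;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP686;Trojan.DownLoader.33219;Deleted.;
A0240474.reg;C:\System Volume Information\_restore{7A419944-3525-4EB5-BBEF-634413EBFA65}\RP687;Trojan.StartPage.1505;Deleted.;
"""

# Assumed markers: System Restore keeps copies under _restore{GUID}\RP<n>,
# and ComboFix parks *.vir copies under the qoobox folder.
RESTORE_MARKER = r"\system volume information\_restore"
QUARANTINE_PREFIX = r"c:\qoobox\quarantine"


class Detection(NamedTuple):
    filename: str
    directory: str
    threat: str
    action: str

    @property
    def location(self) -> str:
        """Classify where the file lived: an old restore point, ComboFix's
        quarantine, or somewhere else on disk."""
        folder = self.directory.lower()
        if RESTORE_MARKER in folder:
            return "restore_point"
        if folder.startswith(QUARANTINE_PREFIX):
            return "quarantine"
        return "other"


def parse_cureit_log(text: str) -> List[Detection]:
    """Split each non-empty line on ';'. Records carry a trailing ';', so a
    valid line yields at least four populated fields; anything else raises
    rather than being silently skipped."""
    detections = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        fields = line.split(";")
        if len(fields) < 4 or not all(fields[:4]):
            raise ValueError("malformed CureIt record: %r" % line)
        filename, directory, threat, action = fields[:4]
        detections.append(Detection(filename, directory, threat, action.rstrip(".")))
    return detections


def summarize(detections: List[Detection]) -> Dict[str, object]:
    """Counts by threat name and by location, plus any record whose action is
    not 'Deleted' (those would still need manual attention)."""
    by_location = Counter(d.location for d in detections)
    return {
        "total": len(detections),
        "by_threat": Counter(d.threat for d in detections),
        "restore_point": by_location["restore_point"],
        "quarantine": by_location["quarantine"],
        "other": by_location["other"],
        "not_deleted": [d for d in detections if d.action != "Deleted"],
    }


if __name__ == "__main__":
    report = summarize(parse_cureit_log(SAMPLE_LOG))
    print("total:", report["total"])
    for threat, n in sorted(report["by_threat"].items()):
        print("  %-28s %d" % (threat, n))
    print("in restore points:", report["restore_point"],
          "| in ComboFix quarantine:", report["quarantine"],
          "| elsewhere:", report["other"])
    print("still present (not deleted):", len(report["not_deleted"]))
```

Run against the posted lines, the summary shows that most of the hits were copies sitting in System Restore points and in ComboFix's quarantine rather than active files, which is why the next reply asks for the qoobox folder to be deleted and System Restore to be flushed.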

Markka
2007-10-02, 20:39
Hello :)

Delete this folder (using Windows Explorer: Windows key + E):

C:\qoobox
______________

Disable System Restore:
Right-click on the My Computer icon
Choose Properties
Click on the System Restore tab
Select Turn off System Restore
Click Apply and then click OK
Reboot!

Enable System Restore:
Right-click on the My Computer icon
Choose Properties
Click on the System Restore tab
Un-check Turn off System Restore
Click Apply and then click OK
Reboot!
_______________

Please post a fresh HijackThis log :thumbup:

elmoisevil
2007-10-03, 02:41
Here is the log. Am I nearly clean?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:38:33 AM, on 3/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe
C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\MSN Messenger\MsnMsgr.Exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Trend Micro\HijackThis\hijackthis.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://intranet.iona.qld.edu.au/start/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.iona.qld.edu.au/
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [LVCOMS] C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\CA\eTrust Vet Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\CA\eTrust Vet Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &Save Flash In This Page by Flash Saver - C:\PROGRA~1\FLASHS~1\save.htm
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra 'Tools' menuitem: Flash Saver - {09EA1F80-F40A-11D1-B792-444553540001} - C:\PROGRA~1\FLASHS~1\save.htm
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Sean Stuf\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {7584C670-2274-4EFB-B00B-D6AABA6D3850} (Microsoft RDP Client Control (redist)) - http://tsm.iona.qld.edu.au/tsweb/msrdp.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Sansa Updater Service (SansaService) - Unknown owner - C:\Program Files\SanDisk\Sansa Updater\SansaSvr.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Vet Antivirus\VetMsg.exe

--
End of file - 6307 bytes

Markka
2007-10-04, 07:37
Hello :)

Now you can remove combofix.exe.

Enable Teatimer:

1) Run Spybot-S&D
2) Go to the Mode menu, and make sure "Advanced Mode" is selected
3) On the left hand side, choose Tools -> Resident
4) Check "Resident TeaTimer" and OK any prompts
5) Restart your computer.
____________________


HJT log is clean! How is your computer running now?

Now that you are clean, please follow these simple steps in order to keep your computer clean and secure:

You can remove all tools we used.

Disable and Enable System Restore - If you are using Windows ME or XP, then you should disable and re-enable System Restore to make sure there are no infected files found in a restore point.

You can find instructions on how to disable and re-enable System Restore here:

Windows XP System Restore Guide (http://www.bleepingcomputer.com/forums/tutorial56.html)

Re-enable System Restore using the instructions from the tutorial above.

Make your Internet Explorer more secure - This can be done by following these simple instructions:
From within Internet Explorer click on the Tools menu and then click on Options.
Click once on the Security tab
Click once on the Internet icon so it becomes highlighted.
Click once on the Custom Level button.
Change the Download signed ActiveX controls to Prompt

Change the Download unsigned ActiveX controls to Disable

Change the Initialize and script ActiveX controls not marked as safe to Disable

Change the Installation of desktop items to Prompt

Change the Launching programs and files in an IFRAME to Prompt

Change the Navigate sub-frames across different domains to Prompt

When all these settings have been made, click on the OK button.

If it prompts you as to whether or not you want to save the settings, press the Yes button.
Next press the Apply button and then the OK to exit the Internet Properties page.


Update your AntiVirus Software - It is imperative that you update your antivirus software at least once a week (even more often if you wish). If you do not update your antivirus software, then it will not be able to catch any of the new variants that may come out.


Use a Firewall - I cannot stress how important it is that you use a firewall on your computer. Without a firewall your computer is susceptible to being hacked and taken over. I am very serious about this and see it happen almost every day with my clients. Simply using a firewall in its default configuration can lower your risk greatly.

For a tutorial on Firewalls and a listing of some available ones see the link below:

Understanding and Using Firewalls (http://www.bleepingcomputer.com/tutorials/tutorial60.html)


Visit Microsoft's Windows Update Site Frequently - It is important that you visit http://www.windowsupdate.com (http://www.windowsupdate.com) regularly. This will ensure your computer has always the latest security updates available installed on your computer. If there are new updates to install, install them immediately, reboot your computer, and revisit the site until there are no more critical updates.


Install Ad-Aware - Download and install Ad-Aware. You should also scan your computer with this program on a regular basis, just as you would with antivirus software, in conjunction with Spybot.

A tutorial on installing & using this product can be found here:

Using Ad-aware to remove Spyware, Malware, & Hijackers from Your Computer (http://www.bleepingcomputer.com/forums/?showtutorial=48)


Instructions for - Ad-aware (http://www.bleepingcomputer.com/forums/?showtutorial=43)


Install SpywareBlaster - SpywareBlaster will add a large list of programs and sites to your Internet Explorer settings that will protect you from running and downloading known malicious programs.

A tutorial on installing & using this product can be found here:

Using SpywareBlaster to protect your computer from Spyware and Malware (http://www.bleepingcomputer.com/tutorials/tutorial49.html)


Update all these programs regularly - Make sure you update all the programs I have listed regularly. Without regular updates you WILL NOT be protected when new malicious programs are released.
Follow this list and your potential for being infected again will reduce dramatically.

Here are some additional utilities that will enhance your safety

IE/Spyad (http://www.spywarewarrior.com/uiuc/resource.htm) <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies, etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm) <= The MVPS Hosts file replaces your current HOSTS file with one containing well-known ad sites, etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar (http://toolbar.google.com/) <= Get the free Google Toolbar to help stop pop-up windows.
Comodo BOCLEAN (http://www.comodo.com/boclean/boclean.html) <= Stop identity thieves from getting personal information. Instantly detects well over 1,000,000 unique, variant and repack malware in total. And it's free.
Winpatrol (http://www.winpatrol.com/) <= Download and install the free version of Winpatrol. A tutorial for this product is located here:
Using Winpatrol to protect your computer from malicious software (http://www.winpatrol.com/features.html)

Stand Up and Be Counted ---> Malware Complaints (http://www.malwarecomplaints.info/index.php) <--- where you can make a difference!

The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.

Also, please read this great article by Tony Klein So How Did I Get Infected In First Place (http://castlecops.com/postlite7736-.html)

Happy surfing and stay clean!
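As an added example (not part of the original thread and not a Spybot or Microsoft tool), the following Python script audits the six Internet-zone settings from the checklist in the post above and writes a .reg file that fixes only the ones that are too permissive. The registry value names are an assumption on my part: the standard Internet Explorer URL-action IDs under `HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3` for IE 6/7 on Windows XP, stored as DWORDs where 0 = Enable, 1 = Prompt and 3 = Disable. The `SAMPLE_CURRENT` snapshot is constructed, not read from the poster's machine; on Windows the script reads the live values instead.

```python
"""Audit and harden the Internet-zone settings from the checklist above.

Assumptions (not from the original post): the six settings map to these
URL-action value names under
HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones\\3
on Internet Explorer 6/7, with DWORD 0 = Enable, 1 = Prompt, 3 = Disable.
"""
import sys
from typing import Dict, List, Optional, Tuple

ZONE_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
ENABLE, PROMPT, DISABLE = 0, 1, 3
LEVEL_NAME = {ENABLE: "Enable", PROMPT: "Prompt", DISABLE: "Disable", None: "(not set)"}

# value name -> (setting as shown in the IE dialog, level the post asks for)
REQUIRED: Dict[str, Tuple[str, int]] = {
    "1001": ("Download signed ActiveX controls", PROMPT),
    "1004": ("Download unsigned ActiveX controls", DISABLE),
    "1201": ("Initialize and script ActiveX controls not marked as safe", DISABLE),
    "1800": ("Installation of desktop items", PROMPT),
    "1804": ("Launching programs and files in an IFRAME", PROMPT),
    "1607": ("Navigate sub-frames across different domains", PROMPT),
}

# Constructed snapshot of a permissive zone, as a machine might look before the fix.
SAMPLE_CURRENT = {"1001": ENABLE, "1004": DISABLE, "1201": ENABLE,
                  "1800": PROMPT, "1804": ENABLE, "1607": PROMPT}

Finding = Tuple[str, str, Optional[int], int]


def audit(current: Dict[str, int]) -> List[Finding]:
    """Return (value name, description, current level, required level) for every
    setting that is missing or more permissive than the checklist requires.
    Levels order 0 < 1 < 3 from permissive to strict, so a setting that is
    stricter than required (Disable where Prompt was asked for) passes."""
    findings = []
    for name, (desc, required) in REQUIRED.items():
        cur = current.get(name)
        if cur is None or cur < required:
            findings.append((name, desc, cur, required))
    return findings


def hardened_reg_file(findings: List[Finding]) -> str:
    """Emit a .reg file that sets only the non-compliant values to the required
    level, so it can be reviewed and then imported with regedit on the machine."""
    lines = ["Windows Registry Editor Version 5.00", "",
             "[HKEY_CURRENT_USER\\%s]" % ZONE_KEY]
    for name, desc, _cur, required in findings:
        lines.append("; %s -> %s" % (desc, LEVEL_NAME[required]))
        lines.append('"%s"=dword:%08x' % (name, required))
    return "\r\n".join(lines) + "\r\n"


def read_current_zone() -> Dict[str, int]:
    """Read the live values on Windows (the winreg module is Windows-only)."""
    import winreg
    current = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE_KEY) as key:
        for name in REQUIRED:
            try:
                value, _kind = winreg.QueryValueEx(key, name)
                current[name] = int(value)
            except FileNotFoundError:
                pass  # value absent: audit() reports it as not set
    return current


if __name__ == "__main__":
    current = read_current_zone() if sys.platform == "win32" else SAMPLE_CURRENT
    findings = audit(current)
    for name, desc, cur, req in findings:
        print("%s %-60s is %-9s required %s"
              % (name, desc, LEVEL_NAME[cur], LEVEL_NAME[req]))
    print(hardened_reg_file(findings))
```

The script only prints the .reg text; importing it is a deliberate manual step so the change can be read first, and the audit treats a setting that is already stricter than asked (for example Disable instead of Prompt) as compliant rather than loosening it.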

elmoisevil
2007-10-04, 08:33
hi
Thank you. My computer is running faster than it has for months. It is still a little slow at the beginning, but that might have something to do with TeaTimer and my AV starting up. My computer has also stopped asking for an internet connection like it did when it had the infections. Also, I'm using some software like ATF and CureIt in my weekly inspections.

my protection
Vet AV
spybot search & destroy
Ad-Aware 2007
AVG
Cureit

I have taken your advice and made my settings higher. I now also have a download file where I can check all my recent downloads before opening them.

Markka
2007-10-04, 08:37
You're welcome! :bigthumb:

elmoisevil
2007-10-04, 09:08
May I ask:
What does ComboFix do? :bigthumb:
And how did you learn how to remove these viruses? I am a beginner game programmer and I'm trying to learn scripting. We may do different things, but are there any pointers I can follow?

Markka
2007-10-04, 16:27
Hello :)


What does ComboFix do?
Combofix removed bad files ;)


And how did you learn how to remove these viruses? I am a beginner game programmer and I'm trying to learn scripting. We may do different things, but are there any pointers I can follow?
As I said in my first post, "In training at Malware Removal".
That means I'm learning there how to remove viruses, what tools to use, etc.