Please Help me Remove Malware + Virtumonde



maxh1985
2007-09-27, 23:06
I have followed Tashi's instructions before posting this thread. I have run HijackThis, Kaspersky, and Spybot S&D in normal and safe mode. Spybot seems to be unable to remove Virtumonde. Whenever I try to download a Virtumonde remover, the malware seems to realise I am doing this and either stops the download or won't let me open the programme at all. I get ridiculous amounts of stupid pop-ups constantly and my computer has become very slow. I would greatly appreciate any help anyone can give me in getting rid of this filth!!! PS: I will have to do a separate thread for the Kaspersky log as it won't all fit in one thread.

Here follow my HijackThis and Kaspersky logs.

Logfile of HijackThis v1.99.1
Scan saved at 20:39:29, on 27/09/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\WINDOWS\system32\sistray.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147166608109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

Kaspersky logs on next thread

maxh1985
2007-09-27, 23:09
First half

Friday, September 21, 2007 5:01:42 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.93.1
Kaspersky Anti-Virus database last update: 20/09/2007
Kaspersky Anti-Virus database records: 421296


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 82969
Number of viruses found 19
Number of infected objects 77
Number of suspicious objects 5
Duration of the scan process 06:57:44

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\Avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\History\History.IE5\MSHist012007092020070921\index.dat Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\4L2VW96N\PodshowRocks_PSPromo_large[1].flv Object is locked skipped

C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Owner\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Owner\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\Owner\UserData\index.dat Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038135.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038136.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038137.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038138.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038139.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038147.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038148.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038151.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038156.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038189.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038193.dll Suspicious: Packed.Win32.Morphine.a skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038199.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP271\A0038306.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038315.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038316.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038317.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038318.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038319.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038327.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038328.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038331.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038336.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038369.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038373.dll Suspicious: Packed.Win32.Morphine.a skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP272\A0038379.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP276\A0039664.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP276\A0039665.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP276\A0039666.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP276\A0039667.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP276\A0039668.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP276\A0039669.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP276\A0039670.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ki skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP277\A0039695.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040040.dll Infected: not-a-virus:AdWare.Win32.PurityScan.ak skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040042.exe Infected: not-a-virus:AdWare.Win32.PurityScan.fn skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040047.ocx Infected: not-a-virus:AdWare.Win32.MediaMotor.p skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040048.ocx Infected: Trojan-Dropper.Win32.VB.dq skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040049.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040053.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040054.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040055.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040056.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040057.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040058.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040059.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040060.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040061.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.by skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040069.exe Infected: Trojan-Downloader.Win32.Adload.jm skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040072.exe/EXE-file/data0002 Infected: Trojan.Win32.Scapur.k skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040072.exe/EXE-file Infected: Trojan.Win32.Scapur.k skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040072.exe Embedded EXE: infected - 2 skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040076.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040076.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040077.exe/data0002 Infected: Trojan.Win32.Scapur.k skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040077.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040079.exe/data0002 Infected: Trojan-Downloader.Win32.PurityScan.cq skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040079.exe NSIS: infected - 1 skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040081.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040082.dll Infected: not-a-virus:AdWare.Win32.Look2Me.ab skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040083.exe/data0002 Infected: not-a-virus:AdWare.Win32.PurityScan.fk skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040083.exe/data0003 Infected: not-a-virus:AdWare.Win32.PurityScan.bu skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040083.exe NSIS: infected - 2 skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP284\A0040085.exe Infected: not-a-virus:AdWare.Win32.AdURL.c skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP285\A0044288.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP285\A0044290.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP286\A0045294.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP286\A0045295.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.hb skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP286\A0045306.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP291\A0045405.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.it skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP291\A0045406.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP292\A0045426.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP295\A0046691.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP298\A0048719.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP300\A0048735.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP301\A0048819.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP302\A0048829.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP303\A0048849.dll Object is locked skipped

maxh1985
2007-09-27, 23:10
C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP304\A0048875.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP307\A0048902.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP309\A0048959.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP311\A0049959.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP316\A0050052.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP318\A0050082.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP318\A0050090.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP320\A0050116.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP321\A0050127.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP322\A0050137.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053771.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053772.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053773.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053774.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053775.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053776.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053777.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053778.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053779.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053780.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053781.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053782.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053783.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053784.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053785.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053786.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053787.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053788.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053789.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053790.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053791.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053792.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053793.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053794.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053795.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053796.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053797.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053798.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053799.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053800.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053801.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053802.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053803.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053804.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053805.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053815.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053816.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053817.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053818.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053819.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053820.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053821.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053822.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053823.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053824.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053825.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053826.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053827.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053828.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053829.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053830.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053831.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053832.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053833.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053834.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053835.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053836.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053837.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053838.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053839.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053840.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053841.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053842.dll Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP328\A0053843.exe Object is locked skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053986.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053988.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053989.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053992.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053993.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053994.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053995.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053996.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053997.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053998.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0053999.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054000.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054001.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054002.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054003.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054004.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054005.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054006.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054007.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054008.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054009.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054010.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054011.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054012.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054013.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054014.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP329\A0054015.exe Infected: Trojan.Win32.Agent.bck skipped

C:\System Volume Information\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\RP331\change.log Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\DEFAULT.LOG Object is locked skipped

C:\WINDOWS\system32\config\sam Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\security Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\SOFTWARE.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\SYSTEM.LOG Object is locked skipped

C:\WINDOWS\system32\cydmxdnk.exe Infected: Trojan.Win32.Agent.aoy skipped

C:\WINDOWS\system32\dklspjel.dll Suspicious: Packed.Win32.Morphine.a skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\hgggffe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.it skipped

C:\WINDOWS\system32\mljji.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

C:\WINDOWS\system32\nkbwsjxr.dll Suspicious: Packed.Win32.Morphine.a skipped

C:\WINDOWS\system32\pqxuwpjl.dll Suspicious: Packed.Win32.Morphine.a skipped

C:\WINDOWS\system32\uumqutqs.exe Infected: Trojan.Win32.Agent.bck skipped

C:\WINDOWS\system32\vgejbiss.exe Infected: Trojan.Win32.Agent.bck skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

Scan process completed.

Thanks again
Max

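The Kaspersky result list above mixes three kinds of line: live detections under system32, copies of the same files cached by System Restore, and system files the scanner simply could not open. As an added example (not from this thread and not Kaspersky's own tooling), the triage below separates those so the removal list is the short one; the sample lines are constructed from paths in the posted log, and the "<path> <verdict> skipped" layout is assumed from what is visible there.

```python
"""Triage a Kaspersky Online Scanner result list like the one posted above.

Added example; not part of the thread and not Kaspersky's own tooling. The
sample lines are constructed from paths in the posted log, and the
"<path> <verdict> skipped" layout is assumed from what is visible there.
"""
import re
from collections import Counter

# "<path> Infected: <name> skipped", "<path> Suspicious: <name> skipped"
# or "<path> Object is locked skipped".
LINE_RE = re.compile(
    r"^(?P<path>.+?)\s+"
    r"(?:(?P<kind>Infected|Suspicious):\s+(?P<name>\S+)|(?P<locked>Object is locked))"
    r"\s+skipped$"
)
# System Restore keeps copies of deleted files; these go away when the
# restore points are purged, so they are not live infections.
RESTORE_RE = re.compile(r"^[A-Za-z]:\\System Volume Information\\_restore\{")

# Constructed sample, built from paths that appear in the posted log.
SAMPLE_LOG = """\
C:\\System Volume Information\\_restore{FF012B5F-6E60-466C-AD66-347A68A2F604}\\RP329\\A0054006.exe Infected: Trojan.Win32.Agent.bck skipped
C:\\WINDOWS\\system32\\config\\sam Object is locked skipped
C:\\WINDOWS\\system32\\cydmxdnk.exe Infected: Trojan.Win32.Agent.aoy skipped
C:\\WINDOWS\\system32\\dklspjel.dll Suspicious: Packed.Win32.Morphine.a skipped
C:\\WINDOWS\\system32\\hgggffe.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.it skipped
C:\\WINDOWS\\system32\\uumqutqs.exe Infected: Trojan.Win32.Agent.bck skipped
Scan process completed.
"""


def parse_line(line):
    """Return a dict for one result line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    if m.group("locked"):
        verdict, name = "locked", None
    else:
        verdict, name = m.group("kind").lower(), m.group("name")
    path = m.group("path")
    return {
        "path": path,
        "verdict": verdict,            # "infected", "suspicious" or "locked"
        "name": name,                  # detection name, None when locked
        "in_restore_point": bool(RESTORE_RE.match(path)),
    }


def triage(log_text):
    """Split results into what needs action and what does not.

    live_detections      files on the running system that need removal
    restore_point_copies cached copies under System Volume Information
    locked_skipped       files the scanner could not open (registry hives,
                         event logs); these are normal, not detections
    """
    buckets = {"live_detections": [], "restore_point_copies": [], "locked_skipped": []}
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["verdict"] == "locked":
            buckets["locked_skipped"].append(entry)
        elif entry["in_restore_point"]:
            buckets["restore_point_copies"].append(entry)
        else:
            buckets["live_detections"].append(entry)
    return buckets


def families(entries):
    """Count detection names so the dominant family stands out."""
    return dict(Counter(e["name"] for e in entries))


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for bucket, entries in result.items():
        print(f"{bucket}: {len(entries)}")
        for e in entries:
            print(f"  {e['verdict']:<10} {e['name'] or '-':<45} {e['path']}")
```
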
shelf life
2007-10-02, 02:25
hi maxh1985,

first i would move hjt out of the temp dir so it can safely make backups that won't get deleted. you can create a new folder on the desktop and move it there.
next you can rename the hjt icon to something else like scanner.exe. then run these two:

try and download these two:

download and run vundofix.exe:

http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* Click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.
* Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
----------------------------------------
Please download ComboFix (by sUBs) from one of the following links:

http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

http://download.bleepingcomputer.com/sUBs/ComboFix.exe

Save it to the Desktop.
Double-click combofix.exe and follow the prompts.

CAUTION: Do not mouse-click ComboFix's window while it is running.
It may cause it to stall.

When finished, it produces a log.

Please provide the contents of the ComboFix log in your reply.
------------------------------------------
so: run vundofix, combofix and post their logs. post a new hjt log also.

shelf life

maxh1985
2007-10-03, 23:24
Hi Shelf Life,
Thanks so much for getting back to me. I have done everything you explained, and here are all the logs that came back.

Vundofix
VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 19:19:28 03/10/2007

Listing files found while scanning....

C:\windows\system32\dklspjel.dll
C:\WINDOWS\system32\hgggffe.dll
C:\WINDOWS\System32\ijjlm.bak1
C:\WINDOWS\System32\ijjlm.bak2
C:\WINDOWS\System32\ijjlm.ini
C:\WINDOWS\System32\ijjlm.ini2
C:\WINDOWS\System32\ijjlm.tmp
C:\WINDOWS\System32\mljji.dll
C:\windows\system32\nkbwsjxr.dll
C:\windows\system32\pqxuwpjl.dll
C:\WINDOWS\System32\vsjlsfsg.dll

Beginning removal...

Attempting to delete C:\windows\system32\dklspjel.dll
C:\windows\system32\dklspjel.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgggffe.dll
C:\WINDOWS\system32\hgggffe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\ijjlm.bak1
C:\WINDOWS\System32\ijjlm.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ijjlm.bak2
C:\WINDOWS\System32\ijjlm.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ijjlm.ini
C:\WINDOWS\System32\ijjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ijjlm.ini2
C:\WINDOWS\System32\ijjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ijjlm.tmp
C:\WINDOWS\System32\ijjlm.tmp Has been deleted!

Attempting to delete C:\WINDOWS\System32\mljji.dll
C:\WINDOWS\System32\mljji.dll Could not be deleted.

Attempting to delete C:\windows\system32\nkbwsjxr.dll
C:\windows\system32\nkbwsjxr.dll Has been deleted!

Attempting to delete C:\windows\system32\pqxuwpjl.dll
C:\windows\system32\pqxuwpjl.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\vsjlsfsg.dll
C:\WINDOWS\System32\vsjlsfsg.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.9

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Scan started at 19:39:08 03/10/2007

Listing files found while scanning....

C:\windows\system32\hgggffe.dll
C:\WINDOWS\System32\ijjlm.ini
C:\WINDOWS\System32\ijjlm.ini2
C:\WINDOWS\System32\mljji.dll
C:\windows\system32\pqxuwpjl.dll

Beginning removal...

Attempting to delete C:\windows\system32\hgggffe.dll
C:\windows\system32\hgggffe.dll Could not be deleted.

Attempting to delete C:\WINDOWS\System32\ijjlm.ini
C:\WINDOWS\System32\ijjlm.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ijjlm.ini2
C:\WINDOWS\System32\ijjlm.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\mljji.dll
C:\WINDOWS\System32\mljji.dll Has been deleted!

Attempting to delete C:\windows\system32\pqxuwpjl.dll
C:\windows\system32\pqxuwpjl.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\windows\system32\hgggffe.dll
C:\windows\system32\hgggffe.dll Has been deleted!

Performing Repairs to the registry.
Done!

Combofix log

ComboFix 07-10-03.7 - Owner 2007-10-03 20:43:52.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.47 [GMT 1:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Owner\Start Menu\Programs\Outerinfo
C:\Program Files\Common Files\{C4CBB~1
C:\Program Files\Common Files\{C4CBB~2
C:\Program Files\Common Files\scurit~1
C:\Program Files\Common Files\scurit~1\s?curity\
C:\Program Files\Common Files\tsks~1
C:\WINDOWS\cookies.ini
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\sembly~1
C:\WINDOWS\system32\bmumiogl.exe
C:\WINDOWS\system32\cydmxdnk.exe
C:\WINDOWS\system32\ijqmulbl.ini
C:\WINDOWS\system32\juxuaglo.exe
C:\WINDOWS\system32\jybamqap.exe
C:\WINDOWS\system32\lblumqji.dll
C:\WINDOWS\system32\lblwaqrs.exe
C:\WINDOWS\system32\muajjuws.ini
C:\WINDOWS\system32\nppoffpe.exe
C:\WINDOWS\system32\pbqjbd.dat
C:\WINDOWS\system32\pbqjbd.exe
C:\WINDOWS\system32\pbqjbd_nav.dat
C:\WINDOWS\system32\pbqjbd_navps.dat
C:\WINDOWS\system32\qanohlyp.exe
C:\WINDOWS\system32\rykbqaew.exe
C:\WINDOWS\system32\swujjaum.dll
C:\WINDOWS\system32\tsks~1
C:\WINDOWS\system32\uumqutqs.exe
C:\WINDOWS\system32\vgejbiss.exe
C:\WINDOWS\system32\vwwhequa.exe
C:\WINDOWS\system32\wnsintsv32.exe
C:\WINDOWS\system32\xceagrty.ini
C:\WINDOWS\system32\xpbhbfmi.exe
C:\WINDOWS\system32\ytrgaecx.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.

2007-10-03 20:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 19:19 <DIR> d----c--- C:\VundoFix Backups
2007-09-20 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-20 21:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-18 23:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-16 22:07 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-09-16 22:07 <DIR> d-------- C:\Program Files\Kontiki
2007-09-16 22:07 <DIR> d-------- C:\Program Files\Channel4
2007-09-16 22:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Channel4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-19 00:23 --------- d-------- C:\Program Files\QuickTime
2007-09-18 22:44 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-18 20:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-18 20:20 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-18 18:18 54584 --a------ C:\WINDOWS\system32\drivers\sbapifs.sys
2007-09-17 22:38 --------- d-------- C:\Program Files\Symantec
2007-09-17 22:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-17 22:33 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-02 12:22 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-02 12:05 --------- d-------- C:\Program Files\Canon
2007-09-01 14:40 --------- d-------- C:\Program Files\Sunbelt Software
2007-08-24 01:00 --------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-08-22 21:08 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-22 20:50 --------- d----c--- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-22 20:50 --------- d-------- C:\Program Files\Nero
2007-08-15 21:30 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-08 19:25 --------- d-------- C:\Program Files\DivX
2007-08-06 23:06 --------- d----c--- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-08-05 23:30 --------- d-------- C:\Program Files\Symantec_Client_Security
2007-08-05 23:30 --------- d-------- C:\Program Files\Google
2007-08-05 23:30 --------- d-------- C:\Program Files\ewido anti-malware
2007-08-05 22:12 --------- d-------- C:\Documents and Settings\Owner\Application Data\Sunbelt Software
2007-08-05 21:40 --------- d-------- C:\Program Files\Yahoo!
2007-08-05 21:40 --------- d-------- C:\Program Files\CCleaner
2007-08-05 21:11 --------- d-------- C:\Program Files\Wanadoo
2007-08-05 20:48 --------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-08-05 20:47 --------- d----c--- C:\Documents and Settings\All Users\Application Data\Google
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33FD8627-CCA7-4A13-9BA3-28D2AA11769A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{401018F7-D248-FA92-4E10-FC8DB050D4EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3F0B732-ADB8-440F-8EA0-8644A6CFF17c}]
C:\WINDOWS\System32\pqxuwpjl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7350803-89A5-4B38-A147-54BD52A76386}]
C:\WINDOWS\System32\mljji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6C52542-A9CF-4A30-A87E-8CB7137CC28E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-31 23:46]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-17 21:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Telecoms Center"=winrestores.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LG SyncManager.lnk - C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe [2004-07-16 14:32:56]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-11 14:57:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LG SyncManager.lnk - C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe [2004-07-16 14:32:56]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-11 14:57:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
C:\WINDOWS\System32\ddaya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norton AntiVirus Server"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"DefWatch"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"taskdir"=C:\WINDOWS\system32\taskdir.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

S1 mchInjDrv;madCodeHook DLL injection driver;\??\C:\WINDOWS\System32\Drivers\mchInjDrv.sys
S2 SIAODFLO;SIAODFLO;\??\C:\WINDOWS\system32\siaodflo.fsk
S3 FXDRV;FXDRV;\??\E:\Fxdrv.sys
S3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\System32\DRIVERS\Intels51.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\System32\DRIVERS\k600bus.sys
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\k600mdfl.sys
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\System32\DRIVERS\k600mdm.sys
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\System32\DRIVERS\k600mgmt.sys
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\System32\DRIVERS\k600obex.sys
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;\??\C:\WINDOWS\system32\ZDBRGSYS.SYS
S3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\ZDPNDIS5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-03 16:15:14 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 20:57:31
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-03 21:02:27 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-03 21:01
.
--- E O F ---

Hijack this Log

Logfile of HijackThis v1.99.1
Scan saved at 21:14:54, on 03/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Kontiki\KHost.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Owner\Desktop\Hijack this\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33FD8627-CCA7-4A13-9BA3-28D2AA11769A} - (no file)
O2 - BHO: (no name) - {401018F7-D248-FA92-4E10-FC8DB050D4EF} - (no file)
O2 - BHO: (no name) - {A3F0B732-ADB8-440F-8EA0-8644A6CFF17c} - C:\WINDOWS\System32\pqxuwpjl.dll (file missing)
O2 - BHO: (no name) - {D7350803-89A5-4B38-A147-54BD52A76386} - C:\WINDOWS\System32\mljji.dll (file missing)
O2 - BHO: (no name) - {E6C52542-A9CF-4A30-A87E-8CB7137CC28E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147166608109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

Hope this is everything you needed,
Thanks Again
Max

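The HijackThis log above still lists BHO (O2) and Winlogon Notify (O20) entries whose DLLs are gone: the registry load points outlive the files VundoFix deleted, and these are the entries the later clean-up in this thread targets. As an added example (not from the thread and not part of HijackThis), the parser below picks the orphaned entries out of constructed sample lines taken from that log and renders the BHO keys in the same [-HKEY...] key-removal shape that shelf life's CFScript in this thread uses; the line formats are assumed from what is visible in the log.

```python
"""Flag orphaned browser load points in a HijackThis log.

Added example; not part of the thread and not HijackThis's own code. The
sample lines are constructed from entries in the log posted above, and the
O2/O20 line formats are assumed from what is visible there.
"""
import re

# O2 - BHO: <name> - {<CLSID>} - <target>
BHO_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - \{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<target>.+)$"
)
# O20 - Winlogon Notify: <subkey> - <target>
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.+)$")

# Constructed sample, built from lines in the posted HijackThis log.
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Common Files\\Adobe\\Acrobat\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {33FD8627-CCA7-4A13-9BA3-28D2AA11769A} - (no file)
O2 - BHO: (no name) - {A3F0B732-ADB8-440F-8EA0-8644A6CFF17c} - C:\\WINDOWS\\System32\\pqxuwpjl.dll (file missing)
O2 - BHO: (no name) - {D7350803-89A5-4B38-A147-54BD52A76386} - C:\\WINDOWS\\System32\\mljji.dll (file missing)
O20 - Winlogon Notify: ddaya - C:\\WINDOWS\\System32\\ddaya.dll (file missing)
O23 - Service: NMIndexingService - Nero AG - C:\\Program Files\\Common Files\\Ahead\\Lib\\NMIndexingService.exe
"""

MISSING_SUFFIX = " (file missing)"


def classify_target(target):
    """Return (path_or_None, file_present) for the target column."""
    if target == "(no file)":
        return None, False
    if target.endswith(MISSING_SUFFIX):
        return target[: -len(MISSING_SUFFIX)], False
    return target, True


def find_orphans(log_text):
    """Collect O2/O20 entries whose backing DLL no longer exists.

    A load point with no file behind it is either leftover from a removal
    (harmless but worth clearing) or a placeholder the malware will refill,
    so both deserve a look during cleanup.
    """
    findings = []
    for line in log_text.splitlines():
        m = BHO_RE.match(line)
        if m:
            path, present = classify_target(m.group("target"))
            if not present:
                findings.append({"kind": "BHO", "id": m.group("clsid"), "path": path,
                                 "named": m.group("name") != "(no name)"})
            continue
        m = NOTIFY_RE.match(line)
        if m:
            path, present = classify_target(m.group("target"))
            if not present:
                findings.append({"kind": "WinlogonNotify", "id": m.group("key"),
                                 "path": path, "named": True})
    return findings


def bho_keys_to_remove(findings):
    """Render orphaned BHO entries in the key-removal shape used by the
    CFScript posted later in this thread: the key in brackets with a leading
    '-', followed by the file path it pointed at when one is known."""
    lines = []
    for f in findings:
        if f["kind"] != "BHO":
            continue
        lines.append(f"[-HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\{{{f['id']}}}]")
        if f["path"]:
            lines.append(f["path"])
        lines.append("")
    return "\n".join(lines).rstrip("\n")


if __name__ == "__main__":
    found = find_orphans(SAMPLE_HJT)
    for f in found:
        print(f"{f['kind']:<15} {f['id']:<40} {f['path'] or '(no file)'}")
    print()
    print(bho_keys_to_remove(found))
```
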
shelf life
2007-10-04, 02:00
hi maxh1985,

ok thanks for the info.

start vundofix, in the blank main window right click and select "add more files"

copy/paste this into the first window:
C:\WINDOWS\system32\hgggffe.dll

copy/paste this in the next window:
C:\windows\system32\pqxuwpjl.dll

click the add files button, then close window.
back at the main screen of vundo you should see both the files listed.
click remove vundo.
-------------------
after the reboot run combofix again.
post the combofix log in next reply.

shelf life

maxh1985
2007-10-04, 22:32
Hi Shelf Life, thanks for getting back to me again so quickly. Here is the next ComboFix log.

ComboFix 07-10-03.7 - Owner 2007-10-04 20:23:12.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.76 [GMT 1:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-03 20:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 19:19 <DIR> d----c--- C:\VundoFix Backups
2007-09-20 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-20 21:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-18 23:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-16 22:07 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-09-16 22:07 <DIR> d-------- C:\Program Files\Kontiki
2007-09-16 22:07 <DIR> d-------- C:\Program Files\Channel4
2007-09-16 22:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Channel4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-19 00:23 --------- d-------- C:\Program Files\QuickTime
2007-09-18 22:44 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-18 20:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-18 20:20 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-18 18:18 54584 --a------ C:\WINDOWS\system32\drivers\sbapifs.sys
2007-09-17 22:38 --------- d-------- C:\Program Files\Symantec
2007-09-17 22:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-17 22:33 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-02 12:22 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-02 12:05 --------- d-------- C:\Program Files\Canon
2007-09-01 14:40 --------- d-------- C:\Program Files\Sunbelt Software
2007-08-24 01:00 --------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-08-22 21:08 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-22 20:50 --------- d----c--- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-22 20:50 --------- d-------- C:\Program Files\Nero
2007-08-15 21:30 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-08 19:25 --------- d-------- C:\Program Files\DivX
2007-08-06 23:06 1055582 ---hs---- C:\WINDOWS\system32\ayadd.ini2
2007-08-06 23:06 1055582 ---hs---- C:\WINDOWS\system32\ayadd.bak2
2007-08-06 23:06 --------- d----c--- C:\Documents and Settings\Administrator\Application Data\Sunbelt Software
2007-08-05 23:30 --------- d-------- C:\Program Files\Symantec_Client_Security
2007-08-05 23:30 --------- d-------- C:\Program Files\Google
2007-08-05 23:30 --------- d-------- C:\Program Files\ewido anti-malware
2007-08-05 22:12 --------- d-------- C:\Documents and Settings\Owner\Application Data\Sunbelt Software
2007-08-05 21:40 --------- d-------- C:\Program Files\Yahoo!
2007-08-05 21:40 --------- d-------- C:\Program Files\CCleaner
2007-08-05 21:11 --------- d-------- C:\Program Files\Wanadoo
2007-08-05 20:48 --------- d-------- C:\Documents and Settings\Owner\Application Data\Lavasoft
2007-08-05 20:47 --------- d----c--- C:\Documents and Settings\All Users\Application Data\Google
2007-08-05 00:22 1055599 ---hs---- C:\WINDOWS\system32\ayadd.bak1
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-29 19:20 377876 --a------ C:\WINDOWS\system32\qwsfewbm.dll
2007-07-28 15:21 377876 --a------ C:\WINDOWS\system32\qqgujina.dll
2007-07-20 00:57 267112 --a------ C:\WINDOWS\system32\xactengine2_9.dll
2007-07-20 00:54 18280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-07-19 18:14 444776 --a------ C:\WINDOWS\system32\d3dx10_35.dll
2007-07-19 18:14 3727720 --a------ C:\WINDOWS\system32\d3dx9_35.dll
2007-07-19 18:14 1358192 --a------ C:\WINDOWS\system32\D3DCompiler_35.dll
2007-07-15 14:53 1370654 --ahs---- C:\WINDOWS\Help\sranru.bak2
.

((((((((((((((((((((((((((((( snapshot@2007-10-03_20.59.54.71 )))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 32,768 2007-10-04 18:05:58 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-10-04 18:05:58 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-10-04 18:05:58 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
-c--a-w 32,768 2007-10-03 16:14:48 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-10-03 16:14:48 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 32,768 2007-10-03 16:14:48 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33FD8627-CCA7-4A13-9BA3-28D2AA11769A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{401018F7-D248-FA92-4E10-FC8DB050D4EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3F0B732-ADB8-440F-8EA0-8644A6CFF17c}]
C:\WINDOWS\System32\pqxuwpjl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7350803-89A5-4B38-A147-54BD52A76386}]
C:\WINDOWS\System32\mljji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6C52542-A9CF-4A30-A87E-8CB7137CC28E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-31 23:46]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-17 21:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Telecoms Center"=winrestores.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LG SyncManager.lnk - C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe [2004-07-16 14:32:56]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-11 14:57:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LG SyncManager.lnk - C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe [2004-07-16 14:32:56]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-11 14:57:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
C:\WINDOWS\System32\ddaya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norton AntiVirus Server"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"DefWatch"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"taskdir"=C:\WINDOWS\system32\taskdir.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe

S1 mchInjDrv;madCodeHook DLL injection driver;\??\C:\WINDOWS\System32\Drivers\mchInjDrv.sys
S2 SIAODFLO;SIAODFLO;\??\C:\WINDOWS\system32\siaodflo.fsk
S3 FXDRV;FXDRV;\??\E:\Fxdrv.sys
S3 Intels51;Intel(R) 536EP Modem;C:\WINDOWS\System32\DRIVERS\Intels51.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\System32\DRIVERS\k600bus.sys
S3 k600mdfl;Sony Ericsson 600i USB WMC Modem Filter;C:\WINDOWS\System32\DRIVERS\k600mdfl.sys
S3 k600mdm;Sony Ericsson 600i USB WMC Modem Drivers;C:\WINDOWS\System32\DRIVERS\k600mdm.sys
S3 k600mgmt;Sony Ericsson 600i USB WMC Device Management Drivers;C:\WINDOWS\System32\DRIVERS\k600mgmt.sys
S3 k600obex;Sony Ericsson 600i USB WMC OBEX Interface Drivers;C:\WINDOWS\System32\DRIVERS\k600obex.sys
S3 ZDBRGSYS;ZDBRGSYS NDIS Protocol Driver;\??\C:\WINDOWS\system32\ZDBRGSYS.SYS
S3 ZDPNDIS5;ZDPNDIS5 NDIS Protocol Driver;\??\C:\WINDOWS\system32\ZDPNDIS5.SYS

.
Contents of the 'Scheduled Tasks' folder
"2007-10-04 18:06:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 20:28:04
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-04 20:29:50
C:\ComboFix-quarantined-files.txt ... 2007-10-04 20:29
C:\ComboFix2.txt ... 2007-10-03 21:02
.
--- E O F ---

Hope that's all ok
Thanks so much again!
Max

maxh1985
2007-10-04, 22:49
One other thing I forgot to mention that I think all this malware might be causing:

When I try to access my firewall settings in my control panel, I just get an error message that says "due to an unidentified problem Windows cannot display Windows firewall settings", very frustrating! And also, since I've got all these infections on my computer, my sound card has all of a sudden stopped working. In control panel, in the sounds and audio devices properties, on the audio tab, my playback device is just greyed out, as well as on the volume controls, but when I go to the hardware tab, all the devices (audio codecs, audio drivers etc) are all there and it states that all these devices are working properly.
I have already de-installed and re-installed the software for the sound card but still nothing!
Was wondering if you had any ideas?

Thank you so much for your time
Max

shelf life
2007-10-05, 00:04
hi maxh1985,

few more things to do:

Copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)



[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3F0B732-ADB8-440F-8EA0-8644A6CFF17c}]
C:\WINDOWS\System32\pqxuwpjl.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7350803-89A5-4B38-A147-54BD52A76386}]
C:\WINDOWS\System32\mljji.dll


Close all other windows and programs. Using the mouse button, drag the CFScript.txt you just saved on your desktop onto the ComboFix icon and release the mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.
----------------------------
Download SmitfraudFix (by S!Ri) to your Desktop:

http://www.bleepingcomputer.com/files/smitfraudfix.php


Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.
Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press Enter

This program will scan large amounts of files on your computer for known patterns so please be patient while it works. It will create a file named: c:\rapport.txt

stop at this point and post a HijackThis log along with the contents of the c:\rapport.txt.

Note : process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
------------------------------
Post the new ComboFix log and the SmitfraudFix log, please.

shelf life

maxh1985
2007-10-08, 23:42
Hi Shelflife,
Did exactly as you said and here are the new ComboFix and SmitfraudFix logs followed by the latest HijackThis.

Thank you very much

ComboFix 07-10-03.7 - Owner 2007-10-08 21:22:55.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.1.1252.1.1033.18.49 [GMT 1:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-08 to 2007-10-08 )))))))))))))))))))))))))))))))
.

2007-10-03 20:41 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-03 19:19 <DIR> d----c--- C:\VundoFix Backups
2007-09-20 21:01 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-09-20 21:01 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-09-18 23:18 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-09-16 22:07 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Kontiki
2007-09-16 22:07 <DIR> d-------- C:\Program Files\Kontiki
2007-09-16 22:07 <DIR> d-------- C:\Program Files\Channel4
2007-09-16 22:05 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\Channel4

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-19 00:23 --------- d-------- C:\Program Files\QuickTime
2007-09-18 22:44 --------- d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-09-18 20:24 --------- d--h----- C:\Program Files\InstallShield Installation Information
2007-09-18 20:20 --------- d-------- C:\Program Files\Common Files\Symantec Shared
2007-09-18 18:18 54584 --a------ C:\WINDOWS\system32\drivers\sbapifs.sys
2007-09-17 22:38 --------- d-------- C:\Program Files\Symantec
2007-09-17 22:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\Symantec
2007-09-17 22:33 --------- d-------- C:\Program Files\Norton Internet Security
2007-09-02 12:22 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-09-02 12:05 --------- d-------- C:\Program Files\Canon
2007-09-01 14:40 --------- d-------- C:\Program Files\Sunbelt Software
2007-08-24 01:00 --------- d-------- C:\Documents and Settings\Owner\Application Data\Ahead
2007-08-22 21:08 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-22 20:50 --------- d----c--- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-22 20:50 --------- d-------- C:\Program Files\Nero
2007-08-15 21:30 --------- d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-08-08 19:25 --------- d-------- C:\Program Files\DivX
2007-07-15 14:53 1370654 --ahs---- C:\WINDOWS\Help\sranru.bak2
.

((((((((((((((((((((((((((((( snapshot@2007-10-03_20.59.54.71 )))))))))))))))))))))))))))))))))))))))))
.
-c--a-w 32,768 2007-10-08 20:18:13 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-10-08 20:18:13 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
----a-w 32,768 2007-10-08 20:18:13 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
-c--a-w 32,768 2007-10-03 16:14:48 C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
-c--a-w 32,768 2007-10-03 16:14:48 C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
-c--a-w 32,768 2007-10-03 16:14:48 C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{33FD8627-CCA7-4A13-9BA3-28D2AA11769A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{401018F7-D248-FA92-4E10-FC8DB050D4EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A3F0B732-ADB8-440F-8EA0-8644A6CFF17c}]
C:\WINDOWS\System32\pqxuwpjl.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D7350803-89A5-4B38-A147-54BD52A76386}]
C:\WINDOWS\System32\mljji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E6C52542-A9CF-4A30-A87E-8CB7137CC28E}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-05-31 23:46]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 15:40]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
"4oD"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-17 21:30]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"kdx"="C:\Program Files\Kontiki\KHost.exe" [2007-04-23 11:23]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Microsoft Telecoms Center"=winrestores.exe
"Symantec NetDriver Warning"=C:\PROGRA~1\SYMNET~1\SNDWarn.exe

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LG SyncManager.lnk - C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe [2004-07-16 14:32:56]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-11 14:57:31]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
LG SyncManager.lnk - C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe [2004-07-16 14:32:56]
Utility Tray.lnk - C:\WINDOWS\system32\sistray.exe [2005-03-11 14:57:31]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddaya]
C:\WINDOWS\System32\ddaya.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Norton AntiVirus Server"=2 (0x2)
"Macromedia Licensing Service"=3 (0x3)
"DefWatch"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"taskdir"=C:\WINDOWS\system32\taskdir.exe
"ctfmon.exe"=C:\WINDOWS\system32\ctfmon.exe


.
Contents of the 'Scheduled Tasks' folder
"2007-10-08 20:18:15 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-08 21:27:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-08 21:30:32
C:\ComboFix-quarantined-files.txt ... 2007-10-08 21:29
C:\ComboFix2.txt ... 2007-10-04 20:29
C:\ComboFix3.txt ... 2007-10-03 21:02
.
--- E O F ---

SmitFraudFix v2.239

Scan done at 21:36:58.40, 08/10/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS

C:\WINDOWS\adware-sheriff-box.gif FOUND !
C:\WINDOWS\adware-sheriff-header.gif FOUND !
C:\WINDOWS\antispylab-logo.gif FOUND !
C:\WINDOWS\blue-bg.gif FOUND !
C:\WINDOWS\buy-now-btn.gif FOUND !
C:\WINDOWS\close-bar.gif FOUND !
C:\WINDOWS\corner-left.gif FOUND !
C:\WINDOWS\corner-right.gif FOUND !
C:\WINDOWS\facts.gif FOUND !
C:\WINDOWS\footer.giff FOUND !
C:\WINDOWS\free-scan-btn.gif FOUND !
C:\WINDOWS\h-line-gradient.gif FOUND !
C:\WINDOWS\header-bg.gif FOUND !
C:\WINDOWS\infected.gif FOUND !
C:\WINDOWS\info.gif FOUND !
C:\WINDOWS\no-icon.gif FOUND !
C:\WINDOWS\reg-freeze-box.gif FOUND !
C:\WINDOWS\reg-freeze-header.gif FOUND !
C:\WINDOWS\remove-spyware-btn.gif FOUND !
C:\WINDOWS\spyware-sheriff-header.gif FOUND !
C:\WINDOWS\spyware-sheriff-box.gif FOUND !
C:\WINDOWS\star.gif FOUND !
C:\WINDOWS\star-grey.gif FOUND !
C:\WINDOWS\true-stories.gif FOUND !
C:\WINDOWS\warning-bar-ico.gif FOUND !
C:\WINDOWS\win-sec-center-logo.gif FOUND !
C:\WINDOWS\windows-compatible.gif FOUND !
C:\WINDOWS\yes-icon.gif FOUND !

»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="http://www.erowid.org/culture/art/artists_b/images/archive/brown_luke_fungalinguistic.jpg"
"SubscribedURL"="http://www.erowid.org/culture/art/artists_b/images/archive/brown_luke_fungalinguistic.jpg"
"FriendlyName"=""

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\1]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: WLAN 802.11g USB2.0 Adapter #5 - Packet Scheduler Miniport
DNS Server Search Order: 192.168.0.1

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9C878D14-ED0D-4F77-88D4-9EA6248E2671}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3A88227-B3D6-40BA-8466-A1C346C9C919}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9C878D14-ED0D-4F77-88D4-9EA6248E2671}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B3A88227-B3D6-40BA-8466-A1C346C9C919}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B3A88227-B3D6-40BA-8466-A1C346C9C919}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End


Logfile of HijackThis v1.99.1
Scan saved at 21:38:25, on 08/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Kontiki\KHost.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\WINDOWS\system32\sistray.exe
C:\WINDOWS\explorer.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Owner\Desktop\Hijack this\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33FD8627-CCA7-4A13-9BA3-28D2AA11769A} - (no file)
O2 - BHO: (no name) - {401018F7-D248-FA92-4E10-FC8DB050D4EF} - (no file)
O2 - BHO: (no name) - {A3F0B732-ADB8-440F-8EA0-8644A6CFF17c} - C:\WINDOWS\System32\pqxuwpjl.dll (file missing)
O2 - BHO: (no name) - {D7350803-89A5-4B38-A147-54BD52A76386} - C:\WINDOWS\System32\mljji.dll (file missing)
O2 - BHO: (no name) - {E6C52542-A9CF-4A30-A87E-8CB7137CC28E} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [4oD] "C:\Program Files\Kontiki\KHost.exe" -all
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147166608109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

shelf life
2007-10-09, 01:36
hi maxh1985,

OK, good. Time to run the clean part of SmitfraudFix. Best to do it in safe mode, so I would copy/paste the rest of this into Notepad and save it somewhere so you can find and read it in safe mode (the part after you use HJT):

But before you boot into safe mode you can use HJT first, then go into safe mode:

Scan with HJT, put a checkmark beside the items below, close all windows and click Fix checked.

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {33FD8627-CCA7-4A13-9BA3-28D2AA11769A} - (no file)

O2 - BHO: (no name) - {401018F7-D248-FA92-4E10-FC8DB050D4EF} - (no file)

O2 - BHO: (no name) - {A3F0B732-ADB8-440F-8EA0-8644A6CFF17c} - C:\WINDOWS\System32\pqxuwpjl.dll (file missing)

O2 - BHO: (no name) - {D7350803-89A5-4B38-A147-54BD52A76386} - C:\WINDOWS\System32\mljji.dll (file missing)

O2 - BHO: (no name) - {E6C52542-A9CF-4A30-A87E-8CB7137CC28E} - (no file)

O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll (file missing)
-----------------------------------------------
safe mode part:

Reboot your computer in Safe Mode.

* If the computer is running, shut down Windows, and then turn off the power.
* Wait 30 seconds, and then turn the computer on.
* Start tapping the F8 key. The Windows Advanced Options Menu appears. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, restart the computer and try again.
* Ensure that the Safe Mode option(usually the first option on the list) is selected.
* Press Enter. The computer then begins to start in Safe mode.
* Login on your usual account.

______________________________

Open the SmitfraudFix Folder, then double-click smitfraudfix.cmd file to start the tool.
Select option #2 - Clean by typing 2 and press Enter.
Wait for the tool to complete and disk cleanup to finish.
You will be prompted : "Registry cleaning - Do you want to clean the registry ?" answer Yes by typing Y and hit Enter.

The tool will also check if wininet.dll is infected. If a clean version is found, you will be prompted to replace wininet.dll. Answer Yes to the question "Replace infected file ?" by typing Y and hit Enter.

A reboot may be needed to finish the cleaning process; if your computer does not restart automatically please do it yourself manually. Reboot in Safe Mode.

The tool will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please post that log along with all others requested in your next reply.

shelf life
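
As an added example (not part of the original thread, and not HijackThis's own code), the Python below applies the same rule shelf life used when picking the entries to fix above: BHO (O2), URLSearchHook (R3) and Winlogon Notify (O20) hooks whose DLL is reported as "(no file)" or "(file missing)" are leftovers of a removed infection and can be ticked in HJT. The parsing rules for the HJT line layout and the "unnamed BHO loading from System32" heuristic are my own assumptions; the sample lines are copied from the logs posted in this thread, except the mljji.dll line, which is constructed to show what the entry looked like while that DLL was still on disk.

```python
"""Triage HijackThis 1.99-style log lines for orphaned IE and Winlogon hooks.

Added example for this thread; not HijackThis code. Line-format rules below are
assumptions about how HJT prints O2 / R3 / O20 entries.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sections that register a DLL in IE or Winlogon; everything else is ignored.
HOOK_SECTIONS = {"O2", "R3", "O20"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")

# Sample input: lines from the 2007-10-08 HJT log in this thread, plus one
# constructed O2 line (mljji.dll) showing the entry before the DLL was removed.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {33FD8627-CCA7-4A13-9BA3-28D2AA11769A} - (no file)
O2 - BHO: (no name) - {A3F0B732-ADB8-440F-8EA0-8644A6CFF17c} - C:\WINDOWS\System32\pqxuwpjl.dll (file missing)
O2 - BHO: (no name) - {D7350803-89A5-4B38-A147-54BD52A76386} - C:\WINDOWS\System32\mljji.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: ddaya - C:\WINDOWS\System32\ddaya.dll (file missing)
"""


@dataclass
class Entry:
    section: str
    name: str
    clsid: Optional[str]
    target: str
    verdict: str  # "orphaned", "review" or "ok"
    raw: str


def classify(section: str, name: str, target: str) -> str:
    """Decide what to do with one hook entry."""
    t = target.strip()
    # HJT prints these markers when the registered DLL is gone from disk:
    # the registry key is dead weight and safe to fix.
    if t == "(no file)" or t.endswith("(file missing)"):
        return "orphaned"
    # Heuristic (assumption, not an HJT rule): a BHO with no name whose DLL
    # lives in System32 matches the Vundo/Virtumonde pattern in this thread.
    if section == "O2" and name == "(no name)" and "\\system32\\" in t.lower():
        return "review"
    return "ok"


def triage(log_text: str) -> List[Entry]:
    """Parse hook lines (O2, R3, O20) from an HJT log and classify each."""
    entries: List[Entry] = []
    for raw in log_text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m or m.group("section") not in HOOK_SECTIONS:
            continue
        section, body = m.group("section"), m.group("body")
        parts = body.split(" - ")  # HJT separates name / CLSID / target with " - "
        if section in ("O2", "R3"):
            if len(parts) < 3:
                continue
            target, clsid = parts[-1], parts[-2]
            if not CLSID_RE.fullmatch(clsid):
                clsid = None
            prefix_and_name = " - ".join(parts[:-2])
        else:  # O20 has no CLSID: "Winlogon Notify: <name> - <dll>"
            if len(parts) < 2:
                continue
            target, clsid = parts[-1], None
            prefix_and_name = " - ".join(parts[:-1])
        # Drop the "BHO: " / "URLSearchHook: " / "Winlogon Notify: " prefix.
        name = prefix_and_name.split(": ", 1)[-1]
        entries.append(Entry(section, name, clsid, target, classify(section, name, target), raw))
    return entries


def fix_list(log_text: str) -> List[str]:
    """Return the exact log lines to tick in HJT's 'fix checked' dialog."""
    return [e.raw for e in triage(log_text) if e.verdict == "orphaned"]


if __name__ == "__main__":
    for e in triage(SAMPLE_LOG):
        print(f"{e.verdict:9} {e.section:4} {e.name!r:32} {e.target}")
```

Entries marked "review" are not automatically bad; they are the ones to look up by CLSID and file name before deciding, which is what the ComboFix script earlier in the thread did for pqxuwpjl.dll and mljji.dll.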

maxh1985
2007-10-09, 23:14
Hello to you again,
Ran HJT and removed the files you mentioned and ran clean on SmitfraudFix in safe mode; it didn't mention anything about rebooting afterwards so I just rebooted in normal mode after the clean.

Here is the log

SmitFraudFix v2.239

Scan done at 20:33:00.73, 09/10/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» hosts

127.0.0.1 localhost

»»»»»»»»»»»»»»»»»»»»»»»» Winsock2 Fix

S!Ri's WS2Fix: LSP not Found.


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\adware-sheriff-box.gif Deleted
C:\WINDOWS\adware-sheriff-header.gif Deleted
C:\WINDOWS\antispylab-logo.gif Deleted
C:\WINDOWS\blue-bg.gif Deleted
C:\WINDOWS\buy-now-btn.gif Deleted
C:\WINDOWS\close-bar.gif Deleted
C:\WINDOWS\corner-left.gif Deleted
C:\WINDOWS\corner-right.gif Deleted
C:\WINDOWS\facts.gif Deleted
C:\WINDOWS\footer.gif Deleted
C:\WINDOWS\free-scan-btn.gif Deleted
C:\WINDOWS\h-line-gradient.gif Deleted
C:\WINDOWS\header-bg.gif Deleted
C:\WINDOWS\infected.gif Deleted
C:\WINDOWS\info.gif Deleted
C:\WINDOWS\no-icon.gif Deleted
C:\WINDOWS\reg-freeze-box.gif Deleted
C:\WINDOWS\reg-freeze-header.gif Deleted
C:\WINDOWS\remove-spyware-btn.gif Deleted
C:\WINDOWS\spyware-sheriff-header.gif Deleted
C:\WINDOWS\spyware-sheriff-box.gif Deleted
C:\WINDOWS\star.gif Deleted
C:\WINDOWS\star-grey.gif Deleted
C:\WINDOWS\true-stories.gif Deleted
C:\WINDOWS\warning-bar-ico.gif Deleted
C:\WINDOWS\win-sec-center-logo.gif Deleted
C:\WINDOWS\windows-compatible.gif Deleted
C:\WINDOWS\yes-icon.gif Deleted

»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CCS\Services\Tcpip\..\{9C878D14-ED0D-4F77-88D4-9EA6248E2671}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\..\{B3A88227-B3D6-40BA-8466-A1C346C9C919}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{9C878D14-ED0D-4F77-88D4-9EA6248E2671}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\..\{B3A88227-B3D6-40BA-8466-A1C346C9C919}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS3\Services\Tcpip\..\{B3A88227-B3D6-40BA-8466-A1C346C9C919}: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=192.168.0.1


»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Many thanks
Max

shelf life
2007-10-10, 01:49
hi maxh1985,

OK, looks good. Can you post one last HJT log? Looks like we are about finished.

shelf life

maxh1985
2007-10-10, 21:39
Good evening Shelflife,

Here is latest HJT log.

PS I'm still unable to get any further with the sound card and firewall problems that I mentioned in the earlier post. Was wondering if you had any suggestions?

Thank you, I appreciate this so much, this computer was making my life a misery, I was so close to throwing it out the window! But you've improved it so much, I don't get any more pop-ups and it's a lot faster now!

Max

Logfile of HijackThis v1.99.1
Scan saved at 19:31:31, on 10/10/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\LG PC Suite\LG PC Sync\LGSyncManager.exe
C:\WINDOWS\system32\sistray.exe
C:\PROGRA~1\Grisoft\AVG7\avgw.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\Hijack this\Temporary Directory 1 for hijackthis[1].zip\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: LG SyncManager.lnk = ?
O4 - Global Startup: Utility Tray.lnk = C:\WINDOWS\system32\sistray.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {5F8469B4-B055-49DD-83F7-62B522420ECC} (Facebook Photo Uploader Control) - http://upload.facebook.com/controls/FacebookPhotoUploader.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1147166608109
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

shelf life
2007-10-11, 02:20
hi maxh1985,

Oh yeah, forgot; normally I don't go back and read the previous page every time.

Firewall:
Some links, read through carefully first before trying any of them.

http://windowsxp.mvps.org/sharedaccess.htm

http://support.microsoft.com/kb/920074

http://www.md4pc.com/questions/88.htm
-------------------------------
You have onboard sound, built into the board? Or a PCI card.
One way to tell:
PCI card: the colored jacks would be left to right straight across (parallel). Built in: the colored jacks would be up and down (vertical).
Any yellow exclamation points in Device Manager under audio device?

shelf life

maxh1985
2007-10-11, 22:20
Hi shelf life,
The coloured jacks in the back of my tower for the sound go across horizontally from left to right. When I go to the Device Manager and look at my sound devices there are no yellow exclamation marks. It just gives a list:
Audio Codecs
Legacy Audio Drivers
Legacy Video Capture Devices
Media Control Devices
Video Codecs

It has little speaker icons by each device. It's so annoying because the status on each says 'this device is working properly' and I have already de-installed and re-installed the software for it. My computer just makes the bleeping sound for the error messages, and when I try to play music, for example, I get a message that says I do not have an audio device selected. The volume controls etc are all greyed out.

Thanks for the firewall links will check them out.

Is that all for the Malware and Virtumonde stuff?
Really appreciate all of your help.

Max

shelf life
2007-10-12, 03:21
hi,



Is that all for the Malware and Virtumonde stuff? Yes, we can make new restore points like this:

One of the features of Windows ME or XP is the System Restore option; however, if malware infects a computer with this operating system it can be backed up in the System Restore folder. Therefore, clearing the restore points is a good idea after malware is removed.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(winXP)

1. Turn off System Restore. (deletes old possibly infected restore point)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.(new restore points on a clean system)
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK, then reboot

How to Turn On and Turn Off System Restore in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;310405
-------------------------------------------------------------
For the sound: go to Start > Run and type in the window: services.msc, then click OK. The Windows Services panel will open. Under the Name column look for: Windows Audio. Right-click and select Properties. Make sure the service Startup type is: Automatic
and the Service status is: Started

shelf life

maxh1985
2007-10-15, 16:20
Hi Shelf life,
Have just completed all the restore point stuff,
On my services window in the Windows Audio properties it says the startup type is automatic and the service status is started. Very strange indeed!
Thanks again
Max

shelf life
2007-10-16, 00:18
hi maxh1985,

You reinstalled the software for your sound card, what about the drivers for it? After thinking about it, saying that if the ports go left to right that means it's a PCI card may not be true. A smaller footprint case could show this and have onboard sound. The first thing is to determine if you have an onboard chip built into the board. One way other than software is to visit the computer manufacturer's website and look based on your make/model. No makes or names under the Device Manager? Right-click > Properties.
You might also get some info from running dxdiag:

Start > Run > type in the window dxdiag, then check the tabs across the top.

shelf life