It's that virtumonde [Archive] - Safer-Networking Forums

View Full Version : It's that virtumonde

dude234543

2007-10-24, 20:12

Ok, so spybot is picking up virtumonde.generic, and it won't go away. Here's a logfile, please help me with it! Thank you!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:06, on 2007-10-24
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\70bee86dd2b52f0c3f60c71113182f25\update\update.exe
C:\WINDOWS\System32\taskmgr.exe
E:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C7DA6DD-F154-4F98-84E8-D0C32F9CE1D2} - (no file)
O2 - BHO: (no name) - {FB802D3B-319A-49E3-910C-4FED939E7E2F} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Antispy] C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Webbo Digital Camera
O4 - HKLM\..\Run: [jxnbaefd] RUNDLL32.EXE w01c37a1.dll,n 002baefb0000000a01c37a1
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6116] command /c del "C:\WINDOWS\system32\wlhext.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5599] cmd /c del "C:\WINDOWS\system32\wlhext.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1340] command /c del "C:\WINDOWS\system32\whwfaxui.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC150] cmd /c del "C:\WINDOWS\system32\whwfaxui.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA254] command /c del "C:\WINDOWS\system32\wfnsrv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC135] cmd /c del "C:\WINDOWS\system32\wfnsrv.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9236] command /c del "C:\WINDOWS\system32\wbhext.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9821] cmd /c del "C:\WINDOWS\system32\wbhext.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8373] command /c del "C:\WINDOWS\system32\tUpi32.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8974] cmd /c del "C:\WINDOWS\system32\tUpi32.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9599] command /c del "C:\WINDOWS\system32\STDisply.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9688] cmd /c del "C:\WINDOWS\system32\STDisply.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1445] command /c del "C:\WINDOWS\system32\sindcmsg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8695] cmd /c del "C:\WINDOWS\system32\sindcmsg.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8646] command /c del "C:\WINDOWS\system32\sfredir.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC8344] cmd /c del "C:\WINDOWS\system32\sfredir.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1509] command /c del "C:\WINDOWS\system32\sdi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1889] cmd /c del "C:\WINDOWS\system32\sdi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA877] command /c del "C:\WINDOWS\system32\rvchost.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5165] cmd /c del "C:\WINDOWS\system32\rvchost.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5162] command /c del "C:\WINDOWS\system32\pwwrprof.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9533] cmd /c del "C:\WINDOWS\system32\pwwrprof.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5663] command /c del "C:\WINDOWS\system32\pcapi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7157] cmd /c del "C:\WINDOWS\system32\pcapi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1954] command /c del "C:\WINDOWS\system32\p88q0il5e8q.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3728] cmd /c del "C:\WINDOWS\system32\p88q0il5e8q.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8069] command /c del "C:\WINDOWS\system32\oyengl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2622] cmd /c del "C:\WINDOWS\system32\oyengl.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9454] command /c del "C:\WINDOWS\system32\mvn0l95m1.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3586] cmd /c del "C:\WINDOWS\system32\mvn0l95m1.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6830] command /c del "C:\WINDOWS\system32\muobjs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9423] cmd /c del "C:\WINDOWS\system32\muobjs.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4514] command /c del "C:\WINDOWS\system32\mord2x40.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC7257] cmd /c del "C:\WINDOWS\system32\mord2x40.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2685] command /c del "C:\WINDOWS\system32\MMHTML.DLL_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC6376] cmd /c del "C:\WINDOWS\system32\MMHTML.DLL_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA81] command /c del "C:\WINDOWS\system32\mcvideo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3483] cmd /c del "C:\WINDOWS\system32\mcvideo.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9272] command /c del "C:\WINDOWS\system32\mbmtapi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4687] cmd /c del "C:\WINDOWS\system32\mbmtapi.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA325] command /c del "C:\WINDOWS\system32\LXCMP11n.DLL_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2777] cmd /c del "C:\WINDOWS\system32\LXCMP11n.DLL_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8399] command /c del "C:\WINDOWS\system32\lv4u09h9e.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC9824] cmd /c del "C:\WINDOWS\system32\lv4u09h9e.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9916] command /c del "C:\WINDOWS\system32\LSCMP11n.DLL_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4463] cmd /c del "C:\WINDOWS\system32\LSCMP11n.DLL_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA9395] command /c del "C:\WINDOWS\system32\lgtga11n.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3159] cmd /c del "C:\WINDOWS\system32\lgtga11n.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA6434] command /c del "C:\WINDOWS\system32\kqymgr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2067] cmd /c del "C:\WINDOWS\system32\kqymgr.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA5858] command /c del "C:\WINDOWS\system32\kodmac.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC611] cmd /c del "C:\WINDOWS\system32\kodmac.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA3130] command /c del "C:\WINDOWS\system32\kldda.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC3811] cmd /c del "C:\WINDOWS\system32\kldda.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1928] command /c del "C:\WINDOWS\system32\kddir.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC4682] cmd /c del "C:\WINDOWS\system32\kddir.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA2894] command /c del "C:\WINDOWS\system32\eovfw.dll_old"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O4 - HKCU\..\RunOnce: [SpybotDeletingB6712] command /c del "C:\WINDOWS\system32\wlhext.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3947] cmd /c del "C:\WINDOWS\system32\wlhext.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2901] command /c del "C:\WINDOWS\system32\whwfaxui.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3552] cmd /c del "C:\WINDOWS\system32\whwfaxui.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6575] command /c del "C:\WINDOWS\system32\wfnsrv.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4534] cmd /c del "C:\WINDOWS\system32\wfnsrv.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4063] command /c del "C:\WINDOWS\system32\wbhext.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD974] cmd /c del "C:\WINDOWS\system32\wbhext.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1293] command /c del "C:\WINDOWS\system32\tUpi32.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3246] cmd /c del "C:\WINDOWS\system32\tUpi32.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7067] command /c del "C:\WINDOWS\system32\STDisply.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9187] cmd /c del "C:\WINDOWS\system32\STDisply.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9982] command /c del "C:\WINDOWS\system32\sindcmsg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8878] cmd /c del "C:\WINDOWS\system32\sindcmsg.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7545] command /c del "C:\WINDOWS\system32\sfredir.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1411] cmd /c del "C:\WINDOWS\system32\sfredir.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4841] command /c del "C:\WINDOWS\system32\sdi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2794] cmd /c del "C:\WINDOWS\system32\sdi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2481] command /c del "C:\WINDOWS\system32\rvchost.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD35] cmd /c del "C:\WINDOWS\system32\rvchost.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4939] command /c del "C:\WINDOWS\system32\pwwrprof.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4268] cmd /c del "C:\WINDOWS\system32\pwwrprof.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB30] command /c del "C:\WINDOWS\system32\pcapi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6971] cmd /c del "C:\WINDOWS\system32\pcapi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB9824] command /c del "C:\WINDOWS\system32\p88q0il5e8q.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7268] cmd /c del "C:\WINDOWS\system32\p88q0il5e8q.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3898] command /c del "C:\WINDOWS\system32\oyengl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4544] cmd /c del "C:\WINDOWS\system32\oyengl.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2281] command /c del "C:\WINDOWS\system32\mvn0l95m1.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD902] cmd /c del "C:\WINDOWS\system32\mvn0l95m1.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8445] command /c del "C:\WINDOWS\system32\muobjs.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3153] cmd /c del "C:\WINDOWS\system32\muobjs.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7108] command /c del "C:\WINDOWS\system32\mord2x40.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD3933] cmd /c del "C:\WINDOWS\system32\mord2x40.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB4943] command /c del "C:\WINDOWS\system32\MMHTML.DLL_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6909] cmd /c del "C:\WINDOWS\system32\MMHTML.DLL_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5778] command /c del "C:\WINDOWS\system32\mcvideo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2952] cmd /c del "C:\WINDOWS\system32\mcvideo.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3985] command /c del "C:\WINDOWS\system32\mbmtapi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD9391] cmd /c del "C:\WINDOWS\system32\mbmtapi.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB316] command /c del "C:\WINDOWS\system32\LXCMP11n.DLL_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7504] cmd /c del "C:\WINDOWS\system32\LXCMP11n.DLL_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7181] command /c del "C:\WINDOWS\system32\lv4u09h9e.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD5131] cmd /c del "C:\WINDOWS\system32\lv4u09h9e.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB8764] command /c del "C:\WINDOWS\system32\LSCMP11n.DLL_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD8145] cmd /c del "C:\WINDOWS\system32\LSCMP11n.DLL_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB7922] command /c del "C:\WINDOWS\system32\lgtga11n.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD6505] cmd /c del "C:\WINDOWS\system32\lgtga11n.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB1398] command /c del "C:\WINDOWS\system32\kqymgr.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD1894] cmd /c del "C:\WINDOWS\system32\kqymgr.dll_old"
O4 - HKCU\..\Policies\Explorer\Run: [{0816A5B9-0682-1033-0223-041113020001}] "C:\Program Files\Common Files\{0816A5B9-0682-1033-0223-041113020001}\Update.exe" mc-110-12-0000137
O4 - HKCU\..\Policies\Explorer\Run: [{0816A5B9-0683-1033-0223-041113020001}] "C:\Program Files\Common Files\{0816A5B9-0683-1033-0223-041113020001}\Update.exe" mc-110-12-0000137
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Policies\Explorer\Run: [{0816A5B9-0683-1033-0223-041113020001}] "C:\Program Files\Common Files\{0816A5B9-0683-1033-0223-041113020001}\Update.exe" mc-110-12-0000137 (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Policies\Explorer\Run: [{0816A5B9-0683-1033-0223-041113020001}] "C:\Program Files\Common Files\{0816A5B9-0683-1033-0223-041113020001}\Update.exe" mc-110-12-0000137 (User 'Default user')
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm082YYCA
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-000320050660} -
O16 - DPF: {00000000-0000-0000-0000-000330050660} -
O16 - DPF: {00000000-0709-0000-0000-000330050660} -
O16 - DPF: {00001000-0709-0000-0000-000330050660} -
O16 - DPF: {00330010-0000-0000-0000-000020060010} -
O16 - DPF: {00330010-0000-0000-0000-000020160010} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {8C875948-9C60-4381-9248-0DF180542D53} -
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: khhhg - C:\WINDOWS\
O20 - Winlogon Notify: Setup - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Client IP-IPX - Unknown owner - C:\WINDOWS\
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 18012 bytes

katana

2007-10-25, 00:58

Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly :D
======================================

Well you do seem to have a lot going on in that log :)
First off please reboot, so that Spybot can have a go at removing some of the rubbish.
Is there a reason why you have not updated to XP service Pack 2 ??

Next:-
Download and Run ComboFix

Download Combofix from one of the two links below :

http://download.bleepingcomputer.com/sUBs/ComboFix.exe
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Then double click combofix.exe & follow the prompts.
When finished, it will produce a log for you. Post that log in your next reply

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Please post the ComboFix log along with a fresh HJT log in your reply.

dude234543

2007-10-25, 20:02

Ok, here it is:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:44:27 AM, on 10/25/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\SoftwareDistribution\Download\S-1-5-18\74eac9a4b069a45e3e4e8d162f3dd349\update\update.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Defender Pro\AntiSpy\Dpas.exe
C:\WINDOWS\VM_STI.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\explorer.exe
E:\HiJackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://g.msn.com/0SEENUS/SAOS01?FORM=TOOLBR
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7C7DA6DD-F154-4F98-84E8-D0C32F9CE1D2} - (no file)
O2 - BHO: (no name) - {FB802D3B-319A-49E3-910C-4FED939E7E2F} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - (no file)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Antispy] C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
O4 - HKLM\..\Run: [BigDogPath] C:\WINDOWS\VM_STI.EXE Webbo Digital Camera
O4 - HKLM\..\Run: [AAWTray] C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZUxdm082YYCA
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {00000000-0000-0000-0000-000320050660} -
O16 - DPF: {00000000-0000-0000-0000-000330050660} -
O16 - DPF: {00000000-0709-0000-0000-000330050660} -
O16 - DPF: {00001000-0709-0000-0000-000330050660} -
O16 - DPF: {00330010-0000-0000-0000-000020060010} -
O16 - DPF: {00330010-0000-0000-0000-000020160010} -
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freeware/installdrivecleanerstart.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} -
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://chat.msn.com/controls/msnchat45.cab
O20 - Winlogon Notify: khhhg - C:\WINDOWS\
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

--
End of file - 6732 bytes

ComboFix 07-10-23.1 - Owner 2007-10-25 8:59:47.2 - NTFSx86
Script execution time was exceeded on script "C:\ComboFix\osid.vbs".
Script execution was terminated.
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\guard.tmp
.
---- Previous Run -------
.
C:\Documents and Settings\Girly\Desktop\internet.lnk
C:\Documents and Settings\Girly\Start Menu\Programs\Startup\think-adz.lnk
C:\Documents and Settings\Guest\Start Menu\Programs\Startup\think-adz.lnk
C:\Documents and Settings\Owner\Application Data\Dxccwrd.dll
C:\Documents and Settings\Owner\Application Data\Dxcdmns.dll
C:\Documents and Settings\Owner\Application Data\Dxcknwrd.dll
C:\Documents and Settings\Owner\Application Data\Dxcuknwrd.dll
C:\Documents and Settings\Owner\Application Data\ICROSO~1
C:\Program Files\Common Files\{0816A~1
C:\Program Files\Common Files\{0816A~2
C:\Program Files\Common Files\{3816A~1
C:\Program Files\Common Files\{3816A~2
C:\Program Files\myglobalsearch
C:\Program Files\outlook
C:\Program Files\sstem~1
C:\Program Files\sstem~1\s?stem\
C:\WINDOWS\Downloaded Program Files\UERS_0001_NI531020NetInstaller.exe
C:\WINDOWS\system32\amsfwbqo.ini
C:\WINDOWS\system32\aza2l51o1.dll
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\bund1\temp.txt
C:\WINDOWS\system32\d6j0lg1m16.dll
C:\WINDOWS\system32\dxskperf.dll
C:\WINDOWS\system32\f4l0le3m1h.dll
C:\WINDOWS\system32\g440lehm1h4a.dll
C:\WINDOWS\system32\ghhhk.bak1
C:\WINDOWS\system32\ghhhk.bak2
C:\WINDOWS\system32\ghhhk.ini
C:\WINDOWS\system32\ghhhk.ini2
C:\WINDOWS\system32\ghhhk.tmp
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\n4p4le7q1h.dll
C:\WINDOWS\system32\nR6qlaj51do.dll
C:\WINDOWS\system32\oqbwfsma.dll
C:\WINDOWS\system32\SC2EVNT1.DLL
C:\WINDOWS\system32\svchosts.lzma
C:\WINDOWS\system32\wcpsu.exe
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CLIENT_IP-IPX
-------\LEGACY_CMDSERVICE
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\Client IP-IPX

((((((((((((((((((((((((( Files Created from 2007-09-25 to 2007-10-25 )))))))))))))))))))))))))))))))
.

2007-10-24 10:09 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-23 14:33 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-23 13:40 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2007-10-23 13:39 33,792 --a------ C:\WINDOWS\system32\drivers\disk.sys
2007-10-23 12:07 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-22 08:52 <DIR> d-------- C:\Documents and Settings\Owner\Application Data\AVG7
2007-10-22 08:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
2007-10-22 08:51 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-10-22 08:51 348,160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-10-15 00:08 <DIR> d-------- C:\Documents and Settings\Girly\Application Data\Apple Computer
2007-10-14 22:32 <DIR> d-------- C:\Documents and Settings\Girly\Application Data\Nova Development
2007-10-14 20:22 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2007-10-14 20:22 45,568 --a------ C:\WINDOWS\system32\iyuv_32.dll
2007-10-14 20:22 8,192 --a------ C:\WINDOWS\system32\tsbyuv.dll
2007-10-13 13:34 134,272 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-10-13 13:34 57,856 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-10-13 13:25 28,160 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-23 17:03 --------- d-----w C:\Program Files\BearShare
2007-10-22 15:56 --------- d-----w C:\Program Files\Ulfky
2007-03-06 08:52 225,280 ----a-w C:\Program Files\Uninstall My Global Search Bar.dll
2006-06-07 17:55 3,753 ----a-w C:\Program Files\html2.htm
2006-06-07 17:55 3,626 ----a-w C:\Program Files\html1.htm
2006-03-03 22:25 66 ----a-w C:\Documents and Settings\Owner\Application Data\SQSDMTST.SYS
2003-03-07 04:17 2,765 ----a-w C:\Program Files\Common Files\AutoUpdate.rtf
2003-01-27 18:50 1,000,448 ----a-w C:\Program Files\Common Files\AutoUpdate.exe
2004-06-27 16:52:24 32 --sha-w C:\WINDOWS\{5B932F79-4D56-4330-86BC-5503B85B00E1}.dat
2007-02-07 03:06:02 6,560 --sha-w C:\WINDOWS\system32\ssstv.bak1
2007-02-23 07:11:53 732,283 --sha-w C:\WINDOWS\system32\ssstv.bak2
2004-06-27 16:52:24 32 --sha-w C:\WINDOWS\system32\{6E604437-A603-4A9A-8007-42F2960609EE}.dat
2005-07-29 22:24:26 472 --sha-r C:\WINDOWS\Vy5YUA\pVcsoE.vbs
.

((((((((((((((((((((((((((((( snapshot@2007-10-25_ 8.57.25.41 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-25 15:53:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
+ 2007-10-25 16:13:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
- 2007-10-25 15:53:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
+ 2007-10-25 16:13:01 16,384 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
- 2007-10-25 15:53:01 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
+ 2007-10-25 16:13:01 32,768 ----a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
- 2007-10-25 15:36:29 245,760 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-25 15:59:42 245,760 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{182B90A3-F372-438A-800C-6814B4DE417B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7C7DA6DD-F154-4F98-84E8-D0C32F9CE1D2}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FB802D3B-319A-49E3-910C-4FED939E7E2F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2005-09-18 14:04]
"SSC_UserPrompt"="C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" [2004-11-02 15:59]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-12-26 12:53]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 00:20]
"ccRegVfy"="C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe" [2003-12-02 15:11]
"Antispy"="C:\Program Files\Defender Pro\AntiSpy\Dpas.exe" [2004-06-01 03:59]
"BigDogPath"="C:\WINDOWS\VM_STI.exe" [2003-01-21 15:19]
"AAWTray"="C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe" [2007-08-08 15:53]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"@"="" []
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" [2005-08-31 11:54]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-11-15 15:18]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ALUAlert"=C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khhhg]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\Setup]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"cmdService"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"BigDogPath"=C:\WINDOWS\VM_STI.EXE Webbo Digital Camera
"Antispy"=C:\Program Files\Defender Pro\AntiSpy\Dpas.exe startup
"AAWTray"=C:\Program Files\Lavasoft\Ad-Aware 2007\AAWTray.exe

.
Contents of the 'Scheduled Tasks' folder
"2005-09-27 03:09:13 C:\WINDOWS\Tasks\Norton AntiVirus - scan 1.job"
"2007-06-02 03:22:15 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-10-24 18:00:01 C:\WINDOWS\Tasks\StartSC.job"
- C:\PROGRA~1\TDDOWN~1\TDDAInter.exe
"2007-10-25 16:13:03 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-25 09:13:15
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-10-25 9:17:29 - machine was rebooted
.
--- E O F ---

katana

2007-10-25, 20:44

Is there a reason why you have not updated to Service Pack 2 ???

Disable Teatimer
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, Click once on Resident Protection, then Right click the Spybot icon again and make sure Resident Protection is now Unchecked. The Spybot icon in the System tray should now be now colorless.
If you have Version 1.4, Click on Exit Spybot S&D Resident Second step, For Either Version : Open Spybot S&D
Click Mode, choose Advanced Mode
Go To the bottom of the Vertical Panel on the Left, Click Tools
then, also in left panel, click Resident shows a red/white shield.
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.

You are running MyWebSearch (or MyBar). Although not technically malware, it is thought to be bad by many experts and it will bring malware with it. There are safer alternatives available such as the Google toolbar (http://toolbar.google.com/T4/). My Web Search also known as the My Way Speedbar is the Internet Explorer toolbar part of the Fun Web Products suite of utilities such as Smiley Central, Cursor Mania, My Mail Stationary, My Mail Signature, PopSwatter, Popular Screensavers, and the My Way website portal. The toolbar allows easy access to search engine results and a 404 Error Redirector called My Total Search among other things to your browser. This is not to be confused with the IBIS Web Search toolbar. MyWay is a search toolbar that installs into Internet Explorer and Netscape Navigator, adding search functions and popup blocking. It reports your surfing activity anonymously to MyWay affiliates, helping them to serve targeted advertising to you. As a BHO, MyWay shares the memory that your browser uses, detects events, creates additional windows while you are surfing, and monitors your activity. When a new browser window is opened, MyWay will send a configuration request about 5k in size.

Although none of these products claim to be spyware, they do slow your computer down. All of the products use cookies to track usage, although they claim not to use cookies or anything else to track personally identifiable information. That being said, I would still recommend uninstalling the toolbar and other Fun Web Products if you feel your computer runs better without them. They are found by most spyware removal tools such as Spybot Search and Destroy, Lavasoft Ad-Aware, although they are deemed spyware safe by Aluria Software who created a Spyware SAFE Certification.

IMPORTANT I notice there are signs of one or more P2P (Person to Person) File Sharing Programs on your computer.

BearShare

I'd like you to read the Guidelines for P2P Programs (http://forums.spybot.info/showthread.php?t=282) where we explain why it's not a good idea to have them.

My recommendation is you go to Control Panel > Add/Remove Programs and uninstall the programs listed above (in red).
Please note: you must NOT use this whilst we are cleaning your machine.

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

DirLook::
C:\Program Files\Ulfky

File::
C:\WINDOWS\system32\ssstv.bak1
C:\WINDOWS\system32\ssstv.bak2
C:\Program Files\Uninstall My Global Search Bar.dll

Folder::

Registry::
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{182B90A3-F372-438A-800C-6814B4DE417B}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{7C7DA6DD-F154-4F98-84E8-D0C32F9CE1D2}]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{FB802D3B-319A-49E3-910C-4FED939E7E2F}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\khhhg]
Save this as CFScript.txt and place it on your desktop.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.

Submit a File For Analysis
We need to have the files below Scanned by Uploading them/it to Jotti

Please visit Jotti (http://virusscan.jotti.org/)
Copy/paste the the following file path into the window
C:\Program Files\html2.htm
Click Submit/Send File
Please post back, to let me know the results.

Please do the same for the following file
C:\Program Files\html1.htm
C:\Program Files\Common Files\AutoUpdate.rtf
C:\Program Files\Common Files\AutoUpdate.exe
C:\WINDOWS\{5B932F79-4D56-4330-86BC-5503B85B00E1}.dat
C:\WINDOWS\system32\{6E604437-A603-4A9A-8007-42F2960609EE}.dat
C:\WINDOWS\Vy5YUA\pVcsoE.vbs

If Jotti is too busy please try Virustotal (http://www.virustotal.com/en/indexf.html)

Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines (if still present)

O2 - BHO: (no name) - {7C7DA6DD-F154-4F98-84E8-D0C32F9CE1D2} - (no file)
O2 - BHO: (no name) - {FB802D3B-319A-49E3-910C-4FED939E7E2F} - (no file)
O3 - Toolbar: Pa&nicware Pop-Up Stopper Basic - {B1E741E7-1E77-40D4-9FD8-51949B9CCBD0} - (no file)

O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZUxdm082YYCA

O16 - DPF: {00000000-0000-0000-0000-000320050660} -
O16 - DPF: {00000000-0000-0000-0000-000330050660} -
O16 - DPF: {00000000-0709-0000-0000-000330050660} -
O16 - DPF: {00001000-0709-0000-0000-000330050660} -
O16 - DPF: {00330010-0000-0000-0000-000020060010} -
O16 - DPF: {00330010-0000-0000-0000-000020160010} -
O16 - DPF: {2D2BEE6E-3C9A-4D58-B9EC-458EDB28D0F6} - http://www.drivecleaner.com/.freewar...eanerstart.cab
O16 - DPF: {4AD73894-A895-4FC2-B233-299867E08753} -
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} -
O16 - DPF: {A1426AC5-8CE5-4A00-B71E-011D35709AC6} -

O20 - Winlogon Notify: khhhg - C:\WINDOWS\
- Close ALL open windows (especially Internet Explorer!)-
Now click Fix checked
Click yes to any prompts
Close HijackThis

Logs/Information to Post in Reply
Please post the following logs/Information in your reply

ComboFix Log
A fresh HJT log
Jotti/ Virus Total results
Service Pack 2 ???

katana

2007-10-29, 21:23

Do you still need help ?

tashi

2007-11-07, 06:12

dude234543, due to lack of a response to your helper, this topic has been archived.

If you wish for it to be re-opened, please send me a private message (pm) and provide a link to the thread.

Applies only to the original poster, anyone else with similar problems please start a new topic.

Thank you katana.