PDA

View Full Version : Trojan fakealert, Virtumonde and security toolbar... how to get rid of them?


tallmark19
2007-11-08, 02:07
By downloading Limeware I think I got some file extra that now is showing strange security alerts and makes my life complicated by pop-ups and slow performance of all programs. I have tried a lot of cleaners (CCleaner, Spybot, Counterspy and some online cleaners). Most of them find following features: Trojan fakealert, Virtumonde, virtumonde.generic and Security toolbar.desctopscam. After each run of cleaners the problem files seem to be removed, but after restarting the system they are back. And everything starts from beginning. i tried to delete some of those files manually, but guess that was not vise action. Can someone help by advising what to do? :sad:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:43:03 AM, on 11/9/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\PROGRA~1\CA\SHARED~1\SCANEN~1\InoDist.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\rainlendar\Rainlendar.exe
C:\Documents and Settings\###\Desktop\HiJackThis.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\###\Desktop\HiJackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28c90531-9ccb-407e-9533-0234747ae540} - C:\WINDOWS\system32\dynupaal.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {35AB92FE-F820-47D4-88AB-93AE491B773C} - (no file)
O2 - BHO: (no name) - {400F5A33-C391-48F0-B6F3-870D00213E68} - C:\WINDOWS\system32\xxwvs.dll
O2 - BHO: (no name) - {46052F86-0617-4CFC-9961-2A8EA7849B7F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56A80D77-D674-49BC-ADD5-B179CE239635} - (no file)
O2 - BHO: (no name) - {5EF5D4AE-710F-4DD9-8DB2-BAB1AAFA12E4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {96A96250-CABD-433E-8335-96B41129BE75} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\iozpvgvz.dll (file missing)
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\wvututq.dll
O2 - BHO: {39b25d9e-f654-e728-ae64-d295dee584ac} - {ca485eed-592d-46ea-827e-456fe9d52b93} - C:\WINDOWS\system32\ebefpihl.dll
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\rainlendar\Rainlendar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180570546740
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bcrvicxe - bcrvicxe.dll (file missing)
O20 - Winlogon Notify: iozpvgvz - iozpvgvz.dll (file missing)
O20 - Winlogon Notify: kpxbeglx - kpxbeglx.dll (file missing)
O20 - Winlogon Notify: wvututq - C:\WINDOWS\SYSTEM32\wvututq.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 6268 bytes
ken545
2007-11-08, 02:46
Hello tallmark19

Welcome to Safer Networking.

Please read Before YouPost (http://forums.spybot.info/showthread.php?t=288)
That said, All advice given by anyone volunteering here, is taken at own risk.
While best efforts are made to assist in removing infections safely, unexpected stuff can happen.

Sorry your having problems, lets get you cleaned up, first we need to have Hijackthis in its own folder, go to your C:\ drive and create a new folder and name it Hijackthis, go to where you have HJT installed and right click on it ( looks like a man with a spyglass ) select CUT, go to the new folder you just created and right click inside that folder and select Paste.


Run both these tools, I need to see the reports.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall



Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



Before you post a new HJT log do this ( I know I am driving you crazy but there is reason for it ) go to the new folder you just created C:\Hijackthis\Hijackthis.exe Right click on the the little man with a spyglass and rename it to Scanner.exe


I need to see the Combofix log, the Vundo log and a new HJT log with it renamed please.
tallmark19
2007-11-08, 09:40
Thanks for helping.
Here are the reports u asked for (hijackthis report comes in next post). what should i do next?


ComboFix 07-11-08.1 - ### 2007-11-09 8:05:38.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.436 [GMT 0:00]
Running from: C:\Documents and Settings\###\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\salesmonitor
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\###\Favorites\Online Security Guide.lnk
C:\Documents and Settings\###\ResErrors.log
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bcrvicxe.dllbox
C:\WINDOWS\system32\charset.dll
C:\WINDOWS\system32\svwxx.bak1
C:\WINDOWS\system32\svwxx.bak2
C:\WINDOWS\system32\svwxx.ini
C:\WINDOWS\system32\xxwvs.dll
C:\z.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_FMTR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-09 07:56 86,080 --a------ C:\WINDOWS\system32\gvmiliyu.dll
2007-11-09 07:53 80,448 --a------ C:\WINDOWS\system32\mjgnkhxj.dll
2007-11-09 07:52 <DIR> d-------- C:\Hijackthis
2007-11-09 07:50 145,984 --a------ C:\WINDOWS\system32\xgfnuxmv.dll
2007-11-09 07:44 71,232 --a------ C:\WINDOWS\system32\nexxawso.exe
2007-11-08 22:40 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-08 22:39 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-08 22:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-08 22:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-08 22:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-08 22:39 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-08 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-08 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 18:38 79,936 --a------ C:\WINDOWS\system32\ebefpihl.dll
2007-11-07 18:35 86,080 --a------ C:\WINDOWS\system32\mlemprdx.dll
2007-11-07 18:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 18:30 0 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-07 18:29 145,984 --a------ C:\WINDOWS\system32\hcwagqvx.dll
2007-11-07 18:26 71,232 --a------ C:\WINDOWS\system32\jarebjuo.exe
2007-11-07 14:51 5,094,435 --a------ C:\WINDOWS\system32\SBSP.dat
2007-11-07 14:35 145,984 --a------ C:\WINDOWS\system32\jnxyhtdn.dll
2007-11-06 18:30 81,472 --a------ C:\WINDOWS\system32\ykqojwjc.dll
2007-11-06 18:27 71,232 --a------ C:\WINDOWS\system32\fweeyann.exe
2007-11-05 18:27 83,008 --a------ C:\WINDOWS\system32\exyiuqus.dll
2007-11-04 07:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-04 00:34 385 --a------ C:\WINDOWS\system32\SBFC.dat
2007-11-04 00:26 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-11-04 00:25 <DIR> d-------- C:\Documents and Settings\###\Application Data\Sunbelt Software
2007-11-04 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-04 00:19 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-11-04 00:17 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-11-03 22:47 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-03 22:46 <DIR> d-------- C:\Program Files\CCleaner
2007-11-03 22:08 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-03 20:42 786 --a------ C:\3284.bat
2007-11-03 20:31 <DIR> d-------- C:\Documents and Settings\###\Application Data\PC Tools
2007-11-03 20:16 786 --a------ C:\9048.bat
2007-11-03 19:57 786 --a------ C:\8142.bat
2007-11-03 18:45 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-03 18:45 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-03 18:45 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-03 17:46 <DIR> d-------- C:\Virtual
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BufferZone
2007-11-03 17:30 <DIR> d-------- C:\WINDOWS\E4153266612C460FAB94C9DB6802459A.TMP
2007-11-03 17:18 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-03 17:15 35,328 --a------ C:\WINDOWS\system32\wvututq.dll
2007-11-03 17:15 0 --a------ C:\z.dat
2007-11-03 14:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 14:23 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-26 07:31 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-25 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-25 12:31 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-25 12:31 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-25 12:29 <DIR> d-------- C:\Program Files\Bonjour
2007-10-25 12:17 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-25 11:14 <DIR> d-------- C:\Program Files\Microsoft Office Live
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-20 12:15 <DIR> d-------- C:\Documents and Settings\###\Incomplete
2007-10-20 12:14 <DIR> d-------- C:\Program Files\LimeWire
2007-10-20 11:42 <DIR> d-------- C:\Documents and Settings\###\Application Data\Microsoft Web Folders
2007-10-18 17:55 <DIR> d-------- C:\Documents and Settings\###\Application Data\Adssite Advanced Toolbar
2007-10-18 15:32 <DIR> d-------- C:\Documents and Settings\###\Shared
2007-10-18 15:32 <DIR> d-------- C:\Documents and Settings\###\Application Data\LimeWire
2007-10-10 15:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 22:57 --------- d-----w C:\Documents and Settings\###\Application Data\Skype
2007-11-05 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 09:46 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-03 22:08 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-26 07:31 --------- d-----w C:\Program Files\Common Files\Real
2007-10-26 07:30 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-26 07:30 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-10-25 22:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 12:23 --------- d-----w C:\Program Files\Java
2007-10-20 11:42 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-19 11:36 --------- d-----w C:\Program Files\rainlendar
2007-10-19 11:30 --------- d-----w C:\Program Files\iTunes
2007-10-19 11:27 --------- d-----w C:\Program Files\Digital Line Detect
2007-10-05 21:12 --------- d-----w C:\Program Files\Picasa2
2007-10-04 10:11 --------- d-----w C:\Program Files\RealPlayer
2007-09-27 07:42 --------- d-----w C:\Program Files\Real
2007-09-18 19:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-18 19:02 --------- d-----w C:\Program Files\Skype
2007-09-11 09:30 --------- d-----w C:\Documents and Settings\###\Application Data\Chessmaster Challenge
2007-09-11 09:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-08-27 11:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-26 07:42 60,416 ----a-w C:\WINDOWS\system32\rbap350.dll
2007-08-26 07:42 54,784 ----a-w C:\WINDOWS\system32\RBQT350.DLL
2007-08-26 07:42 39,936 ----a-w C:\WINDOWS\system32\RBShell350.dll
2007-08-26 07:42 25,600 ----a-w C:\WINDOWS\system32\ecryptstrong.dll
2007-08-26 07:42 18,944 ----a-w C:\WINDOWS\system32\ecrypt.dll
2007-08-26 07:42 170,496 ----a-w C:\WINDOWS\system32\plugin.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-31 03:19 37,873,216 ----a-w C:\Program Files\iTunesSetup.exe
2006-03-20 13:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28c90531-9ccb-407e-9533-0234747ae540}]
C:\WINDOWS\system32\dynupaal.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35AB92FE-F820-47D4-88AB-93AE491B773C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46052F86-0617-4CFC-9961-2A8EA7849B7F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56A80D77-D674-49BC-ADD5-B179CE239635}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EF5D4AE-710F-4DD9-8DB2-BAB1AAFA12E4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96A96250-CABD-433E-8335-96B41129BE75}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
2007-11-03 17:15 35328 --a------ C:\WINDOWS\system32\wvututq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4b2e330-f3b9-4f7d-884f-9b05ff03332c}]
2007-11-09 07:53 80448 --a------ C:\WINDOWS\system32\mjgnkhxj.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"001b5e8e"="C:\WINDOWS\system32\gvmiliyu.dll" [2007-11-09 07:56]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\###\Start Menu\Programs\Startup\
Shortcut to Rainlendar.lnk - C:\Program Files\rainlendar\Rainlendar.exe [2007-05-31 02:32:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-05-30 22:22:16]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\WINDOWS\system32\wvututq.dll [2007-11-03 17:15 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bcrvicxe]
bcrvicxe.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iozpvgvz]
iozpvgvz.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kpxbeglx]
kpxbeglx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvututq]
wvututq.dll 2007-11-03 17:15 35328 C:\WINDOWS\system32\wvututq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\xxwvs.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SNM"=C:\Program Files\SpyNoMore\SNM.exe /startup

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 07:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-05-30 22:20:26 C:\WINDOWS\Tasks\BMMTask.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 08:19:37
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 8:23:16 - machine was rebooted
.
--- E O F ---





VundoFix V6.5.11

Checking Java version...

Scan started at 08:26:39 2007-11-09

Listing files found while scanning....

No infected files were found.
tallmark19
2007-11-08, 09:42
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:31, on 2007-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\rainlendar\Rainlendar.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Hijackthis\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {28c90531-9ccb-407e-9533-0234747ae540} - C:\WINDOWS\system32\dynupaal.dll (file missing)
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {35AB92FE-F820-47D4-88AB-93AE491B773C} - (no file)
O2 - BHO: (no name) - {46052F86-0617-4CFC-9961-2A8EA7849B7F} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {56A80D77-D674-49BC-ADD5-B179CE239635} - (no file)
O2 - BHO: (no name) - {5EF5D4AE-710F-4DD9-8DB2-BAB1AAFA12E4} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {96A96250-CABD-433E-8335-96B41129BE75} - (no file)
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\wvututq.dll
O2 - BHO: {c23330ff-50b9-f488-d7f4-9b3f033e2b4d} - {d4b2e330-f3b9-4f7d-884f-9b05ff03332c} - C:\WINDOWS\system32\mjgnkhxj.dll
O4 - HKLM\..\Run: [001b5e8e] rundll32.exe "C:\WINDOWS\system32\gvmiliyu.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\rainlendar\Rainlendar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180570546740
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: bcrvicxe - bcrvicxe.dll (file missing)
O20 - Winlogon Notify: iozpvgvz - iozpvgvz.dll (file missing)
O20 - Winlogon Notify: kpxbeglx - kpxbeglx.dll (file missing)
O20 - Winlogon Notify: wvututq - C:\WINDOWS\SYSTEM32\wvututq.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 6327 bytes
ken545
2007-11-08, 10:56
Good Morning,

Your doing well :bigthumb: Almost home.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad



files::
C:\WINDOWS\system32\gvmiliyu.dll
C:\WINDOWS\system32\mjgnkhxj.dll
C:\WINDOWS\system32\nexxawso.exe
C:\WINDOWS\system32\wvututq.dll
C:\WINDOWS\system32\xgfnuxmv.dll
C:\WINDOWS\system32\xxwvs.dll



Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{28c90531-9ccb-407e-9533-0234747ae540}]
C:\WINDOWS\system32\dynupaal.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{35AB92FE-F820-47D4-88AB-93AE491B773C}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{46052F86-0617-4CFC-9961-2A8EA7849B7F}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{56A80D77-D674-49BC-ADD5-B179CE239635}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5EF5D4AE-710F-4DD9-8DB2-BAB1AAFA12E4}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{96A96250-CABD-433E-8335-96B41129BE75}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
2007-11-03 17:15 35328 --a------ C:\WINDOWS\system32\wvututq.dll

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d4b2e330-f3b9-4f7d-884f-9b05ff03332c}]
2007-11-09 07:53 80448 --a------ C:\WINDOWS\system32\mjgnkhxj.dll

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"001b5e8e"="C:\WINDOWS\system32\gvmiliyu.dll" [2007-11-09 07:56]

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\WINDOWS\system32\wvututq.dll [2007-11-03 17:15 35328]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bcrvicxe]
bcrvicxe.dll

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iozpvgvz]
iozpvgvz.dll

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\kpxbeglx]
kpxbeglx.dll

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvututq]
wvututq.dll 2007-11-03 17:15 35328 C:\WINDOWS\system32\wvututq.dll


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.




Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.

*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!



Let me see the new Combofix log and new HJT log please
tallmark19
2007-11-08, 11:57
Here are the new reports. what should i do next?

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:52, on 2007-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\rainlendar\Rainlendar.exe
C:\WINDOWS\System32\svchost.exe
C:\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvnet.lv/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\wvututq.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\rainlendar\Rainlendar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180570546740
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: wvututq - C:\WINDOWS\SYSTEM32\wvututq.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5514 bytes



ComboFix 07-11-08.1 - ### 2007-11-09 10:12:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.403 [GMT 0:00]
Running from: C:\Documents and Settings\###\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\###\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\edeeg.ini
C:\WINDOWS\system32\geede.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-09 08:26 <DIR> d-------- C:\VundoFix Backups
2007-11-09 07:56 86,080 --a------ C:\WINDOWS\system32\gvmiliyu.dll
2007-11-09 07:53 80,448 --a------ C:\WINDOWS\system32\mjgnkhxj.dll
2007-11-09 07:52 <DIR> d-------- C:\Hijackthis
2007-11-09 07:50 145,984 --a------ C:\WINDOWS\system32\xgfnuxmv.dll
2007-11-09 07:44 71,232 --a------ C:\WINDOWS\system32\nexxawso.exe
2007-11-08 22:40 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-08 22:39 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-08 22:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-08 22:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-08 22:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-08 22:39 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-08 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-08 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 18:38 79,936 --a------ C:\WINDOWS\system32\ebefpihl.dll
2007-11-07 18:35 86,080 --a------ C:\WINDOWS\system32\mlemprdx.dll
2007-11-07 18:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 18:30 2,624 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-07 18:29 145,984 --a------ C:\WINDOWS\system32\hcwagqvx.dll
2007-11-07 18:26 71,232 --a------ C:\WINDOWS\system32\jarebjuo.exe
2007-11-07 14:35 145,984 --a------ C:\WINDOWS\system32\jnxyhtdn.dll
2007-11-06 18:30 81,472 --a------ C:\WINDOWS\system32\ykqojwjc.dll
2007-11-06 18:27 71,232 --a------ C:\WINDOWS\system32\fweeyann.exe
2007-11-05 18:27 83,008 --a------ C:\WINDOWS\system32\exyiuqus.dll
2007-11-04 07:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-04 00:26 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-11-04 00:25 <DIR> d-------- C:\Documents and Settings\###\Application Data\Sunbelt Software
2007-11-04 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-04 00:19 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-11-04 00:17 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-11-03 22:47 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-03 22:46 <DIR> d-------- C:\Program Files\CCleaner
2007-11-03 22:08 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-03 20:42 786 --a------ C:\3284.bat
2007-11-03 20:31 <DIR> d-------- C:\Documents and Settings\###\Application Data\PC Tools
2007-11-03 20:16 786 --a------ C:\9048.bat
2007-11-03 19:57 786 --a------ C:\8142.bat
2007-11-03 18:45 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-03 18:45 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-03 18:45 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-03 17:46 <DIR> d-------- C:\Virtual
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BufferZone
2007-11-03 17:30 <DIR> d-------- C:\WINDOWS\E4153266612C460FAB94C9DB6802459A.TMP
2007-11-03 17:18 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-03 17:15 35,328 --a------ C:\WINDOWS\system32\wvututq.dll
2007-11-03 17:15 0 --a------ C:\z.dat
2007-11-03 14:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 14:23 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-26 07:31 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-25 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-25 12:31 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-25 12:31 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-25 12:29 <DIR> d-------- C:\Program Files\Bonjour
2007-10-25 12:17 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-25 11:14 <DIR> d-------- C:\Program Files\Microsoft Office Live
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-20 12:15 <DIR> d-------- C:\Documents and Settings\###\Incomplete
2007-10-20 12:14 <DIR> d-------- C:\Program Files\LimeWire
2007-10-20 11:42 <DIR> d-------- C:\Documents and Settings\###\Application Data\Microsoft Web Folders
2007-10-18 17:55 <DIR> d-------- C:\Documents and Settings\###\Application Data\Adssite Advanced Toolbar
2007-10-18 15:32 <DIR> d-------- C:\Documents and Settings\###\Shared
2007-10-18 15:32 <DIR> d-------- C:\Documents and Settings\###\Application Data\LimeWire
2007-10-10 15:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 22:57 --------- d-----w C:\Documents and Settings\###\Application Data\Skype
2007-11-05 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 09:46 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-03 22:08 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-26 07:31 --------- d-----w C:\Program Files\Common Files\Real
2007-10-26 07:30 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-26 07:30 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-10-25 22:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 12:23 --------- d-----w C:\Program Files\Java
2007-10-20 11:42 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-19 11:36 --------- d-----w C:\Program Files\rainlendar
2007-10-19 11:30 --------- d-----w C:\Program Files\iTunes
2007-10-19 11:27 --------- d-----w C:\Program Files\Digital Line Detect
2007-10-05 21:12 --------- d-----w C:\Program Files\Picasa2
2007-10-04 10:11 --------- d-----w C:\Program Files\RealPlayer
2007-09-27 07:42 --------- d-----w C:\Program Files\Real
2007-09-18 19:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-18 19:02 --------- d-----w C:\Program Files\Skype
2007-09-11 09:30 --------- d-----w C:\Documents and Settings\###\Application Data\Chessmaster Challenge
2007-09-11 09:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-08-27 11:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-26 07:42 60,416 ----a-w C:\WINDOWS\system32\rbap350.dll
2007-08-26 07:42 54,784 ----a-w C:\WINDOWS\system32\RBQT350.DLL
2007-08-26 07:42 39,936 ----a-w C:\WINDOWS\system32\RBShell350.dll
2007-08-26 07:42 25,600 ----a-w C:\WINDOWS\system32\ecryptstrong.dll
2007-08-26 07:42 18,944 ----a-w C:\WINDOWS\system32\ecrypt.dll
2007-08-26 07:42 170,496 ----a-w C:\WINDOWS\system32\plugin.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-31 03:19 37,873,216 ----a-w C:\Program Files\iTunesSetup.exe
2006-03-20 13:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
2007-11-03 17:15 35328 --a------ C:\WINDOWS\system32\wvututq.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\###\Start Menu\Programs\Startup\
Shortcut to Rainlendar.lnk - C:\Program Files\rainlendar\Rainlendar.exe [2007-05-31 02:32:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-05-30 22:22:16]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\WINDOWS\system32\wvututq.dll [2007-11-03 17:15 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvututq]
wvututq.dll 2007-11-03 17:15 35328 C:\WINDOWS\system32\wvututq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\geede.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SNM"=C:\Program Files\SpyNoMore\SNM.exe /startup

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 07:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-05-30 22:20:26 C:\WINDOWS\Tasks\BMMTask.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 10:45:17
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 10:47:54 - machine was rebooted
.
--- E O F ---
ken545
2007-11-08, 12:55
Some of the files were not removed , so do this.

Download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) and save it to your desktop

Open OTMoveIt.exe.
In the left pane where it says: "Paste List of Files/Folders to be Moved", copy and paste the files in the quote box including the full path



C:\WINDOWS\system32\geede.dll
C:\WINDOWS\system32\gvmiliyu.dll
C:\WINDOWS\system32\wvututq.dll
C:\WINDOWS\system32\mjgnkhxj.dll
C:\WINDOWS\system32\xgfnuxmv.dll
C:\WINDOWS\system32\nexxawso.exe
C:\WINDOWS\system32\mlemprdx.dll
C:\WINDOWS\system32\hcwagqvx.dll
C:\WINDOWS\system32\jarebjuo.exe
C:\WINDOWS\system32\jnxyhtdn.dll
C:\WINDOWS\system32\ykqojwjc.dll
C:\WINDOWS\system32\fweeyann.exe
C:\WINDOWS\system32\exyiuqus.dll

Then click the MoveIt button below.
In case you get a "Bad Image" error, just click OK at the promt. It will move the file anyway.
When done, it will create a log (********_******.log -- * stands for date and time) in next folder: C:\_OTMoveIt\MovedFiles.
Copy and paste this log in your next reply.




Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad



Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
2007-11-03 17:15 35328 --a------ C:\WINDOWS\system32\wvututq.dll

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\WINDOWS\system32\wvututq.dll [2007-11-03 17:15 35328]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvututq]
wvututq.dll 2007-11-03 17:15 35328 C:\WINDOWS\system32\wvututq.dll]

Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.


Post the log from OtMoveIt and the new Combofix log and a new HJT log please
tallmark19
2007-11-08, 14:40
here are the reports u asked:

ComboFix 07-11-08.1 - ### 2007-11-09 13:20:02.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.457 [GMT 0:00]
Running from: C:\Documents and Settings\###\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\###\Desktop\CFScript.txt
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ddaax.dll
C:\WINDOWS\system32\xaadd.bak1
C:\WINDOWS\system32\xaadd.ini

.
((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-09 08:26 <DIR> d-------- C:\VundoFix Backups
2007-11-09 07:52 <DIR> d-------- C:\Hijackthis
2007-11-08 22:40 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-08 22:39 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-08 22:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-08 22:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-08 22:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-08 22:39 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-08 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-08 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 18:38 79,936 --a------ C:\WINDOWS\system32\ebefpihl.dll
2007-11-07 18:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 18:30 2,624 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-04 07:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-04 00:26 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-11-04 00:25 <DIR> d-------- C:\Documents and Settings\###\Application Data\Sunbelt Software
2007-11-04 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-04 00:19 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-11-04 00:17 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-11-03 22:47 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-03 22:46 <DIR> d-------- C:\Program Files\CCleaner
2007-11-03 22:08 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-03 20:42 786 --a------ C:\3284.bat
2007-11-03 20:31 <DIR> d-------- C:\Documents and Settings\###\Application Data\PC Tools
2007-11-03 20:16 786 --a------ C:\9048.bat
2007-11-03 19:57 786 --a------ C:\8142.bat
2007-11-03 18:45 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-03 18:45 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-03 18:45 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-03 17:46 <DIR> d-------- C:\Virtual
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BufferZone
2007-11-03 17:30 <DIR> d-------- C:\WINDOWS\E4153266612C460FAB94C9DB6802459A.TMP
2007-11-03 17:18 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-03 17:15 35,328 --a------ C:\WINDOWS\system32\wvututq.dll
2007-11-03 17:15 0 --a------ C:\z.dat
2007-11-03 14:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 14:23 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-26 07:31 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-25 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-25 12:31 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-25 12:31 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-25 12:29 <DIR> d-------- C:\Program Files\Bonjour
2007-10-25 12:17 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-25 11:14 <DIR> d-------- C:\Program Files\Microsoft Office Live
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-20 12:15 <DIR> d-------- C:\Documents and Settings\###\Incomplete
2007-10-20 12:14 <DIR> d-------- C:\Program Files\LimeWire
2007-10-20 11:42 <DIR> d-------- C:\Documents and Settings\###\Application Data\Microsoft Web Folders
2007-10-18 17:55 <DIR> d-------- C:\Documents and Settings\###\Application Data\Adssite Advanced Toolbar
2007-10-18 15:32 <DIR> d-------- C:\Documents and Settings\###\Shared
2007-10-18 15:32 <DIR> d-------- C:\Documents and Settings\###\Application Data\LimeWire
2007-10-10 15:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-09 12:54 --------- d-----w C:\Documents and Settings\###\Application Data\Skype
2007-11-05 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 09:46 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-03 22:08 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-26 07:31 --------- d-----w C:\Program Files\Common Files\Real
2007-10-26 07:30 499,712 ----a-w C:\WINDOWS\system32\msvcp71.dll
2007-10-26 07:30 348,160 ----a-w C:\WINDOWS\system32\msvcr71.dll
2007-10-25 22:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 12:23 --------- d-----w C:\Program Files\Java
2007-10-20 11:42 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-19 11:36 --------- d-----w C:\Program Files\rainlendar
2007-10-19 11:30 --------- d-----w C:\Program Files\iTunes
2007-10-19 11:27 --------- d-----w C:\Program Files\Digital Line Detect
2007-10-05 21:12 --------- d-----w C:\Program Files\Picasa2
2007-10-04 10:11 --------- d-----w C:\Program Files\RealPlayer
2007-09-27 07:42 --------- d-----w C:\Program Files\Real
2007-09-18 19:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-18 19:02 --------- d-----w C:\Program Files\Skype
2007-09-11 09:30 --------- d-----w C:\Documents and Settings\###\Application Data\Chessmaster Challenge
2007-09-11 09:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-08-27 11:26 27,120 ----a-w C:\WINDOWS\system32\SBBD.exe
2007-08-26 07:42 60,416 ----a-w C:\WINDOWS\system32\rbap350.dll
2007-08-26 07:42 54,784 ----a-w C:\WINDOWS\system32\RBQT350.DLL
2007-08-26 07:42 39,936 ----a-w C:\WINDOWS\system32\RBShell350.dll
2007-08-26 07:42 25,600 ----a-w C:\WINDOWS\system32\ecryptstrong.dll
2007-08-26 07:42 18,944 ----a-w C:\WINDOWS\system32\ecrypt.dll
2007-08-26 07:42 170,496 ----a-w C:\WINDOWS\system32\plugin.dll
2007-08-21 06:15 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-08-21 06:15 683,520 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
2007-08-20 10:04 824,832 ------w C:\WINDOWS\system32\dllcache\wininet.dll
2007-08-20 10:04 671,232 ------w C:\WINDOWS\system32\dllcache\mstime.dll
2007-08-20 10:04 63,488 ------w C:\WINDOWS\system32\dllcache\icardie.dll
2007-08-20 10:04 6,058,496 ------w C:\WINDOWS\system32\dllcache\ieframe.dll
2007-08-20 10:04 52,224 ------w C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-08-20 10:04 477,696 ------w C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-08-20 10:04 459,264 ------w C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-08-20 10:04 44,544 ------w C:\WINDOWS\system32\dllcache\iernonce.dll
2007-08-20 10:04 384,512 ------w C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-08-20 10:04 383,488 ------w C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-08-20 10:04 3,584,512 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2007-08-20 10:04 27,648 ------w C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-08-20 10:04 267,776 ------w C:\WINDOWS\system32\dllcache\iertutil.dll
2007-08-20 10:04 232,960 ------w C:\WINDOWS\system32\dllcache\webcheck.dll
2007-08-20 10:04 230,400 ------w C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-08-20 10:04 214,528 ------w C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-08-20 10:04 193,024 ------w C:\WINDOWS\system32\dllcache\msrating.dll
2007-08-20 10:04 153,088 ------w C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-08-20 10:04 132,608 ------w C:\WINDOWS\system32\dllcache\extmgr.dll
2007-08-20 10:04 124,928 ------w C:\WINDOWS\system32\dllcache\advpack.dll
2007-08-20 10:04 105,984 ------w C:\WINDOWS\system32\dllcache\url.dll
2007-08-20 10:04 102,400 ------w C:\WINDOWS\system32\dllcache\occache.dll
2007-08-20 10:04 1,152,000 ------w C:\WINDOWS\system32\dllcache\urlmon.dll
2007-08-17 10:21 625,152 ------w C:\WINDOWS\system32\dllcache\iexplore.exe
2007-08-17 10:20 63,488 ------w C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-08-17 10:20 13,824 ------w C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-08-17 07:34 161,792 ------w C:\WINDOWS\system32\dllcache\ieakui.dll
2007-05-31 03:19 37,873,216 ----a-w C:\Program Files\iTunesSetup.exe
2006-03-20 13:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-09_ 8.21.42.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-08 07:22:23 102,400 ----a-r C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe
+ 2007-11-09 11:31:43 102,400 ----a-r C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BCC73622-F72D-4277-803C-D65565A0947F}]
2007-11-03 17:15 35328 --a------ C:\WINDOWS\system32\wvututq.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\###\Start Menu\Programs\Startup\
Shortcut to Rainlendar.lnk - C:\Program Files\rainlendar\Rainlendar.exe [2007-05-31 02:32:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-05-30 22:22:16]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BCC73622-F72D-4277-803C-D65565A0947F}"= C:\WINDOWS\system32\wvututq.dll [2007-11-03 17:15 35328]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvututq]
wvututq.dll 2007-11-03 17:15 35328 C:\WINDOWS\system32\wvututq.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ddaax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SNM"=C:\Program Files\SpyNoMore\SNM.exe /startup

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 07:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-05-30 22:20:26 C:\WINDOWS\Tasks\BMMTask.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 13:30:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 13:33:48 - machine was rebooted
.
--- E O F ---


File/Folder C:\WINDOWS\system32\geede.dll not found.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\gvmiliyu.dll
C:\WINDOWS\system32\gvmiliyu.dll NOT unregistered.
C:\WINDOWS\system32\gvmiliyu.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\wvututq.dll
C:\WINDOWS\system32\wvututq.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\wvututq.dll scheduled to be moved on reboot.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mjgnkhxj.dll
C:\WINDOWS\system32\mjgnkhxj.dll NOT unregistered.
C:\WINDOWS\system32\mjgnkhxj.dll moved successfully.
C:\WINDOWS\system32\xgfnuxmv.dll unregistered successfully.
C:\WINDOWS\system32\xgfnuxmv.dll moved successfully.
C:\WINDOWS\system32\nexxawso.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\mlemprdx.dll
C:\WINDOWS\system32\mlemprdx.dll NOT unregistered.
C:\WINDOWS\system32\mlemprdx.dll moved successfully.
C:\WINDOWS\system32\hcwagqvx.dll unregistered successfully.
C:\WINDOWS\system32\hcwagqvx.dll moved successfully.
C:\WINDOWS\system32\jarebjuo.exe moved successfully.
C:\WINDOWS\system32\jnxyhtdn.dll unregistered successfully.
C:\WINDOWS\system32\jnxyhtdn.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\ykqojwjc.dll
C:\WINDOWS\system32\ykqojwjc.dll NOT unregistered.
C:\WINDOWS\system32\ykqojwjc.dll moved successfully.
C:\WINDOWS\system32\fweeyann.exe moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\exyiuqus.dll
C:\WINDOWS\system32\exyiuqus.dll NOT unregistered.
C:\WINDOWS\system32\exyiuqus.dll moved successfully.

Created on 11-09-2007 12:54:06
tallmark19
2007-11-08, 14:41
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:41, on 2007-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\rainlendar\Rainlendar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvnet.lv/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\wvututq.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\rainlendar\Rainlendar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180570546740
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: wvututq - C:\WINDOWS\SYSTEM32\wvututq.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5846 bytes
ken545
2007-11-08, 19:00
This file loves us, it doesn't want to leave.:red:
C:\WINDOWS\SYSTEM32\wvututq.dll


1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file Extract avenger.exe to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):



Files to Delete:
C:\WINDOWS\SYSTEM32\wvututq.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done
Now click on the Green Light to begin execution of the script
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will Restart your computer. ( In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop, this is normal.
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply


Boot to safemode to remove these with HJT as something in normal windows is preventing there deletions.

To Enter Safemode

Go to Start> Shut off your Computer> Restart
As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
this will bring up a menu.
Use the Up and Down Arrow Keys to scroll up to Safemode
Then press the Enter Key on your Keyboard

Tutorial if you need it How to boot into Safemode (http://www.bleepingcomputer.com/tutorials/tutorial61.html)


Remove these with HJT.

O2 - BHO: (no name) - {BCC73622-F72D-4277-803C-D65565A0947F} - C:\WINDOWS\system32\wvututq.dll

O20 - Winlogon Notify: wvututq - C:\WINDOWS\SYSTEM32\wvututq.dll



Reboot and post the Avenger log and a New HJT log please
tallmark19
2007-11-08, 20:34
if this file is missing now from the reports, does it mean my "baby" is clean and safe again?


Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\hcvetewp

*******************

Script file located at: \??\C:\Documents and Settings\ssxnfjl^.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\SYSTEM32\wvututq.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:23, on 2007-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\Explorer.EXE
C:\Hijackthis\scanner.exe
C:\WINDOWS\system32\ctfmon.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvnet.lv/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {409D9C01-8333-4656-B1B7-1D7D672873F5} - C:\WINDOWS\system32\sstro.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\rainlendar\Rainlendar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180570546740
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5054 bytes
tallmark19
2007-11-08, 23:06
uhhh, seems nothing is over as all the row is back... starting pop-ups and ending with some really frustrating Security alerts at the bottom and Security toolbar at IE... :sad:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:04, on 2007-11-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\rainlendar\Rainlendar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\Macromedia\Fireworks 4\Fireworks 4.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\system32\xvmauxkc.exe
C:\WINDOWS\system32\rundll32.exe
C:\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvnet.lv/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\zhzdgcfc.dll
O2 - BHO: (no name) - {FCA952DB-A2F1-4C78-893A-E523ED310353} - C:\WINDOWS\system32\sstro.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\zhzdgcfc.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\rainlendar\Rainlendar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180570546740
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: zhzdgcfc - C:\WINDOWS\SYSTEM32\zhzdgcfc.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\xvmauxkc.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 6409 bytes
ken545
2007-11-09, 00:28
Your log looks a lot better but is far from clean, what you have is a Vundo trojan infection and this most times is pretty straight forward removing it. Lets go back and try again, what I need you to do is to delete Combofix and Vundo fix and download them again as they are updated on a regular basis.

Download VundoFix (http://www.atribune.org/ccount/click.php?id=4 ) to your desktop

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.



We also need to rescan with Combofix as you have a marker in your log for CMD service that may be letting this garbage in and Combofix will remove it.

Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall



Let me see the Vundofix log , the Combofix log and a new HJT log please
tallmark19
2007-11-09, 01:12
VundoFix V6.5.11

Checking Java version...

Scan started at 23:46:03 2007-11-08

Listing files found while scanning....

C:\WINDOWS\system32\zhzdgcfc.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\zhzdgcfc.dll
C:\WINDOWS\system32\zhzdgcfc.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\zhzdgcfc.dll
C:\WINDOWS\system32\zhzdgcfc.dll Has been deleted!

Performing Repairs to the registry.
Done!



ComboFix 07-11-08.1 - ### 2007-11-08 23:57:35.5 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.448 [GMT 0:00]
Running from: C:\Documents and Settings\###\Desktop\ComboFix.exe
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\###\Desktop\Live Safety Center.lnk
C:\Documents and Settings\###\Desktop\Online Security Guide.lnk
C:\Documents and Settings\###\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\ortss.bak2
C:\WINDOWS\system32\ortss.ini
C:\WINDOWS\system32\sstro.dll
C:\WINDOWS\system32\zhzdgcfc.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-09 to 2007-11-09 )))))))))))))))))))))))))))))))
.

2007-11-09 19:09 60,416 --a------ C:\WINDOWS\system32\drivers\gc^pbfmp.sys
2007-11-09 08:26 <DIR> d-------- C:\VundoFix Backups
2007-11-09 07:52 <DIR> d-------- C:\Hijackthis
2007-11-08 23:50 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-11-08 22:40 3,650 --a------ C:\WINDOWS\system32\tmp.reg
2007-11-08 22:39 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2007-11-08 22:39 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-11-08 22:39 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-11-08 22:39 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-11-08 22:39 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2007-11-08 22:10 86,080 --a------ C:\WINDOWS\system32\qcygelof.dll
2007-11-08 22:07 80,448 --a------ C:\WINDOWS\system32\xeaptnlp.dll
2007-11-08 22:01 145,984 --a------ C:\WINDOWS\system32\njnfbfru.dll
2007-11-08 21:58 71,232 --a------ C:\WINDOWS\system32\xvmauxkc.exe
2007-11-08 19:34 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-08 19:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-07 18:38 79,936 --a------ C:\WINDOWS\system32\ebefpihl.dll
2007-11-07 18:35 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-07 18:30 2,624 --a------ C:\WINDOWS\system32\SBRC.dat
2007-11-04 07:34 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2007-11-04 00:26 15,544 --a------ C:\WINDOWS\system32\drivers\sbhr.sys
2007-11-04 00:25 <DIR> d-------- C:\Documents and Settings\###\Application Data\Sunbelt Software
2007-11-04 00:25 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sunbelt Software
2007-11-04 00:19 <DIR> d-------- C:\Program Files\Sunbelt Software
2007-11-04 00:17 11,254 --a------ C:\WINDOWS\system32\locate.com
2007-11-03 22:47 <DIR> d-------- C:\Program Files\Yahoo!
2007-11-03 22:46 <DIR> d-------- C:\Program Files\CCleaner
2007-11-03 22:08 1,152 --a------ C:\WINDOWS\system32\windrv.sys
2007-11-03 20:42 786 --a------ C:\3284.bat
2007-11-03 20:31 <DIR> d-------- C:\Documents and Settings\###\Application Data\PC Tools
2007-11-03 20:16 786 --a------ C:\9048.bat
2007-11-03 19:57 786 --a------ C:\8142.bat
2007-11-03 18:45 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-11-03 18:45 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-11-03 18:45 24,064 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-11-03 17:46 <DIR> d-------- C:\Virtual
2007-11-03 17:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BufferZone
2007-11-03 17:30 <DIR> d-------- C:\WINDOWS\E4153266612C460FAB94C9DB6802459A.TMP
2007-11-03 17:18 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-03 17:15 0 --a------ C:\z.dat
2007-11-03 14:23 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-03 14:23 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-10-26 07:31 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-10-25 13:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-10-25 12:31 2,463,976 --a------ C:\WINDOWS\system32\NPSWF32.dll
2007-10-25 12:31 190,696 --a------ C:\WINDOWS\system32\NPSWF32_FlashUtil.exe
2007-10-25 12:29 <DIR> d-------- C:\Program Files\Bonjour
2007-10-25 12:17 <DIR> d-------- C:\Program Files\Common Files\Macrovision Shared
2007-10-25 11:14 <DIR> d-------- C:\Program Files\Microsoft Office Live
2007-10-25 10:26 53,248 --a------ C:\WINDOWS\bdoscandel.exe
2007-10-20 12:15 <DIR> d-------- C:\Documents and Settings\###\Incomplete
2007-10-20 12:14 <DIR> d-------- C:\Program Files\LimeWire
2007-10-20 11:42 <DIR> d-------- C:\Documents and Settings\###\Application Data\Microsoft Web Folders
2007-10-18 17:55 <DIR> d-------- C:\Documents and Settings\###\Application Data\Adssite Advanced Toolbar
2007-10-18 15:32 <DIR> d-------- C:\Documents and Settings\###\Shared
2007-10-18 15:32 <DIR> d-------- C:\Documents and Settings\###\Application Data\LimeWire
2007-10-10 15:16 582,656 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-08 22:20 --------- d-----w C:\Documents and Settings\###\Application Data\Skype
2007-11-05 17:43 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-04 09:46 22 ----a-w C:\WINDOWS\Fonts\a.zip
2007-11-03 22:08 --------- d-----w C:\Program Files\Common Files\Download Manager
2007-10-26 07:31 --------- d-----w C:\Program Files\Common Files\Real
2007-10-25 22:37 --------- d-----w C:\Program Files\Common Files\Adobe
2007-10-22 12:23 --------- d-----w C:\Program Files\Java
2007-10-20 11:42 --------- d-----w C:\Program Files\microsoft frontpage
2007-10-19 11:36 --------- d-----w C:\Program Files\rainlendar
2007-10-19 11:30 --------- d-----w C:\Program Files\iTunes
2007-10-19 11:27 --------- d-----w C:\Program Files\Digital Line Detect
2007-10-05 21:12 --------- d-----w C:\Program Files\Picasa2
2007-10-04 10:11 --------- d-----w C:\Program Files\RealPlayer
2007-09-27 07:42 --------- d-----w C:\Program Files\Real
2007-09-18 19:18 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-18 19:02 --------- d-----w C:\Program Files\Skype
2007-09-11 09:30 --------- d-----w C:\Documents and Settings\###\Application Data\Chessmaster Challenge
2007-09-11 09:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-05-31 03:19 37,873,216 ----a-w C:\Program Files\iTunesSetup.exe
2006-03-20 13:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-09_ 8.21.42.52 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-09-08 07:22:23 102,400 ----a-r C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe
+ 2007-11-09 11:31:43 102,400 ----a-r C:\WINDOWS\Installer\{B8A204BC-7177-470E-BBDD-47256D05B325}\iTunesIco.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eda2d6ca-916b-4f12-a141-11533b61fdb4}]
2007-11-08 22:07 80448 --a------ C:\WINDOWS\system32\xeaptnlp.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-10-26 07:30]
"001b5e8e"="C:\WINDOWS\system32\qcygelof.dll" [2007-11-08 22:10]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:56]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Picasa Media Detector"=C:\Program Files\Picasa2\PicasaMediaDetector.exe

C:\Documents and Settings\###\Start Menu\Programs\Startup\
Shortcut to Rainlendar.lnk - C:\Program Files\rainlendar\Rainlendar.exe [2007-05-31 02:32:17]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-05-30 22:22:16]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 14:05:56]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\sstro.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"SNM"=C:\Program Files\SpyNoMore\SNM.exe /startup

R0 SBHR;SBHR;C:\WINDOWS\system32\drivers\sbhr.sys
R1 TPPWR;TPPWR;C:\WINDOWS\system32\drivers\Tppwr.sys
R2 ousbehci;OrangeWare USB Enhanced Host Controller Service;C:\WINDOWS\system32\Drivers\ousbehci.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys
R3 SBAPIFS;SBAPIFS;\??\C:\WINDOWS\system32\drivers\sbapifs.sys
S3 SNP2STD;USB2.0 PC Camera (SNP2STD);C:\WINDOWS\system32\DRIVERS\snp2sxp.sys

*Newly Created Service* - SBAPIFS
.
Contents of the 'Scheduled Tasks' folder
"2007-10-06 07:11:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
"2007-05-30 22:20:26 C:\WINDOWS\Tasks\BMMTask.job"
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-09 00:06:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-09 0:09:27 - machine was rebooted
.
--- E O F ---
tallmark19
2007-11-09, 01:13
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 00:10, on 2007-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\rainlendar\Rainlendar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvnet.lv/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {4bdf16b3-3511-141a-21f4-b619ac6d2ade} - {eda2d6ca-916b-4f12-a141-11533b61fdb4} - C:\WINDOWS\system32\xeaptnlp.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [001b5e8e] rundll32.exe "C:\WINDOWS\system32\qcygelof.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\rainlendar\Rainlendar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180570546740
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5881 bytes
ken545
2007-11-09, 03:50
Open up Vundofix and click on Scan for Vundo, when its done, right click inside the box and copy and paste these in.
C:\WINDOWS\system32\xvmauxkc.exe
C:\WINDOWS\system32\xeaptnlp.dll
C:\WINDOWS\system32\sstro.dll
C:\WINDOWS\system32\qcygelof.dll
C:\WINDOWS\system32\njnfbfru.dll

Then click on Remove Vundo.


Open Hijackthis and remove these entries.
O2 - BHO: {4bdf16b3-3511-141a-21f4-b619ac6d2ade} - {eda2d6ca-916b-4f12-a141-11533b61fdb4} - C:\WINDOWS\system32\xeaptnlp.dll
O4 - HKLM\..\Run: [001b5e8e] rundll32.exe "C:\WINDOWS\system32\qcygelof.dll",b





REGEDIT4

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{eda2d6ca-916b-4f12-a141-11533b61fdb4}]
2007-11-08 22:07 80448 --a------ C:\WINDOWS\system32\xeaptnlp.dll


Copy the entire contents inside the Quote box and Paste it into Notepad ( this will only work with Notepad ) name the file Regfix.reg and in the drop down box, save it as All Files. Save it to your desktop. Then Rightclick on the Regfix.reg file and click on Merge, when it asks you to merge with the Registry, say yes.

If you saved the file correctly it should look like this http://i24.photobucket.com/albums/c30/ken545/reg.jpg


Let me see the new Vundolog and a New HJT log please
tallmark19
2007-11-09, 09:09
Morning,

one of the files u listed could not be found... (the sstro.dll)


VundoFix V6.5.11

Checking Java version...

Scan started at 07:44:26 2007-11-09

Listing files found while scanning....

No infected files were found.


Beginning removal...

Attempting to delete C:\WINDOWS\system32\njnfbfru.dll
C:\WINDOWS\system32\njnfbfru.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qcygelof.dll
C:\WINDOWS\system32\qcygelof.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xeaptnlp.dll
C:\WINDOWS\system32\xeaptnlp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xvmauxkc.exe
C:\WINDOWS\system32\xvmauxkc.exe Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 08:01, on 2007-11-09
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\ibmpmsvc.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\S24EvMon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
C:\Program Files\CA\eTrust Antivirus\InoRT.exe
C:\Program Files\CA\eTrust Antivirus\InoTask.exe
C:\WINDOWS\System32\RegSrvc.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\rainlendar\Rainlendar.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Hijackthis\scanner.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.tvnet.lv/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://go.microsoft.com/fwlink/?LinkId=74005
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - Startup: Shortcut to Rainlendar.lnk = C:\Program Files\rainlendar\Rainlendar.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O11 - Options group: [JAVA_IBM] Java (IBM)
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1180570546740
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: IBM PM Service (IBMPMSVC) - Unknown owner - C:\WINDOWS\system32\ibmpmsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: eTrust Antivirus RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRpc.exe
O23 - Service: eTrust Antivirus Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoRT.exe
O23 - Service: eTrust Antivirus Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust Antivirus\InoTask.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: RegSrvc - Intel Corporation - C:\WINDOWS\System32\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\WINDOWS\System32\S24EvMon.exe
O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe

--
End of file - 5642 bytes


btw - on my desktop already for some time new folder "backups" with 1 kb files has been created. is that ok?
ken545
2007-11-09, 13:25
Wahoo , your log is clean :bigthumb: You did very well. Whats the name of the backup folder, does it just say backups? Open it and see whats inside.



Go to Start > Run and copy and paste ComboFix /u into the box
Make sure there's a space between Combofix and /
Then hit enter.


This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

You can also drag Vundofix to the trash.


Your Java is out of date and leaving your system vulnerable.
Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
It should have an icon next to it:
http://users.telenet.be/bluepatchy/miekiemoes/images/javaicon.jpg
Select it and click Remove.
Reboot your system.
Then go to the Sun Microsystems (http://www.java.com/en/download/manual.jsp) and install the update
Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
If you chose the online installation, it will prompt you to run the program.
If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
Then after install you can verify your installation here Sun Java Verify (http://www.java.com/en/download/manual.jsp)
I like to to do the offline installation and save the setup file in case I may need it in the future



How are things running now??
tallmark19
2007-11-11, 00:47
Hurreeeeee, it really works much faster now and haven't seen any of the side effects anymore. Thank you so much for helping. ;)
ken545
2007-11-11, 07:00
Thats great, glad things are better for you :bigthumb:



Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place ? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
Geeks To Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)




Here are some free programs to install, these are must haves to help keep you secure

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts.

Win Patrol (http://www.winpatrol.com/download.html) This program will warn you when any changes are being made to your system and give
you the option to deny the change.

IE-Spyad (http://forums.windowsforum.org/index.php?showtopic=6640)
IE-Spyad places over 4000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads
(cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and
painless download and install, it will no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs, I
wouldn't access the internet without it.



Glad we could help

Safe Surfn
Ken