smitfraud-c.toolbar and many virus

Stambo
2006-11-25, 10:06
Hi Team
I really hope someone can help me, I've been trying for 3 days to get rid of this thing.
I have run at various stages, in various orders, in safe and standard mode, smitfix, smitrem, spybot, adaware, avg antispyware, avg antivirus, atf cleaner and panda activescan.
All updated where required. I think that's all of them.
Just when I think I have been successful avg antivirus says threat detected.
I use winroute firewall/router, avg antivirus and avg antispyware. I have disconnected home network so kids machines don't get infected but I'll have a riot on my hands before too long if they can't go on the net.

Logfile of HijackThis v1.99.1
Scan saved at 8:58:16 p.m., on 25/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe
C:\Program Files\Dynalink\Adsl\dslstat.exe
C:\Program Files\Dynalink\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
D:\Program Files\ZEngine\Zboard.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\WINDOWS\system32\NOTEPAD.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe
C:\Documents and Settings\Gerard\Desktop\HiJack\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tshoot
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Dynalink\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [Zboard] D:\Program Files\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152271545046
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe

Mr_JAk3
2006-11-25, 17:22
Hi Stambo and welcome to Safer Networking Forums :)

You got some infections there...

Please rename HijackThis.exe to Scanner.exe

Then post a fresh HijackThis (scanner.exe) log here

Stambo
2006-11-25, 23:00
New hijackthis (scanner) log as requested.

Logfile of HijackThis v1.99.1
Scan saved at 9:58:44 a.m., on 26/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe
C:\Program Files\Dynalink\Adsl\dslstat.exe
C:\Program Files\Dynalink\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\CTHELPER.EXE
D:\Program Files\ZEngine\Zboard.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Firefox\firefox.exe
C:\Documents and Settings\Gerard\Desktop\HiJack\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tshoot
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\System32\oubsweov.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\Documents and Settings\Gerard\Local Settings\Application Data\vorenbj.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\Flipalbum5.5\fplaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CE00539E-C410-49D0-B842-4738E69612A6} - C:\WINDOWS\System32\vtstt.dll
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - C:\WINDOWS\System32\byxutsq.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Dynalink\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [Zboard] D:\Program Files\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152271545046
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{624FB182-053D-4CE9-9FBD-F854EF387264}: NameServer = 60.234.1.1 60.234.2.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: byxutsq - C:\WINDOWS\SYSTEM32\byxutsq.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\System32\vtstt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe

Stambo
2006-11-25, 23:34
Also, while I'm offline something appears to try to access the internet every 5 minutes.
I get this message.
Cheers
Stambo

Mr_JAk3
2006-11-26, 09:46
Ok let's begin the cleaning process :)

First, we'll have to disable the AVG Anti-Spyware guard since it may interfere with our cleaning (we can enable it when you're clean)
Open AVG Anti-Spyware
Click Shield
Click under "resident shield is"
Change it to inactive
Close AVG Anti-Spyware

Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Stambo
2006-11-26, 11:33
Logs as requested
I have been doing some windows updates, then I realised perhaps I should wait till all infections are removed. I hope I haven't caused more problems.

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 10:23:50 p.m. 26/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\ttstv.ini
C:\WINDOWS\System32\ttstv.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\vtstt.dll
C:\WINDOWS\System32\vtstt.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ttstv.ini
C:\WINDOWS\System32\ttstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ttstv.bak1
C:\WINDOWS\System32\ttstv.bak1 Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 10:28:59 p.m., on 26/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Dynalink\Adsl\dslstat.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Dynalink\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe
D:\Program Files\ZEngine\Zboard.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Firefox\firefox.exe
C:\Documents and Settings\Gerard\Desktop\HiJack\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tshoot
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\System32\oubsweov.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\Documents and Settings\Gerard\Local Settings\Application Data\vorenbj.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\Flipalbum5.5\fplaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - C:\WINDOWS\System32\byxutsq.dll
O2 - BHO: (no name) - {E4E6286A-4C2F-48FA-ACBB-970EC4C03647} - C:\WINDOWS\System32\vtstt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Dynalink\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [Zboard] D:\Program Files\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152271545046
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{624FB182-053D-4CE9-9FBD-F854EF387264}: NameServer = 60.234.1.1 60.234.2.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: byxutsq - C:\WINDOWS\SYSTEM32\byxutsq.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe

Mr_JAk3
2006-11-26, 21:47
Hi again :)

Please don't install Service Pack 2 update yet. We can install it when we have got you cleaned...

Before we continue I would like you to do something for me...
I need you to upload a few malware files for further inspection.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then OK, and close My Computer.
Please go here (http://www.uploadmalware.com/) to upload a suspicious file for analysis.
Enter your username from this forum
Copy and paste the link to this thread
Click "Browse" on the first field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\byxutsq.dll
Click "Browse" on the second field.
Browse to the following file and click the file with your mouse, press "Open"
C:\WINDOWS\system32\wineak32.dll

In the comments, please mention that I asked you to upload this file
Click on Send File
Please let me know when you have done this and then we'll get you cleaned :bigthumb:

Stambo
2006-11-27, 06:36
Files sent as requested.
:oops: I sent the files before reading that I should enter info in the comments field.


Cheers
Stambo

Mr_JAk3
2006-11-27, 11:24
Thanks for the upload :)

Run vundofix again:
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once the scan is complete, Right Click inside the listbox (white box) and click add more files
Copy&Paste the 3 entries below into the top 3 boxes
C:\WINDOWS\system32\byxutsq.dll
C:\WINDOWS\system32\qstuxyb.*
C:\WINDOWS\system32\wineak32.dll
Click Add Files and Click Close Window
Click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
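
The helper is reading the O2, O20 and O4 lines of the posted logs when he reaches for VundoFix: the same random-named DLLs are hooked both as a BHO and as a Winlogon Notify handler, and the VundoFix output shows each DLL's sidecar .ini/.bak1 files named with the DLL stem reversed (vtstt.dll next to ttstv.ini; the requested qstuxyb.* is byxutsq reversed). As an added example, not code from this thread or from HijackThis or VundoFix, here is a Python triage script that flags those entry types on a sample built from the posted lines, correlates the doubly-hooked DLLs and derives the reversed-name companion files; the allowlist of legitimate Winlogon Notify handlers (just WgaLogon) is an assumption taken from the posted logs.

```python
"""Triage a HijackThis 1.99 log for the Vundo-style entries seen in this thread.

Heuristics (assumptions drawn from the log lines posted in the thread):
  * O2  - an unnamed BHO ("(no name)") loaded from System32
  * O20 - a Winlogon Notify handler that is not the one legitimate entry
          in the posted logs (WgaLogon)
  * O4  - a rundll32 autorun whose value name is the DLL file name itself
  * the same DLL hooked both as a BHO and as a Winlogon Notify handler
"""
import re

# Constructed sample: an abridged mix of entries in the shape of the posted logs.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\System32\oubsweov.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CE00539E-C410-49D0-B842-4738E69612A6} - C:\WINDOWS\System32\vtstt.dll
O2 - BHO: (no name) - {D4FAE274-4AB4-43E4-AD48-0CEA6D6C4F65} - C:\WINDOWS\System32\byxutsq.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\vvdkkpe.dll,agkxvbc
O20 - Winlogon Notify: byxutsq - C:\WINDOWS\SYSTEM32\byxutsq.dll
O20 - Winlogon Notify: vtstt - C:\WINDOWS\System32\vtstt.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<guid>[0-9A-Fa-f-]+)\} - "
                   r"(?P<path>.+?)(?: \(file missing\))?$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+?)(?: \(file missing\))?$")

# Assumption: the only legitimate O20 handler in the posted logs.
KNOWN_NOTIFY = {"wgalogon.dll"}


def basename(path):
    """Lower-cased file name from a Windows path (or a bare file name)."""
    return path.rsplit("\\", 1)[-1].lower()


def in_system32(path):
    return "\\system32\\" in path.lower()


def triage(log_text):
    """Return (findings, correlated): findings are (section, dll, reason)
    tuples; correlated lists DLLs hooked as both BHO and Winlogon Notify."""
    findings = []
    bho_dlls, notify_dlls = set(), set()
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            dll = basename(m["path"])
            bho_dlls.add(dll)
            if m["name"] == "(no name)" and in_system32(m["path"]):
                findings.append(("O2", dll, "unnamed BHO loaded from System32"))
            continue
        m = O20_RE.match(line)
        if m:
            dll = basename(m["path"])
            notify_dlls.add(dll)
            if dll not in KNOWN_NOTIFY:
                findings.append(("O20", dll, "non-standard Winlogon Notify handler"))
            continue
        m = O4_RE.match(line)
        if m and "rundll32" in m["cmd"].lower() and m["value"].lower().endswith(".dll"):
            findings.append(("O4", m["value"].lower(),
                             "rundll32 autorun whose value name is the DLL itself"))
    return findings, sorted(bho_dlls & notify_dlls)


def companion_names(dll_name):
    """Sidecar files VundoFix removed alongside each DLL in the thread: the DLL
    stem reversed, as .ini and .bak1 (vtstt.dll -> ttstv.ini, ttstv.bak1; the
    helper's 'qstuxyb.*' is byxutsq reversed)."""
    rev = dll_name.lower().rsplit(".", 1)[0][::-1]
    return [f"{rev}.ini", f"{rev}.bak1"]


if __name__ == "__main__":
    findings, correlated = triage(SAMPLE_LOG)
    for section, dll, reason in findings:
        print(f"{section:<4}{dll:<16}{reason}")
    for dll in correlated:
        print(f"hooked twice: {dll}; also look for {', '.join(companion_names(dll))}")
```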

Stambo
2006-11-27, 11:49
VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 10:23:50 p.m. 26/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\ttstv.ini
C:\WINDOWS\System32\ttstv.bak1

Beginning removal...

Attempting to delete C:\WINDOWS\System32\vtstt.dll
C:\WINDOWS\System32\vtstt.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ttstv.ini
C:\WINDOWS\System32\ttstv.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ttstv.bak1
C:\WINDOWS\System32\ttstv.bak1 Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.2.11

Checking Java version...

Java version is 1.5.0.6

Java version is 1.5.0.8

Java version is 1.5.0.9

Scan started at 10:38:33 p.m. 27/11/2006

Listing files found while scanning....

C:\WINDOWS\System32\hjkkj.ini
C:\WINDOWS\System32\hjkkj.bak1

Beginning removal...

Beginning removal...

Attempting to delete C:\WINDOWS\System32\jkkjh.dll
C:\WINDOWS\System32\jkkjh.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\hjkkj.ini
C:\WINDOWS\System32\hjkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\hjkkj.bak1
C:\WINDOWS\System32\hjkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\byxutsq.dll
C:\WINDOWS\system32\byxutsq.dll Has been deleted!

Performing Repairs to the registry.
Done!

Logfile of HijackThis v1.99.1
Scan saved at 10:46:30 p.m., on 27/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe
C:\WINDOWS\System32\ishost.exe
C:\Program Files\Dynalink\Adsl\dslstat.exe
C:\WINDOWS\System32\ismini.exe
C:\Program Files\Dynalink\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
D:\Program Files\ZEngine\Zboard.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Common Files\{D0503DB9-072D-1033-0802-041031020040}\Update.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe
C:\WINDOWS\System32\wuauclt.exe
D:\Program Files\Firefox\firefox.exe
C:\Documents and Settings\Gerard\Desktop\HiJack\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tshoot
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\System32\oubsweov.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\System32\vorenbj.dll
O2 - BHO: (no name) - {4349A681-38AE-4ACF-9381-EA776242BA1E} - C:\WINDOWS\System32\jkkjh.dll (file missing)
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\Flipalbum5.5\fplaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30503~1\888Bar.dll
O2 - BHO: (no name) - {E4E6286A-4C2F-48FA-ACBB-970EC4C03647} - C:\WINDOWS\System32\vtstt.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30503~1\888Bar.dll
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Dynalink\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [Zboard] D:\Program Files\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\vvdkkpe.dll,agkxvbc
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe"
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152271545046
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{624FB182-053D-4CE9-9FBD-F854EF387264}: NameServer = 60.234.1.1 60.234.2.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe

Stambo
2006-11-27, 11:52
While taking the steps you gave me AVG antivirus is often coming up with threat detected. I have been clicking move to vault with all of these, I hope this is right.
Cheers
Stambo

Mr_JAk3
2006-11-27, 16:25
Hi again, we'll continue :)

You're not clean yet, so that is why AVG is warning you...

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware:
On the main screen, under Your Computer's security:
Click on Change state next to Resident shield. It should now change to inactive.
Click on Change state next to Automatic updates. It should now change to inactive.
Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
Wait until you see the Update successful message.
Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates (http://www.ewido.net/en/download/updates/).
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1) by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox (http://www.downloads.subratam.org/KillBox.zip).
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Uncheck "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

==================

Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:

888Bar
VSAdd-in

and any other programs you didn't install or don't recognize - if you're not sure, please ask first

Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

update.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list. Fix the O6 entries too if you haven't locked Internet Explorer settings with e.g. Spybot S&D.

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\System32\oubsweov.dll
O2 - BHO: (no name) - {099D0986-C204-F967-3343-00A64FA96FB9} - C:\WINDOWS\System32\vorenbj.dll
O2 - BHO: (no name) - {4349A681-38AE-4ACF-9381-EA776242BA1E} - C:\WINDOWS\System32\jkkjh.dll (file missing)
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30503~1\888Bar.dll
O2 - BHO: (no name) - {E4E6286A-4C2F-48FA-ACBB-970EC4C03647} - C:\WINDOWS\System32\vtstt.dll (file missing)
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O3 - Toolbar: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30503~1\888Bar.dll
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\vvdkkpe.dll,agkxvbc
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://zone.msn.com/bingame/popcaploader_v10.cab
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINDOWS\System32\oubsweov.dll
C:\WINDOWS\System32\vorenbj.dll
C:\WINDOWS\System32\vvdkkpe.dll
C:\WINDOWS\SYSTEM32\wineak32.dll

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
Restart your computer
Start tapping the F8 key when the computer restarts.
When the start menu opens, choose Safe mode
Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\Program Files\Common Files\{D0503DB9-072D-1033-0802-041031020040}
C:\Program Files\Common Files\{30503DB9-072D-1033-0802-041031020040}
C:\Program Files\VSAdd-in

Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

The tool may need to restart your computer to finish the cleaning process; if it doesn't, please restart it into Normal Windows.
A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.
The report can also be found at the root of the system drive, usually at C:\rapport.txt

Warning: running option #2 on a non-infected computer will remove your Desktop background.

Restart to the safe mode again.

Run ATF Cleaner. Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser, click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser, click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
Click on Scanner on the toolbar.
Click on the Settings tab.
Under How to act?
Click on Recommended Action and choose Quarantine from the popup menu.
Under How to scan?
All checkboxes should be ticked.
Under Possibly unwanted software:
All checkboxes should be ticked.
Under Reports:
Select Automatically generate report after every scan and uncheck Only if threats were found.
Under What to scan?
Select Scan every file.
Click on the Scan tab.
Click on Complete System Scan to start the scan process.
Let the program scan the machine.
When the scan has finished, follow the instructions below.
IMPORTANT: Don't click on the "Save Scan Report" button before you have hit the "Apply all Actions" button.
Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
At the bottom of the window click on the Apply all Actions button. (3)
http://img509.imageshack.us/img509/4851/scanavgjk2.jpg
When done, click the Save Scan Report button. (4)
Click the Save Report as button.
Save the report to your Desktop.
Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

================

When you're ready, please post the following logs to here:
- AVG's report
- a fresh HijackThis log
- contents of C:\Rapport.txt

Stambo
2006-11-27, 23:37
I have done as you asked but with a slight difference.
I use the Firefox browser, but when I ran ATF Cleaner the option for Firefox was greyed out so I could not select it. Instead I turned on the Firefox option to clear private data on exit. I believe this clears cache, history and temporary files.
I hope this was ok.
AVG is no longer detecting threats at this stage; this is good, right?? :) :)

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:12:06 a.m. 28/11/2006

+ Scan result:



Nothing found.


::Report end

SmitFraudFix v2.124

Scan done at 9:19:36.60, Tue 28/11/2006
Run from C:\Documents and Settings\Gerard\Desktop\Smitfix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in safe mode

»»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll

»»»»»»»»»»»»»»»»»»»»»»»» Killing process


»»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

GenericRenosFix by S!Ri


»»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

C:\WINDOWS\system32\ishost.exe Deleted
C:\WINDOWS\system32\ismini.exe Deleted

»»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


»»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

Registry Cleaning done.

»»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» End

Logfile of HijackThis v1.99.1
Scan saved at 10:22:26 a.m., on 28/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe
C:\Program Files\Dynalink\Adsl\dslstat.exe
C:\Program Files\Dynalink\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\CTHELPER.EXE
C:\WINDOWS\System32\rundll32.exe
D:\Program Files\ZEngine\Zboard.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Gerard\Desktop\HiJack\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tshoot
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\Flipalbum5.5\fplaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Dynalink\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [Zboard] D:\Program Files\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152271545046
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{624FB182-053D-4CE9-9FBD-F854EF387264}: NameServer = 60.234.1.1 60.234.2.2
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe

Does this mean I'm clean??
I hope so.
Thank you so much for your help so far, I think I will join the MRU so I can learn to help others. :2thumb:

Cheers
Stambo
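
An added example for the before/after logs in this thread (it is not the thread's own code, nor HijackThis'): a small Python triage script that parses HijackThis entry lines, flags the patterns Mr_JAk3 acted on above (unnamed BHOs, rundll32 Run entries loading a random-named DLL, IE policy restrictions, and "(file missing)" leftovers), and diffs the two logs to show which entries the fixes removed. The sample lines are copied from the logs posted above; the risk heuristics are the example's own assumptions, not HijackThis output.

```python
"""Triage and diff HijackThis v1.99 logs.

Added example for the thread; not part of the original posts and not
HijackThis' own code. Sample lines are copied from the logs posted in the
thread; the risk heuristics below are this example's assumptions.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: selected lines from the first (infected) log.
BEFORE_LOG = r"""
O2 - BHO: (no name) - {013A653B-49A6-4f76-8B68-E4875EA6BA54} - C:\WINDOWS\System32\oubsweov.dll
O2 - BHO: 888Bar - {C004DEC2-2623-438e-9CA2-C9043AB28508} - C:\PROGRA~1\COMMON~1\{30503~1\888Bar.dll
O3 - Toolbar: &VSAdd-in - {74DD705D-6834-439C-A735-A6DBE2677452} - C:\Program Files\VSAdd-in\VSAdd-in.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vvdkkpe.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\vvdkkpe.dll,agkxvbc
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineak32 - C:\WINDOWS\SYSTEM32\wineak32.dll
O20 - Winlogon Notify: winubg32 - winubg32.dll (file missing)
"""

# Constructed sample: the matching lines from the log posted after the fixes.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)
"""

# A HijackThis entry line: section code (R0..R3, O1..O23), " - ", then the body.
ENTRY_RE = re.compile(r"^(R[0-3]|O\d{1,2}) - (.*)$")
# DLL stem passed to rundll32, with or without a leading drive path.
RUNDLL_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+(?:"?[A-Za-z]:\\[^,"]*\\)?([^\\,"]+)\.dll,', re.I)
# Heuristic (assumption): all-lowercase stems with no vendor capitalisation look machine-generated.
RANDOM_NAME_RE = re.compile(r"[a-z]{6,}\d{0,2}")


def parse_log(text: str) -> List[Tuple[str, str]]:
    """Return (section, body) for every entry line; header/process lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group(1), m.group(2)))
    return entries


def triage(section: str, body: str) -> List[str]:
    """Reasons an entry deserves a look; an empty list means nothing matched."""
    reasons = []
    if "(file missing)" in body:
        reasons.append("points at a file that no longer exists: dead leftover, safe to fix")
    if section == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("unnamed Browser Helper Object: identify the DLL before trusting it")
    if section == "O4":
        m = RUNDLL_DLL_RE.search(body)
        if m and RANDOM_NAME_RE.fullmatch(m.group(1)):
            reasons.append("rundll32 loads a DLL with a random-looking name (heuristic)")
    if section == "O6":
        reasons.append("IE policy restrictions present: fine only if you set them yourself")
    return reasons


def flagged(text: str) -> Dict[str, List[str]]:
    """Map each flagged entry line to its reasons; clean entries are omitted."""
    out = {}
    for section, body in parse_log(text):
        reasons = triage(section, body)
        if reasons:
            out[f"{section} - {body}"] = reasons
    return out


def diff_logs(before: str, after: str) -> Dict[str, List[str]]:
    """Entries that disappeared ('removed') or appeared ('added') between two logs."""
    b, a = set(parse_log(before)), set(parse_log(after))
    fmt = lambda e: f"{e[0]} - {e[1]}"
    return {"removed": sorted(map(fmt, b - a)), "added": sorted(map(fmt, a - b))}


if __name__ == "__main__":
    for label, log in (("before", BEFORE_LOG), ("after", AFTER_LOG)):
        print(f"== entries worth a look ({label}) ==")
        for entry, reasons in flagged(log).items():
            print(entry)
            for r in reasons:
                print("   -", r)
    changes = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("== removed by the fixes ==", *changes["removed"], sep="\n")
    print("== new since the first log ==", *changes["added"], sep="\n")
```

Run it as a script to print both reports. Note what the pattern rules miss: the live wineak32.dll Winlogon Notify entry in the first log is caught only by the diff, not by any heuristic, because the file existed and the name does not look random; that is why the helper's judgement, not a signature, decided which lines to fix. After the fixes the only flagged entry is the dead wineak32 reference, the same leftover Mr_JAk3 asks to fix in the next post.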

Mr_JAk3
2006-11-28, 15:04
Hi again :)

Almost clean...

Nice to hear that you're interested in the university. :)

Fix the following leftover with HijackThis:
O20 - Winlogon Notify: wineak32 - wineak32.dll (file missing)

Reboot the computer.

1. Download this file - combofix.exe (http://download.bleepingcomputer.com/sUBs/combofix.exe)
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with one more HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Stambo
2006-11-29, 06:27
Gerard - 06-11-29 17:18:26.29 Service Pack 1
ComboFix 06.11.27W - Running from: "C:\Documents and Settings\Gerard\Desktop"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\components
C:\Program Files\Common Files\{30503DB9-072E-1033-0802-041031020040}
C:\Program Files\Common Files\{D0503DB9-072E-1033-0802-041031020040}


((((((((((((((((((((((((((((((( Files Created from 2006-10-29 to 2006-11-29 ))))))))))))))))))))))))))))))))))


2006-11-28 09:07 <DIR> d-------- C:\!KillBox
2006-11-26 22:29 40,973 ---hs---- C:\WINDOWS\system32\wvussrs.dll
2006-11-26 22:23 <DIR> d-------- C:\VundoFix Backups
2006-11-26 20:16 68,608 --a------ C:\WINDOWS\system32\mscms.dll
2006-11-26 20:16 316,928 --a------ C:\WINDOWS\system32\zipfldr.dll
2006-11-26 16:44 83,456 --a------ C:\WINDOWS\system32\mtxoci.dll
2006-11-26 16:44 68,608 --a------ C:\WINDOWS\system32\olecli32.dll
2006-11-26 16:44 64,512 --a------ C:\WINDOWS\system32\mtxclu.dll
2006-11-26 16:44 62,464 --a------ C:\WINDOWS\system32\colbact.dll
2006-11-26 16:44 535,552 --a------ C:\WINDOWS\system32\rpcrt4.dll
2006-11-26 16:44 497,152 --a------ C:\WINDOWS\system32\clbcatq.dll
2006-11-26 16:44 38,400 --a------ C:\WINDOWS\system32\grpconv.exe
2006-11-26 16:44 276,992 --a------ C:\WINDOWS\system32\rpcss.dll
2006-11-26 16:44 238,592 --a------ C:\WINDOWS\system32\tapisrv.dll
2006-11-26 16:44 227,328 --a------ C:\WINDOWS\system32\es.dll
2006-11-26 16:44 1,190,400 --a------ C:\WINDOWS\system32\ole32.dll
2006-11-26 16:44 1,179,136 --a------ C:\WINDOWS\system32\comsvcs.dll
2006-11-26 16:08 53,760 --a------ C:\WINDOWS\system32\authz.dll
2006-11-26 16:08 53,248 --a------ C:\WINDOWS\system32\spoolsv.exe
2006-11-26 16:07 82,432 --a------ C:\WINDOWS\system32\fldrclnr.dll
2006-11-26 16:07 700,928 --a------ C:\WINDOWS\system32\sxs.dll
2006-11-26 16:07 594,432 --a------ C:\WINDOWS\system32\xpsp2res.dll
2006-11-26 16:07 16,384 --a------ C:\WINDOWS\system32\linkinfo.dll
2006-11-26 15:57 92,224 --a------ C:\WINDOWS\system32\krnl386.exe
2006-11-26 15:57 35,648 --a------ C:\WINDOWS\system32\ntio411.sys
2006-11-26 15:57 35,424 --a------ C:\WINDOWS\system32\ntio412.sys
2006-11-26 15:57 34,560 --a------ C:\WINDOWS\system32\ntio804.sys
2006-11-26 15:57 34,560 --a------ C:\WINDOWS\system32\ntio404.sys
2006-11-26 15:57 33,840 --a------ C:\WINDOWS\system32\ntio.sys
2006-11-26 15:57 245,760 --a------ C:\WINDOWS\system32\wow32.dll
2006-11-26 15:57 23,040 --a------ C:\WINDOWS\system32\vdmdbg.dll
2006-11-26 15:57 13,312 --a------ C:\WINDOWS\system32\ntvdmd.dll
2006-11-26 12:50 98,304 --a------ C:\WINDOWS\system32\polstore.dll
2006-11-26 12:50 92,160 --a------ C:\WINDOWS\system32\cscdll.dll
2006-11-26 12:50 64,000 --a------ C:\WINDOWS\system32\webclnt.dll
2006-11-26 12:50 364,544 --a------ C:\WINDOWS\system32\ipsmsnap.dll
2006-11-26 12:50 334,848 --a------ C:\WINDOWS\system32\ipsecsnp.dll
2006-11-26 12:50 29,184 --a------ C:\WINDOWS\system32\winipsec.dll
2006-11-26 12:50 257,536 --a------ C:\WINDOWS\system32\oakley.dll
2006-11-26 12:50 159,744 --a------ C:\WINDOWS\system32\ipsecsvc.dll
2006-11-26 12:50 116,736 --a------ C:\WINDOWS\system32\shsvcs.dll
2006-11-25 19:47 1,762 --a------ C:\WINDOWS\system32\tmp.reg
2006-11-25 19:45 593,408 --a------ C:\WINDOWS\system32\h323msp.dll
2006-11-25 19:45 548,352 --a------ C:\WINDOWS\system32\rtcdll.dll
2006-11-25 19:45 439,808 --a------ C:\WINDOWS\system32\ipnathlp.dll
2006-11-25 19:45 36,864 --a------ C:\WINDOWS\system32\mf3216.dll
2006-11-25 16:45 <DIR> d-------- C:\WUTemp
2006-11-25 11:36 <DIR> d-------- C:\WINDOWS\CSC
2006-11-25 06:23 40,973 ---hs---- C:\WINDOWS\system32\hgggfdb.dll
2006-11-23 23:04 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2006-11-23 21:27 93,696 --a------ C:\WINDOWS\system32\oldvvdkkpe.dll
2006-11-23 21:25 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-23 20:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2006-11-23 17:23 <DIR> d-------- C:\WINDOWS\pss
2006-11-22 23:12 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2006-11-22 23:10 <DIR> d-------- C:\Documents and Settings\Gerard\.housecall6.6
2006-11-22 22:12 <DIR> d-------- C:\Program Files\Shockwave.com
2006-11-22 22:00 <DIR> d-------- C:\Bespelled
2006-11-18 17:58 <DIR> d-------- C:\WINDOWS\system32\appmgmt
2006-11-14 11:55 <DIR> d-------- C:\Documents and Settings\Gerard\Application Data\PlayFirst
2006-11-14 11:55 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PlayFirst
2006-11-11 18:24 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-11 18:24 18,240 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-11 14:38 <DIR> d-------- C:\Program Files\Microsoft Visual Studio
2006-11-11 14:38 <DIR> d-------- C:\Program Files\Common Files\designer
2006-11-11 14:27 843,024 --a------ C:\WINDOWS\system32\msjava.dll
2006-11-11 14:27 73,728 --a------ C:\WINDOWS\system32\msjdbc10.dll
2006-11-11 14:27 44,544 --a------ C:\WINDOWS\clspack.exe
2006-11-11 14:27 42,496 --a------ C:\WINDOWS\setdebug.exe
2006-11-11 14:27 361,744 --a------ C:\WINDOWS\system32\javart.dll
2006-11-11 14:27 32,528 --a------ C:\WINDOWS\system32\javaprxy.dll
2006-11-11 14:27 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2006-11-11 14:27 209,168 --a------ C:\WINDOWS\system32\javacypt.dll
2006-11-11 14:27 207,872 --a------ C:\WINDOWS\system32\vmhelper.dll
2006-11-11 14:27 155,920 --a------ C:\WINDOWS\system32\msawt.dll
2006-11-11 14:27 154,112 --a------ C:\WINDOWS\jview.exe
2006-11-11 14:27 147,456 --a------ C:\WINDOWS\wjview.exe
2006-11-11 14:27 140,048 --a------ C:\WINDOWS\system32\jit.dll
2006-11-11 14:27 14,848 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2006-11-11 14:27 135,168 --a------ C:\WINDOWS\system32\javaee.dll
2006-11-11 14:27 113 --a------ C:\WINDOWS\system32\zonedon.reg
2006-11-11 14:27 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2006-11-11 14:27 103,424 --a------ C:\WINDOWS\extrac32.exe
2006-11-08 22:08 <DIR> d-------- C:\Program Files\DebugMode
2006-11-07 23:39 761,856 --a------ C:\WINDOWS\system32\xvidcore.dll
2006-11-07 23:39 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
2006-11-07 23:39 <DIR> d-------- C:\Program Files\XviD
2006-11-05 21:55 <DIR> d-------- C:\Documents and Settings\Gerard\Application Data\EBookSys
2006-11-04 18:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2006-11-04 14:51 49,664 --a------ C:\WINDOWS\system32\vfwwdm32.dll
2006-11-04 14:51 46,080 --a------ C:\WINDOWS\system32\drivers\61883.sys
2006-11-04 14:51 36,224 --a------ C:\WINDOWS\system32\drivers\avc.sys
2006-11-04 00:49 <DIR> d-------- C:\Program Files\SmartFTP Client 2.0
2006-11-04 00:49 <DIR> d-------- C:\Documents and Settings\Gerard\Application Data\SmartFTP
2006-11-03 20:19 <DIR> d-------- C:\Program Files\Team Craxtion
2006-11-03 19:38 <DIR> d--h----- C:\WINDOWS\system32\GroupPolicy
2006-11-03 17:50 <DIR> d-------- C:\Program Files\Uniblue
2006-11-03 17:50 <DIR> d-------- C:\Documents and Settings\Gerard\Application Data\Registry Booster


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-29 17:18 -------- d-------- C:\Program Files\Common Files
2006-11-28 20:40 -------- d-------- C:\Program Files\Mozilla Thunderbird
2006-11-25 19:45 -------- d-------- C:\Program Files\NetMeeting
2006-11-25 12:33 -------- d-------- C:\Program Files\WinRAR
2006-11-25 12:32 -------- d-------- C:\Program Files\Spybot - Search & Destroy
2006-11-25 12:30 -------- d-------- C:\Program Files\Internet Explorer
2006-11-22 21:43 -------- d-------- C:\Program Files\Java
2006-11-21 21:23 -------- d-------- C:\Documents and Settings\Gerard\Application Data\.gaim
2006-11-19 22:56 -------- d-------- C:\Program Files\GameSpy Arcade
2006-11-19 18:37 -------- d-------- C:\Program Files\Web Publish
2006-11-19 18:37 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
2006-11-18 17:58 -------- d---s---- C:\Documents and Settings\Gerard\Application Data\Microsoft
2006-11-18 17:55 -------- d-------- C:\Documents and Settings\Gerard\Application Data\Hamachi
2006-11-18 17:54 -------- d-------- C:\Program Files\NCH Swift Sound
2006-11-15 20:06 11973 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2006-11-15 20:03 -------- d--h----- C:\Program Files\InstallShield Installation Information
2006-11-11 23:04 502 --a------ C:\Documents and Settings\Gerard\Application Data\dm.ini
2006-11-11 23:04 1090 --a------ C:\Documents and Settings\Gerard\Application Data\AdobeDLM.log
2006-11-11 18:24 816672 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-11 18:24 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-11 18:24 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-11 18:24 28416 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-10-20 17:44 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2006-10-19 22:43 10578 --a------ C:\WINDOWS\system32\drivers\hamachi.sys
2006-10-16 22:59 21840 --a----t- C:\WINDOWS\system32\SIntfNT.dll
2006-10-16 22:59 17212 --a----t- C:\WINDOWS\system32\SIntf32.dll
2006-10-16 22:59 12067 --a----t- C:\WINDOWS\system32\SIntf16.dll
2006-10-13 17:34 -------- d-------- C:\Documents and Settings\Gerard\Application Data\Ideazon
2006-10-13 17:14 -------- d-------- C:\Program Files\Zone Labs
2006-10-13 17:13 69632 --a------ C:\WINDOWS\system32\odbcconf.exe
2006-10-13 17:13 126976 --a------ C:\WINDOWS\system32\odbcconf.dll
2006-10-05 22:49 -------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2006-09-30 19:49 -------- d-------- C:\Documents and Settings\Gerard\Application Data\AVG7
2006-09-29 21:57 -------- d-------- C:\Program Files\No-IP
2006-09-24 20:38 73216 --a------ C:\WINDOWS\ST6UNST.EXE
2006-09-24 20:38 245760 --------- C:\WINDOWS\Setup1.exe
2006-09-15 19:10 19 --a------ C:\WINDOWS\TRWINUPD.DLL
2006-09-13 18:09 1110528 --a------ C:\WINDOWS\system32\msxml3.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"WrCtrl"="\"C:\\Program Files\\WinRoute\\WinRoute Firewall\\WrCtrl.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"DSLSTATEXE"="C:\\Program Files\\Dynalink\\Adsl\\dslstat.exe icon"
"DSLAGENTEXE"="C:\\Program Files\\Dynalink\\Adsl\\dslagent.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvCpl.dll,NvStartup"
"nwiz"="nwiz.exe /install"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"NvMediaCenter"="RunDLL32.exe NvMCTray.dll,NvTaskbarInit"
"WINDVDPatch"="CTHELPER.EXE"
"Jet Detection"="\"C:\\Program Files\\Creative\\SBLive\\PROGRAM\\ADGJDet.exe\""
"CAPON"="C:\\WINDOWS\\System32\\Spool\\Drivers\\w32x86\\3\\CAPONN.EXE"
"NWEReboot"=""
"Zboard"="D:\\Program Files\\ZEngine\\Zboard.exe"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe\""
"POINTER"="point32.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000004

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001
"DisableTaskMgr"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-11-29 17:18:43.68
C:\ComboFix.txt ... 06-11-29 17:18

Logfile of HijackThis v1.99.1
Scan saved at 5:21:03 p.m., on 29/11/2006
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe
C:\Program Files\Dynalink\Adsl\dslstat.exe
C:\Program Files\Dynalink\Adsl\dslagent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\System32\RunDLL32.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\System32\CTHELPER.EXE
D:\Program Files\ZEngine\Zboard.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Microsoft Hardware\Mouse\point32.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe
C:\Documents and Settings\Gerard\Desktop\HiJack\scanner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tshoot
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: FlpLauncher Class - {4401FDC3-7996-4774-8D2B-C1AE9CD6CC25} - D:\Program Files\Flipalbum5.5\fplaunch.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\Dynalink\Adsl\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\Dynalink\Adsl\dslagent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKLM\..\Run: [Jet Detection] "C:\Program Files\Creative\SBLive\PROGRAM\ADGJDet.exe"
O4 - HKLM\..\Run: [CAPON] C:\WINDOWS\System32\Spool\Drivers\w32x86\3\CAPONN.EXE
O4 - HKLM\..\Run: [Zboard] D:\Program Files\ZEngine\Zboard.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [POINTER] point32.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/StagingUI.cab46479.cab
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {2EB1E425-74DC-4DC0-A9E1-03A4C852E1F2} (CPlayFirstTriJinxControl Object) - http://zone.msn.com/bingame/trix/default/TriJinx.1.0.0.67.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (ZoneBuddy Class) - http://zone.msn.com/BinFrameWork/v10/ZBuddy.cab32846.cab
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZPAChat.cab32846.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1152271545046
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://zone.msn.com/bingame/chnz/default/mjolauncher.cab
O16 - DPF: {809A6301-7B40-4436-A02C-87B8D3D7D9E3} (ZPA_DMNO Object) - http://zone.msn.com/bingame/zpagames/zpa_dmno.cab42341.cab
O16 - DPF: {80B626D6-BC34-4BCF-B5A1-7149E4FD9CFA} (UnoCtrl Class) - http://zone.msn.com/bingame/zpagames/GAME_UNO1.cab50727.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://cdn2.zone.msn.com/binFramework/v10/ZIntro.cab34246.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (StadiumProxy Class) - http://zone.msn.com/binframework/v10/StProxy.cab41227.cab
O16 - DPF: {DAF5D9A2-D982-4671-83E4-0398706A5F6A} (SCEWebLauncherCtl Object) - http://zone.msn.com/bingame/hsol/default/SCEWebLauncher.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - D:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe

Are we there yet?? :) :2thumb:

Cheers
Stambo
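
The HijackThis log above is the kind of artifact a helper reads by eye: autorun commands (O4), ActiveX download sources (O16), protocol handlers (O18) and services (O23). The following Python is an added example, not part of the thread and not HijackThis code, that pulls the reviewable facts out of such lines: the image each autorun actually launches (following rundll32 to the hosted DLL), entries that rely on a bare filename resolved through the search path, entries HijackThis marked "(file missing)", and the hosts that O16 controls were downloaded from. The sample lines are copied from the log; the regexes and the report layout are this example's own assumptions.

```python
"""Extract reviewable facts from HijackThis O4/O16/O18/O23 log lines (added example)."""
import re
from urllib.parse import urlparse

# Constructed sample: lines copied from the HijackThis log in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WINDVDPatch] CTHELPER.EXE
O4 - HKCU\..\Run: [WrCtrl] "C:\Program Files\WinRoute\WinRoute Firewall\WrCtrl.exe"
O16 - DPF: {1842B0EE-B597-11D4-8997-00104BD12D94} (iCC Class) - http://www.pcpitstop.com/internet/pcpConnCheck.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Kerio WinRoute Firewall (WinRoute) - Kerio Technologies - C:\Program Files\WinRoute\WinRoute Firewall\winroute.exe
"""

# O4 - <hive>\..\<key>: [<name>] <command>
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# O16 - DPF: {clsid} (description) - <url>
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]+\}) \((?P<desc>[^)]*)\) - (?P<url>\S+)$")
# First image in a command: a quoted path, an unquoted drive path ending in an
# executable extension (may contain spaces), or a bare token.
IMAGE_RE = re.compile(r'"([^"]+)"|([A-Za-z]:\\.*?\.(?:exe|dll|ocx|cpl|scr|com))\b|([^\s,]+)', re.I)


def first_image(cmd: str) -> str:
    """Return the first executable/DLL path named in a command string."""
    m = IMAGE_RE.search(cmd)
    return next(g for g in m.groups() if g is not None) if m else ""


def parse_autorun(match: "re.Match") -> dict:
    cmd = match["cmd"]
    image = first_image(cmd)
    hosted = ""
    # rundll32 is only a host: the DLL it loads is the thing worth reviewing.
    if image.lower().rsplit("\\", 1)[-1] == "rundll32.exe":
        rest = cmd[cmd.lower().find(image.lower()) + len(image):].lstrip('" ')
        hosted = first_image(rest)
    effective = hosted or image
    return {
        "hive": match["hive"],
        "name": match["name"],
        "image": image,
        "hosted": hosted,
        # No directory at all: which file runs depends on the search path.
        "bare": "\\" not in effective,
    }


def review(log_text: str) -> dict:
    report = {"autoruns": [], "file_missing": [], "dpf_hosts": {}, "services": []}
    for line in log_text.strip().splitlines():
        if "(file missing)" in line:
            report["file_missing"].append(line)
        m = O4_RE.match(line)
        if m:
            report["autoruns"].append(parse_autorun(m))
            continue
        m = O16_RE.match(line)
        if m:
            host = (urlparse(m["url"]).hostname or "").lower()
            report["dpf_hosts"][host] = report["dpf_hosts"].get(host, 0) + 1
            continue
        if line.startswith("O23 - Service:"):
            report["services"].append(line.rsplit(" - ", 1)[-1])
    return report


if __name__ == "__main__":
    rep = review(SAMPLE_LOG)
    for entry in rep["autoruns"]:
        flag = "  <- bare name, resolved via search path" if entry["bare"] else ""
        print(f"{entry['hive']} {entry['name']}: {entry['hosted'] or entry['image']}{flag}")
    print("file missing:", rep["file_missing"])
    print("ActiveX sources:", rep["dpf_hosts"])
    print("services:", rep["services"])
```

Run on the full log, the same code surfaces every autorun whose real image is a bare name (here CTHELPER.EXE and point32.exe, both legitimate in this thread) so the reviewer can confirm where each one actually lives, and groups O16 downloads by host so unfamiliar sources stand out.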

Mr_JAk3
2006-11-29, 14:42
Hi again, looks good :)

Delete the following files:

C:\WINDOWS\system32\hgggfdb.dll
C:\WINDOWS\system32\oldvvdkkpe.dll
C:\WINDOWS\system32\wvussrs.dll

There is this one suspicious file that we'll check...

Go to virustotal.com (http://www.virustotal.com)
Click on the Browse button
Browse to the following file: C:\WINDOWS\TRWINUPD.DLL
Click Open and then on Send
Wait for the scan to end.

Copy & Paste the scan results to here. :bigthumb:

Stambo
2006-11-30, 06:17
Hi Mr_JAk3
It's me again :)
Here's the virustotal scan result.

Complete scanning result of "TRWINUPD.DLL", received in VirusTotal at 11.30.2006, 05:10:58 (CET).

Antivirus Version Update Result
AntiVir 7.2.0.46 11.29.2006 no virus found
Authentium 4.93.8 11.30.2006 no virus found
Avast 4.7.892.0 11.29.2006 no virus found
AVG 386 11.30.2006 no virus found
BitDefender 7.2 11.30.2006 no virus found
CAT-QuickHeal 8.00 11.29.2006 no virus found
ClamAV devel-20060426 11.30.2006 no virus found
DrWeb 4.33 11.29.2006 no virus found
eSafe 7.0.14.0 11.28.2006 no virus found
eTrust-InoculateIT 23.73.72 11.29.2006 no virus found
eTrust-Vet 30.3.3221 11.29.2006 no virus found
Ewido 4.0 11.29.2006 no virus found
Fortinet 2.82.0.0 11.30.2006 no virus found
F-Prot 3.16f 11.30.2006 no virus found
F-Prot4 4.2.1.29 11.30.2006 no virus found
Ikarus 0.2.65.0 11.29.2006 no virus found
Kaspersky 4.0.2.24 11.30.2006 no virus found
McAfee 4907 11.29.2006 no virus found
Microsoft 1.1804 11.30.2006 no virus found
NOD32v2 1890 11.30.2006 no virus found
Norman 5.80.02 11.29.2006 no virus found
Panda 9.0.0.4 11.29.2006 no virus found
Prevx1 V2 11.30.2006 no virus found
Sophos 4.11.0 11.16.2006 no virus found
TheHacker 6.0.3.126 11.29.2006 no virus found
UNA 1.83 11.29.2006 no virus found
VBA32 3.11.1 11.30.2006 no virus found
VirusBuster 4.3.15:9 11.29.2006 no virus found

Aditional Information
File size: 19 bytes
MD5: e272fdac7adc1700e370810fe9d58071
SHA1: ca8bbee2a843c5a122346c7e2625b6212763e63a


Cheers
Stambo
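
Two details in that report deserve a look before the "no virus found" column is taken at face value: the file is 19 bytes, which is far too small to be a real DLL (a Windows executable starts with a 64-byte DOS header pointing at a "PE" signature), and the MD5/SHA1 lines identify exactly which bytes were scanned. The following Python is an added example, not from the thread or from VirusTotal, that inspects a file locally the same way: size, hashes, whether it is a valid PE image, and a comparison against the hashes a scan report shows so you know the report describes the file you have. The two sample files it writes are constructed for the example; nothing here reproduces TRWINUPD.DLL.

```python
"""Hash and sanity-check a suspicious file before trusting a scan verdict (added example)."""
import hashlib
import os
import struct
import tempfile

# Constructed sample contents (not the real TRWINUPD.DLL): a 19-byte text file
# with a .dll extension, and a minimal blob shaped like a PE image.
TEXT_SAMPLE = b"this is not a DLL\r\n"


def _pe_sample() -> bytes:
    buf = bytearray(64)                       # DOS header
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 64)     # e_lfanew -> offset of "PE\0\0"
    return bytes(buf) + b"PE\0\0" + bytes(20)  # PE signature + zeroed COFF header


def make_samples(directory: str = None) -> dict:
    """Write the constructed samples to disk and return their paths."""
    directory = directory or tempfile.mkdtemp(prefix="inspect-")
    paths = {
        "text_dll": os.path.join(directory, "notadll.dll"),
        "pe_dll": os.path.join(directory, "tiny.dll"),
    }
    with open(paths["text_dll"], "wb") as fh:
        fh.write(TEXT_SAMPLE)
    with open(paths["pe_dll"], "wb") as fh:
        fh.write(_pe_sample())
    return paths


def inspect_file(path: str) -> dict:
    with open(path, "rb") as fh:
        data = fh.read()
    info = {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "is_pe": False,
        "notes": [],
    }
    # Valid PE: "MZ" at offset 0, e_lfanew at 0x3C pointing at "PE\0\0".
    if len(data) >= 64 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if e_lfanew + 4 <= len(data) and data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            info["is_pe"] = True
    if not info["is_pe"] and path.lower().endswith((".dll", ".exe", ".ocx", ".scr")):
        info["notes"].append("extension claims an executable but the file is not a valid PE image")
    if info["size"] < 1024:
        info["notes"].append(f"tiny file ({info['size']} bytes): scanners have little to match on, read the bytes")
    return info


def matches_report(info: dict, md5: str = None, sha1: str = None) -> bool:
    """True when every hash supplied from a scan report matches the local file."""
    checks = [(md5, info["md5"]), (sha1, info["sha1"])]
    return all(expected is None or expected.lower() == actual for expected, actual in checks)


if __name__ == "__main__":
    for name, path in make_samples().items():
        info = inspect_file(path)
        print(name, info["size"], "bytes", "PE" if info["is_pe"] else "not PE", info["md5"])
        for note in info["notes"]:
            print("  -", note)
```

To use it on a real file, call inspect_file on the path and hand the MD5 and SHA1 printed by the scan report to matches_report; a mismatch means the verdict belongs to a different file. A "not a valid PE image" note on something named .dll is itself a finding: a few bytes of text or a stub dropped by a cleaner will scan clean on every engine.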

Mr_JAk3
2006-11-30, 12:06
Hi again, it is looking clean now :)
Is the computer running fine?

Then the first priority is to visit Windows Update (http://windowsupdate.microsoft.com) and get your system updated
-> At first, install Win XP Service Pack 2 Update
-> Reboot and get back to the Windows Update
-> Install all remaining important updates
(NOTE: You'll probably have to reboot and get back to the update several times before all of them are installed)

You can remove the tools we used.

Now you can make your hidden files hidden again.
Go to My Computer
Select the Tools menu and click Folder Options
Click the View tab.
Checkmark the "Display the contents of system folders"
Under the Hidden files and folders select "Show hidden files and folders"
Check "Hide protected operating system files"
Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:
Clear your system restore (http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx)
This will clear the system restore folders from possible malware that was left behind during the cleaning process.

Use ATF Cleaner (http://www.atribune.org/ccount/click.php?id=1)
Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.

Use Ad-Aware (http://www.bleepingcomputer.com/forums/?showtutorial=48)
Download and install Ad-Aware. Update it and scan your computer regularly with it.

Use AVG Anti-Spyware (http://www.ewido.net/en/)
Update it and scan your computer regularly with it.

Use Spybot S&D (http://www.bleepingcomputer.com/forums/?showtutorial=43)
Download and install Spybot S&D. Update it and scan your computer regularly with it.

Install SpywareBlaster (http://www.javacoolsoftware.com/spywareblaster.html)
SpywareBlaster will prevent spyware from being installed.

Install MVPS Hosts file (http://mvps.org/winhelp2002/hosts.htm)
This prevents your computer from connecting to harmful sites.

Use Firefox browser (http://www.mozilla.org)
Firefox is a faster, safer and better browser than Internet Explorer.

Keep your system up-to-date (http://windowsupdate.microsoft.com)
Visit Windows Update regularly.

Keep your antivirus and firewall up-to-date
Scan your computer regularly with your antivirus.

Read this article by TonyKlein (http://forums.spybot.info/showthread.php?t=279)
So how did I get infected in the first place?

Stand Up and Be Counted ! (http://www.malwarecomplaints.info/index.php)
The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


Stay clean and be safe ;)

Stambo
2006-12-01, 07:31
Thank you Mr_JAk3 for your help and patience. I noticed early in the process that you were in Finland, I'm in New Zealand as you probably see. We are 11 hours apart in time zone so you sleep during my day and vice versa. Made the process a little longer I guess but we got there in the end.
My computer is working much much better, I don't get any popups, no threat detected messages from avg and my ping in online games is back to what it was when I first got adsl. (most important thing :) :) ).
I am now in the process of downloading and installing updates and I'll be much more careful what I download. Is there a way that I can download to a secure folder so I can scan before opening files?? I thought before this all happened that downloading a file and scanning it with avg was enough. Silly me :red:.
Anyway once again thanks very very much for your help.
Once I'm all updated I'm going back to school (mru)
Then maybe I can help others the way you have helped me.
Cheers
Stambo

Mr_JAk3
2006-12-01, 09:03
Hi again :)

The main reason why you got infected was that you weren't protected and up-to-date. You had old java and not the latest Windows updates...

Almost forgot, you should remove the old Java versions:
Start
Control Panel
Add/Remove Programs
Remove the following:
J2SE Runtime Environment 5.0 Update 8
J2SE Runtime Environment 5.0 Update 6


Watch what you download and where you download from. Tony Klein's article in my last message contains some good advice.

Nice to hear that you're interested in helping others :)

Stambo
2006-12-06, 10:58
I've done the above and am working through the updates, there's a lot :)
Once again thanks for all your help.

Cheers and Have a Merry Christmas and Happy New Year :bigthumb:
Stambo

Mr_JAk3
2006-12-06, 11:30
That's great news and you're very welcome :D:

As the problem appears to be resolved this topic has been archived.

If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

Merry Christmas and Happy New Year to you too :D:

Glad we could help :2thumb: