Thread: can not remove Trojan.Nebular

  1. #1
    Junior Member
    Join Date
    Feb 2007
    Posts
    8

    can not remove Trojan.Nebular

    First of all, thank you for your good forums. I've been trying to remove some virus infecting my computer manually and have been so far unsuccessful. I tried to delete Trojan.Nebular but I couldn't, so I did what you may need to help me. Thank you very very very much.

  2. #2
    Junior Member
    Join Date
    Feb 2007
    Posts
    8

    Smitfraudfix log

    SmitFraudFix v2.141

    Scan done at 15:39:32.40, Sun 02/11/2007
    Run from C:\Documents and Settings\S\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    »»»»»»»»»»»»»»»»»»»»»»»» C:\


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\drvlog.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\S


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\S\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu


    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\S\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components



    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
    "AppInit_DLLs"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32-huy32


    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End

  3. #3
    Junior Member
    Join Date
    Feb 2007
    Posts
    8

    combofix log part 1

    "S" - 07-02-11 16:00:30 Service Pack 2
    ComboFix 07-02-08.2 - Running from: "C:\Documents and Settings\S\Desktop\test"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
    Folders Quarantined:
    C:\qoobox\purity\Program Files\YMANTE~1
    C:\qoobox\purity\Program Files\YMANTE~1\svchost.exe
    C:\qoobox\purity\Program Files\YMANTE~1\?ymantec


    ((((((((((((((((((((((((((((((( Files Created from 2007-01-11 to 2007-02-11 ))))))))))))))))))))))))))))))))))


    2007-02-11 02:10 93,696 --a------ C:\WINDOWS\system32\drvlog.dll
    2007-02-11 01:40 1,923,079 --a------ C:\WINDOWS\system32\SBSP.dat
    2007-02-10 00:54 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
    2007-02-10 00:54 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-02-10 00:54 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-02-10 00:54 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2007-02-10 00:54 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-02-10 00:54 135,168 --a------ C:\WINDOWS\system32\swreg.exe
    2007-02-10 00:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\SmitfraudFix
    2007-02-10 00:51 <DIR> d-------- C:\HJT
    2007-02-09 23:50 313 --a------ C:\WINDOWS\system32\SBRC.dat
    2007-02-09 23:50 153 --a------ C:\WINDOWS\system32\SBFC.dat
    2007-02-09 21:21 93,696 --a------ C:\WINDOWS\system32\drvjad.dll
    2007-02-06 21:02 <DIR> d-------- C:\DOCUME~1\S\Application Data\InterVideo
    2007-02-05 02:05 11,169 --a------ C:\WINDOWS\msvrc20.dll
    2007-02-05 02:05 <DIR> d-------- C:\Program Files\IObit
    2007-02-05 01:05 <DIR> d-------- C:\DOCUME~1\S\Application Data\Uniblue
    2007-02-04 00:28 <DIR> d-------- C:\Program Files\MSN Messenger
    2007-02-02 22:36 <DIR> d-------- C:\Program Files\SymNetDrv
    2007-02-02 22:19 91,904 --a------ C:\WINDOWS\system32\S32EVNT1.DLL
    2007-02-02 22:19 124,016 --a------ C:\WINDOWS\system32\drivers\SYMEVENT.SYS
    2007-02-02 19:43 57,344 --a------ C:\WINDOWS\system32\otzups.dll
    2007-02-02 19:42 17,408 --------- C:\WINDOWS\system32\wineij32.dll
    2007-02-02 06:28 <DIR> d-------- C:\Program Files\Al-Ufuq Internet Timer
    2007-02-02 06:26 <DIR> d-------- C:\Program Files\Realtek
    2007-02-02 06:26 <DIR> d-------- C:\Program Files\PhotoFiltre
    2007-02-02 06:18 <DIR> d-------- C:\Program Files\Symantec
    2007-02-02 05:17 <DIR> d-------- C:\Program Files\Norton AntiVirus
    2007-02-02 04:42 <DIR> d-------- C:\Program Files\Symantec(2)
    2007-02-02 04:42 <DIR> d-------- C:\Program Files\Norton AntiVirus(2)
    2007-02-02 04:16 <DIR> d-------- C:\Program Files\Windows Installer Clean Up
    2007-02-02 03:21 <DIR> d-------- C:\Program Files\Innovative Solutions
    2007-02-02 01:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\Application Data\Windows Genuine Advantage
    2007-02-02 00:47 884,736 --a------ C:\WINDOWS\system32\msimsg.dll
    2007-02-02 00:47 78,848 --a------ C:\WINDOWS\system32\msiexec.exe
    2007-02-02 00:47 271,360 --a------ C:\WINDOWS\system32\msihnd.dll
    2007-02-02 00:47 2,890,240 --a------ C:\WINDOWS\system32\msi.dll
    2007-02-02 00:47 15,360 --a------ C:\WINDOWS\system32\msisip.dll
    2007-02-01 23:36 <DIR> d-------- C:\Program Files\Xinox Software
    2007-01-31 23:24 262,144 --a------ C:\DOCUME~1\ALLUSE~1\ntuser.dat
    2007-01-31 23:23 4,194,304 --a------ C:\DOCUME~1\S\ntuser.dat
    2007-01-31 23:23 229,376 --a------ C:\DOCUME~1\LOCALS~1\ntuser.dat
    2007-01-31 21:17 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-01-31 19:12 47,399 --a------ C:\WINDOWS\BricoPackUninst.cmd
    2007-01-31 19:10 2,130 --a------ C:\WINDOWS\BricoPackFoldersDelete.cmd
    2007-01-31 19:09 <DIR> d-------- C:\WINDOWS\BricoPacks
    2007-01-22 01:03 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-01-20 22:52 <DIR> d--h----- C:\WINDOWS\$hf_mig$
    2007-01-20 22:52 <DIR> d-------- C:\WINDOWS\system32\PreInstall
    2007-01-20 19:23 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-01-20 01:48 <DIR> d--h----- C:\WINDOWS\PIF
    2007-01-20 01:14 10,344 --a------ C:\WINDOWS\system32\drivers\symlcbrd.sys
    2007-01-19 12:53 51,056 --a------ C:\WINDOWS\system32\sirenacm.dll
    2007-01-18 21:00 258,048 --a------ C:\WINDOWS\ctpu.exe
    2007-01-18 21:00 196,608 --a------ C:\WINDOWS\ResEnu.PPC.dll
    2007-01-18 21:00 <DIR> d-------- C:\Program Files\BEIKS
    2007-01-17 16:55 8,704 --a------ C:\WINDOWS\system32\kbdjpn.dll
    2007-01-17 16:55 8,192 --a------ C:\WINDOWS\system32\kbdkor.dll
    2007-01-17 16:55 6,144 --a------ C:\WINDOWS\system32\kbd106.dll
    2007-01-17 16:55 6,144 --a------ C:\WINDOWS\system32\kbd101c.dll
    2007-01-17 16:55 6,144 --a------ C:\WINDOWS\system32\kbd101b.dll
    2007-01-17 16:55 5,632 --a------ C:\WINDOWS\system32\kbd103.dll
    2007-01-12 02:17 <DIR> d-------- C:\Program Files\Infosoft
    2007-01-11 01:03 <DIR> d-------- C:\WINDOWS\system32\LogFiles


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-02-11 15:51 -------- d-------- C:\Program Files\golden al-wafi translator
    2007-02-02 22:41 -------- d-------- C:\Program Files\Common Files\symantec shared
    2007-02-02 06:15 -------- d---s---- C:\DOCUME~1\S\Application Data\microsoft
    2007-02-02 06:11 -------- d-------- C:\Program Files\ea sports
    2007-02-02 06:00 -------- d-------- C:\Program Files\mozilla firefox
    2007-02-01 23:54 -------- d--h----- C:\Program Files\installshield installation information
    2007-01-31 19:12 218624 --a------ C:\WINDOWS\system32\uxtheme.dll
    2007-01-23 19:40 -------- d-------- C:\Program Files\messenger
    2007-01-22 20:57 -------- d-------- C:\DOCUME~1\S\Application Data\adobe
    2007-01-10 23:43 -------- d-------- C:\DOCUME~1\S\Application Data\google
    2007-01-10 23:42 -------- d-------- C:\Program Files\google
    2007-01-09 20:16 -------- d-------- C:\Program Files\nobrand
    2007-01-08 23:54 -------- d-------- C:\Program Files\pcpitstop
    2007-01-06 20:31 -------- d-------- C:\DOCUME~1\S\Application Data\symantec
    2007-01-06 20:12 1060864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-01-06 20:12 1047552 --a------ C:\WINDOWS\system32\mfc71u.dll
    2007-01-05 13:20 -------- d-------- C:\DOCUME~1\S\Application Data\ahead
    2007-01-03 00:40 -------- d-------- C:\DOCUME~1\S\Application Data\nokia multimedia player
    2006-12-27 00:40 286720 --------- C:\WINDOWS\setup1.exe
    2006-12-25 00:31 -------- d-------- C:\DOCUME~1\S\Application Data\cowon
    2006-12-25 00:28 -------- d-------- C:\Program Files\winamp
    2006-12-25 00:28 -------- d-------- C:\Program Files\dalel2
    2006-12-25 00:10 -------- d-------- C:\Program Files\Common Files\acd systems
    2006-12-24 23:51 -------- d-------- C:\DOCUME~1\S\Application Data\macromedia
    2006-12-24 21:48 -------- d-------- C:\DOCUME~1\S\Application Data\nokia
    2006-12-24 21:48 -------- d-------- C:\DOCUME~1\S\Application Data\datalayer
    2006-12-24 21:46 -------- d-------- C:\Program Files\nokia
    2006-12-24 21:46 -------- d-------- C:\Program Files\Common Files\pcsuite
    2006-12-24 21:46 -------- d-------- C:\Program Files\Common Files\nokia
    2006-12-24 21:46 -------- d-------- C:\DOCUME~1\S\Application Data\pc suite
    2006-12-23 18:35 -------- d-------- C:\DOCUME~1\S\Application Data\sun
    2006-12-23 15:01 -------- d-------- C:\DOCUME~1\S\Application Data\adobeum
    2006-12-23 00:57 -------- d-------- C:\DOCUME~1\S\Application Data\ulead systems
    2006-12-23 00:37 30 --a------ C:\WINDOWS\popcinfo.dat
    2006-12-22 23:09 -------- d-------- C:\DOCUME~1\S\Application Data\acd systems
    2006-12-22 19:54 -------- d-------- C:\Program Files\Common Files\speechengines
    2006-12-22 19:54 -------- d-------- C:\Program Files\Common Files\odbc
    2006-12-22 19:53 62 --ahs---- C:\DOCUME~1\S\Application Data\desktop.ini
    2006-12-22 18:40 73216 --------- C:\WINDOWS\st6unst.exe
    2006-12-22 18:40 -------- d-------- C:\Program Files\divxcodec
    2006-12-22 18:31 4096 --a------ C:\WINDOWS\d3dx.dat
    2006-12-22 18:31 -------- d-------- C:\Program Files\real
    2006-12-22 18:30 -------- d-------- C:\Program Files\macromedia
    2006-12-22 18:28 -------- d-------- C:\Program Files\dap
    2006-12-22 18:27 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll
    2006-12-22 18:17 -------- d-------- C:\Program Files\microsoft works
    2006-12-22 18:17 -------- d-------- C:\Program Files\microsoft activesync
    2006-12-22 18:16 -------- d-------- C:\Program Files\microsoft.net
    2006-12-22 18:08 -------- d-------- C:\Program Files\yahoo!
    2006-12-22 18:04 2301 --a------ C:\WINDOWS\mozver.dat
    2006-12-22 18:04 -------- d-------- C:\DOCUME~1\S\Application Data\mozilla
    2006-12-22 17:48 -------- d-------- C:\Program Files\ulead systems
    2006-12-22 17:48 -------- d-------- C:\Program Files\Common Files\ulead systems
    2006-12-22 17:48 -------- d-------- C:\Program Files\Common Files\installshield
    2006-12-22 17:47 -------- d-------- C:\Program Files\swishmax
    2006-12-22 17:46 -------- d-------- C:\DOCUME~1\S\Application Data\real
    2006-12-22 17:44 -------- d-------- C:\Program Files\Common Files\xing shared
    2006-12-22 17:44 -------- d-------- C:\Program Files\Common Files\real
    2006-12-22 17:42 -------- d-------- C:\Program Files\Common Files\ahead
    2006-12-22 17:41 -------- d-------- C:\Program Files\nero
    2006-12-22 17:39 -------- d-------- C:\Program Files\3gp player
    2006-12-22 17:38 -------- d-------- C:\Program Files\Common Files\adobe
    2006-12-22 17:34 -------- d-------- C:\DOCUME~1\S\Application Data\toshiba
    2006-12-22 17:34 -------- d-------- C:\DOCUME~1\S\Application Data\ati
    2006-12-22 17:32 -------- d-------- C:\DOCUME~1\S\Application Data\sonic
    2006-12-22 17:30 -------- d-------- C:\Program Files\toshiba
    2006-12-22 17:29 -------- d-------- C:\Program Files\synaptics
    2006-12-22 17:28 -------- d-------- C:\Program Files\Common Files\java
    2006-12-22 17:20 -------- d-------- C:\DOCUME~1\S\Application Data\u3
    2006-12-22 17:18 -------- d-------- C:\Program Files\Common Files\cisco systems
    2006-12-22 17:03 -------- d-------- C:\Program Files\intervideo
    2006-12-22 17:03 -------- d-------- C:\Program Files\dvd-ram
    2006-12-22 17:01 -------- d-------- C:\Program Files\ati technologies
    2006-12-22 16:56 -------- d-------- C:\Program Files\intel
    2006-12-22 16:49 21035 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
    2006-12-22 16:49 -------- d-------- C:\Program Files\atheros
    2006-12-22 16:44 -------- d-------- C:\DOCUME~1\S\Application Data\identities
    2006-12-22 16:39 -------- d-------- C:\Program Files\microsoft frontpage
    2006-12-22 16:38 0 -rahs---- C:\MSDOS.SYS
    2006-12-22 16:38 0 -rahs---- C:\IO.SYS
    2006-12-22 16:38 0 --a------ C:\CONFIG.SYS
    2006-12-22 16:38 0 --a------ C:\AUTOEXEC.BAT
    2006-12-22 16:37 -------- d--h----- C:\Program Files\windowsupdate
    2006-12-22 16:36 -------- d-------- C:\Program Files\movie maker
    2006-12-22 16:36 -------- d-------- C:\Program Files\Common Files\mssoap
    2006-12-22 16:35 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
    2006-12-22 16:35 -------- d-------- C:\Program Files\online services
    2006-12-22 16:34 -------- d-------- C:\Program Files\windows nt
    2006-12-22 16:34 -------- d-------- C:\Program Files\msn gaming zone
    2006-12-07 17:02 2174976 --a------ C:\WINDOWS\system32\wmvcore.dll

  4. #4
    Junior Member
    Join Date
    Feb 2007
    Posts
    8

    combofix log part 2

    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "Lusi"="\"C:\\PROGRA~1\\YMANTE~1\\svchost.exe\" -vt yazb"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
    "Symantec NetDriver Monitor"="C:\\PROGRA~1\\SYMNET~1\\SNDMon.exe /Consumer"
    "BluetoothAuthenticationAgent"="rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent"
    "TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
    "SBRegRebootCleaner"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\SBRC.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^.protected]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
    "backup"="C:\\WINDOWS\\pss\\.protectedCommon Startup"
    "location"="Common Startup"
    "command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\.protected"
    "item"=".protected"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
    "backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
    "item"="Adobe Gamma Loader"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Al-Ufuq Internet Timer.LNK]
    "backup"="C:\\WINDOWS\\pss\\Al-Ufuq Internet Timer.LNKCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\AL-UFU~1\\TIMERT~1.EXE "
    "item"="Al-Ufuq Internet Timer"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Manager.lnk]
    "backup"="C:\\WINDOWS\\pss\\Bluetooth Manager.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Toshiba\\BLUETO~2\\TosBtMng.exe "
    "item"="Bluetooth Manager"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth Monitor.lnk]
    "backup"="C:\\WINDOWS\\pss\\Bluetooth Monitor.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\TOSHIBA\\BLUETO~1\\BtMon2.exe "
    "item"="Bluetooth Monitor"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office OneNote 2003 Quick Launch.lnk]
    "backup"="C:\\WINDOWS\\pss\\Microsoft Office OneNote 2003 Quick Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\MICROS~2\\OFFICE11\\ONENOTEM.EXE /tsr"
    "item"="Microsoft Office OneNote 2003 Quick Launch"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^RAMASST.lnk]
    "backup"="C:\\WINDOWS\\pss\\RAMASST.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\WINDOWS\\system32\\RAMASST.exe "
    "item"="RAMASST"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^S^Start Menu^Programs^Startup^.protected]
    "path"="C:\\Documents and Settings\\S\\Start Menu\\Programs\\Startup\\.protected"
    "backup"="C:\\WINDOWS\\pss\\.protectedStartup"
    "location"="Startup"
    "command"="C:\\Documents and Settings\\S\\Start Menu\\Programs\\Startup\\.protected"
    "item"=".protected"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NMBgMonitor"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="drvjak"
    "hkey"="HKLM"
    "command"="rundll32.exe C:\\WINDOWS\\system32\\drvjak.dll,startup"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DLACTRLW"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DownloadAccelerator]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="DAP"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\DAP\\DAP.EXE /STARTUP"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\McAfeeUpdaterUI]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="UpdaterUI"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MOD]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="muamgr"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="NeroCheck"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Network Associates Error Reporting Service]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="TBMon"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\otzups.dll]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="otzups"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\otzups.dll,lmjgdqd"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="LAUNCH~1"
    "hkey"="HKLM"
    "command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\LAUNCH~1.EXE -onlytray"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PcSync]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="PcSync2"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegDoctor]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RegDoctor"
    "hkey"="HKLM"
    "command"="C:\\Program Files\\RegDoctor\\RegDoctor.exe -Quick"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ShStatEXE]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SHSTAT"
    "hkey"="HKLM"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ultimate Defender]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="App"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\Ultimate Defender\\App.exe\" hide"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Registry Booster]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="RegistryBooster"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Uniblue\\Registry Booster\\RegistryBooster.exe /S"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="YahooMessenger"
    "hkey"="HKCU"
    "command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
    "inimapping"="0"


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "LinkResolveIgnoreLinkInfo"=dword:00000000
    "NoResolveSearch"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "LinkResolveIgnoreLinkInfo"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wineij32

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0
    bthsvcs REG_MULTI_SZ BthServ\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{4e395e60-9c42-11db-b634-b26693f49a93}]
    Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL wscript.exe MS32DLL.dll.vbs


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Advanced WindowsCare V2 Pro.job
    C:\WINDOWS\tasks\AwcProUpdate.job
    C:\WINDOWS\tasks\Norton AntiVirus - Scan my computer - S.job
    C:\WINDOWS\tasks\Symantec NetDetect.job


    ********************************************************************

    catchme 0.1 W2K/XP - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-02-11 16:02:04
    C:\ComboFix2.txt ... 07-02-10 01:00

  5. #5
    Junior Member
    Join Date
    Feb 2007
    Posts
    8

    hijackthis

    Logfile of HijackThis v1.99.1
    Scan saved at 04:11:17 م, on 11/02/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    C:\WINDOWS\system32\DVDRAMSV.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\YMANTE~1\svchost.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\notepad.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\HJT\HijackThis.exe

    O1 - Hosts: 67.15.57.172 auto.search.msn.com #NETVISION
    O2 - BHO: DAPHelper Class - {0000CC75-ACF3-4cac-A0A9-DD3868E06852} - C:\Program Files\DAP\DAPBHO.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: DAP Bar - {62999427-33FC-4baf-9C9C-BCE6BD127F08} - C:\Program Files\DAP\DAPIEBar.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
    O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SBRegRebootCleaner] C:\Program Files\Sunbelt Software\CounterSpy\SBRC.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [Lusi] "C:\PROGRA~1\YMANTE~1\svchost.exe" -vt yazb
    O8 - Extra context menu item: &Download with &DAP - C:\PROGRA~1\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\PROGRA~1\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Run DAP - {669695BC-A811-4A9D-8CDF-BA8C795F261C} - C:\PROGRA~1\DAP\DAP.EXE
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O17 - HKLM\System\CCS\Services\Tcpip\..\{4B32F6DB-B833-4033-B664-B7A1E799035A}: NameServer = 212.72.23.4 212.72.1.186
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: wineij32 - C:\WINDOWS\SYSTEM32\wineij32.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: ConfigFree Service (CFSvcs) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: DVD-RAM_Service - Matsushita Electric Industrial Co., Ltd. - C:\WINDOWS\system32\DVDRAMSV.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: TOSHIBA Application Service (TAPPSRV) - TOSHIBA Corp. - C:\Program Files\TOSHIBA\TOSHIBA Applet\TAPPSRV.exe

  6. #6
    Junior Member
    Join Date
    Feb 2007
    Posts
    8

    SmitfraudFix report after running Clean in safe mode

    I restarted the PC to run safe mode, ran smitfraudfix.cmd, then selected 2 to clean, and this is the SmitfraudFix report:

    SmitFraudFix v2.141

    Scan done at 16:24:50.01, Sun 02/11/2007
    Run from C:\Documents and Settings\S\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    The filesystem type is NTFS
    Fix run in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» hosts


    127.0.0.1 localhost

    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
    !!!Attention, following keys are not inevitably infected!!!

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "System"=""


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» SharedTaskScheduler After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

  7. #7
    Junior Member
    Join Date
    Feb 2007
    Posts
    8

    Trojan.Nebuler

    By the way, my virus is Trojan.Nebuler, not Trojan.Nebular as I mentioned before.

  8. #8
    Junior Member
    Join Date
    Feb 2007
    Posts
    8

    I did it

    Thank you. I have removed that trojan by an easy way, so no need to use any program like SmitfraudFix or HijackThis.

  9. #9
    tashi, Member of Team Spybot
    Join Date
    Oct 2005
    Location
    USA
    Posts
    30,961

    Originally posted by phone222:
    "Thank you. I have removed that trojan by an easy way, so no need to use any program like SmitfraudFix or HijackThis."

    Well, you already ran the fix; I will archive this topic for now.

    If you need it re-opened, please send me a private message (PM) and provide a link to the thread. This applies only to the original poster; anyone else with similar problems, please start a new topic.

    For future reference:
    If you have waited FOUR days for advice, post here.
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016
