Thread: Trojan.Win32.Agent.aoy and more...

  1. #1
    Junior Member (Join Date: Jun 2007, Posts: 19)

    Trojan.Win32.Agent.aoy and more...

    In addition to the one listed in the title, F-Secure has also picked up these viruses:

    Exploit.HTML.IESlice.p
    Trojan-Downloader.JS.Psyme.el

    Online scan log

    Scan Results: 70324 files scanned. 3 viruses were detected.

    File | Infection | Status | Path
    tob_snd_20070616[1] | Win32/Abetear.A | cannot cure | C:\Documents and Settings\daled\Local Settings\Temporary Internet Files\Content.IE5\9IR9Q1Z6\
    ddawv.dll | Win32/Vundo!generic | cannot cure | C:\WINDOWS\SYSTEM32\
    eqafjvyc.dll | Win32/Vundo!generic | cannot cure | C:\WINDOWS\SYSTEM32\


    Hijackthis log

    Logfile of HijackThis v1.99.1
    Scan saved at 8:53:24 AM, on 6/26/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\F-Secure\admin.pub\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsgk32st.exe
    C:\F-Secure\admin.pub\Anti-Virus\FSGK32.EXE
    C:\F-Secure\admin.pub\BackWeb\7681197\program\fsbwsys.exe
    C:\F-Secure\admin.pub\Anti-Virus\fssm32.exe
    C:\F-Secure\admin.pub\Common\FSMA32.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\F-Secure\admin.pub\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\F-Secure\admin.pub\Common\FCH32.EXE
    C:\F-Secure\admin.pub\Common\FAMEH32.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsqh.exe
    C:\F-Secure\admin.pub\Anti-Virus\fsrw.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\F-Secure\admin.pub\Anti-Virus\fsav32.exe
    C:\F-Secure\admin.pub\Common\FNRB32.EXE
    C:\F-Secure\admin.pub\FWES\Program\fsdfwd.exe
    C:\F-Secure\admin.pub\Common\FIH32.EXE
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\F-Secure\admin.pub\Common\FSM32.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\F-Secure\admin.pub\ANTI-S~1\fsaw.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\F-Secure\admin.pub\FSGUI\fsguidll.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\F-Secure\admin.pub\BackWeb\7681197\program\F-Secure Automatic Update.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
    C:\PROGRA~1\MICROS~2\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...treg?clid=1033
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\F-Secure\admin.pub\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\F-Secure\admin.pub\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\ntbendqg.dll",forkonce
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\F-Secure\admin.pub\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O8 - Extra context menu item: &Block this popup - C:\F-Secure\admin.pub\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\F-Secure\admin.pub\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\F-Secure\admin.pub\Anti-Spyware\ieshield.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O17 - HKLM\Software\..\Telephony: DomainName = Fontaine.msft
    O17 - HKLM\System\CCS\Services\Tcpip\..\{F1D52D2D-8667-4796-BE06-3D9C1C1DC4F2}: NameServer = 10.16.209.5
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\F-Secure\admin.pub\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qmeitquy.exe (file missing)
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\F-Secure\admin.pub\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\F-Secure\admin.pub\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\F-Secure\admin.pub\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    Thanks in advance for any help!

  2. #2
    Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi rdaled

    Rename HijackThis.exe to scanner.exe and post back a fresh HijackThis log, please.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  3. #3
    Junior Member (Join Date: Jun 2007, Posts: 19)

    Thanks for the quick reply!

    Here is the new log after renaming to scanner.exe:

    HijackThis Log

    Logfile of HijackThis v1.99.1
    Scan saved at 9:21:32 AM, on 6/27/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\F-Secure\admin.pub\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsgk32st.exe
    C:\F-Secure\admin.pub\Anti-Virus\FSGK32.EXE
    C:\F-Secure\admin.pub\BackWeb\7681197\program\fsbwsys.exe
    C:\F-Secure\admin.pub\Anti-Virus\fssm32.exe
    C:\F-Secure\admin.pub\Common\FSMA32.EXE
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\F-Secure\admin.pub\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\F-Secure\admin.pub\Common\FCH32.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\F-Secure\admin.pub\Common\FAMEH32.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsqh.exe
    C:\F-Secure\admin.pub\Anti-Virus\fsrw.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\F-Secure\admin.pub\Anti-Virus\fsav32.exe
    C:\WINDOWS\Explorer.EXE
    C:\F-Secure\admin.pub\FWES\Program\fsdfwd.exe
    C:\F-Secure\admin.pub\Common\FNRB32.EXE
    C:\F-Secure\admin.pub\Common\FIH32.EXE
    C:\WINDOWS\system32\igfxpers.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxsrvc.exe
    C:\F-Secure\admin.pub\Common\FSM32.EXE
    C:\WINDOWS\System32\DSentry.exe
    C:\F-Secure\admin.pub\ANTI-S~1\fsaw.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\F-Secure\admin.pub\FSGUI\fsguidll.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Microsoft Location Finder\LocationFinder.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\F-Secure\admin.pub\BackWeb\7681197\program\F-Secure Automatic Update.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\scanner.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...treg?clid=1033
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\ywcypqey.dll
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {995B2125-8441-4F79-9D41-E0EE0CFA6805} - C:\WINDOWS\system32\ddawv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\tuvvwuu.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [igfxpers] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [igfxhkcmd] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\F-Secure\admin.pub\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\F-Secure\admin.pub\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\jxxrlmtd.dll",forkonce
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [OuterinfoUpdate] "C:\Program Files\Outerinfo\OuterinfoUpdate.exe"
    O4 - HKCU\..\Run: [Outerinfo] "C:\Program Files\Outerinfo\Outerinfo.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\F-Secure\admin.pub\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: hp officejet 4100 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Block this popup - C:\F-Secure\admin.pub\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\F-Secure\admin.pub\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\F-Secure\admin.pub\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O17 - HKLM\Software\..\Telephony: DomainName = Fontaine.msft
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O20 - Winlogon Notify: ddawv - C:\WINDOWS\system32\ddawv.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: tuvvwuu - C:\WINDOWS\SYSTEM32\tuvvwuu.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\F-Secure\admin.pub\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qmeitquy.exe (file missing)
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\F-Secure\admin.pub\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\F-Secure\admin.pub\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\F-Secure\admin.pub\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
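As an added example, not code from this thread or from any tool mentioned in it, the following Python script applies the triage heuristics a helper reads off a log like the one above: an unnamed BHO loaded from system32, the same DLL registered both as an O2 BHO and an O20 Winlogon Notify handler, a Run key that starts a system32 DLL through rundll32 with a named export, and a service with an unknown owner whose binary is missing. The sample entries are copied from the logs posted in this thread; the heuristics are the example's own assumptions, not detection rules from HijackThis or F-Secure.

```python
"""Triage heuristics over HijackThis log entries (added example, not from the thread)."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, plus benign lines (Adobe, Intel graphics, F-Secure, WGA) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1F6581D5-AA53-4b73-A6F9-41420C6B61F1} - C:\WINDOWS\system32\ywcypqey.dll
O2 - BHO: (no name) - {995B2125-8441-4F79-9D41-E0EE0CFA6805} - C:\WINDOWS\system32\ddawv.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\tuvvwuu.dll
O4 - HKLM\..\Run: [igfxtray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\jxxrlmtd.dll",forkonce
O20 - Winlogon Notify: ddawv - C:\WINDOWS\system32\ddawv.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: tuvvwuu - C:\WINDOWS\SYSTEM32\tuvvwuu.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\qmeitquy.exe (file missing)
O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FSMA32.EXE
"""

# "O2 - <body>", "O20 - <body>", "R1 - <body>" and so on.
ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
# First drive-letter path on the line that ends in .dll or .exe; non-greedy so a
# dot inside the path (admin.pub) does not end the match early.
PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*?\.(?:dll|exe)', re.IGNORECASE)
# rundll32 form  "...\something.dll",ExportName  (the [icq.com] entry above).
RUNDLL_EXPORT_RE = re.compile(r'\.dll",\w+', re.IGNORECASE)
SYSTEM32 = "\\system32\\"


def parse_entries(log_text):
    """Yield (kind, body, lowercased path or None) for each HijackThis entry line."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # header, "Running processes:" block, blank lines
        p = PATH_RE.search(m["body"])
        yield m["kind"], m["body"], (p.group(0).lower() if p else None)


def basename(path):
    return path.rsplit("\\", 1)[-1]


def triage(log_text):
    """Return {file basename: [reasons]} for entries that merit a closer look.

    Heuristics (this example's own, not a vendor rule set):
      * O2 BHO with no name whose DLL lives in system32
      * O4 Run key that loads a system32 DLL through rundll32 with a named export
      * O23 service with an unknown owner whose binary is missing
      * the same DLL appearing as both an O2 BHO and an O20 Winlogon Notify handler
    """
    findings = defaultdict(list)
    seen_in = defaultdict(set)  # basename -> set of entry kinds it appears under
    for kind, body, path in parse_entries(log_text):
        if path is None:
            continue
        name = basename(path)
        seen_in[name].add(kind)
        in_sys32 = SYSTEM32 in path
        if kind == "O2" and "(no name)" in body and in_sys32:
            findings[name].append("unnamed BHO loaded from system32")
        if (kind == "O4" and "rundll32.exe" in body.lower() and in_sys32
                and RUNDLL_EXPORT_RE.search(body)):
            findings[name].append("Run key loads a system32 DLL via rundll32 with a named export")
        if kind == "O23" and "Unknown owner" in body and "(file missing)" in body:
            findings[name].append("service with unknown owner whose binary is missing")
    # Correlation across entry types: one DLL hooked in as both BHO and Winlogon Notify.
    for name, kinds in seen_in.items():
        if {"O2", "O20"} <= kinds:
            findings[name].append("same DLL registered as BHO (O2) and Winlogon Notify (O20)")
    return dict(findings)


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_LOG).items()):
        print(name)
        for r in reasons:
            print("   -", r)
```

Running it against the sample lists ddawv.dll, tuvvwuu.dll, ywcypqey.dll, jxxrlmtd.dll and qmeitquy.exe and leaves the Adobe, Intel, WGA and F-Secure entries alone; paste a full log into SAMPLE_LOG to triage it the same way.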

  4. #4
    Security Expert: Emeritus (Join Date: Oct 2006, Location: Finland, Posts: 29,374)

    Hi

    Please download VundoFix.exe to your desktop.
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    1. Download combofix from one of these links:
    Link1
    Link2
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

    Post:

    - a fresh HijackThis log
    - combofix report
    - vundofix report

  5. #5
    Junior Member (Join Date: Jun 2007, Posts: 19)

    HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 10:18, on 2007-06-27
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\F-Secure\admin.pub\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsgk32st.exe
    C:\F-Secure\admin.pub\BackWeb\7681197\program\fsbwsys.exe
    C:\F-Secure\admin.pub\Anti-Virus\FSGK32.EXE
    C:\F-Secure\admin.pub\Common\FSMA32.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fssm32.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\F-Secure\admin.pub\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\F-Secure\admin.pub\Common\FCH32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\F-Secure\admin.pub\Common\FAMEH32.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsqh.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsrw.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\F-Secure\admin.pub\Common\FNRB32.EXE
    C:\F-Secure\admin.pub\FWES\Program\fsdfwd.exe
    C:\F-Secure\admin.pub\Common\FIH32.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsav32.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\F-Secure\admin.pub\Common\FSM32.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\F-Secure\admin.pub\ANTI-S~1\fsaw.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\F-Secure\admin.pub\FSGUI\fsguidll.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Microsoft Location Finder\LocationFinder.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\F-Secure\admin.pub\BackWeb\7681197\program\F-Secure Automatic Update.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\Program Files\internet explorer\iexplore.exe
    C:\Program Files\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...treg?clid=1033
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {995B2125-8441-4F79-9D41-E0EE0CFA6805} - C:\WINDOWS\system32\ddawv.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\F-Secure\admin.pub\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\F-Secure\admin.pub\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\F-Secure\admin.pub\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: hp officejet 4100 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Block this popup - C:\F-Secure\admin.pub\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\F-Secure\admin.pub\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\F-Secure\admin.pub\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O17 - HKLM\Software\..\Telephony: DomainName = Fontaine.msft
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\F-Secure\admin.pub\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\F-Secure\admin.pub\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\F-Secure\admin.pub\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\F-Secure\admin.pub\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

  6. #6
    Junior Member
    Join Date
    Jun 2007
    Posts
    19

    Default

    ComboFix report

    "daled" - 2007-06-27 9:59:06 - ComboFix 07-06-27.7 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\llnmp.ini
    C:\WINDOWS\SYSTEM32\llnmp.bak1
    C:\WINDOWS\SYSTEM32\llnmp.ini
    C:\WINDOWS\system32\pmnll.dll
    C:\WINDOWS\system32\tuvvwuu.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\o02PrEz


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))


    2007-06-27 09:57 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-27 09:39 <DIR> d----c--- C:\VundoFix Backups
    2007-06-27 08:34 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-27 07:35 11,254 --a------ C:\WINDOWS\SYSTEM32\locate.com
    2007-06-26 20:32 128,576 --a------ C:\WINDOWS\SYSTEM32\jxxrlmtd.dll
    2007-06-26 19:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
    2007-06-26 16:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2007-06-26 15:32 128,576 --a------ C:\WINDOWS\SYSTEM32\ekfbncbc.dll
    2007-06-26 15:13 128,576 --a------ C:\WINDOWS\SYSTEM32\rygnlwyr.dll
    2007-06-26 13:12 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
    2007-06-26 13:12 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
    2007-06-26 12:47 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
    2007-06-26 12:24 <DIR> d-------- C:\Program Files\Sunbelt Software
    2007-06-26 12:10 <DIR> d----c--- C:\MGTools
    2007-06-26 11:59 128,576 --a------ C:\WINDOWS\SYSTEM32\ufhpnkim.dll
    2007-06-26 09:41 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-06-26 09:41 <DIR> d-------- C:\Program Files\Lavasoft
    2007-06-26 09:40 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-06-26 08:27 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
    2007-06-26 08:07 66,112 --a------ C:\WINDOWS\SYSTEM32\ywcypqey.dll
    2007-06-25 16:59 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
    2007-06-25 12:53 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-24 21:28 <DIR> d-------- C:\DOCUME~1\daled\APPLIC~1\SpywareBot
    2007-06-24 04:56 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
    2007-06-24 04:55 <DIR> d-------- C:\Program Files\Google
    2007-06-24 04:50 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-06-22 06:22 <DIR> d-------- C:\DOCUME~1\daled\APPLIC~1\RegSweep
    2007-06-11 08:25 0 --a------ C:\WINDOWS\nsreg.dat
    2007-06-04 15:18 9,344 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\NSDriver.sys
    2007-06-04 15:17 8,320 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AWRTRD.sys
    2007-06-04 15:14 6,272 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AWRTPD.sys


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-27 13:19:54 -------- d-----w C:\Program Files\IMT
    2007-06-27 00:00:11 -------- d-----w C:\Program Files\Apoint
    2007-06-27 00:00:06 -------- d-----w C:\Program Files\QuickTime
    2007-06-26 23:59:52 -------- d-----w C:\Program Files\Lexmark X5100 Series
    2007-06-26 23:59:40 -------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-06-26 23:59:36 -------- d-----w C:\Program Files\Microsoft Location Finder
    2007-06-26 23:59:35 -------- d-----w C:\Program Files\Digital Line Detect
    2007-06-26 23:59:22 -------- d-----w C:\Program Files\Palm
    2007-06-25 20:59:12 -------- d-----w C:\Program Files\Trend Micro
    2007-06-24 09:58:25 -------- d-----w C:\DOCUME~1\daled\APPLIC~1\Google
    2007-06-24 09:31:41 -------- d-----w C:\Program Files\Watchtower
    2007-06-24 09:27:35 -------- d-----w C:\Program Files\MSN Gaming Zone
    2007-06-24 09:25:48 -------- d-----w C:\Program Files\Motorola
    2007-06-24 09:25:05 -------- d-----w C:\Program Files\iPod
    2007-06-24 09:21:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-24 09:17:58 -------- d-----w C:\Program Files\Dell
    2007-06-22 10:29:45 -------- d-----w C:\Program Files\Online Services
    2007-05-29 21:41:47 -------- d-----w C:\DOCUME~1\daled\APPLIC~1\F-Secure
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-15 11:26:36 -------- d-----w C:\DOCUME~1\daled\APPLIC~1\Watchtower
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-04-13 19:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F}=C:\Program Files\Outerinfo\Outerinfo.dll []
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {995B2125-8441-4F79-9D41-E0EE0CFA6805}=C:\WINDOWS\system32\ddawv.dll []
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-06-24 05:03]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-24 05:03]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "F-Secure TNB"="C:\F-Secure\admin.pub\TNB\TNBUtil.exe" [2004-05-27 04:57]
    "F-Secure Manager"="C:\F-Secure\admin.pub\Common\FSM32.exe" [2005-10-25 21:51]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 16:18]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-06-11 01:07]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22]
    "SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
    "SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-06-09 09:51]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46]
    "Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 08:49]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04]
    "ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
    "@"="" []
    "SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
    "SpywareBot"="C:\Program Files\SpywareBot\SpywareBot.exe" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 04:56]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" []
    "Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 19:25]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]


    Contents of the 'Scheduled Tasks' folder
    2007-06-21 02:21:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2006-03-24 10:50:16 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1135301524.job
    2007-06-23 00:38:24 C:\WINDOWS\tasks\RegSweep Scheduled Scan.job
    2007-06-25 15:51:23 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-27 10:12:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-27 10:17:05 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-27 10:16

    --- E O F ---


    VundoFix report


    VundoFix V6.5.1

    Checking Java version...

    Scan started at 9:39:43 AM 6/27/2007

    Listing files found while scanning....

    C:\windows\system32\cyvjfaqe.ini
    C:\WINDOWS\system32\ddawv.dll
    C:\windows\system32\eqafjvyc.dll
    C:\WINDOWS\system32\ijqsqyqd.dll
    C:\WINDOWS\system32\vwadd.bak1
    C:\WINDOWS\system32\vwadd.bak2
    C:\WINDOWS\system32\vwadd.ini
    C:\WINDOWS\system32\vwadd.ini2
    C:\WINDOWS\system32\vwadd.tmp

    Beginning removal...

    Attempting to delete C:\windows\system32\cyvjfaqe.ini
    C:\windows\system32\cyvjfaqe.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddawv.dll
    C:\WINDOWS\system32\ddawv.dll Has been deleted!

    Attempting to delete C:\windows\system32\eqafjvyc.dll
    C:\windows\system32\eqafjvyc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vwadd.bak1
    C:\WINDOWS\system32\vwadd.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vwadd.bak2
    C:\WINDOWS\system32\vwadd.bak2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vwadd.ini
    C:\WINDOWS\system32\vwadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vwadd.ini2
    C:\WINDOWS\system32\vwadd.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\vwadd.tmp
    C:\WINDOWS\system32\vwadd.tmp Has been deleted!

    Performing Repairs to the registry.
    Done!

  7. #7
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Uninstall from add/remove programs:

    Spywarebot

    Open HijackThis, click do a system scan only and checkmark these:

    O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
    O2 - BHO: (no name) - {995B2125-8441-4F79-9D41-E0EE0CFA6805} - C:\WINDOWS\system32\ddawv.dll (file missing)
    O4 - HKLM\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot
    O4 - HKCU\..\Run: [SpywareBot] C:\Program Files\SpywareBot\SpywareBot.exe -boot


    Close all windows including browser and press fix checked.

    Reboot.

    Open notepad and copy/paste the text in the quotebox below into it:

    File::
    C:\WINDOWS\SYSTEM32\jxxrlmtd.dll
    C:\WINDOWS\SYSTEM32\ekfbncbc.dll
    C:\WINDOWS\SYSTEM32\rygnlwyr.dll
    C:\WINDOWS\SYSTEM32\ufhpnkim.dll
    C:\WINDOWS\SYSTEM32\ywcypqey.dll

    Folder::
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot
    Save this as ComboFix-Do.txt

    Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.



    This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
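    Added example, not part of this thread and not code from HijackThis, ComboFix or VundoFix: a small Python triage helper that applies, over lines copied from the logs above, the checks the reply above applied by eye. An O2 BHO marked "(file missing)" is an orphaned load point whose registration still has to go; several freshly created DLLs in system32 with different random names but one identical size (the four 128,576-byte files in the ComboFix log) are one build of the same dropped component under rotating names; and a DLL whose stem spelled backwards names another file (ddawv.dll and vwadd.ini, pmnll.dll and llnmp.ini, eqafjvyc.dll and cyvjfaqe.ini) has a companion to remove with it. The helper then renders the File::/Folder:: sections in the CFScript layout used in the reply. The heuristics, the size threshold and the sample selection are this example's own assumptions; "(no name)" by itself is deliberately not treated as a reason, since Spybot's SDHelper.dll is registered the same way.

```python
# Added example (not code from HijackThis, ComboFix or VundoFix): triage over the logs above.
import re
from collections import defaultdict
# Constructed sample input: lines copied from the logs posted earlier in this thread.
HJT_SAMPLE = r"""
O2 - BHO: (no name) - {2E9D4C81-9F27-4c14-B804-7B0F6BC88A4F} - C:\Program Files\Outerinfo\Outerinfo.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {995B2125-8441-4F79-9D41-E0EE0CFA6805} - C:\WINDOWS\system32\ddawv.dll (file missing)
"""
COMBOFIX_CREATED_SAMPLE = r"""
2007-06-27 07:35 11,254 --a------ C:\WINDOWS\SYSTEM32\locate.com
2007-06-26 20:32 128,576 --a------ C:\WINDOWS\SYSTEM32\jxxrlmtd.dll
2007-06-26 15:32 128,576 --a------ C:\WINDOWS\SYSTEM32\ekfbncbc.dll
2007-06-26 15:13 128,576 --a------ C:\WINDOWS\SYSTEM32\rygnlwyr.dll
2007-06-26 11:59 128,576 --a------ C:\WINDOWS\SYSTEM32\ufhpnkim.dll
2007-06-26 08:07 66,112 --a------ C:\WINDOWS\SYSTEM32\ywcypqey.dll
"""
LISTED_FILES_SAMPLE = r"""
C:\windows\system32\cyvjfaqe.ini
C:\WINDOWS\system32\ddawv.dll
C:\windows\system32\eqafjvyc.dll
C:\WINDOWS\system32\ijqsqyqd.dll
C:\WINDOWS\system32\vwadd.ini
C:\WINDOWS\system32\pmnll.dll
C:\WINDOWS\system32\llnmp.ini
"""

BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                    r"(?P<path>.*?)(?P<missing> \(file missing\))?$")
CREATED_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+(?P<size>[\d,]+|<DIR>)\s+\S+\s+(?P<path>.+)$")

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def stem_ext(name):
    stem, dot, ext = name.rpartition(".")
    return (stem, ext) if dot else (name, "")

def parse_paths(text):
    return [ln.strip() for ln in text.splitlines() if ln.strip()]

def parse_created(text):
    """[(path, size_in_bytes)] for the file entries of a ComboFix 'Files Created' block."""
    out = []
    for m in filter(None, map(CREATED_RE.match, parse_paths(text))):
        if m.group("size") != "<DIR>":
            out.append((m.group("path"), int(m.group("size").replace(",", ""))))
    return out

def same_size_dll_clusters(created, min_count=3):
    """DLLs dropped into system32 grouped by byte size: differently named files of one
    identical size (128,576 above) are one build of a component copied under rotating names."""
    groups = defaultdict(list)
    for path, size in created:
        if basename(path).endswith(".dll") and "\\system32\\" in path.lower():
            groups[size].append(path)
    return {s: p for s, p in groups.items() if len(p) >= min_count}

def reversed_name_pairs(paths):
    """(dll, companion) pairs where the companion's stem is the DLL stem spelled backwards,
    the companion-file habit visible in the logs above (ddawv.dll <-> vwadd.ini)."""
    by_stem = defaultdict(list)
    for p in paths:
        by_stem[stem_ext(basename(p))[0]].append(p)
    pairs = []
    for p in paths:
        stem, ext = stem_ext(basename(p))
        if ext == "dll":
            pairs += [(p, c) for c in by_stem.get(stem[::-1], []) if c != p]
    return pairs

def suspicious_paths(created, listed):
    paths = set()  # union of both patterns, as full paths ready for a File:: section
    for group in same_size_dll_clusters(created).values():
        paths.update(group)
    for dll, companion in reversed_name_pairs(listed):
        paths.update((dll, companion))
    return paths

def flag_bhos(hjt_text, suspicious):
    """{clsid: [reasons]} for O2 lines worth fixing. '(no name)' alone is deliberately
    not a reason: Spybot's SDHelper.dll is registered without a name as well."""
    names = {basename(p) for p in suspicious}
    flagged = {}
    for m in filter(None, map(BHO_RE.match, parse_paths(hjt_text))):
        reasons = []
        if m.group("missing"):
            reasons.append("DLL is gone but its BHO registration remains (orphaned load point)")
        if basename(m.group("path")) in names:
            reasons.append("DLL matches a same-size-drop or reversed-name companion pattern")
        if reasons:
            flagged[m.group("clsid")] = reasons
    return flagged

def build_cfscript(files, folders=()):
    """File::/Folder:: sections in the CFScript layout used in the reply above."""
    lines = ["File::", *sorted(files)]
    if folders:
        lines += ["", "Folder::", *folders]
    return "\n".join(lines) + "\n"
```

    With the samples above, `flag_bhos(HJT_SAMPLE, suspicious_paths(parse_created(COMBOFIX_CREATED_SAMPLE), parse_paths(LISTED_FILES_SAMPLE)))` returns exactly the Outerinfo and ddawv CLSIDs, the two O2 lines checked in the reply, and leaves SDHelper.dll alone; `build_cfscript` on the same set prints a File:: block with the four same-size DLLs and the three reversed-name pairs. Size clustering is deliberately cross-referenced rather than judging a name by how random it looks, because plenty of legitimate DLLs (igfxdev.dll in the O20 line above, for one) would fail a "looks random" test.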

  8. #8
    Junior Member
    Join Date
    Jun 2007
    Posts
    19

    Default ComboFix log

    ComboFix log

    "daled" - 2007-06-27 11:10:44 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
    Command switches used :: C:\Documents and Settings\daled\Desktop\ComboFix-Do.txt


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\daled\APPLIC~1\SpywareBot
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\DataBase.ref
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_05_26 AM_235.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_05_28 AM_709.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_05_32 AM_464.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_05_39 AM_895.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_15_36 AM_222.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_15_36 AM_283.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_19_18 AM_752.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_19_18 AM_772.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_35_50 AM_674.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_35_50 AM_895.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_35_53 AM_907.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_35_55 AM_181.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_37_30 AM_994.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 07_37_31 AM_024.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 08_46_38 AM_485.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 08_46_39 AM_246.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 08_46_50 AM_311.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 08_46_50 AM_342.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 10_44_54 AM_571.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 10_44_54 AM_702.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 10_45_02 AM_181.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 10_45_02 AM_221.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 11_49_05 AM_530.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 11_49_05 AM_861.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 11_51_22 AM_645.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Log\2007 Jun 25 - 11_51_22 AM_726.log
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\rs.dat
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Settings\CustomScan.stg
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Settings\IgnoreList.stg
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Settings\ScanInfo.stg
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Settings\ScanResults.stg
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Settings\SelectedFolders.stg
    C:\DOCUME~1\daled\APPLIC~1\SpywareBot\Settings\Settings.stg
    C:\WINDOWS\SYSTEM32\jxxrlmtd.dll
    C:\WINDOWS\SYSTEM32\rygnlwyr.dll
    C:\WINDOWS\SYSTEM32\ufhpnkim.dll
    C:\WINDOWS\SYSTEM32\ywcypqey.dll


    ((((((((((((((((((((((((( Files Created from 2007-05-27 to 2007-06-27 )))))))))))))))))))))))))))))))


    2007-06-27 11:02 <DIR> d-------- C:\Program Files\backups
    2007-06-27 09:57 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-27 09:39 <DIR> d----c--- C:\VundoFix Backups
    2007-06-27 08:34 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-27 07:35 11,254 --a------ C:\WINDOWS\SYSTEM32\locate.com
    2007-06-26 19:49 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
    2007-06-26 16:22 <DIR> d-------- C:\WINDOWS\BDOSCAN8
    2007-06-26 15:32 128,576 --a------ C:\WINDOWS\SYSTEM32\ekfbncbc.dll
    2007-06-26 13:12 0 --a------ C:\WINDOWS\SYSTEM32\SBRC.dat
    2007-06-26 13:12 0 --a------ C:\WINDOWS\SYSTEM32\SBFC.dat
    2007-06-26 12:47 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Sunbelt Software
    2007-06-26 12:24 <DIR> d-------- C:\Program Files\Sunbelt Software
    2007-06-26 12:10 <DIR> d----c--- C:\MGTools
    2007-06-26 08:27 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
    2007-06-25 16:59 76,560 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\tmcomm.sys
    2007-06-25 12:53 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-06-24 04:56 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google Updater
    2007-06-24 04:55 <DIR> d-------- C:\Program Files\Google
    2007-06-24 04:50 <DIR> d----c--- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
    2007-06-22 06:22 <DIR> d-------- C:\DOCUME~1\daled\APPLIC~1\RegSweep
    2007-06-11 08:25 0 --a------ C:\WINDOWS\nsreg.dat


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-27 13:19:54 -------- d-----w C:\Program Files\IMT
    2007-06-27 00:00:11 -------- d-----w C:\Program Files\Apoint
    2007-06-27 00:00:06 -------- d-----w C:\Program Files\QuickTime
    2007-06-26 23:59:52 -------- d-----w C:\Program Files\Lexmark X5100 Series
    2007-06-26 23:59:40 -------- d-----w C:\Program Files\Microsoft ActiveSync
    2007-06-26 23:59:36 -------- d-----w C:\Program Files\Microsoft Location Finder
    2007-06-26 23:59:35 -------- d-----w C:\Program Files\Digital Line Detect
    2007-06-26 23:59:22 -------- d-----w C:\Program Files\Palm
    2007-06-25 20:59:12 -------- d-----w C:\Program Files\Trend Micro
    2007-06-24 09:58:25 -------- d-----w C:\DOCUME~1\daled\APPLIC~1\Google
    2007-06-24 09:31:41 -------- d-----w C:\Program Files\Watchtower
    2007-06-24 09:27:35 -------- d-----w C:\Program Files\MSN Gaming Zone
    2007-06-24 09:25:48 -------- d-----w C:\Program Files\Motorola
    2007-06-24 09:25:05 -------- d-----w C:\Program Files\iPod
    2007-06-24 09:21:53 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-06-24 09:17:58 -------- d-----w C:\Program Files\Dell
    2007-06-22 10:29:45 -------- d-----w C:\Program Files\Online Services
    2007-05-29 21:41:47 -------- d-----w C:\DOCUME~1\daled\APPLIC~1\F-Secure
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-15 11:26:36 -------- d-----w C:\DOCUME~1\daled\APPLIC~1\Watchtower
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 02:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 02:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll []
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar1.dll [2007-06-24 05:03]
    {AF69DE43-7D58-4638-B6FA-CE66B5AD205D}=C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll [2007-06-24 05:03]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "F-Secure TNB"="C:\F-Secure\admin.pub\TNB\TNBUtil.exe" [2004-05-27 04:57]
    "F-Secure Manager"="C:\F-Secure\admin.pub\Common\FSM32.exe" [2005-10-25 21:51]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2003-06-20 16:18]
    "Apoint"="C:\Program Files\Apoint\Apoint.exe" [2003-06-11 01:07]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
    "UserFaultCheck"="%systemroot%\system32\dumprep 0 -u" []
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" []
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 11:22]
    "SetDefPrt"="C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe" [2004-11-11 18:14]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe" [2005-06-09 09:51]
    "PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2004-04-14 15:46]
    "Lexmark X5100 Series"="C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe" [2003-03-04 08:49]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" []
    "IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2004-04-14 16:04]
    "ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-01-07 18:30]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 03:06]
    "Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe" [2007-03-09 11:09]
    "@"="" []
    "SBCSTray"="C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe" [2007-03-09 10:31]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]
    "H/PC Connection Agent"="C:\Program Files\Microsoft ActiveSync\wcescomm.exe" [2006-11-13 13:39]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-06-24 04:56]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\ypager.exe" []
    "MSMSGS"="C:\Program Files\Messenger\MSMSGS.exe" []
    "Microsoft Location Finder"="C:\Program Files\Microsoft Location Finder\LocationFinder.exe" [2005-08-24 19:25]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages msv1_0 nwprovau

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\SBCSSvc]


    Contents of the 'Scheduled Tasks' folder
    2007-06-21 02:21:03 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
    2006-03-24 10:50:16 C:\WINDOWS\tasks\FRU Task #Hewlett-Packard#hp officejet 4100 series#1135301524.job
    2007-06-23 00:38:24 C:\WINDOWS\tasks\RegSweep Scheduled Scan.job
    2007-06-25 15:51:23 C:\WINDOWS\tasks\SpywareBot Scheduled Scan.job

    **************************************************************************

    catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-27 11:14:40
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-27 11:15:39
    C:\ComboFix-quarantined-files.txt ... 2007-06-27 11:15
    C:\ComboFix2.txt ... 2007-06-27 10:17

    --- E O F ---

  9. #9
    Junior Member
    Join Date
    Jun 2007
    Posts
    19

    Default HijackThis log

    Logfile of HijackThis v1.99.1
    Scan saved at 11:19, on 2007-06-27
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\F-Secure\admin.pub\BackWeb\7681197\Program\SERVIC~1.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsgk32st.exe
    C:\F-Secure\admin.pub\BackWeb\7681197\program\fsbwsys.exe
    C:\F-Secure\admin.pub\Anti-Virus\FSGK32.EXE
    C:\F-Secure\admin.pub\Common\FSMA32.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fssm32.exe
    C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    C:\F-Secure\admin.pub\Common\FSMB32.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    C:\F-Secure\admin.pub\Common\FCH32.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\F-Secure\admin.pub\Common\FAMEH32.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsqh.exe
    C:\F-Secure\admin.pub\Anti-Virus\fsrw.exe
    C:\WINDOWS\System32\bcmwltry.exe
    C:\F-Secure\admin.pub\FWES\Program\fsdfwd.exe
    C:\F-Secure\admin.pub\Common\FNRB32.EXE
    C:\F-Secure\admin.pub\Common\FIH32.EXE
    C:\F-Secure\admin.pub\Anti-Virus\fsav32.exe
    C:\F-Secure\admin.pub\Common\FSM32.EXE
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Apoint\Apoint.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\F-Secure\admin.pub\ANTI-S~1\fsaw.exe
    C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe
    C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    C:\Program Files\Apoint\Apntex.exe
    C:\F-Secure\admin.pub\FSGUI\fsguidll.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe
    C:\Program Files\Lexmark X5100 Series\lxbabmon.exe
    C:\Program Files\Brother\ControlCenter2\brctrcen.exe
    C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe
    C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Microsoft ActiveSync\wcescomm.exe
    C:\Program Files\Microsoft Location Finder\LocationFinder.exe
    C:\PROGRA~1\MI3AA1~1\rapimgr.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\F-Secure\admin.pub\BackWeb\7681197\program\F-Secure Automatic Update.exe
    C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    C:\Program Files\Palm\Hotsync.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpomau08.exe
    C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpotdd01.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\scanner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlid...treg?clid=1033
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [F-Secure TNB] "C:\F-Secure\admin.pub\TNB\TNBUtil.exe" /CHECKALL /WAITFORSW
    O4 - HKLM\..\Run: [F-Secure Manager] "C:\F-Secure\admin.pub\Common\FSM32.EXE" /splash
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [SetDefPrt] C:\Program Files\Brother\Brmfl04g\BrStDvPt.exe
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
    O4 - HKLM\..\Run: [Lexmark X5100 Series] "C:\Program Files\Lexmark X5100 Series\lxbabmgr.exe"
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
    O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"
    O4 - HKLM\..\Run: [SBCSTray] C:\Program Files\Sunbelt Software\CounterSpy\SBCSTray.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
    O4 - HKCU\..\Run: [Microsoft Location Finder] "C:\Program Files\Microsoft Location Finder\LocationFinder.exe"
    O4 - Startup: Palm Registration.lnk = C:\Program Files\Palm\register.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: F-Secure Automatic Update.lnk = C:\F-Secure\admin.pub\BackWeb\7681197\program\F-Secure Automatic Update.exe
    O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
    O4 - Global Startup: HOTSYNCSHORTCUTNAME.lnk = C:\Program Files\Palm\Hotsync.exe
    O4 - Global Startup: hp officejet 4100 series.lnk = ?
    O4 - Global Startup: hpoddt01.exe.lnk = ?
    O8 - Extra context menu item: &Block this popup - C:\F-Secure\admin.pub\Anti-Spyware\blockpopups.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MI3AA1~1\INetRepl.dll
    O9 - Extra button: IE Shield - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\F-Secure\admin.pub\Anti-Spyware\ieshield.dll
    O9 - Extra 'Tools' menuitem: IE Shield... - {300DB664-75B5-47c0-8B45-A44ACCF73C00} - C:\F-Secure\admin.pub\Anti-Spyware\ieshield.dll
    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O10 - Unknown file in Winsock LSP: c:\f-secure\admin.pub\fsps\program\fslsp.dll
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor...fo/webscan.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O17 - HKLM\Software\..\Telephony: DomainName = Fontaine.msft
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = Fontaine.msft
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: F-Secure Automatic Update (BackWeb Plug-in - 7681197) - F-Secure Automatic Update - C:\F-Secure\admin.pub\BackWeb\7681197\Program\SERVIC~1.EXE
    O23 - Service: FSGKHS (F-Secure Gatekeeper Handler Starter) - F-Secure Corp. - C:\F-Secure\admin.pub\Anti-Virus\fsgk32st.exe
    O23 - Service: F-Secure Network Request Broker - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FNRB32.EXE
    O23 - Service: fsbwsys - F-Secure Corp. - C:\F-Secure\admin.pub\BackWeb\7681197\program\fsbwsys.exe
    O23 - Service: F-Secure Anti-Virus Firewall Daemon (FSDFWD) - F-Secure Corporation - C:\F-Secure\admin.pub\FWES\Program\fsdfwd.exe
    O23 - Service: F-Secure Management Agent (FSMA) - F-Secure Corporation - C:\F-Secure\admin.pub\Common\FSMA32.EXE
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: Sunbelt CounterSpy Antispyware (SBCSSvc) - Sunbelt Software - C:\Program Files\Sunbelt Software\CounterSpy\SBCSSvc.exe
    O23 - Service: Sprint PCS v3 Utility Service - Sprint Spectrum, L.L.C - C:\Program Files\Sprint\Sprint PCS Connection Manager\CMSPCSUtilSvc.exe
    O23 - Service: WLTRYSVC - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

  10. #10
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Delete this:

    C:\WINDOWS\SYSTEM32\ekfbncbc.dll

    Empty Recycle Bin

    Please do an online scan with Kaspersky Online Scanner. You will be prompted to install an ActiveX component from Kaspersky; click Yes.
    • The program will launch and then start to download the latest definition files.
    • Once the scanner is installed and the definitions downloaded, click Next.
    • Now click on Scan Settings
    • In the scan settings make sure that the following are selected:

      o Scan using the following Anti-Virus database:

      + Extended (If available otherwise Standard)

      o Scan Options:

      + Scan Archives
      + Scan Mail Bases
    • Click OK
    • Now under select a target to scan select My Computer
    • The scan will take a while so be patient and let it run. Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button
    • Save the file to your desktop.
    • Copy and paste that information in your next post.


    Post:

    - a fresh HijackThis log
    - Kaspersky report

    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006
