
Thread: "Command Service, WinAntiSpyware, and Virtumonde"

  1. #11 Junior Member (Join Date: Sep 2007, Posts: 13)

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:37:51 PM, on 10/8/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\SONY\sHotKey\sHotKey.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\program files\support.com\client\bin\tgcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
    C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Hijackthis\Scanner.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
    O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
    O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
    O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

    --
    End of file - 7718 bytes


    Logfile of The Avenger version 1, by Swandog46
    Running from registry key:
    \Registry\Machine\System\CurrentControlSet\Services\mkmeipxc

    *******************

    Script file located at: \??\C:\Documents and Settings\lsxwxbvv.txt
    Script file opened successfully.

    Script file read successfully

    Backups directory opened successfully at C:\Avenger

    *******************

    Beginning to process script file:



    File C:\WINDOWS\system32\qommllm.dll not found!
    Deletion of file C:\WINDOWS\system32\qommllm.dll failed!

    Could not process line:
    C:\WINDOWS\system32\qommllm.dll
    Status: 0xc0000034



    File C:\WINDOWS\System32\ssqrr.dll not found!
    Deletion of file C:\WINDOWS\System32\ssqrr.dll failed!

    Could not process line:
    C:\WINDOWS\System32\ssqrr.dll
    Status: 0xc0000034



    File C:\WINDOWS\retadpu1000106.exe not found!
    Deletion of file C:\WINDOWS\retadpu1000106.exe failed!

    Could not process line:
    C:\WINDOWS\retadpu1000106.exe
    Status: 0xc0000034



    Folder C:\Program Files\ISM not found!
    Deletion of folder C:\Program Files\ISM failed!

    Could not process line:
    C:\Program Files\ISM
    Status: 0xc0000034


    Completed script processing.

    *******************

    Finished! Terminate.

  2. #12 Junior Member (Join Date: Sep 2007, Posts: 13)

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 10/08/2007 at 09:30 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3321
    Trace Rules Database Version: 1322

    Scan type : Complete Scan
    Total Scan Time : 01:01:50

    Memory items scanned : 388
    Memory threats detected : 0
    Registry items scanned : 5819
    Registry threats detected : 3
    File items scanned : 36948
    File threats detected : 206

    Adware.Tracking Cookie
    C:\Documents and Settings\Jose\Cookies\jose@revsci[2].txt
    C:\Documents and Settings\Jose\Cookies\jose@atwola[1].txt
    C:\Documents and Settings\Jose\Cookies\jose@serving-sys[2].txt
    C:\Documents and Settings\Jose\Cookies\jose@ad.yieldmanager[1].txt
    C:\Documents and Settings\Jose\Cookies\jose@zedo[2].txt
    C:\Documents and Settings\Jose\Cookies\jose@ads.k8l[1].txt
    C:\Documents and Settings\Jose\Cookies\jose@2o7[2].txt
    C:\Documents and Settings\Jose\Cookies\jose@html[1].txt
    C:\Documents and Settings\Jose\Cookies\jose@cgi-bin[1].txt
    C:\Documents and Settings\Jose\Cookies\jose@adrevolver[2].txt
    C:\Documents and Settings\Jose\Cookies\jose@media.adrevolver[2].txt
    C:\Documents and Settings\Jose\Cookies\jose@atdmt[2].txt
    C:\Documents and Settings\Jose\Cookies\jose@mediaplex[1].txt
    C:\Documents and Settings\Jose\Cookies\jose@bs.serving-sys[2].txt
    C:\Documents and Settings\Jose\Cookies\jose@advertising[1].txt
    C:\Documents and Settings\Jose\Cookies\jose@doubleclick[1].txt
    C:\Documents and Settings\Jose\Cookies\jose@adrevolver[3].txt

    Adware.AdSponsor
    HKCR\AppId\AdBand.DLL
    HKCR\AppId\AdBand.DLL#AppID

    Adware.AdSponsor/ISM
    HKU\S-1-5-21-3504141195-3040112619-1337730830-1004\Software\BndDrive
    C:\Documents and Settings\Jose\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
    C:\Documents and Settings\Jose\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
    C:\Documents and Settings\Jose\Start Menu\Programs\Internet Speed Monitor
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\BNDLOADER.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\ISM.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\ISM\ISMMODULE4.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175339.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175340.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175341.EXE

    Unclassified.Unknown Origin
    C:\HIJACKTHIS\BACKUPS\BACKUP-20070926-213549-715.DLL
    C:\HIJACKTHIS\BACKUPS\BACKUP-20070926-213549-885.DLL
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\TTC.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1167170.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1168169.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1170169.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1171169.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172169.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172179.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1173169.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\SNAPSHOT\MFEX-1.DAT
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1173303.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1174309.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1175319.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1175320.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\SNAPSHOT\MFEX-1.DAT
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175338.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\SNAPSHOT\MFEX-1.DAT

    Adware.Vundo Variant
    C:\HIJACKTHIS\BACKUPS\BACKUP-20070926-213549-851.DLL
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JKKHEDA.DLL.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166151.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166166.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175356.DLL
    C:\VUNDOFIX BACKUPS\QOMMLLM.DLL.BAD

    Adware.WebBuying Assistant-Installer
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.4\WBUNINST.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WEB BUYING\V1.8.4\WEBBUYING.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1167169.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175343.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175344.EXE

    Trojan.ZQuest
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD162.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD231.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD247.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD389.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD459.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD513.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD750.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD843.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\WINDOWSUPDATE\QUDASUD954.DLL.VIR

    Adware.eZula
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AAYEQOVL.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AJUWXYEL.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AOECNMCU.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BEVMBDTW.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\BFQASMPI.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CPWMDDNM.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\CYDJWFPB.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DOUODMAG.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\DSAWWLNQ.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EDGEOOUJ.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EHNGPNIS.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\EUGHDBGW.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FACVFFAQ.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FFWTJDTD.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\FKFFQWQX.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HDFGPJFR.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\HURPLPIA.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IPILETDB.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IQCWSDGU.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\IVCJDHUV.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JANYJBHX.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\KENSTKYP.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LFEVHGMF.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LJSWBUWQ.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LJWVQEHP.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LQOUBTBE.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\LQXWTLCF.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\MEFECSBP.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\NBIYHILX.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OBMNMOTG.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OCOLPSCR.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OCOQDTRO.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\OLEHLCVH.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QHVSKKSX.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QOQDVCYY.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QRIGAKQH.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QVQJFCBR.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\QXHTHXCT.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SHSNKFOA.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SPAEHGDJ.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TGTFPGAT.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\TWGQTTFI.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\UMNIRCHU.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\USXVYUMI.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VEMGBNEE.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\VNRREDXI.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\WNURQDGA.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\XBWOBONN.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YGHDUDXI.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YHIYNKRO.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\YXGOWYMD.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP328\A1139913.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP329\A1141021.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP331\A1163997.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166099.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166100.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166101.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166102.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166103.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166104.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166105.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166106.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166107.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166108.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166109.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166110.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166111.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166112.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166113.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166114.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166115.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166116.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166117.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166118.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166119.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166120.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166121.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166122.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166123.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166124.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166125.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166126.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166127.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166128.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166129.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166130.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166131.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166132.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166133.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166134.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166135.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166136.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166137.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166138.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166139.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166140.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166141.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166142.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166143.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166144.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166145.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166146.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166147.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166148.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP332\A1166149.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1173170.EXE

    Adware.Adservs
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\Z1\MID2DLL.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1173171.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175345.EXE

    Trojan.ZQuest-Installer
    C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1167178.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1169176.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1170177.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1171177.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172177.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP334\A1173293.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1173316.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1175316.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175348.EXE

    Trojan.Unknown Origin
    C:\QOOBOX\QUARANTINE\C\WINDOWS\TTC-4444.EXE.VIR
    C:\QOOBOX\QUARANTINE\C\WINDOWS\UNINSTALL_NMON.VBS.VIR
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP323\A1118878.VBS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1167177.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1169175.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1170176.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1171176.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172176.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP334\A1173292.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1173315.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP335\A1175315.EXE
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175337.VBS
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP336\A1175349.EXE
    C:\WINDOWS\SM9ZZQ\MA6WTK.VBS
    C:\WINDOWS\SYSTEM32\DL1\MMEMDT83122.EXE

    Trojan.Downloader-Gen/HitItQuitIt
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP323\A1118880.DLL
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP323\A1118881.DLL

    Trojan.WinAntiSpyware 2007
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP329\A1148014.EXE

    Trojan.NetMon/DNSChange
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1172180.EXE

    Adware.WebBuying Assistant/Resident
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{9EB11C26-F7D9-4FB7-B426-D4B624B3F43D}\RP333\A1173172.DLL

    BearShare File Sharing Client
    D:\PROGRAM FILES\BEARSHARE APPLICATIONS\BEARSHARE\BEARSHARE.EXE
    C:\WINDOWS\Prefetch\BEARSHARE.EXE-302796FB.pf

  3. #13 Emeritus-Security Expert (Join Date: Nov 2005, Location: Florida's SpaceCoast, Posts: 15,208)

    Good Morning,

    Remove both of these entries with HJT, then check your HJT log after you remove them; if they're still present you will have to boot to Safemode to remove them.

    O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)

    O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)


    To Enter Safemode
    • Go to Start> Shut off your Computer> Restart
    • As the computer starts to boot-up, Tap the F8 KEY somewhat rapidly,
      this will bring up a menu.
    • Use the Up and Down Arrow Keys to scroll up to Safemode
    • Then press the Enter Key on your Keyboard

    Tutorial if you need it: How to boot into Safemode


    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.


    Your system may start up slower after running ATF Cleaner; this is expected and it will be back to normal after the first or second boot-up.


    Delete the Combofix program that you downloaded and download it again, as it's updated every few days; then run it and post a new Combolog and a new HJT log.

    Download ComboFix from Here or Here to your Desktop.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply.

    Note: Do not mouseclick combofix's window while it's running. That may cause it to stall.

    The rest of your log looks good, just want to make sure that there is nothing left on your system that needs to go.

    Ken
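Ken's advice above hinges on two log lines whose registered DLL no longer exists on disk. As an added example (not code from this thread or from HijackThis), the script below parses HJT O2/O3/O9/O20/O23 lines and lists such orphaned registrations automatically; the sample lines are taken from the log posted earlier, and the field layout it assumes is inferred from that log.

```python
"""Triage helper for HijackThis (HJT) log lines.

Added example for this thread; not code from the original posts or from
HijackThis. It parses "Oxx - Kind: name - {CLSID} - path" lines and flags
registrations whose backing file is gone ("(file missing)" / "(no file)"),
the orphaned BHO and Winlogon Notify entries the helper above asks to remove.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Sample input: lines quoted from the HJT log posted earlier in this thread.
SAMPLE_LOG = [
    r"O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll",
    r"O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)",
    r"O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)",
    r"O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)",
    r"O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe",
    r"O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll",
    r"O20 - Winlogon Notify: pmnkkii - pmnkkii.dll (file missing)",
    r"O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe",
]

# Sections whose last field is a DLL/EXE path that should exist on disk
# (assumption drawn from the log format seen in this thread).
FILE_BACKED_SECTIONS = {"O2", "O3", "O9", "O20", "O23"}

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
HEADER_RE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
MISSING_SUFFIX = " (file missing)"


@dataclass
class HjtEntry:
    section: str          # "O2", "O20", ...
    kind: str             # "BHO", "Toolbar", "Winlogon Notify", "Service", ...
    name: str             # display name; HJT prints "(no name)" when absent
    clsid: Optional[str]  # COM class id when the line carries one
    path: Optional[str]   # file the registration points at, if any
    file_missing: bool    # HJT could not find that file on disk


def parse_line(line: str) -> Optional[HjtEntry]:
    """Parse one HJT log line; returns None for lines that are not entries."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    # "Kind: rest"; R0/R1 lines carry no kind prefix, so fall back to the body.
    kind, sep, rest = body.partition(": ")
    if not sep:
        kind, rest = "", body
    # Remaining fields are " - " separated: name [- CLSID] [- vendor] - path.
    parts = [p.strip() for p in rest.split(" - ")]
    clsid_match = CLSID_RE.search(rest)
    clsid = clsid_match.group(0) if clsid_match else None
    # Names may themselves contain " - ", so cut at the CLSID when there is one.
    name = rest[: clsid_match.start()].rstrip(" -") if clsid_match else parts[0]
    path: Optional[str] = None
    file_missing = False
    if section in FILE_BACKED_SECTIONS and len(parts) > 1:
        path = parts[-1]
        if path == "(no file)":
            path, file_missing = None, True
        elif path.endswith(MISSING_SUFFIX):
            path, file_missing = path[: -len(MISSING_SUFFIX)], True
    return HjtEntry(section, kind, name, clsid, path, file_missing)


def orphaned_entries(lines: Iterable[str]) -> List[HjtEntry]:
    """Entries that register a file HJT could not find on disk.

    Such leftovers (a BHO or Winlogon Notify hook whose DLL is already gone)
    do nothing by themselves, but they show cleanup is unfinished and the
    registry key would load the component again if the file came back.
    """
    return [e for e in map(parse_line, lines) if e is not None and e.file_missing]


def describe(entry: HjtEntry) -> str:
    """One-line summary for a triage report."""
    target = entry.path or "(no file)"
    clsid = f" {entry.clsid}" if entry.clsid else ""
    flag = " [file missing]" if entry.file_missing else ""
    return f"{entry.section} {entry.kind}: {entry.name}{clsid} -> {target}{flag}"


if __name__ == "__main__":
    for entry in orphaned_entries(SAMPLE_LOG):
        print(describe(entry))
```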

  4. #14 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,961)

    blitz, still with us?
    Microsoft MVP Reconnect 2018-
    Windows Insider MVP 2016-2018
    Microsoft Consumer Security MVP 2006-2016

  5. #15 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,961)

    This topic has been archived due to lack of a response.

    If you need it re-opened, please send me a private message (pm) and provide a link to the thread.

    Applies only to the original poster, anyone else with similar problems please start a new topic.

    Thank you ken545.

  6. #16 tashi, Member of Team Spybot (Join Date: Oct 2005, Location: USA, Posts: 30,961)

    Re-opened upon request.

  7. #17 Junior Member (Join Date: Sep 2007, Posts: 13)

    Hey, sorry about the really late response, I've been busy. I really appreciate all you're doing, Ken.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:31:02 AM, on 10/21/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehSched.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
    C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
    C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\SONY\sHotKey\sHotKey.exe
    C:\WINDOWS\ehome\ehmsas.exe
    C:\WINDOWS\System32\ezSP_Px.exe
    C:\program files\support.com\client\bin\tgcmd.exe
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Hijackthis\Scanner.exe.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.sony.com/vaiopeople
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll (file missing)
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll (file missing)
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [sHotKey] "C:\Program Files\SONY\sHotKey\sHotKey.exe"
    O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
    O4 - HKLM\..\Run: [ZTgServerSwitch] "c:\program files\support.com\client\bin\tgcmd.exe" /server
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
    O4 - HKLM\..\Run: [VAIO Recovery] C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ares] "D:\Program Files\Ares\Ares.exe" -h
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Steam] "D:\steam\Steam.exe" -silent
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = ?
    O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - D:\Program Files\AIM95\aim.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O14 - IERESET.INF: START_PAGE_URL=http://www.sony.com/vaiopeople
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
    O23 - Service: SonicStageMonitoring - Sony Corporation - C:\Program Files\Common Files\Sony Shared\WMPlugIn\SonicStageMonitoring.exe
    O23 - Service: Sony TV Tuner Controller - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\halsv.exe
    O23 - Service: Sony TV Tuner Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\RM_SV.exe
    O23 - Service: Sony TVTA Manager - Sony Corporation - C:\Program Files\Sony\Sony TV Tuner Library\SMceMan.exe
    O23 - Service: VAIO Media Music Server (VAIOMediaPlatform-MusicServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Music\SSSvr.exe
    O23 - Service: VAIO Media Music Server (HTTP) (VAIOMediaPlatform-MusicServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Music Server (UPnP) (VAIOMediaPlatform-MusicServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Photo Server (VAIOMediaPlatform-PhotoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Photo\appsrv\PhotoAppSrv.exe
    O23 - Service: VAIO Media Photo Server (HTTP) (VAIOMediaPlatform-PhotoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Photo Server (UPnP) (VAIOMediaPlatform-PhotoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe
    O23 - Service: VAIO Media Video Server (VAIOMediaPlatform-VideoServer-AppServer) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Video\GPVSvr.exe
    O23 - Service: VAIO Media Video Server (HTTP) (VAIOMediaPlatform-VideoServer-HTTP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\SV_Httpd.exe
    O23 - Service: VAIO Media Video Server (UPnP) (VAIOMediaPlatform-VideoServer-UPnP) - Sony Corporation - C:\Program Files\Sony\VAIO Media Integrated Server\Platform\UPnPFramework.exe

    --
    End of file - 7537 bytes

    ComboFix 07-10-21.1** - Jose 2007-10-21 1:20:41.3 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.688 [GMT -5:00]
    Running from: C:\Documents and Settings\Jose\Desktop\ComboFix(2).exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\LocalService\Application Data\NetMon
    C:\Documents and Settings\LocalService\Application Data\NetMon\domains.txt
    C:\Documents and Settings\LocalService\Application Data\NetMon\log.txt
    C:\WINDOWS\system32\akyircxj.dll
    C:\WINDOWS\system32\arbpatvd.dll
    C:\WINDOWS\system32\aufmcjus.dll
    C:\WINDOWS\system32\dvtapbra.ini
    C:\WINDOWS\system32\dxeltopq.ini
    C:\WINDOWS\system32\ffspjrxv.dll
    C:\WINDOWS\system32\flelmgfp.ini
    C:\WINDOWS\system32\ggcomifs.ini
    C:\WINDOWS\system32\hgitqddt.dll
    C:\WINDOWS\system32\jkmfvvwt.ini
    C:\WINDOWS\system32\jxcriyka.ini
    C:\WINDOWS\system32\pfgmlelf.dll
    C:\WINDOWS\system32\prwiwmaq.dll
    C:\WINDOWS\system32\qehadlau.ini
    C:\WINDOWS\system32\qpotlexd.dll
    C:\WINDOWS\system32\sfimocgg.dll
    C:\WINDOWS\system32\sujcmfua.ini
    C:\WINDOWS\system32\tddqtigh.ini
    C:\WINDOWS\system32\trwdtjcy.dll
    C:\WINDOWS\system32\twvvfmkj.dll
    C:\WINDOWS\system32\ualdaheq.dll

    .
    ((((((((((((((((((((((((( Files Created from 2007-09-21 to 2007-10-21 )))))))))))))))))))))))))))))))
    .

    2007-10-09 06:16 81,332 --a------ C:\WINDOWS\system32\bass.dll
    2007-10-08 20:27 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-10-08 20:27 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\SUPERAntiSpyware.com
    2007-10-08 20:27 <DIR> d----c--- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2007-09-26 13:32 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2007-09-26 13:31 <DIR> d----c--- C:\VundoFix Backups
    2007-09-26 13:27 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-09-26 10:31 <DIR> d-------- C:\WINDOWS\system32\GB9
    2007-09-26 10:31 <DIR> d-------- C:\WINDOWS\system32\DL1
    2007-09-26 09:52 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2007-09-26 09:34 <DIR> d----c--- C:\Hijackthis
    2007-09-25 23:51 <DIR> d-------- C:\Documents and Settings\Jose\Application Data\BearShare
    2007-09-21 01:29 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
    2007-09-21 01:29 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
    2007-09-21 01:29 89,088 --a------ C:\WINDOWS\system32\atl71.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-10-09 01:27 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-09-26 18:27 --------- d-----w C:\Program Files\Java
    2007-09-26 18:14 --------- dc----w C:\Documents and Settings\All Users\Application Data\Viewpoint
    2007-09-26 18:14 --------- d-----w C:\Program Files\Viewpoint
    2007-09-26 14:52 --------- dc----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-09-13 04:39 --------- d-----w C:\Program Files\MSN Messenger
    2007-02-24 02:55 1,397,554 -c--a-w C:\Documents and Settings\Jose\WoW-2.0.8.6403-to-0.0.10.6422-enUS-patch.exe
    .

    ((((((((((((((((((((((((((((( snapshot_2007-09-26_ 95950.26 )))))))))))))))))))))))))))))))))))))))))
    .
    - 2007-07-20 05:47:22 109,056 ----a-w C:\WINDOWS\catchme.exe
    + 2007-10-20 11:03:30 136,192 ----a-w C:\WINDOWS\catchme.exe
    + 2007-10-09 01:27:46 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
    + 2007-10-09 01:27:46 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
    + 2007-10-09 01:27:46 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
    - 2007-09-26 01:34:08 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    + 2007-10-10 02:13:19 16,384 -c--a-w C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat
    - 2007-09-26 01:34:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    + 2007-10-10 02:13:19 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat
    - 2007-09-26 01:34:08 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-10-10 02:13:19 32,768 -c--a-w C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    + 2007-09-23 14:13:54 9,814 ----a-w C:\WINDOWS\system32\GB9\wrdrvrdl23.exe
    - 2003-08-20 00:41:26 24,673 -c--a-w C:\WINDOWS\system32\java.exe
    + 2007-07-12 06:22:00 135,168 ----a-w C:\WINDOWS\system32\java.exe
    - 2003-08-20 00:41:28 28,771 -c--a-w C:\WINDOWS\system32\javaw.exe
    + 2007-07-12 06:22:04 135,168 ----a-w C:\WINDOWS\system32\javaw.exe
    + 2007-07-12 07:22:38 139,264 ----a-w C:\WINDOWS\system32\javaws.exe
    - 2003-07-30 12:00:00 1,388,544 ----a-w C:\WINDOWS\system32\msvbvm60.dll
    + 2002-09-04 02:33:38 1,394,688 ----a-w C:\WINDOWS\system32\msvbvm60.dll
    - 2007-07-22 23:39:27 279,552 ----a-w C:\WINDOWS\system32\swreg.exe
    + 2007-04-02 19:21:27 139,776 ----a-w C:\WINDOWS\system32\swreg.exe
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4b7c213c-b627-4975-af76-1b8aa21a66b3}]
    C:\WINDOWS\System32\wxeusvn.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@"="" []
    "ehTray"="C:\WINDOWS\ehome\ehtray.exe" [2003-11-12 06:54]
    "ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2003-11-16 00:00]
    "NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-08-18 20:56]
    "sHotKey"="C:\Program Files\SONY\sHotKey\sHotKey.exe" [2003-08-22 12:22]
    "ezShieldProtector for Px"="C:\WINDOWS\System32\ezSP_Px.exe" [2002-08-20 13:29]
    "ZTgServerSwitch"="c:\program files\support.com\client\bin\tgcmd.exe" [2003-06-23 19:32]
    "AGRSMMSG"="AGRSMMSG.exe" [2003-05-23 12:43 C:\WINDOWS\AGRSMMSG.exe]
    "UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 02:00]
    "VAIO Recovery"="C:\WINDOWS\Sonysys\VAIO Recovery\PartSeal.exe" [2003-04-20 00:08]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-10-25 19:58]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2006-10-30 10:36]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "@"="" []
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe" []
    "MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2007-01-19 12:54]
    "ares"="D:\Program Files\Ares\Ares.exe" [2006-02-11 17:37]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe" []
    "Steam"="D:\steam\Steam.exe" [2007-10-04 21:06]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkkii]
    pmnkkii.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 nwprovau

    R0 SonyLSM;LED State Service;C:\WINDOWS\System32\Drivers\SonyLSM.sys
    R3 P17;Creative SB Audigy LS;C:\WINDOWS\System32\drivers\P17.sys

    .
    Contents of the 'Scheduled Tasks' folder
    "2007-10-10 14:41:00 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
    "2006-01-19 23:11:59 C:\WINDOWS\Tasks\Registration reminder 2.job"
    - C:\WINDOWS\System32\OOBE\oobebaln.exe
    .
    **************************************************************************

    catchme 0.3.1232 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-10-21 01:23:53
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-10-21 1:25:58 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-09-26 21:52
    C:\ComboFix2.txt ... 2007-09-26 21:52
    C:\ComboFix3.txt ... 2007-09-26 10:00
    .
    --- E O F ---

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    You're back. Sorry they closed this on you, but if you don't respond in a week or so they close the thread.


    REGEDIT4

    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4b7c213c-b627-4975-af76-1b8aa21a66b3}]
    C:\WINDOWS\System32\wxeusvn.dll

    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkkii]
    pmnkkii.dll
    Copy the entire contents inside the Quote box and paste it into Notepad (this will only work with Notepad).
    Name the file Regfix.reg and in the drop down box, save it as All Files.
    Save it to your desktop.
    Then right-click on the Regfix.reg file and click on Merge.
    When it asks you to merge with the Registry, say yes.


    C:\VundoFix Backups <-- Delete this



    You need to enable windows to show all files and folders, instructions Here

    Go to this site Jotti Upload and under the browse feature, browse to this file
    C:\WINDOWS\system32\GB9\wrdrvrdl23.exe

    Then click on upload and it will give you a report, post the report in your next reply.


    System Restore makes regular backups of all your settings. If you ever had to use this program to restore your system to a previous date, you would be infected all over again, so we need to clean out the previous Restore Points.

    Turn off System Restore.

    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • Check Turn off System Restore on all Drives.
    • Click Apply, and then click OK.



    Reboot your computer


    Turn ON System Restore.

    • Right-click My Computer.
    • Click Properties.
    • Click the System Restore tab.
    • UN-Check Turn off System Restore on all Drives.
    • Click Apply, and then click OK.



    Create a new Restore Point <-- Very Important

    • Go to Start/ Control Panel/ Performance and Maintenance/ System Restore/ Create a New Restore Point
      You need to go into the Control Panel and switch to Category View to be able to Create a New Restore Point

    System Restore Tutorial <-- If you need it




    • Your Java is out of date and leaving your system vulnerable.
    • Go to your Add-Remove Programs in the Control Panel and uninstall any previous versions of Java (J2SE Runtime Environment)
    • It should have an icon next to it:

      Select it and click Remove.
    • Reboot your system.
    • Then go to the Sun Microsystems site and install the update
    • Java Runtime Environment Version 6 Update 3 <--This is what you need to download and install.
    • If you chose the online installation, it will prompt you to run the program.
    • If you chose the offline installation, you will be prompted to save the file and you can run it from wherever you saved it.
    • Then after install you can verify your installation here Sun Java Verify
    I like to do the offline installation and save the setup file in case I may need it in the future


    Run this free online virus scanner and post the report
    http://www.kaspersky.com/kos/english/kavwebscan.html



    Let me see the file upload report and the Kaspersky report please

    The rest of your log looks fine, how are things running now??
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
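    The two entries ken targets in the Regfix above (the BHO whose DLL is "(file missing)" and the Winlogon Notify entry pointing at a bare, random-looking DLL name) are the sort of thing a helper picks out of a HijackThis log by eye. The following is an added example, not HijackThis, ComboFix or any tool used in this thread: a small triage script that applies those same checks to log lines. The sample lines are constructed; most mirror entries quoted in the logs posted above, and the pmnkkii O20 line is built from the ComboFix "Reg Loading Points" entry so the heuristic can be shown on it. The "random-looking name" rule is a heuristic only and will produce false positives; it ranks entries for review, it does not decide.

```python
"""Triage of HijackThis-style log lines: flag entries a helper would look at first.

Added example for this thread; it is not HijackThis, ComboFix or any tool the
forum uses. The sample lines below are constructed: most mirror entries quoted
in the thread, and the pmnkkii O20 line is built from the ComboFix
'Reg Loading Points' entry so the same heuristics can be shown on it.
"""
import re

# Line shapes this example understands (O2 = browser helper object,
# O4 = Run key autostart, O20 = Winlogon Notify DLL).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")

# Heuristic only: a bare run of 7-8 lowercase letters, the shape of the
# generated DLL names seen in this thread (wxeusvn.dll, pmnkkii.dll, and the
# system32 files ComboFix deleted). Expect false positives; it ranks entries
# for a human to review, it does not convict.
RANDOM_DLL_RE = re.compile(r"^[a-z]{7,8}\.dll$")

ORPHANED = "orphaned: the referenced file no longer exists"
UNNAMED = "unnamed entry"
RANDOM_NAME = "random-looking DLL name"


def basename(path):
    """Last path component, with HijackThis's '(file missing)' annotation removed."""
    cleaned = path.replace("(file missing)", "").strip()
    return cleaned.rsplit("\\", 1)[-1]


def classify(line):
    """Return the reasons a single log line deserves a closer look ([] if none)."""
    line = line.rstrip()
    match = None
    for pattern in (BHO_RE, RUN_RE, NOTIFY_RE):
        match = pattern.match(line)
        if match:
            break
    if not match:
        return []                      # not a line type this example inspects
    name, path = match.group("name"), match.group("path").strip()
    reasons = []
    if "(file missing)" in path or path == "(no file)":
        reasons.append(ORPHANED)       # a load point left behind after its file was removed
    if name == "(no name)":
        reasons.append(UNNAMED)        # legitimate BHOs almost always carry a name
    if RANDOM_DLL_RE.match(basename(path)):
        reasons.append(RANDOM_NAME)
    return reasons


def triage(log_text):
    """Walk a whole log; return [(line, reasons)] for the lines that were flagged."""
    flagged = []
    for raw in log_text.splitlines():
        reasons = classify(raw)
        if reasons:
            flagged.append((raw.rstrip(), reasons))
    return flagged


# Constructed sample (see module docstring). The R0 line shows that line types
# the script does not know are simply passed over.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4b7c213c-b627-4975-af76-1b8aa21a66b3} - C:\WINDOWS\System32\wxeusvn.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: pmnkkii - C:\WINDOWS\system32\pmnkkii.dll
"""

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```

    Run on the constructed sample it flags three lines: the wxeusvn.dll BHO (orphaned, unnamed, random-looking name), the "(no file)" BHO (orphaned, unnamed) and the pmnkkii Winlogon Notify entry (random-looking name). The Acrobat BHO, the ehTray Run entry and the SUPERAntiSpyware notify DLL pass untouched, which is the point of the exercise: narrow a long log down to the handful of entries that need a person's judgement.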

  9. #19
    Junior Member
    Join Date
    Sep 2007
    Posts
    13

    Default

    Go to this site Jotti Upload and under the browse feature, browse to this file
    C:\WINDOWS\system32\GB9\wrdrvrdl23.exe


    I'm stuck at this part, not sure what I'm supposed to do when I get the file.

  10. #20
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Let me tell ya, your system is picking up bad files related to the Vundo Trojan as fast as we remove them. I strongly urge you, outside of posting here, to stay off the internet until we have you clean. Also, your Windows operating system is very outdated and is not blocking this garbage from installing. Not now, but after you're clean you need to run Windows Update and install Service Pack 2 and beyond.

    Delete the copy of ComboFix that you have and download the latest version; it's updated on a regular basis.

    Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad.

    Folder::
    C:\WINDOWS\system32\GB9

    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.





    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
