
Thread: Smitfraud + other evil nasties

    #1 - Junior Member (joined Nov 2007, 10 posts)

    Smitfraud + other evil nasties

    Two nights ago I was forwarded to a web page that infected my computer with its text. A banned commercial with the Flintstones selling cigarettes. If others are reading this... funny commercial... EVIL virus just from opening the web page.

    I have run Spybot and AVG several times. I have updated all my files. I have attempted to restore my computer to an earlier date. However, my previous restore points no longer exist. This has never happened to me before and I assume the virus destroyed prior restore points.
    I have deleted the on-screen icons a few times now and attempted to remove the files from my system32 folder. I was unable to remove them since they were in use.

    A) HJT LOG :
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:04:49 PM, on 11/29/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Spruce\X_Spruce.exe
    c:\windows\system32\dwdsrngt.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\?asks\n?lookup.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - ?p=ZJxdm078YYUS
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/po...ploader_v6.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microblendtechnologies.webex...mt/ieatgpc.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.co...x/HMAtchmt.ocx
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 7062 bytes

    #2 - Junior Member (joined Nov 2007, 10 posts)

    Smitfraud + Evil Nasties part II

    B) Kaspersky
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    Thursday, November 29, 2007 8:31:39 PM
    Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 30/11/2007
    Kaspersky Anti-Virus database records: 468662
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - My Computer:
    C:\
    D:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 176586
    Number of viruses found: 23
    Number of infected objects: 75
    Number of suspicious objects: 2
    Duration of the scan process: 01:57:52

    Infected Object Name / Virus Name / Last Action
    C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\3ad391678a806ec4d691e83aaa393b6f_24adf822-76f7-4481-b30b-ff1b40f8687f Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip/Yazzle1281OinUninstaller.exe Suspicious: Password-protected-EXE skipped
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: suspicious - 1 skipped
    C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-2bee8f84.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-2bee8f84.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-1ea8f828.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-1ea8f828.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-22b80ad8.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0e0e-22b80ad8.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-2c1d9f93.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-6b26dca8-2c1d9f93.zip ZIP: infected - 1 skipped
    C:\Documents and Settings\Michelle\Cookies\index.dat Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\History\History.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\History\History.IE5\MSHist012007112920071130\index.dat Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\!update.exe Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\btfpietd.dll Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\CEMG555077.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\CEMG555077.exe NSIS: infected - 1 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\install_en.exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\is151079.exe Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\k11u72.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\k11u72.exe NSIS: infected - 1 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\k11u78.exe/data0006 Infected: Trojan-Downloader.Win32.VB.bto skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\k11u78.exe NSIS: infected - 1 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\lhifxtou.dll Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\mirc63.exe/stream/data0014 Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\mirc63.exe/stream Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\mirc63.exe NSIS: infected - 2 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\NeroDemo12550\Toolbar.exe Infected: not-a-virus:AdTool.Win32.MyWebSearch.bm skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\Setup195.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\T0CHD001.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\T0CHD001_c.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\WinAntiSpyware 2007 FreeInstall.exe Infected: not-a-virus:Downloader.Win32.WinFixer.o skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file03 Infected: Trojan-Downloader.Win32.Agent.dhj skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file05/file2 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file05 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file26 Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\WinAntiSpyware2007Setup.exe/file39 Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\WinAntiSpyware2007Setup.exe Inno: infected - 5 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temp\wpfsuqbr.exe Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\217WD03I\hctp[1] Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\2XRGP036\k11u78[1].exe/data0006 Infected: Trojan-Downloader.Win32.VB.bto skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\2XRGP036\k11u78[1].exe NSIS: infected - 1 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\2XRGP036\poiu[2] Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\2XRGP036\upd32_v14[1] Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\5S8JLTOT\CSG_UOP_20070824_SCROLL_160x600[1].swf Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\5S8JLTOT\install_en[1].exe Infected: not-a-virus:Downloader.Win32.WinFixer.au skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\8BJJYW95\124876[1].swf Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\A90VULU9\acdt-pid72[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\A90VULU9\acdt-pid72[1].exe NSIS: infected - 1 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\B3PNNPKS\pochki20071106[1] Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\B3PNNPKS\TTC-4444[1].exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\B3PNNPKS\TTC-4444[1].exe NSIS: infected - 1 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\CH8NO38Z\83122[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\CH8NO38Z\83122[1].exe/data0005 Infected: Trojan-Clicker.HTML.IFrame.dn skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\CH8NO38Z\83122[1].exe NSIS: infected - 2 skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\XGCBDH01\ptch[1] Object is locked skipped
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\YZARUT2B\!update-4395[1].0000 Infected: Trojan-Downloader.Win32.PurityScan.dx skipped
    C:\Documents and Settings\Michelle\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\Michelle\ntuser.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
    C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
    C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
    C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
    C:\Program Files\Common Files\WinAntiSpyware 2007\uwas7cw.exe Infected: not-a-virus:Downloader.Win32.WinFixer.t skipped
    C:\Program Files\GameHouse\Luxor\Luxor.log Object is locked skipped
    C:\Program Files\mIRC\backups\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
    C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.63 skipped
    C:\Program Files\Outerinfo\FF\components\FF.dll Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\Program Files\page.html Infected: Trojan-Clicker.HTML.IFrame.dn skipped
    C:\Program Files\Windows Media Player\qurobu4444.dll Object is locked skipped
    C:\Program Files\Windows Media Player\qurobu555077.dll Object is locked skipped
    C:\Program Files\Windows Media Player\qurobu83122.dll Object is locked skipped
    C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0028643.exe/stream/data0001 Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0028643.exe/stream Infected: not-a-virus:AdWare.Win32.BargainBuddy.ai skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP378\A0028643.exe NSIS: infected - 2 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0029664.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0029666.exe Infected: not-a-virus:Downloader.Win32.WinFixer.x skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0029669.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0029671.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0029673.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030507.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030516.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030601.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030602.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030603.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030604.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030605.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030606.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030607.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030608.exe Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0030614.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP412\A0030630.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP412\A0030630.exe NSIS: infected - 1 skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP413\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\A0030648.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP414\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP415\A0031146.dll Object is locked skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP415\A0031270.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP415\snapshot\MFEX-1.DAT Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP416\change.log Object is locked skipped
    C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
    C:\WINDOWS\df87173.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll Infected: not-a-virus:Downloader.Win32.PopCap.a skipped
    C:\WINDOWS\hg173.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
    C:\WINDOWS\io43mvuiw4kj.exe Infected: Trojan-Clicker.Win32.VB.vx skipped
    C:\WINDOWS\SchedLgU.Txt Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\EventCache\{BCC3193F-9A0B-46F3-A9E9-A3D31D4E3D4E}.bin Object is locked skipped
    C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
    C:\WINDOWS\Sti_Trace.log Object is locked skipped
    C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\DEFAULT Object is locked skipped
    C:\WINDOWS\system32\config\default.LOG Object is locked skipped
    C:\WINDOWS\system32\config\IntelDH.evt Object is locked skipped
    C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
    C:\WINDOWS\system32\config\Media Ce.evt Object is locked skipped
    C:\WINDOWS\system32\config\SAM Object is locked skipped
    C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY Object is locked skipped
    C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SOFTWARE Object is locked skipped
    C:\WINDOWS\system32\config\software.LOG Object is locked skipped
    C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
    C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
    C:\WINDOWS\system32\config\system.LOG Object is locked skipped
    C:\WINDOWS\system32\drivers\core.cache.dsk Object is locked skipped
    C:\WINDOWS\system32\drivers\core.sys Object is locked skipped
    C:\WINDOWS\system32\dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
    C:\WINDOWS\system32\h323log.txt Object is locked skipped
    C:\WINDOWS\system32\j2\ppjup83122.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\WINDOWS\system32\j2\ppjup83122.exe NSIS: infected - 1 skipped
    C:\WINDOWS\system32\krdsrngk.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
    C:\WINDOWS\system32\kwinsldq.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ad skipped
    C:\WINDOWS\system32\ldcore.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
    C:\WINDOWS\system32\supz.dll Infected: not-a-virus:AdWare.Win32.PurityScan.gl skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
    C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
    C:\WINDOWS\TTC-4444.exe/data0002 Infected: not-a-virus:AdWare.Win32.TTC.a skipped
    C:\WINDOWS\TTC-4444.exe NSIS: infected - 1 skipped
    C:\WINDOWS\wiadebug.log Object is locked skipped
    C:\WINDOWS\wiaservc.log Object is locked skipped
    C:\WINDOWS\WindowsUpdate.log Object is locked skipped
    C:\WINDOWS\ѕуmbols\winspool.exe Object is locked skipped

    Scan process completed.
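The report above runs to well over a hundred lines because every archive member, every restore-point copy and every locked system file gets its own line. As an added example (my code, not part of this thread and not a Kaspersky tool), the Python script below reduces a report in that format to what a helper actually needs: the distinct files on disk that are infected, grouped by where they live (Temp, Temporary Internet Files, the Java cache, System Restore, system32), plus which detection names recur. The sample lines are constructed to match the report's format (a subset of the entries above); the location labels and the grouping rules are my own choices, and the parser treats the "/" that Kaspersky uses for archive members as the boundary of the on-disk file, since "/" never appears in a Windows path.

```python
"""Summarise a Kaspersky Online Scanner report: which files on disk are
infected, where they live, and which detection names recur.
Added example, not part of the forum thread or of any Kaspersky tool."""
import re
from collections import Counter

# Constructed sample: a handful of lines in the same format as the report
# above, not the full report.
SAMPLE_REPORT = r"""
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped
C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmsecman.jar-69ee0d96-2bee8f84.zip/vlocal.class Infected: Trojan-Downloader.Java.Agent.f skipped
C:\Documents and Settings\Michelle\Local Settings\Temp\k11u72.exe/data0005 Infected: Trojan-Downloader.Win32.VB.awj skipped
C:\Documents and Settings\Michelle\Local Settings\Temp\k11u72.exe NSIS: infected - 1 skipped
C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\Content.IE5\A90VULU9\acdt-pid72[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped
C:\System Volume Information\_restore{129201FA-B0AC-49B3-96B2-DEB8B91E727B}\RP411\A0029664.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\WINDOWS\system32\ldcore.dll Infected: Trojan-Downloader.Win32.Small.gkh skipped
C:\WINDOWS\system32\dwdsrngt.exe Infected: not-a-virus:AdWare.Win32.ZenoSearch.ac skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\Yazzle1.zip ZIP: suspicious - 1 skipped
"""

# One report line: "<path> <verdict> skipped". The verdict is one of:
# "Object is locked", "Infected: <name>", "Suspicious: <what>" or an archive
# summary such as "NSIS: infected - 1".
LINE_RE = re.compile(
    r"^(?P<path>.+?) (?:"
    r"(?P<locked>Object is locked)"
    r"|Infected: (?P<name>\S+)"
    r"|Suspicious: (?P<susp>\S+)"
    r"|(?P<arch>\w+): (?P<archkind>infected|suspicious) - \d+"
    r") skipped$"
)

# Ordered (lower-cased substring, label) pairs; first match wins. Labels are
# my own and mirror the folders a helper asks people to clean out.
LOCATIONS = [
    ("\\system volume information\\_restore", "System Restore"),
    ("\\local settings\\temp\\", "Temp"),
    ("\\temporary internet files\\", "TIF"),
    ("\\sun\\java\\deployment\\cache\\", "Java cache"),
    ("\\spybot - search & destroy\\recovery\\", "Spybot Recovery"),
    ("\\windows\\system32\\", "system32"),
]


def location(path):
    low = path.lower()
    for needle, label in LOCATIONS:
        if needle in low:
            return label
    return "other"


def parse_line(line):
    """Return {'file', 'kind', 'name'} for one report line, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # Kaspersky separates archive members with '/', which never occurs in a
    # Windows path, so the text before the first '/' is the file on disk.
    disk_path = m.group("path").split("/", 1)[0]
    if m.group("locked"):
        kind = "locked"
    elif m.group("name") or m.group("archkind") == "infected":
        kind = "infected"
    else:
        kind = "suspicious"
    return {"file": disk_path, "kind": kind, "name": m.group("name")}


def summarise(report_text):
    files = {"infected": set(), "suspicious": set(), "locked": set()}
    families = Counter()
    for line in report_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        files[rec["kind"]].add(rec["file"])  # de-duplicates member + container
        if rec["name"]:
            families[rec["name"]] += 1
    return {
        "infected_files": sorted(files["infected"]),
        "suspicious_files": sorted(files["suspicious"]),
        "locked_count": len(files["locked"]),
        "by_location": dict(Counter(location(p) for p in files["infected"])),
        "families": dict(families),
    }


if __name__ == "__main__":
    s = summarise(SAMPLE_REPORT)
    print(f"{len(s['infected_files'])} infected files, "
          f"{s['locked_count']} locked objects skipped")
    for loc, n in sorted(s["by_location"].items()):
        print(f"  {loc:16s} {n}")
    for name, n in s["families"].most_common() if hasattr(s["families"], "most_common") else sorted(s["families"].items(), key=lambda kv: -kv[1]):
        print(f"  {n}x {name}")
```

Locked objects are not detections; they are registry hives, event logs and other files Windows holds open, and they are reported separately so they do not inflate the count. Hits under System Volume Information are restore-point copies, which is why the summary keeps them in their own bucket rather than mixing them with files that are live on the system.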

    #3 - Junior Member (joined Nov 2007, 10 posts)

    Smitfraud + Evil Nasties Part III

    It was not asked for in the "BEFORE you POST" section, but I have some nice new additions in my processes that I did not see named in the lists I just posted.

    Under user:
    CTXFISPI.EXE
    nslookup.exe
    ctfmon.exe

    Several others begin at startup, but only these 3 refuse to stay deleted.

    Please help me.

    P.S. My husband helped me go into msconfig and we stopped a lot of services trying to stop the virus. Not sure if that's important.

    Thank you

    #4 - pskelley (In Memoriam - Always in our heart), Clearwater, Florida (joined Oct 2005, 20,247 posts)

    Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
    "BEFORE you POST" (READ this Procedure before Requesting Assistance)
    http://forums.spybot.info/showthread.php?t=288
    All advice given is taken at your own risk.
    Please make sure you have read this information so we are on the same page.

    I apologize for the wait; we look for 0 responses and yours shows 3.
    The Waiting Room <<< be aware of this failsafe.
    http://forums.spybot.info/forumdisplay.php?f=37

    You are infected, I see PurityScan/OIN and probably Vundo:
    You have a Vundo infection which can be very hard to remove. This will take some time and unless you are patient, understand how to follow directions and are comfortable working on your computer, you may want to seek local professional help. If you wish to proceed, read and follow the directions carefully.

    If your issues are not resolved, please do this:
    1) C:\Program Files\Trend Micro\HijackThis\HijackThis.exe <<< rename HJT; call it playfulimp.exe, that will work. After a restart we should see the hidden Vundo junk.

    2) Stay offline when not troubleshooting, the junk will download more.

    3) Post a new HJT log, add any comments you think will help.

    Thanks

    KASPERSKY ONLINE SCANNER REPORT
    C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\ <<< clean out the Recovery folder
    http://ict.cas.psu.edu/training/howt...vespybot.htm#1

    C:\Documents and Settings\Michelle\Application Data\Sun\Java\Deployment\cache\ <<< clean your infected Java cache
    http://support.f-secure.com/enu/home...avacache.shtml

    Your Temp and TIF folders are loaded with nasty junk, you can clean them out, it will help in the long run.
    C:\Documents and Settings\Michelle\Local Settings\Temp\
    C:\Documents and Settings\Michelle\Local Settings\Temporary Internet Files\

    System Restore is badly infected also, but we will clean that later so we only need do it once. DO NOT use it.

    You may not be able to delete all Temp and TIF items; the newer stuff should go though, and that is all the infections.
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006
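pskelley's reading of the logs rests on a handful of recognisable patterns in the HijackThis output: the "?" characters HJT prints in C:\Program Files\?asks\n?lookup.exe, the O20 AppInit_DLLs entry pointing at ldcore.dll, a Run value named like a GUID that is not one, a Startup shortcut that launches a file out of system32, a context-menu item whose target is an opaque token, and BHOs whose DLL is "(file missing)". As an added example (my code, not from the thread and not HijackThis code), the Python script below applies those checks to constructed sample lines that mirror the logs above, plus one process line built from the Kaspersky hit on C:\WINDOWS\ѕуmbols, whose first two letters are Cyrillic. It assumes that HijackThis prints "?" where a path contains a character it cannot render in the ANSI code page; because "?" is not a legal character in a Windows file name, a "?" inside a path points at a Unicode lookalike directory, the same trick as the Cyrillic letters in "ѕуmbols". The rule set and the reason strings are my own heuristics, not an official HJT classification.

```python
"""Triage a HijackThis 2.x log for the patterns discussed in this thread.
Added example: not part of the thread and not HijackThis code."""
import re

# Constructed sample: lines mirroring the logs above, plus one process line
# built from the Kaspersky hit on C:\WINDOWS\ѕуmbols (Cyrillic 's' and 'u').
SAMPLE_HJT = r"""
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\?asks\n?lookup.exe
C:\WINDOWS\ѕуmbols\winspool.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17725A8E-68A2-4D60-A4C6-EFB0969F2F4D} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\dwdsrngt.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZJxdm078YYUS
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(?P<type>[RFO]\d+) - (?P<body>.*)$")
# A Windows path up to a binary/shortcut extension; spaces are allowed inside.
PATH_RE = re.compile(r"[A-Za-z]:\\[^\n]*?\.(?:exe|dll|lnk|ocx|sys)\b", re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-F]{8}(?:-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$", re.IGNORECASE)
RUN_RE = re.compile(r"^HK\S+?\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^Startup: (?P<lnk>.+?) = (?P<target>.+)$")
MENU_RE = re.compile(r"^Extra context menu item: (?P<label>.+?) - (?P<target>.+)$")
OK_SCHEMES = ("res://", "http://", "https://", "file://")


def suspicious_paths(text):
    """Flag paths HJT could not render ('?') or that contain non-ASCII letters.
    Assumption: HJT substitutes '?' for characters outside the ANSI code page;
    '?' is illegal in a file name, so its presence means a lookalike name."""
    reasons = []
    for path in PATH_RE.findall(text):
        if "?" in path:
            reasons.append("path contains '?' (unrenderable, lookalike name): " + path)
        elif any(ord(c) > 127 for c in path):
            reasons.append("path contains non-ASCII letters (homoglyph name): " + path)
    return reasons


def triage_entry(etype, body):
    """Heuristic rules for the numbered HJT sections; my own, not HJT's."""
    reasons = []
    if etype == "O2" and "(file missing)" in body:
        reasons.append("BHO registered but its DLL is missing (orphaned or hidden helper)")
    if etype == "O4":
        m = RUN_RE.match(body)
        if m and m.group("name").startswith("{") and not GUID_RE.match(m.group("name")):
            reasons.append("Run value name mimics a GUID but is not one: " + m.group("name"))
        m = STARTUP_RE.match(body)
        if m and "\\system32\\" in m.group("target").lower():
            reasons.append("Startup shortcut launches a file from system32: " + m.group("target"))
    if etype == "O8":
        m = MENU_RE.match(body)
        if m:
            target = m.group("target")
            if not target.lower().startswith(OK_SCHEMES) and not PATH_RE.match(target):
                reasons.append("context menu item with opaque target: " + target)
    if etype == "O20" and body.startswith("AppInit_DLLs:"):
        value = body.split(":", 1)[1].strip()
        if value:
            reasons.append("AppInit_DLLs injects into every process that loads user32: " + value)
    return reasons


def triage(log_text):
    """Return a list of (log line, reason) pairs for lines worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        reasons = suspicious_paths(line)
        m = ENTRY_RE.match(line)
        if m:
            reasons += triage_entry(m.group("type"), m.group("body"))
        findings.extend((line, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for line, reason in triage(SAMPLE_HJT):
        print(f"{reason}\n    {line}")
```

The script is a first pass, not a verdict: a clean system32 path, a Google toolbar entry or an AVG Run value produces nothing, while the seven lines above that carry the thread's indicators each come back with the reason they were flagged. The "?" rule is the one to remember from this thread: Task Manager showed the OP nslookup.exe, which looks like the legitimate Windows tool, and only the HJT rendering of the path gave the lookalike away.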

    #5 - Junior Member (joined Nov 2007, 10 posts)

    Okay, I did everything you suggested. And this is the first HijackThis that I ran. I ran a second one after removing all of the temp files etc. So here is the first one.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:58:08 PM, on 12/4/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Spruce\X_Spruce.exe
    c:\windows\system32\krdsrngk.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\Playfulimp.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {17725A8E-68A2-4D60-A4C6-EFB0969F2F4D} - C:\WINDOWS\system32\ssqpn.dll (file missing)
    O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\hggfedb.dll (file missing)
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
    O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {ADBB735E-358D-493A-8A0D-E7EAAA50297C} - C:\Program Files\Windows Media Player\qurobu83122.dll (file missing)
    O2 - BHO: (no name) - {ADEF3926-48FE-4740-A8CB-0D3D71BB531F} - C:\Program Files\Windows Media Player\qurobu555077.dll (file missing)
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {D1475105-77CD-4CAB-8747-34E4EF83DB96} - C:\Program Files\Windows Media Player\qurobu4444.dll (file missing)
    O2 - BHO: (no name) - {E1AAA940-6F8F-6F28-DE2F-4DE678860BE4} - C:\WINDOWS\system32\supz.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\krdsrngk.exe CHD001
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\krdsrngk.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - ?p=ZJxdm078YYUS
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/po...ploader_v6.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microblendtechnologies.webex...mt/ieatgpc.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.co...x/HMAtchmt.ocx
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: hggfedb - hggfedb.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 8641 bytes

    I also uninstalled my old Spybot program as suggested and downloaded the newest version. It was after running the newer version of Spybot that I ran a second HijackThis. If you want/need the second one, just let me know. I'll be back online later today. I'm unplugging my internet in between posts to avoid more viruses.
    Thank you so much for your help.
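
As an added example that is not code from the thread or from HijackThis: a first-pass triage of the HJT log above that flags the entry types this cleanup turns on (BHOs marked file missing, unnamed BHOs, the AppInit_DLLs and Winlogon Notify loaders, the GUID-named Run value, the random-named system32 executable, and the context-menu item with no URL target). The regexes, severities and the random-name heuristic are assumptions drawn from the posted lines, not a complete HJT grammar; the sample log is constructed from lines in the post.

```python
import re

# Added example, not code from the thread or from HijackThis: a first-pass
# triage of HJT v2.0.2 log lines.  Every pattern below is an assumption
# drawn from the lines posted in this thread, not a complete HJT grammar.

# "O2 - BHO: ..." / "R1 - HKLM\..." : section tag, " - ", rest of the line
ENTRY = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
FILE_MISSING = re.compile(r"\(file missing\)$")
# Run value named like "{7F-F7-75-54-ZN}" instead of a product name
GUID_LIKE_RUN_NAME = re.compile(r"^HK\w+\\\.\.\\Run: \[\{[0-9A-Za-z-]+\}\]")
# context-menu items normally point at a res:// or http(s):// target
URL_TARGET = re.compile(r" - (?:res://|https?://)", re.IGNORECASE)


def random_sys32_exe(body):
    """Heuristic for names like krdsrngk.exe / dwdsrngt.exe: an all-lowercase
    eight-letter .exe directly under system32.  Legitimate files can collide
    with this, so callers rate it medium rather than high."""
    m = re.search(r"\\system32\\([a-z]{8})\.exe\b", body, re.IGNORECASE)
    return bool(m) and m.group(1).islower()


def triage_line(line):
    """Classify one HJT log line.  Returns (severity, reason) or None when the
    line is not an entry or matches no rule."""
    m = ENTRY.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    if section == "O2":
        if FILE_MISSING.search(body):
            return ("high", "BHO still registered but its DLL is reported missing")
        if body.startswith("BHO: (no name)"):
            return ("medium", "BHO registered without a name")
    elif section == "O20":
        if body.startswith("AppInit_DLLs:"):
            return ("high", "AppInit_DLLs loads this DLL into every process that maps user32.dll")
        if body.startswith("Winlogon Notify:"):
            return ("high", "Winlogon Notify package runs at logon, before the desktop")
    elif section == "O4":
        if GUID_LIKE_RUN_NAME.match(body):
            return ("medium", "Run value named like a GUID fragment")
        if random_sys32_exe(body):
            return ("medium", "autostart points at a random-looking exe in system32")
    elif section == "O8":
        if not URL_TARGET.search(body):
            return ("low", "context-menu item without a res:// or http(s):// target")
    return None


def triage_log(text):
    """Run triage_line over a whole log; returns [(severity, reason, line)]."""
    findings = []
    for raw in text.splitlines():
        hit = triage_line(raw)
        if hit is not None:
            findings.append((hit[0], hit[1], raw.strip()))
    return findings


def count_by_severity(findings):
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _, _ in findings:
        counts[severity] += 1
    return counts


# Constructed sample: a subset of the HJT log posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
c:\windows\system32\krdsrngk.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {17725A8E-68A2-4D60-A4C6-EFB0969F2F4D} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WINDOWS\system32\hggfedb.dll (file missing)
O2 - BHO: (no name) - {E1AAA940-6F8F-6F28-DE2F-4DE678860BE4} - C:\WINDOWS\system32\supz.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\krdsrngk.exe CHD001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\krdsrngk.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: &Search - ?p=ZJxdm078YYUS
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: hggfedb - hggfedb.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

if __name__ == "__main__":
    for severity, reason, line in triage_log(SAMPLE_LOG):
        print(f"[{severity:6}] {reason}\n         {line}")
    print(count_by_severity(triage_log(SAMPLE_LOG)))
```

Against the constructed sample this reports four high, three medium and one low finding; the clean Adobe, Java, ctfmon and NVIDIA entries produce nothing.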

  6. #6
    pskelley (In Memoriam - Always in our heart)
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247


    1) Thanks to Atribune and any others who helped with this fix.

    http://vundofix.atribune.org/ <<< tutorial

    "Download VundoFix" to your Desktop

    http://www.atribune.org/ccount/click.php?id=4

    Double-click VundoFix.exe to run it.
    When VundoFix opens, click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will reboot your computer, click OK.
    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will attempt to run on reboot; simply follow the above instructions starting from "Click
    the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

    (wait until you finish to post reports and logs)

    2) Thanks to sUBs and anyone else who helped with this fix.

    Download ComboFix from Here or Here to your Desktop
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Post the Vundofix.txt, combofix log and a new HJT log.

    Thanks

  7. #7
    Junior Member
    Join Date
    Nov 2007
    Posts
    10

    text files

    VundoFix:

    VundoFix V6.7.0

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 1:10:26 PM 12/5/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\hggfedb.dll

    Beginning removal...

    Performing Repairs to the registry.
    Done!


    ComboFix:

    ComboFix 07-12-02.7 - Michelle 2007-12-05 13:23:44.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1529 [GMT -7:00]
    Running from: C:\Documents and Settings\Michelle\Desktop\ComboFix.exe
    * Created a new restore point
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data.\salesmonitor
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data.\winantispyware 2007\Data\ProductCode
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\Abbr
    C:\Documents and Settings\All Users\Application Data\WinAntiSpyware 2007\Data\ProductCode
    C:\Documents and Settings\Michelle\Application Data\macromedia\Flash Player\#SharedObjects\95JTQ7BP\www.broadcaster.com
    C:\Documents and Settings\Michelle\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
    C:\Documents and Settings\Michelle\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
    C:\Documents and Settings\Michelle\Start Menu\Programs\Startup\ta_start.lnk
    C:\Program Files\asks~1
    C:\Program Files\asks~1\n?lookup.exe
    C:\Program Files\Common Files\winantispyware 2007
    C:\Program Files\Common Files\winantispyware 2007\err.log
    C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
    C:\Program Files\ini.ini\
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\FF\chrome.manifest
    C:\Program Files\outerinfo\FF\components\FF.dll
    C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
    C:\Program Files\outerinfo\FF\install.rdf
    C:\Program Files\outerinfo\Terms.rtf
    C:\Temp\1cb
    C:\Temp\1cb\syscheck.log
    C:\Temp\abW9
    C:\Temp\abW9\tPho.log
    C:\Temp\fse
    C:\temp\tn3
    C:\WINDOWS\mbols~1
    C:\WINDOWS\mbols~1\??mbols\
    C:\WINDOWS\mbols~1\winspool.exe
    C:\WINDOWS\system32\c1
    C:\WINDOWS\system32\drivers\fopn.sys
    C:\WINDOWS\system32\dwdsrngt.exe
    C:\WINDOWS\system32\f10WtR
    C:\WINDOWS\system32\j2
    C:\WINDOWS\system32\j2\ppjup83122.exe
    C:\WINDOWS\system32\ldinfo.ldr
    C:\WINDOWS\system32\m8
    C:\WINDOWS\system32\m8\nsts2dll1.exe
    C:\WINDOWS\system32\msnav32.ax
    C:\WINDOWS\system32\pac.txt
    C:\WINDOWS\system32\rMa02yy
    C:\WINDOWS\system32\supz.dll
    C:\WINDOWS\system32\wnsinticom32.exe
    C:\WINDOWS\TTC-4444.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_CORE
    -------\LEGACY_FOPN


    ((((((((((((((((((((((((( Files Created from 2007-11-05 to 2007-12-05 )))))))))))))))))))))))))))))))
    .

    2007-12-05 13:10 . 2007-12-05 13:10 <DIR> d-------- C:\VundoFix Backups
    2007-12-04 19:51 . 2007-12-05 08:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2007-12-04 18:43 . 2007-12-04 18:43 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2007-12-04 18:43 . 2007-12-04 18:43 1,409 --a------ C:\WINDOWS\QTFont.for
    2007-11-29 21:04 . 2007-11-29 21:04 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-29 16:26 . 2007-11-29 16:26 106,520 --a------ C:\WINDOWS\system32\krdsrngk.exe
    2007-11-29 15:54 . 2007-11-29 15:54 <DIR> d-------- C:\Program Files\Spruce
    2007-11-28 16:13 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll
    2007-11-28 16:01 . 2006-08-21 02:14 128,896 --------- C:\WINDOWS\system32\dllcache\fltmgr.sys
    2007-11-28 16:01 . 2006-08-21 02:14 23,040 --------- C:\WINDOWS\system32\dllcache\fltmc.exe
    2007-11-28 16:01 . 2006-08-21 05:21 16,896 --------- C:\WINDOWS\system32\dllcache\fltlib.dll
    2007-11-28 16:01 . 2007-11-28 16:01 4,286 --a------ C:\WINDOWS\system32\callwavefax.32x32.ico
    2007-11-28 15:59 . 2007-11-28 15:59 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-11-28 15:57 . 2007-07-09 06:09 584,192 --------- C:\WINDOWS\system32\dllcache\rpcrt4.dll
    2007-11-28 15:56 . 2006-12-06 21:14 2,330,624 --------- C:\WINDOWS\system32\dllcache\wmvcore.dll
    2007-11-28 15:53 . 2007-07-30 19:18 34,136 --a------ C:\WINDOWS\system32\wucltui.dll.mui
    2007-11-28 15:53 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuaucpl.cpl.mui
    2007-11-28 15:53 . 2007-07-30 19:19 25,944 --a------ C:\WINDOWS\system32\wuapi.dll.mui
    2007-11-28 15:53 . 2007-07-30 19:18 20,312 --a------ C:\WINDOWS\system32\wuaueng.dll.mui
    2007-11-28 15:44 . 2007-11-28 15:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-28 15:44 . 2007-11-28 15:44 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-28 15:36 . 2007-11-28 15:36 <DIR> d-------- C:\Program Files\Sun
    2007-11-28 15:36 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2007-11-28 15:26 . 2007-11-28 15:26 2,238 --a------ C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
    2007-11-28 00:59 . 2007-11-29 17:32 0 --a------ C:\WINDOWS\system32\mcrh.tmp
    2007-11-27 21:21 . 2007-12-01 10:49 434,934 --ahs---- C:\WINDOWS\system32\npqss.ini2
    2007-11-27 21:21 . 2007-12-01 10:50 434,934 --ahs---- C:\WINDOWS\system32\npqss.ini
    2007-11-27 21:18 . 2007-11-27 21:20 <DIR> d-------- C:\Program Files\Cool
    2007-11-27 21:18 . 2007-12-05 08:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Rabio
    2007-11-21 19:18 . 2007-11-21 19:18 <DIR> d-------- C:\Program Files\Veoh Networks
    2007-11-16 10:20 . 2007-11-16 10:20 208,896 --a------ C:\WINDOWS\io43mvuiw4kj.exe
    2007-11-10 11:26 . 2007-04-24 16:30 60,273 --a------ C:\WINDOWS\system32\pthreadGC2.dll
    2007-11-10 11:26 . 2007-07-29 16:51 7,680 --a------ C:\WINDOWS\system32\ff_vfw.dll
    2007-11-10 11:26 . 2007-07-10 17:10 547 --a------ C:\WINDOWS\system32\ff_vfw.dll.manifest
    2007-11-05 18:12 . 2007-11-05 18:16 <DIR> d-------- C:\temp\simfilemaid

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-30 15:00 --------- d-----w C:\Documents and Settings\Michelle\Application Data\AVG7
    2007-11-28 22:36 --------- d-----w C:\Program Files\Java
    2007-11-28 22:19 75 ----a-w C:\Program Files\ini.ini
    2007-11-24 23:33 --------- d-----w C:\Documents and Settings\Michelle\Application Data\uTorrent
    2007-11-22 02:19 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-11-05 21:16 --------- d-----w C:\Program Files\SimPE
    2007-11-05 01:02 --------- d-----w C:\Program Files\Sims2Pack Clean Installer
    2007-10-23 17:16 --------- d-----w C:\Program Files\EA GAMES
    2007-10-22 04:02 --------- d-----w C:\Program Files\mIRC
    2007-10-16 14:37 --------- d-----w C:\Program Files\Oberon Media
    2007-10-16 14:36 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2007-10-11 14:44 --------- d-----w C:\Program Files\RGB
    2007-10-09 07:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\PopCap
    2007-09-12 18:52 53,248 ----a-w C:\WINDOWS\hg173.exe
    2007-09-12 18:50 53,248 ----a-w C:\WINDOWS\df87173.exe
    2007-07-28 09:06 135 ----a-w C:\Program Files\page.html
    2007-07-05 21:19 8 --sha-r C:\WINDOWS\system32\4AC98B6981.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{17725A8E-68A2-4D60-A4C6-EFB0969F2F4D}]
    C:\WINDOWS\system32\ssqpn.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54DE7259-C729-45B1-BBD8-4BE9B5BD8248}]
    2007-11-29 10:28 401408 --a------ C:\Program Files\Spruce\Spruce.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5C2A9795-B130-4622-B036-BDCAD28602DC}]
    2007-11-12 11:50 397312 --a------ C:\Program Files\Cool\Cool.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADBB735E-358D-493A-8A0D-E7EAAA50297C}]
    C:\Program Files\Windows Media Player\qurobu83122.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADEF3926-48FE-4740-A8CB-0D3D71BB531F}]
    C:\Program Files\Windows Media Player\qurobu555077.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1475105-77CD-4CAB-8747-34E4EF83DB96}]
    C:\Program Files\Windows Media Player\qurobu4444.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 03:00]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 16:46]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "AudioDrvEmulator"="C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" [2005-11-04 16:07]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
    "{7F-F7-75-54-ZN}"="c:\windows\system32\dwdsrngt.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 06:24]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-11-27 23:27]

    C:\Documents and Settings\Michelle\Start Menu\Programs\Startup\
    Spruce - Auto Update.lnk - C:\Program Files\Spruce\Spruce.exe [2007-11-29 15:54:22]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hggfedb]
    hggfedb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"= c:\windows\system32\ldcore.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
    backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=C:\WINDOWS\pss\Digital Line Detect.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michelle^Start Menu^Programs^Startup^Cool - Auto Update.lnk]
    path=C:\Documents and Settings\Michelle\Start Menu\Programs\Startup\Cool - Auto Update.lnk
    backup=C:\WINDOWS\pss\Cool - Auto Update.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Michelle^Start Menu^Programs^Startup^TA_Start.lnk]
    path=C:\Documents and Settings\Michelle\Start Menu\Programs\Startup\TA_Start.lnk
    backup=C:\WINDOWS\pss\TA_Start.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
    2005-06-06 23:46 57344 --a------ C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
    2007-03-12 13:49 153136 --a------ C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDVDDET]
    2003-06-17 23:00 45056 --------- C:\Program Files\Creative\Sound Blaster X-Fi\DVDAudio\CTDVDDET.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
    CTHELPER.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
    CTXFIHLP.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
    2005-09-08 03:20 122940 --a------ C:\WINDOWS\System32\DLA\DLACTRLW.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DMXLauncher]
    2005-10-05 01:12 94208 --a------ C:\Program Files\Dell\Media Experience\DMXLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EA Core]
    C:\Program Files\Electronic Arts\EADM\Core.exe -silent

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    2005-09-29 12:01 67584 --a------ C:\WINDOWS\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6000 Series]
    C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU C:\WINDOWS\TEMP\E_S3FB.tmp /EF HKLM

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    2005-06-17 05:56 139264 --a------ C:\Program Files\Intel\Intel Matrix Storage Manager\iaanotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\io43mvuiw4kj]
    2007-11-16 10:20 208896 --a------ C:\WINDOWS\io43mvuiw4kj.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM.exe -startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe -start

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    2006-09-12 01:58 229952 --a------ C:\Program Files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    C:\Program Files\McAfee\SpamKiller\MSKDetct.exe /uninstall

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    C:\Program Files\Messenger\msmsgs.exe /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    2007-03-09 18:53 153136 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    C:\Program Files\QuickTime\qttask.exe -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\runner1]
    C:\WINDOWS\mrofinu77.exe 61A847B5BBF72815358B2B27128065E9C084320161C4661227A755E9C2933154389A

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uaol]
    C:\WINDOWS\MBOLS~1\winspool.exe -vt yazb

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
    2000-05-10 23:00 90112 --------- C:\WINDOWS\UpdReg.EXE

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
    C:\Program Files\Veoh Networks\Veoh\VeohClient.exe /VeohHide

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VolPanel]
    C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe /r

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Whtef]
    C:\Program Files\?asks\n?lookup.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{7F-F7-75-54-ZN}]
    c:\windows\system32\dwdsrngt.exe CHD001

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
    "iPod Service"=3 (0x3)
    "UMWdf"=3 (0x3)
    "SQLAgent$SONY_MEDIAMGR"=3 (0x3)
    "ProtexisLicensing"=2 (0x2)
    "NMIndexingService"=3 (0x3)
    "ehSched"=2 (0x2)
    "ehRecvr"=2 (0x2)
    "McrdSvc"=2 (0x2)
    "MSSQLServerADHelper"=3 (0x3)
    "MSSQL$SONY_MEDIAMGR"=3 (0x3)
    "MHN"=3 (0x3)
    "IDriverT"=3 (0x3)
    "Fax"=2 (0x2)
    "Creative Service for CDROM Access"=2 (0x2)
    "wuauserv"=2 (0x2)

    R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\M]
    \Shell\AutoRun\command - M:\Autorun.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    .
    **************************************************************************

    catchme 0.3.1318 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-12-05 13:31:23
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    **************************************************************************
    .
    Completion time: 2007-12-05 13:33:51 - machine was rebooted
    .
    --- E O F ---

  8. #8
    Junior Member
    Join Date
    Nov 2007
    Posts
    10

    text continued

    Hijack This
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:35:00 PM, on 12/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\Program Files\Spruce\X_Spruce.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Trend Micro\HijackThis\Playfulimp.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {17725A8E-68A2-4D60-A4C6-EFB0969F2F4D} - C:\WINDOWS\system32\ssqpn.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
    O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: (no name) - {ADBB735E-358D-493A-8A0D-E7EAAA50297C} - C:\Program Files\Windows Media Player\qurobu83122.dll (file missing)
    O2 - BHO: (no name) - {ADEF3926-48FE-4740-A8CB-0D3D71BB531F} - C:\Program Files\Windows Media Player\qurobu555077.dll (file missing)
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O2 - BHO: (no name) - {D1475105-77CD-4CAB-8747-34E4EF83DB96} - C:\Program Files\Windows Media Player\qurobu4444.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Search - ?p=ZJxdm078YYUS
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/po...ploader_v6.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microblendtechnologies.webex...mt/ieatgpc.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.co...x/HMAtchmt.ocx
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: hggfedb - hggfedb.dll (file missing)
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 8835 bytes


    Sorry, too much info for one post.

  9. #9
    In Memoriam -Always in our heart pskelley's Avatar
    Join Date
    Oct 2005
    Location
    Clearwater, Florida
    Posts
    20,247

    Default

    Thanks for returning your information. I believe you cut off Vundofix before it had time to complete removal.
    C:\WINDOWS\system32\hggfedb.dll <<< as a result we do not know if it successfully removed this item; please allow the tools time to run and do not be in a hurry.
    Beginning removal...
    Performing Repairs to the registry.
    Done!
    Open C:\ and locate this >> Vundofix.txt. If there is more information than you posted the first time, post that information for me.

    See this: http://forums.spybot.info/showpost.p...80&postcount=2
    and this: Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.
    This indicates you are up to date but have old versions; uninstall all old versions in Add/Remove Programs, as they will get you infected!

    1) How to make files and folders visible:
    Click Start > Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
    Uncheck: Hide file extensions for known file types
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm. Click OK.
    You may reverse this for safety when we are finished.

    2) Please download ATF Cleaner by Atribune
    http://www.atribune.org/content/view/25/2/
    Save it to your Desktop. We will use this later.

    3) TeaTimer will block changes we must make; use these instructions to turn it off until we are done.
    http://russelltexas.com/malware/teatimer.htm

    4) Start > Control Panel > Add Remove Programs and uninstall C:\Program Files\Spruce\ if there.

    5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

    O2 - BHO: (no name) - {17725A8E-68A2-4D60-A4C6-EFB0969F2F4D} - C:\WINDOWS\system32\ssqpn.dll (file missing)
    O2 - BHO: SpruceBHO - {54DE7259-C729-45B1-BBD8-4BE9B5BD8248} - C:\Program Files\Spruce\Spruce.dll
    O2 - BHO: CoolBHO - {5C2A9795-B130-4622-B036-BDCAD28602DC} - C:\Program Files\Cool\Cool.dll
    O2 - BHO: (no name) - {ADBB735E-358D-493A-8A0D-E7EAAA50297C} - C:\Program Files\Windows Media Player\qurobu83122.dll (file missing)
    O2 - BHO: (no name) - {ADEF3926-48FE-4740-A8CB-0D3D71BB531F} - C:\Program Files\Windows Media Player\qurobu555077.dll (file missing)
    O2 - BHO: (no name) - {D1475105-77CD-4CAB-8747-34E4EF83DB96} - C:\Program Files\Windows Media Player\qurobu4444.dll (file missing)
    O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
    O4 - Startup: Spruce - Auto Update.lnk = C:\Program Files\Spruce\Spruce.exe
    O8 - Extra context menu item: &Search - ?p=ZJxdm078YYUS
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://clubgames.pogo.com/online2/po...ploader_v6.cab
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: hggfedb - hggfedb.dll (file missing)

    Close all programs but HJT and all browser windows, then click on "Fix Checked"

    6) RIGHT Click on Start then click on Explore. Locate and delete these items:

    C:\Program Files\Spruce\ <<< delete that folder

    c:\windows\system32\dwdsrngt.exe <<< delete that file

    c:\windows\system32\ldcore.dll <<< delete that file

    C:\WINDOWS\system32\krdsrngk.exe <<< delete that file

    7) Run ATF Cleaner
    Double-click ATF-Cleaner.exe to run the program.
    Click Select All found at the bottom of the list.
    Click the Empty Selected button.
    Click Exit on the Main menu to close the program.

    Restart and post a new HJT log and some feedback.

    Thanks
    MS-MVP Consumer Security 2007-08-09
    Proud Member ASAP
    UNITE Member 2006

  10. #10
    Junior Member
    Join Date
    Nov 2007
    Posts
    10

    Default

    I went through all the steps and cleaned and deleted most of the files; however, these three files were not in system32.
    I did notice that dwd was running in my taskmanager under user before I shut down the system for a restart.

    c:\windows\system32\dwdsrngt.exe <<< delete that file

    c:\windows\system32\ldcore.dll <<< delete that file

    C:\WINDOWS\system32\krdsrngk.exe <<< delete that file

    These files were still under user taskmanager
    jusched.exe
    ctfmon
    ctxfispi
    krdsrngk
    dllml
    kwinsldq
    iexplore
    explore

    I double checked that the two items to be unchecked in spybot were still unchecked and they were. I then went back and tried to find the above files that you said to remove and still could not find them despite seeing the programs in my taskmanager.

    I'm not sure if the taskmanager info shows for you in the hijack text, but I hope I'm not giving you redundant info.

    Hijack This

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:40:13 PM, on 12/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16544)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    c:\windows\system32\krdsrngk.exe
    C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\kwinsldq.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Documents and Settings\Michelle\Desktop\Playfulimp.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = http://www.google.com/ig/dell?hl=en&...suk&channel=us
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\System32\DLA\DLASHX_W.DLL
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O2 - BHO: Browser Address Error Redirector - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O4 - HKLM\..\Run: [AudioDrvEmulator] "C:\Program Files\Creative\Shared Files\Module Loader\DLLML.exe" -1 AudioDrvEmulator "C:\Program Files\Creative\Shared Files\Module Loader\Audio Emulator\AudDrvEm.dll"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\krdsrngk.exe CHD001
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinsldq.exe CHD001
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\krdsrngk.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinsldq.exe
    O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
    O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar2.dll/cmwordtrans.html
    O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
    O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
    O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
    O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {3107C2A8-9F0B-4404-A58B-21BD85268FBC} (PogoWebLauncher Control) - http://www.pogo.com/cdl/launcher/Pog...rInstaller.CAB
    O16 - DPF: {459E93B6-150E-45D5-8D4B-45C66FC035FE} (get_atlcom Class) - http://apps.corel.com/nos_dl_manager...EGetPlugin.ocx
    O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/acti..._v1-0-3-48.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by115fd.bay115.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://javadl-esd.sun.com/update/1.6...ws-i586-jc.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://microblendtechnologies.webex...mt/ieatgpc.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by115fd.bay115.hotmail.msn.co...x/HMAtchmt.ocx
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
    O23 - Service: Intel® Quick Resume Technology Drivers (ELService) - Intel Corporation - C:\Program Files\Intel\IntelDH\Intel(R) Quick Resume Technology\ELService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    --
    End of file - 7554 bytes

    Again, thank you for your time and help on this.
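An added example (not code from the thread, the helper or Trend Micro) that automates the triage done in this thread: it parses HijackThis v2 entry lines, flags the kinds of items the helper put on the fix list (unnamed or file-missing BHOs, O20 load points, unrecognised binaries autostarting from system32), and diffs the O4 autoruns of the first and second log to show that the same Run value {7F-F7-75-54-ZN} now points at krdsrngk.exe instead of dwdsrngt.exe. The sample lines are copied from the logs posted above; KNOWN_SYSTEM32 is a constructed allowlist, not a complete list of benign autoruns.

```python
# Added example, not code from the thread, the helper or Trend Micro: parse HijackThis v2 entry
# lines, flag the load points a reviewer checks first, and diff the O4 autoruns of two logs.
# Sample lines are copied from this thread's logs; KNOWN_SYSTEM32 is a constructed, tiny allowlist.
import re

HJT_LINE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")
O4_RUN = re.compile(r'\[(?P<name>[^\]]+)\]\s*"?(?P<path>[^"]+?\.(?:exe|dll))', re.I)  # [Name] "path" args
O4_LNK = re.compile(r"^Startup: (?P<name>.+?\.lnk) = (?P<path>.+)$", re.I)  # Startup: X.lnk = path
KNOWN_SYSTEM32 = {"ctfmon.exe"}  # constructed allowlist, not a complete list of benign autoruns

OLD_LOG = r"""
O2 - BHO: (no name) - {17725A8E-68A2-4D60-A4C6-EFB0969F2F4D} - C:\WINDOWS\system32\ssqpn.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\dwdsrngt.exe CHD001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
"""
NEW_LOG = r"""
O4 - HKLM\..\Run: [{7F-F7-75-54-ZN}] c:\windows\system32\krdsrngk.exe CHD001
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\kwinsldq.exe CHD001
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\krdsrngk.exe
"""
def parse_hjt(text):
    """Return (section, body) pairs for entry lines; headers and the process list do not match."""
    return [(m.group("sec"), m.group("body")) for line in text.splitlines()
            if (m := HJT_LINE.match(line.strip()))]

def o4_target(body):
    """Map an O4 body to (load point + value name, lower-cased target path), or None."""
    m = O4_RUN.search(body)
    if m:
        return body[:m.start()].strip() + " " + m.group("name"), m.group("path").strip().lower()
    m = O4_LNK.match(body)
    return (m.group("name"), m.group("path").strip().lower()) if m else None

def triage(entries):
    """Flag entries with a reason, in the order a manual review of the log would hit them."""
    findings = []
    for sec, body in entries:
        if sec == "O2" and ("(no name)" in body or "(file missing)" in body):
            findings.append((sec, body, "BHO with no name or missing file"))
        elif sec == "O20":  # AppInit_DLLs / Winlogon Notify: loaded into every process or at logon
            findings.append((sec, body, "O20 load point"))
        elif sec == "O4" and (t := o4_target(body)):
            if "\\system32\\" in t[1] and t[1].rsplit("\\", 1)[-1] not in KNOWN_SYSTEM32:
                findings.append((sec, body, "unrecognised binary autostarting from system32"))
    return findings

def autoruns(entries):
    """{load point: target path} for every O4 entry in a parsed log."""
    return dict(t for sec, body in entries if sec == "O4" and (t := o4_target(body)))

def diff_autoruns(old, new):
    """Same load point, new target => dropper renamed between logs; new load points => new persistence."""
    a, b = autoruns(old), autoruns(new)
    renamed = {k: (a[k], b[k]) for k in a.keys() & b.keys() if a[k] != b[k]}
    added = {k: b[k] for k in b.keys() - a.keys()}
    return renamed, added
```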
