
Thread: Virtumonde fix request (logs are ready) - please help!!!

#11 - Emeritus-Security Expert (joined Nov 2005, Florida's SpaceCoast, 15,208 posts)

    Peter,

    The Vundo trojan has so many files and registry entries, which are being updated by these slimeballs on a regular basis, that it takes running a few programs to get rid of it all.

    What I would like you to do is drag ComboFix to the trash and download a fresh copy to your desktop; you can use the same links I provided earlier.

    Then do this.

    Open Notepad and copy all the text inside the Code box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before or above File::

    Code:
    File::
    C:\WINDOWS\system32\mlfcache.dat
    C:\WINDOWS\system32\AAK.dll
    C:\WINDOWS\system32\AAD.DLL
    C:\WINDOWS\system32\AAP.DLL
    C:\WINDOWS\system32\ad_away.lic
    
    Folder::
    C:\VundoFix Backups
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BE195F9-F7C7-4334-B591-B9900BA24DB1}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E71ADDC-4451-43F1-A6E2-3B515E578E67}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8146B1B8-0078-4131-81FC-2A76C1FD6ECC}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1BA9F50-D95B-4B4E-9218-E796EC763161}]
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "f45555a6"=-
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyxy]
    Save this as CFScript to your desktop.

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HijackThis log.
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.
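The CFScript in the post above is a small text format with three sections: File:: and Folder:: list paths to delete, and Registry:: uses ordinary .reg-file syntax, where [-KEY] deletes a whole key and "name"=- under a [KEY] header deletes a single value. The post also warns that ComboFix wants File:: at the very start of the file. The following Python is an added example, not part of the original thread and not ComboFix's own code: it parses such a script into a structured cleanup plan, flags the leading-whitespace pitfall, and renders the registry part as a Regedit-importable .reg file so the deletions can be reviewed before anything runs. The sample script is copied from the post; the expansion of the "~" shorthand to SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer (the key under which Browser Helper Objects are registered) is an assumption about ComboFix's log abbreviation.

```python
"""Parse a ComboFix-style CFScript into a reviewable cleanup plan.

Added example; not code from the thread or from ComboFix itself.
Handles the three sections used in the post: File::, Folder::, Registry::.
"""
import re
from dataclasses import dataclass, field

# Assumption: ComboFix abbreviates this key as "~" in its logs and scripts.
EXPLORER_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer"

SECTION_RE = re.compile(r"^(File|Folder|Registry)::\s*$", re.IGNORECASE)
KEY_RE = re.compile(r"^\[(-?)(.+)\]$")          # [KEY] or [-KEY]
VALUE_DEL_RE = re.compile(r'^"([^"]+)"=-$')     # "name"=-  (delete value)


@dataclass
class Plan:
    files: list = field(default_factory=list)
    folders: list = field(default_factory=list)
    delete_keys: list = field(default_factory=list)
    delete_values: list = field(default_factory=list)   # (key, value_name)
    warnings: list = field(default_factory=list)


def expand_key(key: str) -> str:
    """Expand the '~' shorthand to the full Explorer key (assumed meaning)."""
    return key.replace("\\~\\", "\\" + EXPLORER_KEY + "\\")


def parse_cfscript(text: str) -> Plan:
    plan = Plan()
    lines = text.splitlines()
    # The post's pitfall: a blank line or a space before File:: means the
    # first directive is not at the start of the file.
    if not lines or not SECTION_RE.match(lines[0]):
        plan.warnings.append(
            "first line is not a section header (leading space/blank line?)")
    section = None
    current_key = None
    for raw in lines:
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1).lower()
            current_key = None
            continue
        if not line:
            continue
        if section == "file":
            plan.files.append(line)
        elif section == "folder":
            plan.folders.append(line)
        elif section == "registry":
            km = KEY_RE.match(line)
            if km:
                key = expand_key(km.group(2))
                if km.group(1) == "-":          # [-KEY]: delete whole key
                    plan.delete_keys.append(key)
                    current_key = None
                else:                           # [KEY]: header for value lines
                    current_key = key
                continue
            vm = VALUE_DEL_RE.match(line)
            if vm and current_key:
                plan.delete_values.append((current_key, vm.group(1)))
            else:
                plan.warnings.append(f"unrecognised Registry:: line: {line}")
        else:
            plan.warnings.append(f"line outside any section: {line}")
    return plan


def to_reg(plan: Plan) -> str:
    """Render the registry part of the plan as a Regedit-importable .reg file."""
    out = ["REGEDIT4", ""]
    for key in plan.delete_keys:
        out += [f"[-{key}]", ""]
    for key, name in plan.delete_values:
        out += [f"[{key}]", f'"{name}"=-', ""]
    return "\n".join(out)


# Sample input: the CFScript from the post, reproduced verbatim.
SAMPLE_CFSCRIPT = r"""File::
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\AAK.dll
C:\WINDOWS\system32\AAD.DLL
C:\WINDOWS\system32\AAP.DLL
C:\WINDOWS\system32\ad_away.lic

Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1BE195F9-F7C7-4334-B591-B9900BA24DB1}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1E71ADDC-4451-43F1-A6E2-3B515E578E67}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8146B1B8-0078-4131-81FC-2A76C1FD6ECC}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D1BA9F50-D95B-4B4E-9218-E796EC763161}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"f45555a6"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyxy]"""


if __name__ == "__main__":
    plan = parse_cfscript(SAMPLE_CFSCRIPT)
    print("files:", plan.files)
    print("folders:", plan.folders)
    print("warnings:", plan.warnings)
    print(to_reg(plan))
```

Feeding the script with a blank line prepended reproduces the mistake the post warns about and shows up in plan.warnings; the .reg rendering makes the four BHO CLSIDs, the Run value and the Winlogon Notify subkey visible as explicit deletions, which is the list a helper would later check against the ComboFix log's "Other Deletions" section.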

#12 - Junior Member (joined Feb 2008, 21 posts)

    CFScript into ComboFix (log) part a

    Hi Ken,

    Here come the new logs per your instructions:

    ComboFix 08-02-22 - Majsan 2008-02-23 0:43:19.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.3.1252.46.1033.18.186 [GMT 1:00]
    Running from: C:\Documents and Settings\Majsan\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Majsan\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE ::
    C:\WINDOWS\system32\AAD.DLL
    C:\WINDOWS\system32\AAK.dll
    C:\WINDOWS\system32\AAP.DLL
    C:\WINDOWS\system32\ad_away.lic
    C:\WINDOWS\system32\mlfcache.dat
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\VundoFix Backups
    C:\WINDOWS\system32\AAD.DLL
    C:\WINDOWS\system32\AAK.dll
    C:\WINDOWS\system32\AAP.DLL
    C:\WINDOWS\system32\ad_away.lic
    C:\WINDOWS\system32\mlfcache.dat

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-22 to 2008-02-22 )))))))))))))))))))))))))))))))
    .

    2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
    2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\Malwarebytes
    2008-02-21 21:28 . 2008-02-21 21:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
    2008-02-21 21:27 . 2008-02-21 21:27 <DIR> d-------- C:\Program Files\Common Files\Download Manager
    2008-02-21 20:57 . 2008-02-21 20:57 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
    2008-02-18 18:53 . 2008-02-18 18:53 <DIR> d-------- C:\Program Files\Bonjour
    2008-02-17 00:23 . 2008-02-17 00:23 <DIR> d-------- C:\Program Files\Safari
    2008-02-16 21:53 . 2008-02-20 12:28 <DIR> d-------- C:\Program Files\Pettson2
    2008-02-16 21:53 . 1999-12-17 09:13 86,016 --a------ C:\WINDOWS\unvise32.exe
    2008-02-15 14:44 . 2008-02-15 14:44 <DIR> d-------- C:\Downloads
    2008-02-15 14:44 . 2008-02-15 14:44 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\PCF-VLC
    2008-02-15 13:41 . 2008-02-21 13:37 <DIR> d-------- C:\Program Files\FlashGet
    2008-02-15 00:47 . 2008-02-15 01:01 91,700 --a------ C:\WINDOWS\system32\drivers\klin.dat
    2008-02-15 00:47 . 2008-02-15 00:47 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
    2008-02-15 00:45 . 2008-02-15 00:45 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-02-15 00:45 . 2008-02-23 00:46 5,148,448 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-02-15 00:45 . 2008-02-22 22:18 72,488 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-02-15 00:45 . 2008-02-23 00:46 64,544 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-02-15 00:45 . 2008-02-22 22:18 6,788 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-02-14 20:21 . 2008-02-14 20:21 <DIR> d-------- C:\kav
    2008-02-14 17:02 . 2008-02-14 17:02 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2008-02-14 17:02 . 2008-02-22 22:20 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-02-14 12:11 . 2008-02-14 12:16 <DIR> d-------- C:\Program Files\Windows Live Safety Center
    2008-02-14 11:37 . 2008-02-14 11:37 <DIR> d-------- C:\Program Files\Trend Micro
    2008-02-14 02:07 . 2008-02-14 02:09 <DIR> d-------- C:\hidownload
    2008-02-14 01:41 . 2008-02-14 01:40 691,545 --a------ C:\WINDOWS\unins000.exe
    2008-02-14 01:41 . 2008-02-14 01:41 3,445 --a------ C:\WINDOWS\unins000.dat
    2008-02-14 01:31 . 2008-02-14 01:34 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2008-02-14 01:29 . 2008-02-14 01:29 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\WINDOWS\system32\uw3
    2008-02-14 01:11 . 2008-02-15 08:11 <DIR> d-------- C:\WINDOWS\system32\fe9
    2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\WINDOWS\system32\de1
    2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\Temp\gTiis19
    2008-02-14 01:11 . 2008-02-14 01:11 <DIR> d-------- C:\Temp\cXzz9
    2008-02-14 01:11 . 2008-02-22 22:13 <DIR> d-------- C:\Temp
    2008-02-14 01:11 . 2008-02-14 01:11 0 --a------ C:\WINDOWS\system32\ope3D.tmp
    2008-02-14 01:11 . 2008-02-14 01:11 0 --a------ C:\WINDOWS\system32\ope3C.tmp
    2008-02-14 01:10 . 2008-02-14 01:10 352,410 --a------ C:\WINDOWS\ope31.exe
    2008-02-14 01:10 . 2008-02-14 01:10 352,410 --a------ C:\WINDOWS\ope30.exe
    2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\system32\ope3B.tmp
    2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\system32\ope3A.tmp
    2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\ope31.tmp
    2008-02-14 01:10 . 2008-02-14 01:10 0 --a------ C:\WINDOWS\ope30.tmp
    2008-02-14 00:32 . 2008-02-14 00:32 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\Participatory Culture Foundation
    2008-02-14 00:31 . 2008-02-14 00:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
    2008-02-14 00:13 . 2008-02-14 00:13 <DIR> d-------- C:\Documents and Settings\Majsan\dwhelper
    2008-02-13 23:49 . 2008-02-13 23:49 1,158 --a------ C:\WINDOWS\mozver.dat
    2008-02-13 23:23 . 2008-02-13 23:23 0 --a------ C:\WINDOWS\nsreg.dat
    2008-02-13 14:53 . 2008-02-13 14:53 <DIR> d-------- C:\Program Files\HCA
    2008-02-12 12:57 . 2008-02-12 12:57 <DIR> d-------- C:\Program Files\THQ
    2008-02-12 09:16 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
    2008-02-12 08:59 . 2008-02-12 08:59 <DIR> d-------- C:\Program Files\PDFCreator Toolbar
    2008-02-12 08:59 . 2008-02-12 09:00 <DIR> d-------- C:\Program Files\PDFCreator
    2008-02-12 08:59 . 2004-03-09 00:00 662,288 --a------ C:\WINDOWS\system32\MSCOMCT2.OCX
    2008-02-12 08:59 . 2008-02-12 08:59 253,116 --a------ C:\WINDOWS\PDFCreator_Toolbar_Uninstaller_1312.exe
    2008-02-12 08:59 . 2005-10-15 12:32 196,608 --a------ C:\WINDOWS\system32\pdfcmnnt.dll
    2008-02-12 08:59 . 1998-06-24 00:00 137,000 --a------ C:\WINDOWS\system32\MSMAPI32.OCX
    2008-02-12 08:59 . 1998-07-06 00:00 23,552 --a------ C:\WINDOWS\system32\MSMPIDE.DLL
    2008-02-12 08:59 . 2008-02-12 08:59 14,290 --a------ C:\Program Files\settings.dat
    2008-02-09 14:25 . 2008-02-12 08:24 <DIR> d-------- C:\Program Files\Pettson1
    2008-02-05 10:53 . 2008-02-05 10:53 <DIR> d-------- C:\Program Files\Common Files\Knowledge Adventure
    2008-02-05 10:53 . 2008-02-05 10:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Knowledge Adventure
    2008-01-31 12:28 . 2008-01-31 12:28 75,776 --ah----- C:\Documents and Settings\Majsan\Application Data\rbqt450.DLL
    2008-01-31 12:28 . 2008-01-31 12:28 64,512 --ah----- C:\Documents and Settings\Majsan\Application Data\rbap450.dll
    2008-01-31 12:28 . 2008-01-31 12:28 54,272 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSQTImporterPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 53,760 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPicturePlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 52,224 --ah----- C:\Documents and Settings\Majsan\Application Data\EHZComp.dll
    2008-01-31 12:28 . 2008-01-31 12:28 51,712 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSWinPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 49,664 --ah----- C:\WINDOWS\system32\MBSQuickTimePlugin1636.dll
    2008-01-31 12:28 . 2008-01-31 12:28 49,664 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSQuickTimePlugin1636.dll
    2008-01-31 12:28 . 2008-01-31 12:28 48,128 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSResPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 41,984 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMainPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 41,472 --ah----- C:\WINDOWS\system32\RBShell400.dll
    2008-01-31 12:28 . 2008-01-31 12:28 41,472 --ah----- C:\Documents and Settings\Majsan\Application Data\RBShell400.dll
    2008-01-31 12:28 . 2008-01-31 12:28 37,376 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPictureMacPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 36,352 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRegistryPlugin1636.dll
    2008-01-31 12:28 . 2008-01-31 12:28 36,352 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSFolderitemsCreatePlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 33,280 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSEncryptPlugin1636.dll
    2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\WINDOWS\system32\MBSIconPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSProcessPlugin1636.dll
    2008-01-31 12:28 . 2008-01-31 12:28 32,256 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSIconPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 29,184 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRectPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 29,184 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMemoryPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 26,624 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSUsernamePlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 26,112 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSResStreamPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 26,112 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSRegistrationPlugin1636.dll
    2008-01-31 12:28 . 2008-01-31 12:28 25,088 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSPluginVersionPlugin1635.dll
    2008-01-31 12:28 . 2008-01-31 12:28 19,968 --ah----- C:\Documents and Settings\Majsan\Application Data\EHMD5.dll
    2008-01-31 12:28 . 2008-01-31 12:28 18,432 --ah----- C:\Documents and Settings\Majsan\Application Data\EHEncrypt.dll
    2008-01-31 12:27 . 2008-01-31 12:27 28,672 --ah----- C:\Documents and Settings\Majsan\Application Data\MBSMacOSXPlugin1635.dll
    2008-01-24 16:08 . 2008-01-24 16:08 <DIR> d-------- C:\Program Files\Citrix
    2008-01-23 12:23 . 2008-01-23 12:49 <DIR> d-------- C:\Program Files\RegCure
    2008-01-23 11:40 . 2007-12-01 00:23 101,888 -----c--- C:\WINDOWS\system32\dllcache\dpcdll.dll
    2008-01-23 11:40 . 2007-12-01 00:25 10,752 --a------ C:\WINDOWS\system32\smtpapi.dll
    2008-01-23 11:40 . 2007-12-01 00:25 9,728 --a------ C:\WINDOWS\system32\rwnh.dll
    2008-01-23 11:34 . 2007-11-30 17:25 10,240 --------- C:\WINDOWS\system32\drivers\sffp_mmc.sys
    2008-01-23 11:34 . 2007-11-30 17:24 9,472 --------- C:\WINDOWS\system32\drivers\dumpdrv.sys
    2008-01-23 11:31 . 2006-12-29 00:31 19,569 --a------ C:\WINDOWS\006256_.tmp
    2008-01-22 15:24 . 2008-01-22 15:24 <DIR> d-------- C:\Documents and Settings\Majsan\Application Data\ICAClient

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-16 23:23 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Apple Computer
    2008-02-14 07:24 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-02-14 07:23 --------- d-----w C:\Program Files\Spybot - Search & Destroy
    2008-02-14 00:32 --------- d-----w C:\Program Files\Lavasoft
    2008-02-14 00:32 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Lavasoft
    2008-02-12 08:16 --------- d-----w C:\Program Files\Java
    2008-02-12 07:26 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2008-01-24 16:28 --------- d-----w C:\Documents and Settings\Majsan\Application Data\Skype
    2008-01-21 09:49 --------- d-----w C:\Program Files\RegistrySmart
    2008-01-21 01:03 --------- d-----w C:\Documents and Settings\Majsan\Application Data\RegistrySmart
    2008-01-21 00:54 23,600 ----a-w C:\WINDOWS\system32\drivers\TVICHW32.SYS
    2008-01-21 00:24 --------- d-----w C:\Program Files\MSBuild
    2008-01-21 00:15 --------- d-----w C:\Program Files\Reference Assemblies
    2008-01-20 23:54 --------- d-----w C:\Program Files\ATI Technologies
    2008-01-20 23:38 --------- d-----w C:\Program Files\iTunes
    2008-01-20 23:38 --------- d-----w C:\Program Files\iPod
    2008-01-20 23:36 --------- d-----w C:\Program Files\QuickTime
    2008-01-20 23:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
    2008-01-20 23:32 --------- d-----w C:\Program Files\Apple Software Update
    2008-01-20 23:31 --------- d-----w C:\Program Files\Common Files\Apple
    2008-01-20 23:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
    2008-01-20 23:29 --------- d-----w C:\Program Files\Roku Radio Snooper
    2008-01-20 23:27 --------- d-----w C:\Program Files\WinPcap
    2008-01-20 23:03 --------- d-----w C:\Program Files\MSXML 6.0
    2008-01-20 23:02 --------- d-----w C:\Program Files\Windows Media Connect 2
    2008-01-20 22:58 0 ---ha-w C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2008-01-20 22:58 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
    2008-01-20 22:34 --------- d-----w C:\Program Files\MSXML 4.0
    2008-01-20 22:30 --------- d-----w C:\Program Files\Google
    2008-01-20 22:14 --------- d-----w C:\Program Files\Common Files\Adobe
    2007-12-17 23:44 219,664 ----a-w C:\WINDOWS\system32\klogon.dll
    2007-12-14 10:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
    2007-11-30 23:31 329,728 ----a-w C:\WINDOWS\system32\netsetup.exe
    2007-11-30 23:26 990,208 ----a-w C:\WINDOWS\system32\syssetup.dll
    2007-11-30 23:25 997,376 ----a-w C:\WINDOWS\system32\msgina.dll
    2007-11-30 23:24 756,224 ----a-w C:\WINDOWS\system32\winntbbu.dll
    2007-11-30 23:24 706,048 ----a-w C:\WINDOWS\system32\ntdll.dll
    2007-11-30 23:24 5,632 ----a-w C:\WINDOWS\system32\wmi.dll
    2007-11-30 23:23 53,279 ----a-w C:\WINDOWS\system32\odbcji32.dll
    2007-11-30 23:23 101,888 ----a-w C:\WINDOWS\system32\dpcdll.dll
    2007-11-30 23:21 285,696 ----a-w C:\WINDOWS\system32\atmfd.dll
    2007-11-30 23:21 16,896 ----a-w C:\WINDOWS\system32\cfgmgr32.dll
    2007-11-30 17:25 2,188,928 ----a-w C:\WINDOWS\system32\ntoskrnl.exe
    2007-11-30 17:24 1,843,968 ----a-w C:\WINDOWS\system32\win32k.sys
    2007-11-30 16:30 17,664 ----a-w C:\WINDOWS\system32\watchdog.sys
    2007-11-30 16:27 9,728 ----a-w C:\WINDOWS\system32\comsdupd.exe
    2007-11-30 16:27 12,800 ----a-w C:\WINDOWS\system32\spiisupd.exe
    2007-11-30 16:25 7,424 ----a-w C:\WINDOWS\system32\kd1394.dll
    2007-11-30 16:25 2,065,792 ----a-w C:\WINDOWS\system32\ntkrnlpa.exe
    2007-11-30 16:24 61,440 ----a-w C:\WINDOWS\system32\msvcrt40.dll
    2007-11-30 15:38 79,872 ----a-w C:\WINDOWS\system32\msxml6r.dll
    2007-11-30 15:37 94,208 ----a-w C:\WINDOWS\system32\odbcint.dll
    2007-11-30 15:37 12,288 ----a-w C:\WINDOWS\system32\odbcp32r.dll
    2007-11-30 15:37 12,288 ----a-w C:\WINDOWS\system32\mscpx32r.dll
    2007-11-30 15:35 20,480 ----a-w C:\WINDOWS\system32\msorc32r.dll
    2007-11-30 15:25 438,784 ----a-w C:\WINDOWS\system32\xpob2res.dll
    2007-11-30 15:25 2,897,920 ----a-w C:\WINDOWS\system32\xpsp2res.dll
    2007-11-30 15:25 187,392 ----a-w C:\WINDOWS\system32\xpsp1res.dll
    2007-11-30 15:23 208,384 ----a-w C:\WINDOWS\system32\rsaenh.dll
    2007-11-30 15:23 138,752 ----a-w C:\WINDOWS\system32\dssenh.dll
    2007-11-30 15:06 733,696 ----a-w C:\WINDOWS\system32\qedwipes.dll
    2007-11-30 14:54 4,096 ----a-w C:\WINDOWS\system32\dsprpres.dll
    2007-11-30 14:53 76,800 ----a-w C:\WINDOWS\system32\msshavmsg.dll
    2007-11-30 14:45 48,128 ----a-w C:\WINDOWS\system32\inetres.dll
    2007-11-30 14:37 63,488 ----a-w C:\WINDOWS\system32\browselc.dll
    2007-11-30 14:36 549,376 ----a-w C:\WINDOWS\system32\shdoclc.dll
    2007-11-30 14:35 1,647,616 ----a-w C:\WINDOWS\system32\winbrand.dll
    2007-11-30 14:32 216,064 ----a-w C:\WINDOWS\system32\moricons.dll
    2007-11-30 14:10 48,128 ----a-w C:\WINDOWS\system32\msprivs.dll
    2007-11-30 13:31 884,736 ----a-w C:\WINDOWS\system32\msimsg.dll
    2004-11-03 21:46 82,640 -c--a-w C:\Documents and Settings\Majsan\Application Data\GDIPFONTCACHEV1.DAT
    .

#13 - Junior Member (joined Feb 2008, 21 posts)

    part b

    ------- Sigcheck -------

    "C:\WINDOWS\system32\wininet.dll"
    ----a-w 656,896 2004-09-29 18:27:41 C:\WINDOWS\$hf_mig$\KB834707\SP2QFE\wininet.dll
    ----a-w 657,920 2005-01-27 17:08:42 C:\WINDOWS\$hf_mig$\KB867282\SP2QFE\wininet.dll
    ----a-w 658,944 2005-05-02 20:57:24 C:\WINDOWS\$hf_mig$\KB883939\SP2QFE\wininet.dll
    ----a-w 657,920 2005-03-10 07:43:23 C:\WINDOWS\$hf_mig$\KB890923\SP2QFE\wininet.dll
    ----a-w 660,480 2005-09-02 23:53:41 C:\WINDOWS\$hf_mig$\KB896688\SP2QFE\wininet.dll
    ----a-w 659,456 2005-07-03 02:09:33 C:\WINDOWS\$hf_mig$\KB896727\SP2QFE\wininet.dll
    ----a-w 661,504 2005-10-21 03:38:08 C:\WINDOWS\$hf_mig$\KB905915\SP2QFE\wininet.dll
    ----a-w 825,344 2007-10-10 23:47:29 C:\WINDOWS\$hf_mig$\KB942615-IE7\SP2QFE\wininet.dll
    -c----w 656,384 2004-08-04 07:56:46 C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
    -c----w 656,384 2004-08-04 07:56:46 C:\WINDOWS\$NtUninstallKB834707$\wininet.dll
    -c----w 593,920 2001-08-23 12:00:00 C:\WINDOWS\$NtUninstallKB834707-IE6-20040929.115007$\wininet.dll
    -c----w 656,896 2004-09-29 18:47:04 C:\WINDOWS\$NtUninstallKB867282$\wininet.dll
    -c----w 656,896 2005-03-10 08:02:35 C:\WINDOWS\$NtUninstallKB883939$\wininet.dll
    -c----w 656,896 2005-01-27 17:13:18 C:\WINDOWS\$NtUninstallKB890923$\wininet.dll
    -c----w 658,432 2005-07-03 02:11:30 C:\WINDOWS\$NtUninstallKB896688$\wininet.dll
    -c----w 657,920 2005-05-02 20:52:36 C:\WINDOWS\$NtUninstallKB896727$\wininet.dll
    -c----w 658,432 2005-09-02 23:52:06 C:\WINDOWS\$NtUninstallKB905915$\wininet.dll
    -c----w 662,016 2006-01-09 18:02:00 C:\WINDOWS\$NtUninstallKB912812$\wininet.dll
    -c----w 658,432 2005-10-21 03:39:30 C:\WINDOWS\$NtUninstallKB912945$\wininet.dll
    -c----w 663,552 2006-03-04 03:58:52 C:\WINDOWS\$NtUninstallKB916281$\wininet.dll
    -c----w 663,552 2006-05-10 05:25:22 C:\WINDOWS\$NtUninstallKB918899$\wininet.dll
    -c--a-w 664,576 2006-06-23 11:25:31 C:\WINDOWS\ie7\wininet.dll
    -c----w 818,688 2007-08-13 17:54:10 C:\WINDOWS\ie7updates\KB942615-IE7\wininet.dll
    ------w 666,112 2007-11-30 23:26:08 C:\WINDOWS\ServicePackFiles\i386\wininet.dll
    ----a-w 666,112 2007-10-11 05:57:41 C:\WINDOWS\SoftwareDistribution\Download\fa58243222bcfe35e5467668df396003\sp2qfe\wininet.dll
    ----a-w 824,832 2007-10-10 23:56:00 C:\WINDOWS\system32\wininet.dll
    -c----w 824,832 2007-10-10 23:56:00 C:\WINDOWS\system32\dllcache\wininet.dll
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-12-01 00:26 15360]
    "WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05 204288]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "USRpdA"="" []
    "HGTXPEI"="C:\WINDOWS\system32\FirstReboot.exe" [2005-10-17 15:43 0]
    "SoundFusion"="hercplgs.cpl" [2002-12-20 14:46 453120 C:\WINDOWS\system32\hercplgs.cpl]
    "NeroCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2004-10-19 19:28 155648]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 09:22 155648]
    "Opware14"="C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe" [2004-03-08 19:33 57344]
    "REGSHAVE"="C:\Program Files\REGSHAVE\REGSHAVE.exe" [2002-02-04 22:32 53248]
    "IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2005-06-10 10:21 217088]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
    "QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2008-01-10 15:27 385024]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2008-01-15 03:22 267048]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 16:41 45056]
    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 22:16 39792]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-12-18 00:43 227856]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2007-12-01 00:26 15360]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, credssp.dll,

    R0 trm3x5;trm3x5;C:\WINDOWS\system32\DRIVERS\trm3x5.sys [2000-05-04 23:51]
    R1 jsmux;jsmux;C:\WINDOWS\system32\drivers\jsmux.sys [1999-09-22 10:48]
    R1 jsscan;jsscan;C:\WINDOWS\system32\drivers\jsscan.sys [1999-09-22 10:48]
    R1 VIAPFD;VIAPFD;C:\WINDOWS\system32\Drivers\VIAPFD.SYS [2001-12-18 15:45]
    R2 jsfax;jsfax;C:\WINDOWS\system32\drivers\jsfax.sys [1999-09-22 10:48]
    R3 hercspud;Hercules (R) WDM Audio Driver;C:\WINDOWS\system32\drivers\hercspud.sys [2003-01-10 08:21]
    R3 hercwdm;Hercules (R) WDM Interface Driver;C:\WINDOWS\system32\drivers\hercwdm.sys [2003-01-10 08:21]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-12-13 13:28]
    R3 USRpdA;U.S. Robotics 56K PCI Faxmodem Driver;C:\WINDOWS\system32\DRIVERS\USRpdA.sys [2001-08-17 14:28]
    S2 Ca536av;4.1M MPEG4 DV Video Capture;C:\WINDOWS\system32\Drivers\Ca536av.sys [2003-07-09 10:49]
    S2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\system32\Drivers\ousbehci.sys [2002-02-01 00:39]
    S3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\system32\DRIVERS\ousb2hub.sys [2002-02-01 00:39]
    S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
    S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
    S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
    S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe [2007-12-01 00:26]
    S3 USBCamera;4.1M MPEG4 DV Bulk Driver;C:\WINDOWS\system32\Drivers\Bulk536.sys [2003-05-14 16:28]
    S3 WLAN_USB;Wireless LAN USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 16:27]
    S3 WlanUIB;NETGEAR 802.11b USB Driver;C:\WINDOWS\system32\DRIVERS\MA111nd5.sys [2004-03-03 16:27]
    S4 jsdbg;jsdbg;C:\WINDOWS\system32\drivers\jsdbg.sys [1999-09-22 10:48]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    p2psvc REG_MULTI_SZ p2psvc p2pimsvc p2pgasvc PNRPSvc

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-19 09:00:00 C:\WINDOWS\Tasks\Norton Ghost.job"
    - C:\PROGRA~1\COMMON~1\SYMANT~1\NMain.exeB/dat:C:\Program Files\Norton SystemWorks\Norton Ghost\nswigho.nsi
    "2008-02-22 21:20:03 C:\WINDOWS\Tasks\RegCure Program Check.job"
    - C:\Program Files\RegCure\RegCure.exe
    "2008-02-14 02:01:09 C:\WINDOWS\Tasks\RegCure.job"
    - C:\Program Files\RegCure\RegCure.exe
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-23 00:47:10
    Windows 5.1.2600 Service Pack 3, v.3264 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows
    AppInit_DLLs = ??????????

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2008-02-23 0:48:23
    ComboFix-quarantined-files.txt 2008-02-22 23:48:18
    ComboFix2.txt 2008-02-22 21:23:08
    .
    2008-02-13 13:52:40 --- E O F ---

#14 - Junior Member (joined Feb 2008, 21 posts)

    hijackthis log

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:53:35 AM, on 2/23/2008
    Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP Jetsuite\jsdaemon.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
    O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7...p/RdxIE601.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097630386527
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 9362 bytes

  5. #15
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Peter,

    The last fix should have fixed that error you were getting.

    Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one, the only program or window you should have open is HijackThis, check the following entries and click on Fix Checked.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/201839e7...p/RdxIE601.cab

    In relation to the email worm, I am not looking at it on your system.

    Time for some housekeeping

    • Click START then RUN
    • Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.
    • When shown the disclaimer, Select "2"

    The above procedure will:
    • Delete the following:
      • ComboFix and its associated files and folders.
      • VundoFix backups, if present
      • The C:\Deckard folder, if present
      • The C:\_OtMoveIt folder, if present
    • Reset the clock settings.
    • Hide file extensions, if required.
    • Hide System/Hidden files, if required.
    • Reset System Restore.

    Please download ATF Cleaner by Atribune to your desktop.
    • This program is for XP and Windows 2000 only
    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Your system may start up slower after running ATF Cleaner; this is expected but will be back to normal after the first or second boot up.


    How are things running now????
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  6. #16
    Junior Member
    Join Date
    Feb 2008
    Posts
    21

    Default How are things running now????

    Hi Ken,

    Sorry I didn't reply yesterday. It was 2 am here local time by the end of your last post. I do think I'm in the clear thanks to you, but I just want to confirm a few things before we close this:

    a) when I turned tea timer on after reboot it asked for 5-6 registry change allows, but I decided to accept them since I had just completed the processes you recommended. I have since run both Kaspersky AV scan and Spybot and rebooted without any warnings. However, Kaspersky did report the following at the end of the scan:
    not found: virus Heur.Invader (modification) File: C:\Documents and Settings\Majsan\Local Settings\Application Data\Mozilla\Firefox\Profiles\rgv44fkt.default\Cache\6D952C06d01//PE_Patch.UPX/327882R2FWJFW\catchme.cfexe

    After another reboot both this notice and the tea timer notices disappeared. Also, the dll message and worm warnings are gone.

    I'm pasting another HJT log for your final inspection:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 8:23:57 AM, on 2/22/2008
    Platform: Windows XP SP3, v.3264 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe
    C:\Program Files\Microsoft IntelliPoint\point32.exe
    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Windows Media Player\WMPNSCFG.exe
    C:\Program Files\HP Jetsuite\jsdaemon.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\WINDOWS\system32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = https://remote.pers.hh.se
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {1BE195F9-F7C7-4334-B591-B9900BA24DB1} - (no file)
    O2 - BHO: (no name) - {1E71ADDC-4451-43F1-A6E2-3B515E578E67} - (no file)
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: (no name) - {8146B1B8-0078-4131-81FC-2A76C1FD6ECC} - (no file)
    O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
    O2 - BHO: (no name) - {D1BA9F50-D95B-4B4E-9218-E796EC763161} - (no file)
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
    O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097630386527
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
    O20 - Winlogon Notify: gebxyxy - C:\WINDOWS\
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 9944 bytes

    My 5 yo son thought I should use this

    Peter

  7. #17
    Junior Member
    Join Date
    Feb 2008
    Posts
    21

    Default addendum: tea timer log

    I found the tea timer log that shows the registry changes that I mentioned from this morning - 2/22/2008 7:50:24 AM onward. I've left the earlier ones for your reference.

    2/14/2008 9:19:57 AM Allowed (based on user decision) value "{267D49C1-CD3B-4C0C-A1CA-462E58A547D4}" (new data: "") deleted in Browser Helper Object!
    2/14/2008 10:49:32 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:49:35 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:49:37 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:49:39 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:49:40 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:49:42 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:49:43 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:49:45 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:49:52 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:50:06 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:53:20 AM Denied (based on user decision) value "{607eb0f8-290e-4341-912d-cbfb48b36fc7}" (new data: "") added in Browser Helper Object!
    2/14/2008 10:53:27 AM Denied (based on Spybot-S&D scan) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") added in Browser Helper Object!
    2/14/2008 11:27:47 AM Denied (based on user decision) value "{1E71ADDC-4451-43F1-A6E2-3B515E578E67}" (new data: "") added in Browser Helper Object!
    2/14/2008 11:44:41 AM Denied (based on user decision) value "{F39C1598-78B0-4B0F-B6B2-157F8699EB31}" (new data: "") deleted in Browser Helper Object!
    2/14/2008 12:02:40 PM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
    2/14/2008 12:12:43 PM Allowed (based on user decision) value "{5ED80217-570B-4DA9-BF44-BE107C0EC166}" (new data: "") added in ActiveX Distribution Unit!
    2/14/2008 1:41:13 PM Allowed (based on user decision) value "SpybotDeletingB6638" (new data: "command /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup user entry!
    2/14/2008 1:41:35 PM Allowed (based on user decision) value "SpybotDeletingD258" (new data: "cmd /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup user entry!
    2/14/2008 1:41:37 PM Allowed (based on user decision) value "SpybotDeletingA1135" (new data: "command /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup global entry!
    2/14/2008 1:41:42 PM Allowed (based on user decision) value "SpybotDeletingC3323" (new data: "cmd /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup global entry!
    2/14/2008 3:02:46 PM Allowed (based on user decision) value "SpybotDeletingD1938" (new data: "cmd /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup user entry!
    2/14/2008 3:02:51 PM Denied (based on user decision) value "SpybotDeletingA4345" (new data: "command /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup global entry!
    2/14/2008 3:02:58 PM Denied (based on user decision) value "SpybotDeletingC884" (new data: "cmd /c del "C:\WINDOWS\system32\ddabc.dll_old"") added in System Startup global entry!
    2/14/2008 3:03:30 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
    2/14/2008 4:03:11 PM Allowed (based on user decision) value "SpybotDeletingB6638" (new data: "") deleted in System Startup user entry!
    2/14/2008 4:03:23 PM Allowed (based on user decision) value "SpybotDeletingD258" (new data: "") deleted in System Startup user entry!
    2/14/2008 4:03:26 PM Allowed (based on user decision) value "SpybotDeletingB7145" (new data: "") deleted in System Startup user entry!
    2/14/2008 4:03:26 PM Allowed (based on user decision) value "SpybotDeletingD1938" (new data: "") deleted in System Startup user entry!
    2/14/2008 4:03:27 PM Allowed (based on user decision) value "SpybotDeletingA1135" (new data: "") deleted in System Startup global entry!
    2/14/2008 4:03:28 PM Allowed (based on user decision) value "SpybotDeletingC3323" (new data: "") deleted in System Startup global entry!
    2/14/2008 4:03:28 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
    2/14/2008 4:06:05 PM Denied (based on user decision) value "{6063030d-46c1-4792-952b-af77b2e7b5e4}" (new data: "") added in Browser Helper Object!
    2/14/2008 4:07:19 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
    2/14/2008 4:07:24 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck") added in System Startup global entry!
    2/14/2008 4:07:38 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
    2/14/2008 4:12:24 PM Denied (based on user decision) value "f45555a6" (new data: "rundll32.exe "C:\WINDOWS\system32\jxhjgymw.dll",b") changed in System Startup global entry!
    2/14/2008 5:00:16 PM Denied (based on user decision) value "f45555a6" (new data: "rundll32.exe "C:\WINDOWS\system32\jxhjgymw.dll",b") changed in System Startup global entry!
    2/14/2008 5:02:49 PM Allowed (based on user decision) value "{0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75}" (new data: "") added in ActiveX Distribution Unit!
    2/14/2008 7:30:31 PM Denied (based on user decision) value "f45555a6" (new data: "rundll32.exe "C:\WINDOWS\system32\jxhjgymw.dll",b") changed in System Startup global entry!
    2/14/2008 8:24:30 PM Allowed (based on user decision) value "avast!" (new data: "") deleted in System Startup global entry!
    2/15/2008 12:51:29 AM Allowed (based on user decision) value "klogon" (new data: "") added in Winlogon Notifiers!
    2/15/2008 12:51:32 AM Allowed (based on user decision) value "AVP" (new data: ""C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"") added in System Startup global entry!
    2/15/2008 1:05:43 AM Allowed (based on user decision) value "gebxyxy" (new data: "") deleted in Winlogon Notifiers!
    2/15/2008 1:05:48 AM Allowed (based on user decision) value "gebxyxy" (new data: "") added in Winlogon Notifiers!
    2/15/2008 1:41:33 PM Allowed (based on user decision) value "{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}" (new data: "") added in Browser Helper Object!
    2/15/2008 1:41:47 PM Allowed (based on user decision) value "Flashget" (new data: ""C:\Program Files\FlashGet\FlashGet.exe" /min") added in System Startup global entry!
    2/15/2008 1:41:50 PM Allowed (based on user decision) value "{F156768E-81EF-470C-9057-481BA8380DBA}" (new data: "") added in Browser Helper Object!
    2/15/2008 1:41:51 PM Allowed (based on user decision) value "&Download All with FlashGet" (new data: "") added in Browser menu extension!
    2/15/2008 1:41:53 PM Allowed (based on user decision) value "&Download with FlashGet" (new data: "") added in Browser menu extension!
    2/15/2008 1:48:46 PM Allowed (based on user decision) value "Flashget" (new data: "C:\Program Files\FlashGet\flashget.exe /min") changed in System Startup global entry!
    2/15/2008 2:48:04 PM Allowed (based on authenticode whitelist) value "SpybotSnD" (new data: ""C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe"") changed in System Startup global entry!
    2/15/2008 2:48:30 PM Allowed (based on user decision) value "SpybotSnD" (new data: "") deleted in System Startup global entry!
    2/15/2008 2:53:00 PM Allowed (based on user decision) value "Flashget" (new data: "") deleted in System Startup global entry!
    2/18/2008 6:56:08 PM Allowed (based on user decision) value "Download All Files by HiDownload" (new data: "") deleted in Browser menu extension!
    2/18/2008 6:56:10 PM Allowed (based on user decision) value "Download by HiDownload" (new data: "") deleted in Browser menu extension!
    2/21/2008 9:47:39 PM Allowed (based on user decision) value "{BED7C2B4-3DA5-4F4F-84F7-07CAB3418E5F}" (new data: "") deleted in Browser Helper Object!
    2/23/2008 12:16:42 AM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
    2/23/2008 12:16:47 AM Denied (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
    2/23/2008 12:16:53 AM Denied (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
    2/23/2008 12:17:01 AM Denied (based on user decision) value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
    2/23/2008 12:17:24 AM Denied (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
    2/23/2008 12:17:38 AM Denied (based on user decision) value "load" (new data: "") deleted in NT startup!
    2/23/2008 12:17:42 AM Denied (based on user decision) value "scrnsave.exe" (new data: "") deleted in Desktop settings!
    2/23/2008 12:41:09 AM Denied (based on user decision) value "{53707962-6F74-2D53-2644-206D7942484F}" (new data: "") deleted in Browser Helper Object!
    2/22/2008 7:50:24 AM Allowed (based on authenticode whitelist) value "SpybotSD TeaTimer" (new data: "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe") added in System Startup user entry!
    2/22/2008 7:54:30 AM Allowed (based on user decision) value "f45555a6" (new data: "") deleted in System Startup global entry!
    2/22/2008 7:54:54 AM Allowed (based on user decision) value "Search Page" (new data: "http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch") changed in Browser page!
    2/22/2008 7:55:01 AM Allowed (based on user decision) value "Search Bar" (new data: "") deleted in Browser page!
    2/22/2008 7:55:06 AM Allowed (based on user decision) value "Local Page" (new data: "C:\WINDOWS\SYSTEM32\blank.htm") added in Browser page!
    2/22/2008 7:55:09 AM Allowed (based on user decision) value "Local Page" (new data: "C:\WINDOWS\SYSTEM32\blank.htm") added in Browser page!
    2/22/2008 7:55:23 AM Allowed (based on user decision) value "SearchAssistant" (new data: "http://ie.search.msn.com/{SUB_RFC1766}/srchasst/srchasst.htm") changed in Browser page!
    2/22/2008 7:55:31 AM Allowed (based on user decision) value "AutoRun" (new data: "") deleted in Command processor!
    2/22/2008 7:55:43 AM Allowed (based on user decision) value "load" (new data: "") deleted in NT startup!
    2/22/2008 7:55:53 AM Allowed (based on user decision) value "scrnsave.exe" (new data: "") deleted in Desktop settings!
    2/22/2008 8:40:45 AM Allowed (based on user decision) value "Local Page" (new data: "") deleted in Browser page!
    2/22/2008 8:44:40 AM Allowed (based on user decision) value "Local Page" (new data: "") deleted in Browser page!

  8. #18
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Peter,

    The Teatimer has prevented some of the reg entries from being removed. Although Spybot Search and Destroy is a great program, I am going to link you to some free programs to install and with them you can keep and run Spybot but keep the TeaTimer disabled as Spyware Guard and Spyware Blaster will protect you from changes.

    So, disable the TeaTimer , reboot for it to take effect and then remove these with HJT.

    O2 - BHO: (no name) - {1BE195F9-F7C7-4334-B591-B9900BA24DB1} - (no file)
    O2 - BHO: (no name) - {1E71ADDC-4451-43F1-A6E2-3B515E578E67} - (no file)
    O2 - BHO: (no name) - {8146B1B8-0078-4131-81FC-2A76C1FD6ECC} - (no file)
    O2 - BHO: (no name) - {D1BA9F50-D95B-4B4E-9218-E796EC763161} - (no file)

    O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -

    O20 - Winlogon Notify: gebxyxy - C:\WINDOWS\




    Malware Complaints
    Are you mad ? I mean really mad, seething mad, so mad your ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscredents, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney Generals Office and the Federal Trade Commission's Bureau of Consumer Protection.


    Keep in mind if you install some of these programs. Only ONE Anti Virus and only ONE Firewall is recommended, more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.
    Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community
    • Spybot Search and Destroy 1.5
      Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.
    • Spyware Blaster It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.
    • Spyware Guard It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.
    • IE-Spyad
      IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.
    • Firefox 2.0.0.12 It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.


    Glad we could help

    Safe Surfn
    Ken
    Microsoft MVP Consumer Security 2007-2008-2009-2010-2011-2012-2013-2014

    ERROR MESSAGE 386
    No KeyBoard Detected
    Press F1 To Continue

    Just a reminder that threads will be closed if no reply in 3 days.

  9. #19
    Junior Member
    Join Date
    Feb 2008
    Posts
    21

    Default last questions

    Hi Ken,

    Thanks for all the great help. I think we have them beat for now. I've pasted a final HJT log for you to confirm that I'm clean. A few final questions:

    1) You suggest I use Spyware Blaster instead of TeaTimer, but since it doesn't run resident will I still be protected from the registry changes that the TeaTimer seems to shield in realtime?

    2) Also, I only use the Windows XP firewall. Is that enough or should I go with a different free third party one? If so, will you please suggest one.

    3) I was previously using Avast! but switched to the trial Kaspersky when these problems occurred. Can I feel safe to switch back to Avast! and trust that I'll be sufficiently protected?

    Here is the HJT log after your suggested edits:



    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
    O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: PDFCreator Toolbar Helper - {C451C08A-EC37-45DF-AAAD-18B51AB5E837} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
    O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
    O3 - Toolbar: PDFCreator Toolbar - {31CF9EBE-5755-4A1D-AC25-2834D952D9B4} - C:\Program Files\PDFCreator Toolbar\v3.3.0.1\PDFCreator_Toolbar.dll
    O4 - HKLM\..\Run: [HGTXPEI] C:\WINDOWS\system32\FirstReboot.exe
    O4 - HKLM\..\Run: [SoundFusion] RunDll32 hercplgs.cpl,BootEntryPoint
    O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
    O4 - HKLM\..\Run: [Opware14] "C:\Program Files\ScanSoft\OmniPagePro14.0\Opware14.exe"
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
    O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
    O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
    O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
    O9 - Extra button: Bonjour - {7F9DB11C-E358-4ca6-A83D-ACC663939424} - C:\Program Files\Bonjour\ExplorerPlugin.dll
    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
    O16 - DPF: {0D41B8C5-2599-4893-8183-00195EC8D5F9} (asusTek_sysctrl Class) - http://support.asus.com/common/asusTek_sys_ctrl.cab
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english...an_unicode.cab
    O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.co...s/MsnPUpld.cab
    O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/res...lscbase370.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.co...?1097630386527
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/S.../bin/cabsa.cab
    O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/Ms...Downloader.cab
    O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
    O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://driveragent.com/files/driveragent.cab
    O16 - DPF: {F04A8AE2-A59D-11D2-8792-00C04F8EF29D} (Hotmail Attachments Control) - http://by2fd.bay2.hotmail.msn.com/activex/HMAtchmt.ocx
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: jsdaemon - JetFax, Inc. - C:\Program Files\HP Jetsuite\jsdaemon.exe
    O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe

    --
    End of file - 9382 bytes

  10. #20
    Emeritus-Security Expert
    Join Date
    Nov 2005
    Location
    Florida's SpaceCoast
    Posts
    15,208

    Default

    Hello Pete,

    Sorry for the delay getting back to you but the NE got hit with some snow and the roads are a mess.

    These two need to go, but sometimes they're hard to get rid of, not to worry if they don't.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =



    Tell your little guy that I appreciate him helping. You have to keep an eye on small kids when they go online, as these slimeballs target kids because they know they're vulnerable.

    To answer your questions.

    Spyware Blaster
    just sits in the background and at the present time it's blocking 9641 bad sites from attempting to infect your computer, there is no scan to run but about once a week or so you need to open the program, check for updates and then enable all protection.


    Spyware Guard
    is written by the same fine people that wrote Spyware Blaster, a one time download, no scan to run, just sits in the background blocking changes to your system, so you can use it or enable the Tea Timer. SG does not get in your face as much as the tea timer so it's your call which one to use but you should not use them both.

    As far as Anti Virus, this again is totally your call, they're both good programs but with AV, just use one; they use a huge amount of system resources and sometimes get in each other's way, and can considerably slow down your system if you use two.

    If your AV is a stand alone program then you need a firewall; most suites, like Symantec and such, include a Firewall in their program. The windows firewall just blocks incoming attempts and not outgoing, so you should have a third party firewall. I am listing 4 for you; just like AV, you need just one firewall. If by chance you have a router that includes a firewall, then that's fine, you can have one software and one hardware firewall with no problems.



    You have many software ports of entry on your computer; the only ones needed by a home user are for email and web surfing and maybe a program you have installed, and a firewall helps block those other ports. You can run the Shields Up tests on your computer by Steve Gibson, one of the leading experts in computer security: no software to download and install, just some online tests, and it's free. Do this after you install a firewall; your test should show you in stealth mode.

    http://www.grc.com/intro.htm

    Stay well Steve, been a pleasure helping you, take care of the little guy, they grow up quick.

    I am including this for him in return for his smile




    Ken
    Last edited by ken545; 2008-02-22 at 23:20.
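Added example, not from the thread or from HijackThis itself: a small Python triage pass over HijackThis-style log lines that applies the rules Ken used in the two posts above (O2 BHO entries marked "(no file)", O16 DPF entries with no download URL, O20 Winlogon Notify hooks, and R0 Local Page values left empty). The sample lines are constructed from entries quoted in this thread; the function name and the reason strings are my own, and a hit means "review this entry", not proof of infection.

```python
import re

# HijackThis lines have the shape "<section> - <rest>", e.g. "O2 - BHO: ...".
_LINE = re.compile(r"^(?P<sec>[OR]\d+) - (?P<rest>.*)$")

# Constructed sample log, built from entries quoted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1BE195F9-F7C7-4334-B591-B9900BA24DB1} - (no file)
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} -
O16 - DPF: ppctlcab - http://www.pestscan.com/scanner/ppctlcab.cab
O20 - Winlogon Notify: gebxyxy - C:\WINDOWS\
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
""".strip().splitlines()


def triage_hjt(lines):
    """Return (line, reason) pairs for entries that match the triage rules
    used in this thread. Heuristics only: a hit means 'review', not 'malware'."""
    hits = []
    for raw in lines:
        line = raw.strip()
        m = _LINE.match(line)
        if not m:
            continue  # process list, headers, blank lines
        sec, rest = m.group("sec"), m.group("rest").rstrip()
        if sec == "O2" and rest.endswith("(no file)"):
            hits.append((line, "BHO CLSID still registered but its DLL is gone (orphan)"))
        elif sec == "O16" and rest.endswith("-"):
            hits.append((line, "ActiveX download (DPF) entry with no source URL"))
        elif sec == "O20" and rest.startswith("Winlogon Notify:"):
            hits.append((line, "Winlogon Notify package loads at logon; verify the DLL"))
        elif sec == "R0" and rest.endswith("="):
            hits.append((line, "empty Local Page value left behind after cleanup"))
    return hits


if __name__ == "__main__":
    for entry, why in triage_hjt(SAMPLE_LOG):
        print(f"{why}\n    {entry}")
```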
