Please help having trouble with Command Service spyware

wtsismoney

New member
Can you please help with getting rid of the spyware that I have.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 7:03:04 PM, on 5/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\WINDOWS\system32\fxssvc.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\DOCUME~1\Will\LOCALS~1\Temp\Temporary Directory 1 for HiJackThis_v2.zip\HiJackThis_v2.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3E8EC2D9-806B-4C7F-AE7F-F44AD4ABE8B5} - C:\WINDOWS\system32\vtuvwtr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {9C52C6D3-FAAE-4B9A-3DB2-0C0AF3A5BF66} - C:\Program Files\ComPlus Applications\qukatop.dll (file missing)
O2 - BHO: (no name) - {CCE2F36F-7A72-45CF-91E9-2A37315B13DE} - C:\WINDOWS\system32\ssqrq.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Mckbktv] "C:\Documents and Settings\Will\My Documents\S?mantec\wowexec.exe"
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\STEM~1\mshta.exe" -vt ndrv
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinlodv.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: ssqrq - C:\WINDOWS\system32\ssqrq.dll
O20 - Winlogon Notify: vtuvwtr - C:\WINDOWS\SYSTEM32\vtuvwtr.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe

--
End of file - 8834 bytes
 
Hello and welcome to the Forums :)

You're infected.

Download HijackThis 1.99.1 to your desktop from here

Create a new folder for HijackThis and move HijackThis.exe into it.

First, you need to disable a few realtime protections. These may interfere with our cleaning process.
We'll enable these when you're clean...

Disable Windows Defender's realtime protection.
  • Open Windows Defender
  • Click on "Tools"
  • Click on "General Settings"
  • Scroll down to "Real-time protection options"
  • Uncheck "Turn on Real-time protection (recommended)"
  • Click "Save"
  • Exit the program.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
 
Thank you for your help. Here is a new HijackThis log and the contents of C:\vundofix.txt.

Logfile of HijackThis v1.99.1
Scan saved at 9:00:50 AM, on 5/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Will\Desktop\HijackThis.1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\esamblmr.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {59A31711-A3BD-46F9-82A8-AC0A7235BCBD} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: 0 - {9C52C6D3-FAAE-4B9A-3DB2-0C0AF3A5BF66} - C:\Program Files\ComPlus Applications\qukatop.dll (file missing)
O2 - BHO: (no name) - {C4818131-5EF7-4AF8-9019-D9041180AA71} - C:\WINDOWS\system32\egxsgnhx.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [EPSON Stylus CX4200 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAEA.EXE /P26 "EPSON Stylus CX4200 Series" /O6 "USB001" /M "Stylus CX4200"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Zinio DLM] C:\Program Files\Zinio\ZinioDeliveryManager.exe /autostart
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\STEM~1\mshta.exe" -vt ndrv
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinlodv.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 8:36:38 AM 5/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\etufuttf.ini
C:\WINDOWS\system32\fryweoxq.ini
C:\WINDOWS\system32\fttufute.dll
C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.bak2
C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\qxoewyrf.dll
C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vtuvwtr.dll
C:\WINDOWS\system32\xxywxus.dll
C:\WINDOWS\system32\yycdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\ddcyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\etufuttf.ini
C:\WINDOWS\system32\etufuttf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fryweoxq.ini
C:\WINDOWS\system32\fryweoxq.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fttufute.dll
C:\WINDOWS\system32\fttufute.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.bak1
C:\WINDOWS\system32\qrqss.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.bak2
C:\WINDOWS\system32\qrqss.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.ini
C:\WINDOWS\system32\qrqss.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\qrqss.tmp
C:\WINDOWS\system32\qrqss.tmp Has been deleted!

Attempting to delete C:\WINDOWS\system32\qxoewyrf.dll
C:\WINDOWS\system32\qxoewyrf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rrutv.ini
C:\WINDOWS\system32\rrutv.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrq.dll
C:\WINDOWS\system32\ssqrq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vturr.dll
C:\WINDOWS\system32\vturr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtuvwtr.dll
C:\WINDOWS\system32\vtuvwtr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xxywxus.dll
C:\WINDOWS\system32\xxywxus.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\yycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 9:04:50 AM 5/28/2007

Listing files found while scanning....
 
Hi, we'll continue.

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
 
"Will" - 2007-05-28 18:36:57 Service Pack 2
ComboFix 07-05.27.V - Running from: "C:\Documents and Settings\Will\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\esamblmr.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1122OinUninstaller.exe"
"C:\Program Files\outerinfo\OiUninstaller.exe"
"C:\Program Files\outerinfo\outerinfo.ico"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\system32\smpi1\lib06.exe"
"C:\Temp\17O7\tmpTF.log"
"C:\Program Files\outerinfo"
"C:\WINDOWS\system32\smpi1"
"C:\Temp\17O7"
"C:\Temp\tn3"

Purity Folders:

C:\WINDOWS\WNSXS~1
C:\Program Files\STEM~1
C:\DOCUME~1\Will\MYDOCU~1\SMANTE~1



((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_CORE
-------\LEGACY_NETWORK_MONITOR
-------\cmdService


((((((((((((((((((((((((((((((( Files Created from 2007-04-28 to 2007-05-28 ))))))))))))))))))))))))))))))))))


2007-05-28 08:36 <DIR> d-------- C:\VundoFix Backups
2007-05-27 20:39 124,436 --a------ C:\WINDOWS\system32\egxsgnhx.dll
2007-05-24 04:30 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-24 04:04 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-23 05:47 <DIR> d--hs---- C:\WINDOWS\V2lsbA
2007-05-20 20:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-20 19:31 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-20 19:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-05-20 19:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel
2007-05-19 11:55 931 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-05-19 11:54 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-19 02:27 <DIR> d-------- C:\DOCUME~1\Will\APPLIC~1\Skype
2007-05-19 02:26 <DIR> d-------- C:\Program Files\Skype
2007-05-19 02:26 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-05-19 02:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-05-11 11:38 54 --a------ C:\DOCUME~1\Will\APPLIC~1\lapath.dat
2007-05-11 11:29 <DIR> d-------- C:\temp\LoanAce_2_0_247_0
2007-05-11 11:29 <DIR> d-------- C:\temp


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-29 01:10:10 -------- d-----w C:\Program Files\TrueAssistant
2007-05-22 00:46:39 -------- d-----w C:\Program Files\Intel
2007-05-22 00:45:56 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-29 05:33:04 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\ContentGuard
2007-04-24 04:47:28 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\Leadertech
2007-04-24 04:45:49 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\AdobeUM
2007-04-21 06:20:27 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\AdobeAUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 09:43:23 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\EPSON
2007-04-10 01:59:57 -------- d--h--w C:\DOCUME~1\Will\APPLIC~1\Gtek
2007-04-10 01:41:20 -------- d-----w C:\Program Files\DellSupport
2007-04-04 03:33:57 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\Apple Computer
2007-04-04 03:33:42 -------- d-----w C:\Program Files\iTunes
2007-04-04 03:33:34 -------- d-----w C:\Program Files\iPod
2007-04-04 03:32:57 -------- d-----w C:\Program Files\QuickTime
2007-04-04 03:32:03 -------- d-----w C:\Program Files\Apple Software Update
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{59A31711-A3BD-46F9-82A8-AC0A7235BCBD}=C:\WINDOWS\system32\ssqrq.dll []
{9C52C6D3-FAAE-4B9A-3DB2-0C0AF3A5BF66}=C:\Program Files\ComPlus Applications\qukatop.dll []
{C4818131-5EF7-4AF8-9019-D9041180AA71}=C:\WINDOWS\system32\egxsgnhx.dll [2007-05-27 20:39]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 00:02]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 18:20]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 15:30]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 05:52]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 05:20]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Yahoo! Pager"="1" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"Zinio DLM"="C:\Program Files\Zinio\ZinioDeliveryManager.exe" []
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-10 16:09]
"Sen"="C:\PROGRA~1\STEM~1\mshta.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]


Contents of the 'Scheduled Tasks' folder
2007-05-15 13:32:00 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-05-29 01:12:41 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.681 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-28 18:42:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


********************************************************************

Completion time: 2007-05-28 18:45:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-05-28 18:45

--- E O F ---
 
Hi again, we'll continue :)

You should print these instructions or save these to a text file. Follow these instructions carefully.

Open AVG Anti-Spyware
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Click on Change state next to Automatic updates. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
  • Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
AVG Anti-Spyware manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply, then OK, and close My Computer.

==================

Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries if found:

Absolute Poker

and any other programs you didn't install or don't recognize. If you're not sure, please ask first.
Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\esamblmr.dll
O2 - BHO: (no name) - {59A31711-A3BD-46F9-82A8-AC0A7235BCBD} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: 0 - {9C52C6D3-FAAE-4B9A-3DB2-0C0AF3A5BF66} - C:\Program Files\ComPlus Applications\qukatop.dll (file missing)
O2 - BHO: (no name) - {C4818131-5EF7-4AF8-9019-D9041180AA71} - C:\WINDOWS\system32\egxsgnhx.dll
O4 - HKCU\..\Run: [Sen] "C:\PROGRA~1\STEM~1\mshta.exe" -vt ndrv
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinlodv.exe
O9 - Extra button: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk
O9 - Extra 'Tools' menuitem: Absolute Poker - {EFFF8D47-D060-4108-B761-E8EC86622E56} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following files (if present):
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\egxsgnhx.dll
C:\WINDOWS\system32\kwinlodv.exe

Go to the My Computer and delete the following folders (if present):
C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker
C:\Program Files\Absolute Poker

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
Reboot in Normal Mode.

Do you know this folder?
C:\WINDOWS\V2lsbA

Any files inside it?

================

When you're ready, please post the following logs here:
- AVG's report
- a fresh HijackThis log
 
Logfile of HijackThis v1.99.1
Scan saved at 6:36:43 PM, on 5/29/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Will\Desktop\HijackThis.1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 6:15:18 PM 5/29/2007

+ Scan result:



C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394\A0042846.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394\A0042873.exe -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0042980.dll -> Adware.PurityScan : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403\A0043140.exe -> Adware.Softomate : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403\A0043166.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403\A0043167.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\vtuvwtr.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\xxywxus.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP392\A0042143.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP392\A0042165.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP392\A0042185.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP392\A0042205.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393\A0042286.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393\A0042306.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393\A0042490.dll -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0042991.exe -> Adware.WebHancer : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0042990.exe -> Adware.ZenoSearch : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0042992.exe -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\QooBox\Quarantine\C\WINDOWS\system32\smpi1\lib06.exe.vir -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403\A0043139.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403\A0043210.exe -> Downloader.Agent.bls : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393\A0042823.exe -> Downloader.PurityScan.af : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP400\A0043070.exe -> Downloader.PurityScan.ee : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP393\A0042830.exe -> Downloader.PurityScan.eg : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0042988.exe -> Downloader.Small.buy : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0042989.exe -> Hijacker.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0042986.vbs -> Trojan.Small : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP397\A0042987.exe -> Trojan.Small : Cleaned with backup (quarantined).


::Report end
 
Hi again, it is looking clean now :)

Now you can clean AVG's Quarantine:
  • Open AVG Anti-Spyware
  • Click Infections
  • Click Quarantine tab
  • Click Select all
  • Click Remove finally
  • Close the program
You can remove the tools we used.

Then you should update your Java to the latest version (6u1)
  • Start
  • Control Panel
  • Add/Remove Programs
  • Delete the old Java, Java 2 Runtime Environment, SE v1.4.2_03
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications."
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement."
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Install it
Now you can make your hidden files hidden again.
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Check "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

=============

Now that you seem to be clean, please follow these simple steps in order to keep your computer clean and secure:

Stay clean and be safe ;)
 
I am having issues again.

I did not have a chance to make final changes and I started getting pop ups again. I also had something put on the lower part of my pc without me being able to stop it called myCleanerPC. Sorry, but could you please help again. Below is HijackThis log. Thank you so much for all of your help.

Logfile of HijackThis v1.99.1
Scan saved at 5:59:42 PM, on 6/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\fchibvcA.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TSC.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Documents and Settings\Will\Desktop\HijackThis.1.99.1.exe
C:\PROGRA~1\MYCLEA~1\myCleanerPC.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\verclsid.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\efcyyvt.dll
O2 - BHO: (no name) - {476CA6B8-70C5-4432-8681-0917130A25E1} - C:\WINDOWS\system32\gebcd.dll
O2 - BHO: 0 - {528122BB-0771-496D-588A-76DBB560B4BB} - C:\Program Files\ComPlus Applications\qukatop.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9D1C5210-1DDE-45C2-A564-9511461BDFB4} - C:\Program Files\Common Files\mexob.dll
O2 - BHO: (no name) - {C7086F6A-A4AB-D87F-DF0E-FDADAEE624E7} - C:\WINDOWS\system32\ffzboyq.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\wykgpyfc.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [fchibvcA] C:\WINDOWS\fchibvcA.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\vlbgldrs.dll",realset
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Will\MYDOCU~1\APPATC~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Rap] "C:\Program Files\Common Files\F?nts\msconfig.exe"
O4 - HKCU\..\Run: [myCleanerPC] C:\PROGRA~1\MYCLEA~1\myCleanerPC.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Will\Local Settings\Temp\TICHD003.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: efcyyvt - C:\WINDOWS\SYSTEM32\efcyyvt.dll
O20 - Winlogon Notify: gebcd - C:\WINDOWS\system32\gebcd.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
 
OK you're re-infected.

Please remove any previous versions of VundoFix.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
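What the helper is picking out of these logs by eye can be written down as a small triage script. The following is an added example for this thread, not code from HijackThis, VundoFix or any other tool used above: it parses the O2, O4, O15 and O20 line formats seen in the posted logs and flags nameless BHOs and BHOs whose DLL is missing, autostart items that run from Temp, a user profile folder or straight out of the Windows directory, system-tool names such as regedit.exe living outside the Windows directory, wildcard Trusted Zone entries, and random-looking file names. The sample lines are copied from the logs posted earlier in this thread; the heuristics and the small KNOWN_GOOD allowlist (ctfmon.exe, igfxdev.dll) are assumptions made for the illustration, not HijackThis rules, and a flag means "look closer", not "malicious".

```python
"""Triage helper for HijackThis-style log lines (an added example for this
thread, not part of HijackThis or any tool used above).  Parses the O2, O4, O15
and O20 formats in the posted logs and flags what a helper checks by eye; the
heuristics and KNOWN_GOOD allowlist are illustrative assumptions, not verdicts."""
import re
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
QUOTED_RE = re.compile(r'"([^"]+)"')
VOWELS = set("aeiou")
# Legitimate here but caught by the heuristics (ctfmon.exe, igfxdev.dll); extend per system.
KNOWN_GOOD = {"ctfmon", "igfxdev"}
SYSTEM_TOOLS = {"regedit", "msconfig", "mshta"}  # names malware likes to borrow
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {59A31711-A3BD-46F9-82A8-AC0A7235BCBD} - C:\WINDOWS\system32\ssqrq.dll (file missing)
O2 - BHO: 0 - {528122BB-0771-496D-588A-76DBB560B4BB} - C:\Program Files\ComPlus Applications\qukatop.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\vlbgldrs.dll",realset
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Will\MYDOCU~1\APPATC~1\regedit.exe" -vt yazb
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Will\Local Settings\Temp\TICHD003.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\kwinlodv.exe
O15 - Trusted Zone: *.winfixer.com
O20 - Winlogon Notify: efcyyvt - C:\WINDOWS\SYSTEM32\efcyyvt.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
"""

def looks_random(stem: str) -> bool:
    """Crude pronounceability test: too few vowels or a long consonant run."""
    s = stem.lower()
    if not s.isalpha() or len(s) < 5:
        return False
    longest = run = 0
    for c in s:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return sum(c in VOWELS for c in s) / len(s) < 0.25 or longest >= 4

def path_flags(kind: str, path: str) -> list:
    """Location-based checks on the file an entry points at."""
    p = path.lower()
    parent, _, filename = p.rpartition("\\")
    stem = filename.rsplit(".", 1)[0]
    flags = []
    if "\\temp\\" in p:
        flags.append("runs from a Temp folder")
    elif p.startswith(("c:\\documents and settings\\", "c:\\docume~1\\")):
        flags.append("runs from a user profile folder")
    if stem in SYSTEM_TOOLS and not p.startswith("c:\\windows\\"):
        flags.append("system tool name outside the Windows directory")
    if stem in KNOWN_GOOD:
        return flags
    if kind == "O4" and parent in WINDOWS_DIRS:  # real apps live in Program Files
        flags.append("autostart target sits directly in the Windows directory")
    if looks_random(stem):
        flags.append("random-looking file name")
    return flags

def parse_line(line: str):
    """Return (kind, path, flags) for one log line, or None for non-entries."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    kind, body = m.groups()
    path, flags = "", []
    if kind == "O2":  # BHO: <name> - {CLSID} - <path>[ (file missing)]
        parts = body[len("BHO: "):].rsplit(" - ", 2)
        if len(parts) == 3:
            name, _clsid, path = (x.strip() for x in parts)
            if path.endswith("(file missing)"):
                path = path[: -len("(file missing)")].strip()
                flags.append("registered DLL is missing (orphaned CLSID)")
            if name == "(no name)" or name.isdigit():
                flags.append("BHO has no descriptive name")
    elif kind == "O4" and "] " in body:  # HKxx\..\Run: [name] <command line>
        cmd = body.split("] ", 1)[1]
        q = QUOTED_RE.search(cmd)  # quoted path if present, else first token
        path = q.group(1) if q else cmd.split(" ", 1)[0]
    elif kind == "O4" and " = " in body:  # Startup: name.lnk = <target>
        path = body.split(" = ", 1)[1].strip()
    elif kind == "O15" and body.startswith("Trusted Zone: *."):
        flags.append("wildcard Trusted Zone entry (site bypasses IE restrictions)")
    elif kind == "O20":  # Winlogon Notify: <name> - <path>
        path = body.rsplit(" - ", 1)[-1].strip()
    if "\\" in path:
        flags.extend(path_flags(kind, path))
    return kind, path, flags

def triage(log_text: str) -> dict:
    """Map each flagged line to its reasons; clean lines are left out."""
    report = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[2]:
            report[line.strip()] = parsed[2]
    return report

if __name__ == "__main__":
    for line, reasons in triage(SAMPLE_LOG).items():
        print(line, *("    -> " + r for r in reasons), sep="\n")
```

Run against the sample, eight of the eleven lines come back flagged and the three legitimate ones (the Adobe BHO, ctfmon.exe and the Intel igfxdev.dll notify handler) stay quiet. The randomness test is deliberately crude and will misfire on some vendor DLLs, which is why the allowlist exists and why the output is a review list for a human, not a delete list.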
 
Here is a copy of the HijackThis and VundoFix logs.

VundoFix V6.4.1

Checking Java version...

Java version is 1.4.2.3
Old versions of java are exploitable and should be removed.

Scan started at 7:05:35 AM 6/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.bak2
C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\efcyyvt.dll
C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebyyyy.dll
C:\WINDOWS\system32\jkklmmn.dll
C:\WINDOWS\system32\pmnnnnl.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\dcbeg.bak1
C:\WINDOWS\system32\dcbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dcbeg.bak2
C:\WINDOWS\system32\dcbeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dcbeg.ini
C:\WINDOWS\system32\dcbeg.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\efcyyvt.dll
C:\WINDOWS\system32\efcyyvt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcd.dll
C:\WINDOWS\system32\gebcd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebyyyy.dll
C:\WINDOWS\system32\gebyyyy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkklmmn.dll
C:\WINDOWS\system32\jkklmmn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\pmnnnnl.dll
C:\WINDOWS\system32\pmnnnnl.dll Has been deleted!

Performing Repairs to the registry.
Done!


Logfile of HijackThis v1.99.1
Scan saved at 7:33:13 AM, on 6/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\WINDOWS\fchibvcA.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\DOCUME~1\Will\MYDOCU~1\APPATC~1\regedit.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Will\Desktop\HijackThis.1.99.1.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\efcyyvt.dll (file missing)
O2 - BHO: 0 - {528122BB-0771-496D-588A-76DBB560B4BB} - C:\Program Files\ComPlus Applications\qukatop.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {9D1C5210-1DDE-45C2-A564-9511461BDFB4} - C:\Program Files\Common Files\mexob.dll
O2 - BHO: (no name) - {C7086F6A-A4AB-D87F-DF0E-FDADAEE624E7} - C:\WINDOWS\system32\ffzboyq.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\wykgpyfc.dll
O2 - BHO: (no name) - {DA1E9416-5A30-4B99-BEE6-3A02E3954F37} - C:\WINDOWS\system32\gebcd.dll (file missing)
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [fchibvcA] C:\WINDOWS\fchibvcA.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\vlbgldrs.dll",realset
O4 - HKLM\..\Run: [{77-7A-A0-09-ZN}] c:\windows\system32\dwdsregt.exe CHD003
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Will\MYDOCU~1\APPATC~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Rap] "C:\Program Files\Common Files\F?nts\msconfig.exe"
O4 - HKCU\..\Run: [myCleanerPC] C:\PROGRA~1\MYCLEA~1\myCleanerPC.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Will\Local Settings\Temp\TICHD003.exe
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
 
The cleaning continues :)

1. Download this file - combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
 
Here is ComboFix log

"Will" - 2007-06-03 20:52:27 Service Pack 2
ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\Will\Desktop\"


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\wykgpyfc.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


"C:\Program Files\Common Files\Yazzle1281OinAdmin.exe"
"C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe"
"C:\Program Files\ComPlus Applications\qukatop.dll"
"C:\Program Files\outerinfo\Terms.rtf"
"C:\WINDOWS\system32\dwdsregt.exe"
"C:\Program Files\outerinfo"

-- Purity Folders:

C:\WINDOWS\DOBE~1
C:\Program Files\Common Files\FNTS~1
C:\DOCUME~1\Will\MYDOCU~1\APPATC~1



((((((((((((((((((((((((((((((( Files Created from 2007-05-04 to 2007-06-04 ))))))))))))))))))))))))))))))))))


2007-06-03 20:55 918 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-06-03 20:45 49,187 --a------ C:\WINDOWS\system32\nkdsregr.exe
2007-06-03 07:05 <DIR> d-------- C:\VundoFix Backups
2007-06-03 07:04 2,580 --a------ C:\WINDOWS\system32\bwwajago.exe
2007-06-02 09:18 43,062 --a------ C:\WINDOWS\WpAJTrYf67HazytRD.exe
2007-06-02 07:06 2,580 --a------ C:\WINDOWS\system32\dwocdxnv.exe
2007-06-02 07:06 131,124 --a------ C:\WINDOWS\system32\vlbgldrs.dll
2007-06-02 06:57 105,434 --a------ C:\WINDOWS\qwr67.exe
2007-06-02 06:54 72,192 --a------ C:\WINDOWS\system32\zlib.dll
2007-06-02 06:54 25,088 --a------ C:\WINDOWS\system32\msxml3a.dll
2007-06-02 06:54 169,017 --a------ C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
2007-06-02 03:28 60,928 --a------ C:\WINDOWS\system32\ffzboyq.dll
2007-06-02 03:28 2 --a------ C:\WINDOWS\system32\wcpsvtr32.exe
2007-06-02 03:27 351,920 -r-hs---- C:\WINDOWS\fchibvcA.exe
2007-06-02 03:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\myCleanerPC
2007-06-02 03:25 46,592 --a------ C:\WINDOWS\fchibvc.exe
2007-06-02 03:25 <DIR> d-------- C:\Program Files\myCleanerPC
2007-06-02 03:24 <DIR> d-------- C:\WINDOWS\system32\TQ0
2007-06-02 03:24 <DIR> d-------- C:\WINDOWS\system32\T7
2007-06-02 03:24 <DIR> d-------- C:\WINDOWS\system32\T6
2007-06-02 03:24 <DIR> d-------- C:\WINDOWS\system32\T4
2007-06-02 03:24 <DIR> d-------- C:\WINDOWS\system32\T3
2007-06-02 03:24 <DIR> d-------- C:\WINDOWS\system32\T1QaSQ
2007-06-02 03:24 <DIR> d-------- C:\WINDOWS\system32\pog
2007-06-02 03:24 <DIR> d-------- C:\temp\x2b
2007-06-02 03:24 <DIR> d-------- C:\temp\0b9
2007-05-28 18:45 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-05-24 04:30 <DIR> d-------- C:\Program Files\Windows Defender
2007-05-24 04:04 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-05-23 05:47 <DIR> d--hs---- C:\WINDOWS\V2lsbA
2007-05-20 20:11 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Lavasoft
2007-05-20 19:31 1,310,720 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-05-20 19:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Google
2007-05-20 19:31 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Corel
2007-05-19 11:54 <DIR> d-------- C:\WINDOWS\system32\SBO
2007-05-19 02:27 <DIR> d-------- C:\DOCUME~1\Will\APPLIC~1\Skype
2007-05-19 02:26 <DIR> d-------- C:\Program Files\Skype
2007-05-19 02:26 <DIR> d-------- C:\Program Files\Common Files\Skype
2007-05-19 02:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-05-11 11:38 54 --a------ C:\DOCUME~1\Will\APPLIC~1\lapath.dat
2007-05-11 11:29 <DIR> d-------- C:\temp\LoanAce_2_0_247_0
2007-05-11 11:29 <DIR> d-------- C:\temp


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-04 03:45:58 -------- d-----w C:\Program Files\TrueAssistant
2007-05-29 23:50:03 -------- d-----w C:\Program Files\Absolute Poker
2007-05-22 00:46:39 -------- d-----w C:\Program Files\Intel
2007-05-22 00:45:56 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-04-29 05:33:04 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\ContentGuard
2007-04-24 04:47:28 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\Leadertech
2007-04-24 04:45:49 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\AdobeUM
2007-04-21 06:20:27 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\AdobeAUM
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-13 09:43:23 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\EPSON
2007-04-10 01:59:57 -------- d--h--w C:\DOCUME~1\Will\APPLIC~1\Gtek
2007-04-10 01:41:20 -------- d-----w C:\Program Files\DellSupport
2007-04-06 19:27:01 139,264 ----a-w C:\Program Files\Common Files\mexob.dll
2007-04-04 03:33:57 -------- d-----w C:\DOCUME~1\Will\APPLIC~1\Apple Computer
2007-04-04 03:33:42 -------- d-----w C:\Program Files\iTunes
2007-04-04 03:33:34 -------- d-----w C:\Program Files\iPod
2007-04-04 03:32:57 -------- d-----w C:\Program Files\QuickTime
2007-04-04 03:32:03 -------- d-----w C:\Program Files\Apple Software Update
2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 02:04]
{9D1C5210-1DDE-45C2-A564-9511461BDFB4}=C:\Program Files\Common Files\mexob.dll [2007-04-06 12:27]
{C7086F6A-A4AB-D87F-DF0E-FDADAEE624E7}=C:\WINDOWS\system32\ffzboyq.dll [2007-05-21 06:59]
{DA1E9416-5A30-4B99-BEE6-3A02E3954F37}=C:\WINDOWS\system32\gebcd.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAXPnP"="C:\Program Files\Analog Devices\Core\smax4pnp.exe" [2004-10-14 18:42]
"SunJavaUpdateSched"="C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe" [2003-11-19 16:48]
"DVDLauncher"="C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe" [2005-02-23 15:19]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-16 10:54]
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" [2005-06-10 09:44]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-06-10 09:44]
"DMXLauncher"="C:\Program Files\Dell\Media Experience\DMXLauncher.exe" [2005-01-27 00:02]
"MMTray"="C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe" [2005-09-08 18:20]
"pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe" [2005-08-30 15:30]
"Motive SmartBridge"="C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe" [2003-12-10 05:52]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-03-14 19:05]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-06-06 23:46]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OE_OEM"="C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe" [2006-04-11 20:39]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:00]
"Yahoo! Pager"="1" []
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 09:24]
"DellSupport"="C:\Program Files\DellSupport\DSAgnt.exe" [2007-03-15 11:09]
"Skype"="C:\Program Files\Skype\Phone\Skype.exe" [2007-05-10 16:09]
"Sen"="C:\DOCUME~1\Will\MYDOCU~1\APPATC~1\regedit.exe" []
"Rap"="C:\Program Files\Common Files\F?nts\msconfig.exe" []
"@"="" []
"myCleanerPC"="C:\PROGRA~1\MYCLEA~1\myCleanerPC.exe" [2005-05-02 11:15]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoActiveDesktopChanges"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 07:13]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


Contents of the 'Scheduled Tasks' folder
2007-05-29 13:32:01 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-06-04 03:48:16 C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-03 20:56:21
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0


********************************************************************

Completion time: 2007-06-03 20:57:06
C:\ComboFix-quarantined-files.txt ... 2007-06-03 20:56

--- E O F ---
 
Hi again :)

Go to virustotal.com
Copy the following to the box next to "Browse" button:
C:\WINDOWS\WpAJTrYf67HazytRD.exe
Click on Send
Wait for the scan to end.

Copy & Paste the scan results to here.

Scan these too and post the results:

C:\WINDOWS\system32\nkdsregr.exe
C:\WINDOWS\system32\bwwajago.exe
C:\WINDOWS\qwr67.exe
C:\WINDOWS\fchibvcA.exe

Then we'll continue.
 
Hello, thanks again for all your help.
Here are the scan results.

STATUS: FINISHED
Complete scanning result of "WpAJTrYf67HazytRD.exe", received in VirusTotal at 06.05.2007, 01:45:56 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.04.2007 no virus found
AntiVir 7.4.0.29 06.04.2007 TR/Drop.Click.JF.7
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.04.2007 Win32:Trojan-gen. {Other}
AVG 7.5.0.467 06.04.2007 no virus found
BitDefender 7.2 06.05.2007 Trojan.Clicker.Small.AV
CAT-QuickHeal 9.00 06.04.2007 no virus found
ClamAV devel-20070416 06.05.2007 no virus found
DrWeb 4.33 06.04.2007 Trojan.Click.1237
eSafe 7.0.15.0 06.04.2007 Win32.Small.jf
eTrust-Vet 30.7.3692 06.04.2007 no virus found
Ewido 4.0 06.04.2007 Hijacker.Small.jf
FileAdvisor 1 06.05.2007 No threat detected
Fortinet 2.85.0.0 06.02.2007 Adware/Small
F-Prot 4.3.2.48 06.04.2007 no virus found
F-Secure 6.70.13030.0 06.05.2007 Trojan-Clicker.Win32.Small.jf
Ikarus T3.1.1.8 06.04.2007 no virus found
Kaspersky 4.0.2.24 06.05.2007 Trojan-Clicker.Win32.Small.jf
McAfee 5045 06.04.2007 Zquest
Microsoft 1.2503 06.04.2007 Trojan:Win32/Deskwizz (threat-c)
NOD32v2 2308 06.04.2007 Win32/TrojanClicker.Small.JF
Norman 5.80.02 06.04.2007 Smalltroj.HAP.dropper
Panda 9.0.0.4 06.05.2007 Adware/CWS
Prevx1 V2 06.05.2007 Malicious
Sophos 4.18.0 06.01.2007 Troj/Small-ECV
Sunbelt 2.2.907.0 06.04.2007 Trojan-Clicker.Small.AV
Symantec 10 06.05.2007 no virus found
TheHacker 6.1.6.129 06.04.2007 no virus found
VBA32 3.12.0 06.04.2007 Trojan-Clicker.Win32.Small.jf
VirusBuster 4.3.23:9 06.04.2007 no virus found
Webwasher-Gateway 6.0.1 06.04.2007 Trojan.Drop.Click.JF.7

Additional Information
File size: 43062 bytes
MD5: 28a1c7d5a170427cdf6207f7e9e05b96
SHA1: 11fdf975773136b0ab4054a0bc2e28c21d77c741
packers: BINARYRES
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=28a1c7d5a170427cdf6207f7e9e05b96
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=bdf792678270

STATUS: FINISHED
Complete scanning result of "nkdsregr.exe", received in VirusTotal at 06.05.2007, 02:01:19 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.04.2007 Win-AppCare/Zenosearch.49172
AntiVir 7.4.0.29 06.04.2007 TR/Drop.Zeno.A
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.04.2007 no virus found
AVG 7.5.0.467 06.04.2007 Adware Generic.XSY
BitDefender 7.2 06.05.2007 Adware.Zeno.F
CAT-QuickHeal 9.00 06.04.2007 no virus found
ClamAV devel-20070416 06.05.2007 no virus found
DrWeb 4.33 06.04.2007 no virus found
eSafe 7.0.15.0 06.04.2007 no virus found
eTrust-Vet 30.7.3692 06.04.2007 no virus found
Ewido 4.0 06.04.2007 Adware.ZenoSearch
FileAdvisor 1 06.05.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 no virus found
F-Prot 4.3.2.48 06.04.2007 W32/Adware.JIL
F-Secure 6.70.13030.0 06.05.2007 no virus found
Ikarus T3.1.1.8 06.04.2007 Trojan-Dropper.Zeno.A
Kaspersky 4.0.2.24 06.05.2007 not-a-virus:AdWare.Win32.ZenoSearch.o
McAfee 5045 06.04.2007 potentially unwanted program Adware-Zeno
Microsoft 1.2503 06.05.2007 no virus found
NOD32v2 2308 06.04.2007 Win32/Adware.ZenoSearch
Norman 5.80.02 06.04.2007 W32/ZenoSearch.AV
Panda 9.0.0.4 06.05.2007 Adware/Zenosearch
Prevx1 V2 06.05.2007 no virus found
Sophos 4.18.0 06.01.2007 ZenoSearch
Sunbelt 2.2.907.0 06.04.2007 no virus found
Symantec 10 06.05.2007 Adware.ZenoSearch
TheHacker 6.1.6.129 06.04.2007 Adware/ZenoSearch.o
VBA32 3.12.0 06.04.2007 AdWare.Win32.ZenoSearch.o
VirusBuster 4.3.23:9 06.04.2007 no virus found
Webwasher-Gateway 6.0.1 06.04.2007 Trojan.Drop.Zeno.A

Additional Information
File size: 49187 bytes
MD5: 9dc8deb8ed162a8b7c131338c8a16960
SHA1: a1943dfd90f5339b2384ca71a9114b6c80ac46ea

STATUS: FINISHED
Complete scanning result of "bwwajago.exe", received in VirusTotal at 06.05.2007, 02:10:34 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.04.2007 Win-Trojan/Agent.2560.G
AntiVir 7.4.0.29 06.04.2007 TR/Agent.anr.1
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.04.2007 no virus found
AVG 7.5.0.467 06.04.2007 Generic4.SLZ
BitDefender 7.2 06.05.2007 Trojan.LowZones.SA
CAT-QuickHeal 9.00 06.04.2007 Trojan.Agent.anr
ClamAV devel-20070416 06.05.2007 no virus found
DrWeb 4.33 06.04.2007 no virus found
eSafe 7.0.15.0 06.04.2007 no virus found
eTrust-Vet 30.7.3692 06.04.2007 no virus found
Ewido 4.0 06.04.2007 Trojan.Agent.anr
FileAdvisor 1 06.05.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 no virus found
F-Prot 4.3.2.48 06.04.2007 no virus found
F-Secure 6.70.13030.0 06.05.2007 Trojan.Win32.Agent.anr
Ikarus T3.1.1.8 06.04.2007 Trojan.Win32.Agent.anr
Kaspersky 4.0.2.24 06.05.2007 Trojan.Win32.Agent.anr
McAfee 5045 06.04.2007 no virus found
Microsoft 1.2503 06.05.2007 no virus found
NOD32v2 2308 06.04.2007 no virus found
Norman 5.80.02 06.04.2007 W32/Agent.BQSQ
Panda 9.0.0.4 06.05.2007 no virus found
Prevx1 V2 06.05.2007 Covert.Sys.Exec
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.04.2007 no virus found
Symantec 10 06.05.2007 Trojan.LowZones
TheHacker 6.1.6.129 06.04.2007 no virus found
VBA32 3.12.0 06.04.2007 Trojan.Win32.Agent.anr
VirusBuster 4.3.23:9 06.04.2007 Trojan.Lowzones.FI
Webwasher-Gateway 6.0.1 06.04.2007 Trojan.Agent.anr.1


Additional Information
File size: 2580 bytes
MD5: fd5b60a6cd394192ef6831f7e9f5c00c
SHA1: b498841cc8225e712fedc29cbade036fa0614c6e
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=580699751500

STATUS: FINISHED
Complete scanning result of "qwr67.exe", received in VirusTotal at 06.05.2007, 02:32:33 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.04.2007 no virus found
AntiVir 7.4.0.29 06.04.2007 DR/TTC.A.2
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.04.2007 Win32:Adware-gen.
AVG 7.5.0.467 06.04.2007 no virus found
BitDefender 7.2 06.05.2007 Adware.TTC.A
CAT-QuickHeal 9.00 06.04.2007 no virus found
ClamAV devel-20070416 06.05.2007 no virus found
DrWeb 4.33 06.04.2007 no virus found
eSafe 7.0.15.0 06.04.2007 no virus found
eTrust-Vet 30.7.3692 06.04.2007 no virus found
Ewido 4.0 06.04.2007 Adware.TTC
FileAdvisor 1 06.05.2007 Not analyzed yet
Fortinet 2.85.0.0 06.02.2007 Adware/TTC
F-Prot 4.3.2.48 06.04.2007 W32/AdwareX.CBT
F-Secure 6.70.13030.0 06.05.2007 no virus found
Ikarus T3.1.1.8 06.04.2007 no virus found
Kaspersky 4.0.2.24 06.05.2007 not-a-virus:AdWare.Win32.TTC.a
McAfee 5045 06.04.2007 Generic Dropper.i
Microsoft 1.2503 06.05.2007 Program:Win32/TTC (threat-c)
NOD32v2 2308 06.04.2007 no virus found
Norman 5.80.02 06.04.2007 no virus found
Panda 9.0.0.4 06.05.2007 Adware/TTC
Prevx1 V2 06.05.2007 Adware.DeskWizz
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.04.2007 Deskwizz/ZQuest
Symantec 10 06.05.2007 no virus found
TheHacker 6.1.6.129 06.04.2007 Trojan/Clicker.Small.jf
VBA32 3.12.0 06.04.2007 AdvWare.Win32.TTC.a
VirusBuster 4.3.23:9 06.04.2007 no virus found
Webwasher-Gateway 6.0.1 06.04.2007 Trojan.TTC.A.2


Additional Information
File size: 105434 bytes
MD5: 13aa50c6cfd2d3b9faee505028b2272e
SHA1: 2ea308db0df9d64a9a3082bb1decdf2e7a3c3d51
packers: BINARYRES
Bit9 info: http://fileadvisor.bit9.com/services/extinfo.aspx?md5=13aa50c6cfd2d3b9faee505028b2272e
Prevx info: http://fileinfo.prevx.com/fileinfo.asp?PXC=e75f87486946
Sunbelt info: Deskwizz/ZQuest is an adware application that tracks the user's browsing in order to display targeted advertising on the desktop

STATUS: FINISHED
Complete scanning result of "fchibvcA.exe", received in VirusTotal at 06.05.2007, 02:48:45 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.04.2007 no virus found
AntiVir 7.4.0.29 06.04.2007 no virus found
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.04.2007 no virus found
AVG 7.5.0.467 06.04.2007 Downloader.Generic3.NPN
BitDefender 7.2 06.05.2007 Trojan.Click.JX
CAT-QuickHeal 9.00 06.04.2007 no virus found
ClamAV devel-20070416 06.05.2007 no virus found
DrWeb 4.33 06.04.2007 Trojan.Click.1928
eSafe 7.0.15.0 06.04.2007 no virus found
eTrust-Vet 30.7.3692 06.04.2007 Win32/SillyDl.CTU
Ewido 4.0 06.04.2007 no virus found
FileAdvisor 1 06.05.2007 no virus found
Fortinet 2.85.0.0 06.02.2007 no virus found
F-Prot 4.3.2.48 06.04.2007 no virus found
F-Secure 6.70.13030.0 06.05.2007 W32/DLoader.BYGF
Ikarus T3.1.1.8 06.04.2007 no virus found
Kaspersky 4.0.2.24 06.05.2007 no virus found
McAfee 5045 06.04.2007 Generic Downloader.s
Microsoft 1.2503 06.05.2007 no virus found
NOD32v2 2308 06.04.2007 no virus found
Norman 5.80.02 06.04.2007 W32/DLoader.BYGF
Panda 9.0.0.4 06.05.2007 no virus found
Prevx1 V2 06.05.2007 no virus found
Sophos 4.18.0 06.01.2007 no virus found
Sunbelt 2.2.907.0 06.04.2007 no virus found
Symantec 10 06.05.2007 Downloader
TheHacker 6.1.6.129 06.04.2007 no virus found
VBA32 3.12.0 06.04.2007 Trojan.Click.1928
VirusBuster 4.3.23:9 06.04.2007 no virus found
Webwasher-Gateway 6.0.1 06.04.2007 no virus found


Additional Information
File size: 351920 bytes
MD5: 0a5bc1ac35fdc711505351a0761845cb
SHA1: 4ecdfb0d2f4db5135fc7540751a9b4c0a19a209a
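The five reports above are flat text, and reading thirty engine rows by eye is how people miss that half the "no virus found" verdicts come from engines with stale signatures. As an added example (mine, not VirusTotal's output or any tool used in this thread), the Python below reads a report in that shape, separates detections from clean and "Not analyzed yet" verdicts, counts which family names the detecting engines agree on after dropping class words such as Trojan or Win32, and lists engines whose signature date was a week or more behind the scan date. The sample is constructed from the first report above with the Fortinet row altered to carry a "Not analyzed yet" verdict; the generic-word list and the seven-day threshold are my choices.

```python
"""Summarise a VirusTotal text report of the kind pasted in this thread."""
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List

# Constructed sample: the header and a subset of rows from the first report above, with the
# Fortinet row altered to a "Not analyzed yet" verdict so that that path is exercised.
SAMPLE = """\
STATUS: FINISHED
Complete scanning result of "WpAJTrYf67HazytRD.exe", received in VirusTotal at 06.05.2007, 01:45:56 (CET).

Antivirus Version Update Result
AhnLab-V3 2007.5.31.2 06.04.2007 no virus found
AntiVir 7.4.0.29 06.04.2007 TR/Drop.Click.JF.7
Authentium 4.93.8 05.23.2007 no virus found
Avast 4.7.997.0 06.04.2007 Win32:Trojan-gen. {Other}
BitDefender 7.2 06.05.2007 Trojan.Clicker.Small.AV
FileAdvisor 1 06.05.2007 No threat detected
Fortinet 2.85.0.0 06.02.2007 Not analyzed yet
F-Secure 6.70.13030.0 06.05.2007 Trojan-Clicker.Win32.Small.jf
Kaspersky 4.0.2.24 06.05.2007 Trojan-Clicker.Win32.Small.jf
McAfee 5045 06.04.2007 Zquest
Microsoft 1.2503 06.04.2007 Trojan:Win32/Deskwizz (threat-c)
NOD32v2 2308 06.04.2007 Win32/TrojanClicker.Small.JF
Prevx1 V2 06.05.2007 Malicious
Symantec 10 06.05.2007 no virus found
"""

# Engine rows are "engine version MM.DD.YYYY result"; header and prose lines have no date in column 3.
ROW_RE = re.compile(r"^(\S+) (\S+) (\d{2}\.\d{2}\.\d{4}) (.+)$")
SCAN_DATE_RE = re.compile(r"received in VirusTotal at (\d{2}\.\d{2}\.\d{4})")
CLEAN = {"no virus found", "no threat detected"}
NO_VERDICT = {"not analyzed yet"}
# Class words, not family names; ignored when counting which family the engines agree on (my list).
GENERIC = {"trojan", "win32", "w32", "tr", "gen", "generic", "other", "threat", "malicious",
           "not", "virus", "program", "potentially", "unwanted", "adware", "dropper", "drop"}


def parse_date(text: str) -> datetime:
    return datetime.strptime(text, "%m.%d.%Y")   # VirusTotal wrote MM.DD.YYYY in 2007


def family_tokens(result: str) -> List[str]:
    """Lower-cased name fragments of one verdict, minus digits, one-letter bits and class words."""
    tokens = re.split(r"[^a-z0-9]+", result.lower())
    return [t for t in tokens if len(t) >= 2 and not t.isdigit() and t not in GENERIC]


def summarize(report: str, stale_days: int = 7) -> Dict[str, object]:
    scan_date = parse_date(SCAN_DATE_RE.search(report)[1])
    detected, clean, no_verdict, stale = [], [], [], []
    families: Counter = Counter()
    for line in report.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        engine, _version, updated, result = m.groups()
        if (scan_date - parse_date(updated)).days >= stale_days:
            stale.append(engine)             # its "clean" verdict carries little weight
        verdict = result.strip().lower()
        if verdict in NO_VERDICT:
            no_verdict.append(engine)        # excluded from the ratio's denominator
        elif verdict in CLEAN:
            clean.append(engine)
        else:
            detected.append(engine)
            families.update(set(family_tokens(result)))   # one vote per engine per token
    voters = len(detected) + len(clean)
    return {"engines": voters, "detected": len(detected), "ratio": f"{len(detected)}/{voters}",
            "clean": clean, "no_verdict": no_verdict, "stale": stale,
            "families": families.most_common(3)}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE).items():
        print(f"{key}: {value}")
```

On the sample this gives 9/13 with "jf" and "small" each named by four engines, which is the Small.jf clicker consensus visible in the full report, and flags Authentium, whose 05.23.2007 signatures predate the scan by nearly two weeks; a "no virus found" from such an engine says nothing about a file that was dropped on 06.02.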
 
Hi again, we'll continue :)

You should print these instructions or save them to a text file. Follow these instructions carefully.


Download Dr.Web CureIt to the desktop -> ftp://ftp.drweb.com/pub/drweb/cureit/drweb-cureit.exe

Download ATF Cleaner by Atribune to your desktop.
Do NOT run yet.

Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

Make your hidden files visible:
  • Go to My Computer
  • Select the Tools menu and click Folder Options
  • Click the View tab.
  • Checkmark the "Display the contents of system folders"
  • Under the Hidden files and folders select "Show hidden files and folders"
  • Uncheck "Hide protected operating system files"
  • Click Apply and then the OK and close My Computer.

==================

Open Control Panel -> Add/Remove programs -> Remove all of the following or similar entries, if found:

myCleanerPC
Absolute Poker

and any other programs you didn't install or don't recognize. If you're not sure, please ask first.


Stop the following processes using Task Manager (press ctrl+alt+del, select the Processes tab, highlight the first process in the list and click End Process). Continue through the list (one at a time) until all processes have been ended. If something isn't found, please continue with the next process in the list.

fchibvcA.exe
dwdsregt.exe

Run HijackThis, click Do a system scan only, and check the box next to each of these entries if still present. Close all other windows and press Fix checked. If something isn't there, please continue with the next entry in the list.

O2 - BHO: (no name) - {2432F099-F8E2-43C9-B765-3AF002FFC6A7} - C:\WINDOWS\system32\efcyyvt.dll (file missing)
O2 - BHO: 0 - {528122BB-0771-496D-588A-76DBB560B4BB} - C:\Program Files\ComPlus Applications\qukatop.dll
O2 - BHO: (no name) - {9D1C5210-1DDE-45C2-A564-9511461BDFB4} - C:\Program Files\Common Files\mexob.dll
O2 - BHO: (no name) - {C7086F6A-A4AB-D87F-DF0E-FDADAEE624E7} - C:\WINDOWS\system32\ffzboyq.dll
O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\wykgpyfc.dll
O2 - BHO: (no name) - {DA1E9416-5A30-4B99-BEE6-3A02E3954F37} - C:\WINDOWS\system32\gebcd.dll (file missing)
O4 - HKLM\..\Run: [fchibvcA] C:\WINDOWS\fchibvcA.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\vlbgldrs.dll",realset
O4 - HKLM\..\Run: [{77-7A-A0-09-ZN}] c:\windows\system32\dwdsregt.exe CHD003
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Will\MYDOCU~1\APPATC~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Rap] "C:\Program Files\Common Files\F?nts\msconfig.exe"
O4 - HKCU\..\Run: [myCleanerPC] C:\PROGRA~1\MYCLEA~1\myCleanerPC.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Will\Local Settings\Temp\TICHD003.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.drivecleaner.com
O15 - Trusted Zone: *.errorprotector.com
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantispyware.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com

Please run Killbox.

Select "Delete on Reboot".

Copy the file names below to the clipboard by highlighting them and pressing Control-C:
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\system32\nkdsregr.exe
C:\WINDOWS\system32\bwwajago.exe
c:\windows\system32\dwdsregt.exe
C:\WINDOWS\WpAJTrYf67HazytRD.exe
C:\WINDOWS\system32\dwocdxnv.exe
C:\WINDOWS\system32\vlbgldrs.dll
C:\WINDOWS\qwr67.exe
C:\WINDOWS\system32\mcpcuninstaller1_25.EXE
C:\WINDOWS\system32\ffzboyq.dll
C:\WINDOWS\system32\wcpsvtr32.exe
C:\WINDOWS\fchibvcA.exe
C:\WINDOWS\fchibvc.exe
C:\Program Files\Common Files\mexob.dll
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Select "All Files".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If your computer does not restart automatically, please restart it manually.

Restart your computer to the safe mode:
  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.

Go to the My Computer and delete the following folders (if present):
C:\Program Files\Absolute Poker
C:\Documents and Settings\All Users\Application Data\myCleanerPC
C:\Program Files\myCleanerPC
C:\WINDOWS\system32\TQ0
C:\WINDOWS\system32\T7
C:\WINDOWS\system32\T6
C:\WINDOWS\system32\T4
C:\WINDOWS\system32\T3
C:\WINDOWS\system32\T1QaSQ
C:\WINDOWS\system32\pog
C:\temp\x2b
C:\temp\0b9

Run ATF Cleaner
  • Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.

  • Restart your computer
  • Start tapping the F8 key when the computer restarts.
  • When the start menu opens, choose Safe mode
  • Press Enter. The computer then begins to start in Safe mode.
Run a scan with Dr.Web CureIt
  • Double-click the drweb-cureit.exe file and allow it to run the express scan
  • This will scan the files currently running in memory and when something is found, click the yes button when it asks you if you want to cure it. This is only a short scan.
  • Once the short scan has finished, you should now mark the drives that you want to scan.
  • Select all drives. A red dot shows which drives have been chosen.
  • Click the green arrow at the right, and the scan will start.
  • Click 'Yes to all' if it asks if you want to cure/move the file.
  • When the scan has finished, look whether you can click the icon next to the files found
  • If so, click it and then click the next icon right below and select Move incurable
  • After the scan, in the menu, click file and choose save report list
  • Save the report to your desktop. The report will be called DrWeb.csv
  • Close Dr.Web Cureit.
  • Reboot the computer in Normal Mode.
  • Post the Cure-it report and a fresh HijackThis log
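The entries the helper ticks in the HijackThis list above are registry load points (the O2 Browser Helper Objects key and the O4 HKLM/HKCU Run keys, whose locations appear in the ComboFix "Reg Loading Points" section), plus one Startup-folder shortcut and the O15 Trusted Zone domains. As an added example that is not part of this thread or of HijackThis, the Python below parses those line types from a log, flags entries with the same reading cues a helper applies by eye (an .exe launched straight from C:\WINDOWS, regedit.exe or msconfig.exe outside the Windows folder, a path under Temp or a user's documents, the "?" in F?nts, rundll32 hosting an unknown DLL, a BHO whose file is missing), and writes a .reg file that removes the flagged load points. The sample lines are copied from the logs on this page; the heuristics are mine; the ZoneMap\Domains key used for O15 entries is an assumption from how Internet Explorer stores zone assignments and is not shown anywhere on the page; and the script does not claim to reproduce exactly what HijackThis's "Fix checked" does.

```python
"""Triage HijackThis O2/O4/O15 lines and write the registry removals they imply."""
import re
from typing import List, Tuple

# Constructed sample: entries copied in shape from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {9D1C5210-1DDE-45C2-A564-9511461BDFB4} - C:\Program Files\Common Files\mexob.dll
O2 - BHO: (no name) - {DA1E9416-5A30-4B99-BEE6-3A02E3954F37} - C:\WINDOWS\system32\gebcd.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [fchibvcA] C:\WINDOWS\fchibvcA.exe
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\vlbgldrs.dll",realset
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Sen] "C:\DOCUME~1\Will\MYDOCU~1\APPATC~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Rap] "C:\Program Files\Common Files\F?nts\msconfig.exe"
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Will\Local Settings\Temp\TICHD003.exe
O15 - Trusted Zone: *.winfixer.com
"""

O2_RE = re.compile(r"^O2 - BHO: (.*?) - \{([0-9A-Fa-f-]{36})\} - (.*?)( \(file missing\))?$")
O4_RUN_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.+?)\] (.*)$")
O4_LNK_RE = re.compile(r"^O4 - (?:Global )?Startup: (.+?) = (.*)$")
O15_RE = re.compile(r"^O15 - Trusted Zone: (.*)$")

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER"}
RUN_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Run"                              # shown in the ComboFix log
BHO_KEY = r"SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"  # likewise
# Assumption: IE keeps per-domain zone assignments under this key; the page never shows it.
ZONEMAP_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
SYSTEM_TOOLS = {"regedit.exe", "msconfig.exe", "svchost.exe", "explorer.exe", "rundll32.exe"}


def target_path(command: str) -> str:
    """The file a Run command really launches: the quoted path if any (so for
    rundll32.exe "x.dll",export the DLL is the target), else the first token."""
    quoted = re.findall(r'"([^"]+)"', command)
    return quoted[0] if quoted else command.split()[0]


def parse(log: str) -> List[dict]:
    entries = []
    for line in log.splitlines():
        if m := O2_RE.match(line):
            entries.append({"kind": "O2", "name": m[1], "label": m[2], "path": m[3], "missing": bool(m[4])})
        elif m := O4_RUN_RE.match(line):
            entries.append({"kind": "O4", "hive": m[1], "name": m[2], "label": m[2],
                            "command": m[3], "path": target_path(m[3])})
        elif m := O4_LNK_RE.match(line):
            entries.append({"kind": "O4-lnk", "name": m[1], "label": m[1], "path": m[2]})
        elif m := O15_RE.match(line):
            entries.append({"kind": "O15", "name": m[1], "label": m[1], "path": ""})
    return entries


def reasons_for(e: dict) -> List[str]:
    """My reading heuristics; each corresponds to an entry the helper removed in this thread."""
    low = e["path"].lower()
    folder, _, base = low.rpartition("\\")
    out = []
    if e["kind"] == "O2":
        if e["missing"]:
            out.append("BHO DLL missing: orphaned CLSID, remove")
        elif e["name"] == "(no name)":
            out.append("unnamed BHO: identify the DLL before deciding")
    elif e["kind"] in ("O4", "O4-lnk"):
        if folder == "c:\\windows":
            out.append("executable autostarting straight from the Windows folder")
        if base in SYSTEM_TOOLS and not folder.startswith("c:\\windows"):
            out.append(f"{base} is a system tool name but lives outside the Windows folder")
        if any(s in low for s in ("\\temp\\", "\\local settings\\", "mydocu~1")):
            out.append("autostart from a temp or user-document folder")
        if "?" in e["path"] or any(ord(c) > 126 for c in e["path"]):
            out.append("folder name contains an unprintable or look-alike character")
        if e.get("command", "").lower().startswith("rundll32"):
            out.append("rundll32 hosting a DLL: check the DLL file and its export")
    else:  # O15
        out.append("Trusted Zone entry relaxes IE security for this domain")
    return out


def triage(log: str) -> List[Tuple[str, List[str]]]:
    return [(e["label"], r) for e in parse(log) if (r := reasons_for(e))]


def fix_reg(entries: List[dict]) -> str:
    """A .reg file deleting the given load points. Files and Startup shortcuts are not registry
    data, so they appear as comments for the separate file deletion (Killbox in this thread)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for e in entries:
        if e["kind"] == "O2":
            lines += [f"[-HKEY_LOCAL_MACHINE\\{BHO_KEY}\\{{{e['label']}}}]", f"; then delete {e['path']}", ""]
        elif e["kind"] == "O4":
            lines += [f"[{HIVES[e['hive']]}\\{RUN_KEY}]", f"\"{e['name']}\"=-", f"; then delete {e['path']}", ""]
        elif e["kind"] == "O4-lnk":
            lines += [f"; delete shortcut {e['name']} from the Startup folder and its target {e['path']}", ""]
        else:
            lines += [f"[-HKEY_CURRENT_USER\\{ZONEMAP_KEY}\\{e['name'].lstrip('*.')}]", ""]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    flagged = triage(SAMPLE_LOG)
    for label, reasons in flagged:
        print(label, "->", "; ".join(reasons))
    names = {label for label, _ in flagged}
    print(fix_reg([e for e in parse(SAMPLE_LOG) if e["label"] in names]))
```

On the sample the script leaves Windows Defender and ctfmon.exe alone and flags the same eight entries the helper ticked. Two caveats match the procedure above: the .reg only removes the load points, so the files in the Killbox list still have to be deleted (on reboot, since some are locked while running), and HKCU entries must be removed while logged on as the user whose hive holds them.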
 
Here are the log reports.

fchibvc.exe;C:\!KillBox;Trojan.MulDrop.4522;Deleted.;
fchibvcA.exe;C:\!KillBox;Trojan.Click.1928;Deleted.;
nkdsregr.exe;C:\!KillBox;Adware.ZenoSearch;Incurable.Moved.;
vlbgldrs.dll;C:\!KillBox;Trojan.Virtumod;Deleted.;
backup-20070529-165714-589.dll;C:\Documents and Settings\Will\Desktop\backups;Adware.Crew;Incurable.Moved.;
Process.exe;C:\Documents and Settings\Will\Desktop\smitRem;Tool.Prockill;Incurable.Moved.;
InstallHelper.exe;C:\Program Files\Common Files\Motive;Probably MULDROP.Trojan;Incurable.Moved.;
qdiagd.ocx;C:\Program Files\DellSupport;Probably DLOADER.Trojan;Incurable.Moved.;
regedit.exe;C:\QooBox\Quarantine\C\DOCUME~1\Will\MYDOCU~1\APPATC~1;Trojan.PurityAd;Deleted.;
Yazzle1281OinAdmin.exe.vir;C:\QooBox\Quarantine\C\Program Files\Common Files;Adware.ClickSpring;Incurable.Moved.;
msconfig.exe;C:\QooBox\Quarantine\C\Program Files\Common Files\FNTS~1;Adware.ClickSpring;Incurable.Moved.;
qukatop.dll.vir;C:\QooBox\Quarantine\C\Program Files\ComPlus Applications;Trojan.StartPage.19992;Deleted.;
dwdsregt.exe.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Adware.ZenoSearch;Incurable.Moved.;
esamblmr.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
wykgpyfc.dll.vir;C:\QooBox\Quarantine\C\WINDOWS\system32;Trojan.Virtumod;Deleted.;
A0042843.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP394;Trojan.Virtumod;Deleted.;
A0043159.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403;Trojan.Virtumod;Deleted.;
A0043161.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403;Trojan.Virtumod;Deleted.;
A0043162.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403;Trojan.Virtumod;Deleted.;
A0043164.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403;Trojan.Virtumod;Deleted.;
A0043165.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403;Trojan.Virtumod;Deleted.;
A0043211.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP403;Trojan.Virtumod;Deleted.;
A0043428.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP405;Adware.Crew;Incurable.Moved.;
A0044682.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP409;Trojan.Virtumod;Deleted.;
A0044732.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411;Adware.ClickSpring;Incurable.Moved.;
A0044734.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411;Trojan.StartPage.19992;Deleted.;
A0044735.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411;Adware.ZenoSearch;Incurable.Moved.;
A0044736.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP411;Trojan.Virtumod;Deleted.;
A0044814.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Adware.ZenoSearch;Incurable.Moved.;
A0044817.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.Virtumod;Deleted.;
A0044820.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.Click.1928;Deleted.;
A0044821.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.MulDrop.4522;Deleted.;
A0044825.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.StartPage.19993;Deleted.;
A0044826.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.DownLoader.22968;Deleted.;
A0044828.exe\data001;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414\A0044828.exe;Adware.Bagon;;
A0044828.exe\data002;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414\A0044828.exe;Trojan.MulDrop.4522;;
A0044828.exe\data003;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414\A0044828.exe;Trojan.DownLoader.10588;;
A0044828.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Archive contains infected objects;Moved.;
A0044839.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.MulDrop.4522;Deleted.;
A0044840.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.Click.1928;Deleted.;
A0044841.dll;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.Virtumod;Deleted.;
A0044842.exe;C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP414;Trojan.PurityAd;Deleted.;
gebcd.dll.bad;C:\VundoFix Backups;Trojan.Virtumod;Deleted.;


Logfile of HijackThis v1.99.1
Scan saved at 7:06:31 PM, on 6/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
C:\Program Files\Analog Devices\Core\smax4pnp.exe
C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Dell\Media Experience\DMXLauncher.exe
C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe
C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe
C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\DellSupport\DSAgnt.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\TrueAssistant\TrueAssistant.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\SBC Self Support Tool\bin\mpbtn.exe
C:\Program Files\Skype\Plugin Manager\skypePM.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Will\Desktop\HijackThis.1.99.1.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [SoundMAXPnP] C:\Program Files\Analog Devices\Core\smax4pnp.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_03\bin\jusched.exe
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] "C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [MMTray] "C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe"
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 12\pccguide.exe"
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\SBCSEL~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 12\TMAS_OE\TMAS_OEMon.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] 1
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\DellSupport\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - Startup: TrueAssistant.lnk = C:\Program Files\TrueAssistant\TrueAssistant.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O4 - Global Startup: SBC Self Support Tool.lnk = C:\Program Files\SBC Self Support Tool\bin\matcli.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe