smitfraud-toolbar

amanyeah

as instructed:

Logfile of HijackThis v1.99.1
Scan saved at 6:09:04 AM, on 6/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\wbem\wbemstest.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\DAP\DAP.EXE
C:\WINDOWS\Explorer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ipmon.exe
C:\WINDOWS\System32\ipmon.exe
C:\Program Files\Common Files\A?pPatch\r?gsvr32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.50.7:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] $$
O4 - HKLM\..\Run: [IgfxTray] $$
O4 - HKLM\..\Run: [HotKeysCmds] $$
O4 - HKLM\..\Run: [DataLayer] $$
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKLM\..\Run: [Winmplayer] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\hosqyknx.dll",realset
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKCU\..\Run: [Cido] "C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Skehjqb] "C:\Program Files\Common Files\A?pPatch\r?gsvr32.exe"
O4 - HKCU\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E170B3-408A-461A-929F-39ECE29F1D74}: NameServer = 10.32.1.7
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPod Service iPodServiceNetlogon (iPodServiceNetlogon) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Remote Auther Service - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Telephony TapiSrvSSDPSRV (TapiSrvSSDPSRV) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)
 
VundoFix V6.5.0

Checking Java version...

Sun Java not detected
Scan started at 6:18:04 AM 6/16/2007

Listing files found while scanning....

C:\windows\system32\awtuvtt.dll
C:\windows\system32\ddcdaxw.dll
C:\windows\system32\ddcdbba.dll
C:\WINDOWS\System32\fccddec.dll
C:\windows\system32\fetrhiml.dll
C:\windows\system32\gebccaw.dll
C:\windows\system32\gebxvts.dll
C:\WINDOWS\System32\hiqxyxts.dll
C:\windows\system32\iifgede.dll
C:\windows\system32\jkkhfgh.dll
C:\windows\system32\jkkihgg.dll
C:\windows\system32\jkkkhif.dll
C:\windows\system32\khfcywx.dll
C:\windows\system32\ojfletkg.dll
C:\WINDOWS\System32\ruuvw.ini
C:\WINDOWS\System32\ruuvw.ini2
C:\WINDOWS\System32\ruuvw.tmp
C:\windows\system32\ssqnool.dll
C:\windows\system32\ssqolli.dll
C:\windows\system32\urqqqrs.dll
C:\windows\system32\uttgnfad.exe
C:\windows\system32\wvusqpq.dll
C:\WINDOWS\System32\wvuur.dll
C:\windows\system32\xxyaaaw.dll
C:\windows\system32\xxyvsts.dll
C:\windows\system32\yaywxwt.dll
C:\windows\system32\yayyvsp.dll
C:\WINDOWS\System32\ypchrcjw.dll

Beginning removal...

Attempting to delete C:\windows\system32\awtuvtt.dll
C:\windows\system32\awtuvtt.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcdaxw.dll
C:\windows\system32\ddcdaxw.dll Has been deleted!

Attempting to delete C:\windows\system32\ddcdbba.dll
C:\windows\system32\ddcdbba.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\fccddec.dll
C:\WINDOWS\System32\fccddec.dll Has been deleted!

Attempting to delete C:\windows\system32\fetrhiml.dll
C:\windows\system32\fetrhiml.dll Has been deleted!

Attempting to delete C:\windows\system32\gebccaw.dll
C:\windows\system32\gebccaw.dll Has been deleted!

Attempting to delete C:\windows\system32\gebxvts.dll
C:\windows\system32\gebxvts.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\hiqxyxts.dll
C:\WINDOWS\System32\hiqxyxts.dll Has been deleted!

Attempting to delete C:\windows\system32\iifgede.dll
C:\windows\system32\iifgede.dll Has been deleted!

Attempting to delete C:\windows\system32\jkkhfgh.dll
C:\windows\system32\jkkhfgh.dll Has been deleted!

Attempting to delete C:\windows\system32\jkkihgg.dll
C:\windows\system32\jkkihgg.dll Has been deleted!

Attempting to delete C:\windows\system32\jkkkhif.dll
C:\windows\system32\jkkkhif.dll Has been deleted!

Attempting to delete C:\windows\system32\khfcywx.dll
C:\windows\system32\khfcywx.dll Has been deleted!

Attempting to delete C:\windows\system32\ojfletkg.dll
C:\windows\system32\ojfletkg.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ruuvw.ini
C:\WINDOWS\System32\ruuvw.ini Has been deleted!

Attempting to delete C:\WINDOWS\System32\ruuvw.ini2
C:\WINDOWS\System32\ruuvw.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\System32\ruuvw.tmp
C:\WINDOWS\System32\ruuvw.tmp Has been deleted!

Attempting to delete C:\windows\system32\ssqnool.dll
C:\windows\system32\ssqnool.dll Has been deleted!

Attempting to delete C:\windows\system32\ssqolli.dll
C:\windows\system32\ssqolli.dll Has been deleted!

Attempting to delete C:\windows\system32\urqqqrs.dll
C:\windows\system32\urqqqrs.dll Has been deleted!

Attempting to delete C:\windows\system32\uttgnfad.exe
C:\windows\system32\uttgnfad.exe Has been deleted!

Attempting to delete C:\windows\system32\wvusqpq.dll
C:\windows\system32\wvusqpq.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\wvuur.dll
C:\WINDOWS\System32\wvuur.dll Could not be deleted.

Attempting to delete C:\windows\system32\xxyaaaw.dll
C:\windows\system32\xxyaaaw.dll Has been deleted!

Attempting to delete C:\windows\system32\xxyvsts.dll
C:\windows\system32\xxyvsts.dll Has been deleted!

Attempting to delete C:\windows\system32\yaywxwt.dll
C:\windows\system32\yaywxwt.dll Has been deleted!

Attempting to delete C:\windows\system32\yayyvsp.dll
C:\windows\system32\yayyvsp.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\ypchrcjw.dll
C:\WINDOWS\System32\ypchrcjw.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\System32\wvuur.dll
C:\WINDOWS\System32\wvuur.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.0

Checking Java version...

Sun Java not detected
Scan started at 6:24:49 AM 6/16/2007

Listing files found while scanning....

No infected files were found.

---------------------
Logfile of HijackThis v1.99.1
Scan saved at 6:36:06 AM, on 6/16/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\wbem\wbemstest.exe
C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\ipmon.exe
C:\WINDOWS\System32\ipmon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\A?pPatch\r?gsvr32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.50.7:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {05041043-0C5F-46A4-A959-58D2A1F73262} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {143997E7-7FA5-4D70-A569-389D4C3BA882} - C:\WINDOWS\System32\wvuur.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549317F8-A74A-4D54-A981-6BAAC1A675A0} - (no file)
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\System32\imwknkpf.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: (no name) - {905E1D3B-D788-AB0A-D007-8BADDDE97794} - C:\WINDOWS\System32\mnyvnz.dll
O2 - BHO: (no name) - {AA986A55-8524-45F9-80EA-30D707AEDC00} - C:\WINDOWS\System32\firqacun.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] $$
O4 - HKLM\..\Run: [IgfxTray] $$
O4 - HKLM\..\Run: [HotKeysCmds] $$
O4 - HKLM\..\Run: [DataLayer] $$
O4 - HKLM\..\Run: [ipmon] ipmon.exe
O4 - HKLM\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKLM\..\Run: [Winmplayer] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\hosqyknx.dll",realset
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKCU\..\Run: [Cido] "C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Skehjqb] "C:\Program Files\Common Files\A?pPatch\r?gsvr32.exe"
O4 - HKCU\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E170B3-408A-461A-929F-39ECE29F1D74}: NameServer = 10.32.1.7
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPod Service iPodServiceNetlogon (iPodServiceNetlogon) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Remote Auther Service - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Telephony TapiSrvSSDPSRV (TapiSrvSSDPSRV) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

I still have some malware, because in the lower right of my toolbar (next to the clock) there's this red shield with an X saying that I have spyware. It's the same prompt for smitfraud, I think.
 
Hi amanyeah

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC, or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of its backdoor functionality your PC is very likely compromised, and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?

When Should I Format, How Should I Reinstall

We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.
 
Thanks so much for replying, shaba.

Fortunately for me, I do no online banking nor any pecuniary transaction, for that matter.

So how are we going to do this?

I want to get rid of these little devils, man.

Do whatever it takes, although I did run Avira on my system one last time just for the heck of it. It got rid of the red shield with the X! I'm not sure if permanently, though.

Here's a new log from HJT and Avira. I hope it helps you in your endeavor to help rid mankind of these evil viruses.

This is a really great forum, I might add. You guys are awesome!

I hope that I can help you guys somehow. By the way, is it OK if I recommend your site to my friends?

-------------------------------
AntiVir PersonalEdition Classic
Report file date: Sunday, June 17, 2007 08:09

Scanning for 829791 virus strains and unwanted programs.


Configuration settings for the scan:
Jobname..........................: Local Hard Disks
Configuration file...............: C:\Program Files\AntiVir PersonalEdition Classic\alldiscs.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: off
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Sunday, June 17, 2007 08:09

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'BnrRepo2.exe' - '1' Module(s) have been scanned
Scan process 'chikka.exe' - '1' Module(s) have been scanned
Scan process 'wmiapsrv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'regedit.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe'
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'qttask.exe' - '1' Module(s) have been scanned
Scan process 'wbemstest.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\System32\wbem\wbemstest.exe'
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'regedit.exe' has been terminated
Process 'wbemstest.exe' has been terminated
C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe
[DETECTION] Contains suspicious code HEUR/Malware
[INFO] The file was moved to '46db7c2e.qua'!
C:\WINDOWS\System32\wbem\wbemstest.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '46d97c31.qua'!

27 processes with 25 modules were scanned

Start scanning boot sectors:
Boot sector 'C:\'
[NOTE] No virus was found!

Starting to scan the registry.

The registry was scanned ( '8' files ).
 
Starting the file scan:

Begin scan in 'C:\'
C:\jsjdjoa.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.cwj.216
[INFO] The file was deleted!
C:\nzlrs.exe
[DETECTION] Is the Trojan horse TR/KillApp.V.1
[INFO] The file was deleted!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\plugy.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bls.12
[INFO] The file was deleted!
C:\rsjddpwe.exe
[DETECTION] Is the Trojan horse TR/Dldr.Small.erp
[INFO] The file was deleted!
C:\upls.exe
[DETECTION] Is the Trojan horse TR/Click.VB.QW.1
[INFO] The file was deleted!
C:\Documents and Settings\Aman Enconado\Local Settings\Temp\mwdgdj.exe
[DETECTION] Contains suspicious code HEUR/Crypted
[INFO] The file was moved to '46d87e54.qua'!
C:\Documents and Settings\Aman Enconado\Local Settings\Temp\parDBE4.tmp
[DETECTION] Is the Trojan horse TR/Proxy.Xorpix.AR.38
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\33MNIYHF\acid[2].exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.aey.7
[INFO] The file was moved to '46dd80f0.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\33MNIYHF\agmjxkuurb[1].txt
[DETECTION] Is the Trojan horse TR/Dldr.Small.DDT.3
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\33MNIYHF\blanko[2].exe
[DETECTION] Contains signature of the worm WORM/Sdbot.67584.57
[INFO] The file was moved to '46d58106.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\33MNIYHF\clear[1].exe
[DETECTION] Contains signature of the worm WORM/Sdbot.44358.3
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\33MNIYHF\hjgddaoxuh[1].htm
[DETECTION] Is the Trojan horse TR/Dldr.Small.cwj.216
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\33MNIYHF\homus[1].exe
[DETECTION] Is the Trojan horse TR/Click.VB.QW.1
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\33MNIYHF\yroln[1].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\acid[1].exe
[DETECTION] Is the Trojan horse TR/Vundo.BQ
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\acid[2].exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.aey.6
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\acid[3].exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.aey.7
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\bku[1].exe
[DETECTION] Is the Trojan horse TR/Click.VB.QW.1
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\funky[1].exe
[DETECTION] Contains signature of the worm WORM/Sdbot.44358.1
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\hjgddaoxuh[1].htm
[DETECTION] Is the Trojan horse TR/Dldr.Small.cwj.216
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\kqwgtddn[1].htm
[DETECTION] The file name contains an executable file extension disguised as a harmless one HEUR-DBLEXT/Crypted
[INFO] The file was moved to '46eb814c.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\kqwgtddn[2].htm
[DETECTION] The file name contains an executable file extension disguised as a harmless one HEUR-DBLEXT/Crypted
[INFO] The file was moved to '46eb8151.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\urlx[1].exe
[DETECTION] Is the Trojan horse TR/KillApp.V.1
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[10].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[1].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[2].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[3].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[4].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[5].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[6].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[7].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[8].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\XPQIS234\yroln[9].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\acid[2].exe
[DETECTION] Is the Trojan horse TR/Dldr.VB.aey.11
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\blanko[1].exe
[DETECTION] Contains signature of the worm WORM/Sdbot.67072.44
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\hjgddaoxuh[1].htm
[DETECTION] Is the Trojan horse TR/Dldr.Small.cwj.216
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\kqwgtddn[1].htm
[DETECTION] The file name contains an executable file extension disguised as a harmless one HEUR-DBLEXT/Crypted
[INFO] The file was moved to '46eb818d.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\kqwgtddn[2].htm
[DETECTION] The file name contains an executable file extension disguised as a harmless one HEUR-DBLEXT/Crypted
[INFO] The file was moved to '46eb8191.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\kqwgtddn[3].htm
[DETECTION] Is the Trojan horse TR/Click.Agent.IS.13
[INFO] The file was moved to '46eb8194.qua'!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\kqwgtddn[4].htm
[DETECTION] Is the Trojan horse TR/Click.Agent.IS.13
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\plugy[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bls.12
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\seat[1].exe
[DETECTION] Contains signature of the worm WORM/Sdbot.41804.5
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\yroln[1].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\yroln[2].htm
[DETECTION] Is the Trojan horse TR/Proxy.Dlena.C
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\YQ0123MW\zm[1].exe
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z0SKCD5F\acid[1].exe
[DETECTION] Is the Trojan horse TR/Vundo.BQ
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z0SKCD5F\bulk[1].exe
[DETECTION] Contains signature of the worm WORM/Sdbot.41804.26
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z0SKCD5F\info[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Harnig.XB.6
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z0SKCD5F\info[2].exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z0SKCD5F\mostt[1].exe
[DETECTION] Is the Trojan horse TR/Click.VB.QW.1
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z0SKCD5F\seat[1].exe
[DETECTION] Contains signature of the worm WORM/Sdbot.41804.23
[INFO] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\Z0SKCD5F\zm[1].exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[INFO] The file was deleted!
C:\Program Files\Common Files\Yazzle1549OinAdmin.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.EG.12
[INFO] The file was deleted!
C:\Program Files\poolsv\wr-1-0000077.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.brf.3
[INFO] The file was deleted!
C:\Program Files\svhost\wr-1-0000077.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.brf.3
[INFO] The file was deleted!
C:\Tools\tsc\tsc.exe
[DETECTION] Contains signature of the worm WORM/Rontok.D
[INFO] The file was deleted!
C:\Tools\tsc\debug\debug.exe
[DETECTION] Is the Trojan horse TR/Agent.CEW
[INFO] The file was deleted!
C:\Tools\tsc\report\report.exe
[DETECTION] Is the Trojan horse TR/Agent.CEW
[INFO] The file was moved to '46e4923c.qua'!
C:\Tools\tsc\tsc\tsc.exe
[DETECTION] Contains signature of the worm WORM/Rontok.D
[INFO] The file was moved to '46d7924f.qua'!
C:\Tools\tsc\tsc\debug\debug.exe
[DETECTION] Is the Trojan horse TR/Agent.CEW
[INFO] The file was moved to '46d69244.qua'!
C:\Tools\tsc\tsc\report\report.exe
[DETECTION] Is the Trojan horse TR/Agent.CEW
[INFO] The file was moved to '46e49248.qua'!
C:\VundoFix Backups\ddcdaxw.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.NF.9
[INFO] The file was moved to '46d79253.qua'!
C:\VundoFix Backups\fetrhiml.dll.bad
[DETECTION] Is the Trojan horse TR/BHO.BD.5
[INFO] The file was moved to '46e89259.qua'!
C:\VundoFix Backups\hiqxyxts.dll.bad
[DETECTION] Is the Trojan horse TR/BHO.BD.4
[INFO] The file was moved to '46e59261.qua'!
C:\VundoFix Backups\iifgede.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.NF.9
[INFO] The file was moved to '46da9265.qua'!
C:\VundoFix Backups\jkkhfgh.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.NF.9
[INFO] The file was moved to '46df926a.qua'!
C:\VundoFix Backups\jkkihgg.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.NF.9
[INFO] The file was moved to '46df926d.qua'!
C:\VundoFix Backups\jkkkhif.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.NF.9
[INFO] The file was moved to '46df9276.qua'!
C:\VundoFix Backups\khfcywx.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.NF.9
[INFO] The file was moved to '46da9277.qua'!
C:\VundoFix Backups\ojfletkg.dll.bad
[DETECTION] Is the Trojan horse TR/Spy.VBStat.J
[INFO] The file was moved to '46da927b.qua'!
C:\VundoFix Backups\ssqnool.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.NF.9
[INFO] The file was moved to '46e59285.qua'!
C:\VundoFix Backups\ssqolli.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.F.2
[INFO] The file was moved to '46e59288.qua'!
C:\VundoFix Backups\urqqqrs.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.F.2
[INFO] The file was moved to '46e5928a.qua'!
C:\VundoFix Backups\uttgnfad.exe.bad
[DETECTION] Is the Trojan horse TR/Agent.anr.1
[INFO] The file was moved to '46e8928f.qua'!
C:\VundoFix Backups\wvusqpq.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.F.2
[INFO] The file was moved to '46e99294.qua'!
C:\VundoFix Backups\xxyaaaw.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.F.2
[INFO] The file was moved to '46ed929a.qua'!
C:\VundoFix Backups\xxyvsts.dll.bad
[DETECTION] Is the Trojan horse TR/Vundo.F.2
[INFO] The file was moved to '46ed929c.qua'!
C:\VundoFix Backups\yaywxwt.dll.bad
[DETECTION] Is the Trojan horse TR/Dldr.NF.9
[INFO] The file was moved to '46ed9288.qua'!
C:\WINDOWS\b122.exe.bin
[0] Archive type: ZIP
--> b122.exe
[DETECTION] Contains signature of the dropper DR/Softomate.U.65
[INFO] The file was moved to '46a6927b.qua'!
C:\WINDOWS\system32\.exe
[DETECTION] Contains signature of the worm WORM/Rbot.50176.5
[INFO] The file was moved to '46d9938b.qua'!
C:\WINDOWS\system32\eraseme_52275.exe
[DETECTION] Contains signature of the worm WORM/Sdbot.43793.1
[INFO] The file was moved to '46d593e9.qua'!
C:\WINDOWS\system32\firqacun.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '46e693e8.qua'!
C:\WINDOWS\system32\imwknkpf.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[INFO] The file was moved to '46eb93f9.qua'!
C:\WINDOWS\system32\jp6A27V8.exe
[DETECTION] Is the Trojan horse TR/Hijack.Explor.3270
[INFO] The file was moved to '46aa9404.qua'!
C:\WINDOWS\system32\KB18561603.exe
[DETECTION] Is the Trojan horse TR/Crypt.XDR.Gen
[INFO] The file was moved to '46a593db.qua'!
C:\WINDOWS\system32\KB21542167.exe
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was moved to '46a693e0.qua'!
C:\WINDOWS\system32\KB42687917.exe
[DETECTION] Is the Trojan horse TR/Proxy.Xorpix.AR.37
[INFO] The file was moved to '46a893e5.qua'!
C:\WINDOWS\system32\KB66507128.exe
[DETECTION] Is the Trojan horse TR/Dldr.Tibs.LE.47
[INFO] The file was moved to '46aa93ea.qua'!
C:\WINDOWS\system32\KB93427757.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '46ad93ee.qua'!
C:\WINDOWS\system32\KB93736873.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.bnf.1
[INFO] The file was moved to '46ad93f0.qua'!
C:\WINDOWS\system32\KB96926207.exe
[DETECTION] Is the Trojan horse TR/Shutdowner.BA
[INFO] The file was moved to '46ad93f4.qua'!
C:\WINDOWS\system32\KB_963493.exe.bak
[DETECTION] Is the Trojan horse TR/Delphi.Downloader.Gen
[INFO] The file was moved to '46d393fa.qua'!
C:\WINDOWS\system32\msorcl32.exe
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was moved to '46e3943e.qua'!
C:\WINDOWS\system32\salvage.exe
[DETECTION] Is the Trojan horse TR/Crypt.PCMM.Gen
[INFO] The file was moved to '46e09442.qua'!
C:\WINDOWS\system32\smcs.exe
[DETECTION] Contains signature of the worm WORM/Sdbot.41804.26
[INFO] The file was moved to '46d79456.qua'!
C:\WINDOWS\system32\spoolcs.exe
[DETECTION] Contains signature of the worm WORM/Sdbot.41804.5
[INFO] The file was moved to '46e3945c.qua'!
C:\WINDOWS\system32\spoolsc.exe
[DETECTION] Contains signature of the worm WORM/Sdbot.44358.1
[INFO] The file was moved to '46e39461.qua'!
C:\WINDOWS\system32\symon.exe
[DETECTION] Contains signature of the worm WORM/Sdbot.44358.3
[INFO] The file was moved to '46e19470.qua'!
C:\WINDOWS\system32\varakitu.dll
[DETECTION] Is the Trojan horse TR/Dldr.ConHook.Gen
[INFO] The file was moved to '46e6945e.qua'!
C:\WINDOWS\system32\vcmon.exe
[DETECTION] Contains signature of the worm WORM/Sdbot.67584.57
[INFO] The file was moved to '46e19464.qua'!
C:\WINDOWS\system32\wbemstest.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[INFO] The file was moved to '46d99467.qua'!
C:\WINDOWS\system32\wmvds32.dll
[DETECTION] Is the Trojan horse TR/Crypt.FKM.Gen
[INFO] The file was moved to '46ea947a.qua'!
C:\WINDOWS\Temp\eraseme_45600.exe
[DETECTION] Is the Trojan horse TR/FWDisable.40588
[INFO] The file was moved to '46d5950e.qua'!
C:\WINDOWS\Temp\ma1x1dd1.game
[DETECTION] Contains signature of the dial-up program DIAL/Generic
[INFO] The file was moved to '46a59503.qua'!
C:\WINDOWS\Temp\svcipa.exe
[DETECTION] Is the Trojan horse TR/Hijack.Explor.3270
[INFO] The file was moved to '46d7951b.qua'!
C:\_virusfolder\geebydll.BERMAN
[DETECTION] Is the Trojan horse TR/Vundo.AB
[INFO] The file was moved to '46d99522.qua'!
C:\_virusfolder\opnklkidll.BERMAN
[DETECTION] Is the Trojan horse TR/Vundo.F.2
[INFO] The file was moved to '46e2952f.qua'!


End of the scan: Sunday, June 17, 2007 09:56
Used time: 1:46:54 min

The scan has been done completely.

3974 Scanning directories
266950 Files were scanned
111 viruses and/or unwanted programs were found
7 classified as suspicious:
49 files were deleted
0 files were repaired
60 files were moved to quarantine
0 files were renamed
1 Files cannot be scanned
266832 Files not concerned
4018 Archives were scanned
1 Warnings
0 Notes
0 Hidden objects were found
 
----------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 10:13:35 AM, on 6/17/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\ctfmon.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.50.7:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {05041043-0C5F-46A4-A959-58D2A1F73262} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {549317F8-A74A-4D54-A981-6BAAC1A675A0} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NeroFilterCheck] $$
O4 - HKLM\..\Run: [IgfxTray] $$
O4 - HKLM\..\Run: [HotKeysCmds] $$
O4 - HKLM\..\Run: [DataLayer] $$
O4 - HKLM\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKLM\..\Run: [Winmplayer] "C:\WINDOWS\System32\KB_963493.exe"
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\System32\hosqyknx.dll",realset
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKCU\..\Run: [Cido] "C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe" -vt yazb
O4 - HKCU\..\Run: [Skehjqb] "C:\Program Files\Common Files\A?pPatch\r?gsvr32.exe"
O4 - HKCU\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E170B3-408A-461A-929F-39ECE29F1D74}: NameServer = 10.32.1.7
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPod Service iPodServiceNetlogon (iPodServiceNetlogon) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Remote Auther Service - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Telephony TapiSrvSSDPSRV (TapiSrvSSDPSRV) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

----------------------

I hope this helps. I hope for your response.

Thanks! -amanyeah
 
Hi Shaba :D. I was tinkering with my laptop and ran msconfig...

Saw the startup tab and saw these startup items:

wbemtest.exe
kb_963493.exe
poolsv.exe
svhost.exe
hosqyknx (command>) rundll32.exe "C:\WINDOWS\System32\hosqyknx.dll",realset
qttask - quicktime i think
avgnt - avira (my antivirus)
ctfmon - C:\WINDOWS\System32\ctfmon.exe
wbemtest - C:\WINDOWS\System32\wbem\wbemtest.exe
regedit - "C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe" -vt yazb
regsvr32 - "C:\Program Files\Common Files\AppPatch\regsvr32.exe"

I disabled all of them except the antivirus. Aside from these there are also some dollar signs ($$ $$) which I do not know what they represent, so I disabled them also.

Hope this helps. :bigthumb:
 
Hi

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

1. Download combofix from one of these links:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post:

- a fresh HijackThis log
- combofix report
- vundofix report
 
Fresh HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 5:41:45 PM, on 6/20/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\cmd.exe
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.50.7:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {05041043-0C5F-46A4-A959-58D2A1F73262} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {549317F8-A74A-4D54-A981-6BAAC1A675A0} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKCU\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E170B3-408A-461A-929F-39ECE29F1D74}: NameServer = 10.32.1.7
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPod Service iPodServiceNetlogon (iPodServiceNetlogon) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Remote Auther Service - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Telephony TapiSrvSSDPSRV (TapiSrvSSDPSRV) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

---------
VundoFix said I had no infections,

and I don't know how to get a log from ComboFix.
 
I was able to run ComboFix once, but I didn't know how to get a log file, so I ran it again. Now it won't run because I'm missing C:\WINDOWS\regedit.exe
 
Hi

As for regedit.exe

Restore regedit.exe from your original Windows installation disk (if you don't have one, use someone else's)

1. Click Start > Run.
2. Type cmd
3. Click OK.
4. Insert your Windows Installation CD into your CD-ROM drive.
5. Navigate to the drive corresponding to your CD-ROM drive (e.g. if your CD-ROM uses drive letter e: you would type e: )
6. To copy regedit onto your system type:

copy \I386\regedit.exe c:\Windows\regedit.exe

If that does not work, download it here and place it in c:\windows

After that, please re-run combofix.

Combofix report is here -> C:\ComboFix.txt
 
Thanks so much for being patient, Shaba.

Here is the ComboFix log.

ComboFix 07-06-18.2 - C:\Documents and Settings\Aman Enconado\Desktop\ComboFix.exe
"Aman Enconado" - 2007-06-21 2:06:34 - Service Pack 1 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-20 to 2007-06-20 )))))))))))))))))))))))))))))))


2007-06-28 20:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-28 09:04 109 --ahs---- C:\WINDOWS\system32\3560095853.dat
2007-06-21 02:05 <DIR> d-------- C:\WINDOWS\Regedit
2007-06-20 17:11 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-20 04:24 <DIR> d-------- C:\Program Files\hp deskjet 3420 series
2007-06-20 04:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-06-20 00:50 299,520 --a------ C:\WINDOWS\uninst.exe
2007-06-20 00:50 286,720 --a------ C:\WINDOWS\system32\lxalpmnt.dll
2007-06-20 00:50 <DIR> d-------- C:\LxkZ65
2007-06-20 00:50 <DIR> d-------- C:\DOCUME~1\Mama\WINDOWS
2007-06-20 00:32 <DIR> d---s---- C:\DOCUME~1\Mama\UserData
2007-06-17 18:26 <DIR> d-------- C:\Program Files\DivX
2007-06-17 15:54 <DIR> d-------- C:\Program Files\QuickTime
2007-06-17 15:48 <DIR> d-------- C:\WINDOWS\pss
2007-06-17 07:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-06-16 06:18 <DIR> d-------- C:\VundoFix Backups
2007-06-16 02:59 <DIR> dr------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
2007-06-16 02:58 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-16 02:58 79,872 --a------ C:\WINDOWS\system32\drivers\FOPN.sys
2007-06-16 02:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-16 02:58 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-16 02:56 <DIR> d-------- C:\WINDOWS\system32\o09PrEz
2007-06-16 02:56 <DIR> d-------- C:\Temp\iee
2007-06-16 02:56 <DIR> d-------- C:\Temp
2007-06-16 02:55 <DIR> d-------- C:\Program Files\svhost
2007-06-16 02:54 <DIR> d-------- C:\Program Files\poolsv
2007-06-06 06:19 <DIR> d-------- C:\Tools
2007-06-05 13:19 <DIR> d-------- C:\_virusfolder


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-28 01:17:51 -------- d-----w C:\Program Files\Common Files\Scanner
2007-06-17 10:26:41 2,435 ----a-w C:\WINDOWS\mozver.dat
2007-06-15 19:40:35 -------- d-----w C:\Program Files\Yahoo!
2007-06-05 05:06:54 377 --sh--w C:\WINDOWS\system32\ybeeg.ini2
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-08-17 08:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runservices]
"Server Runtime Process"=C:\WINDOWS\System32\wbem\wbemstest.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"Server Runtime Process"=C:\WINDOWS\System32\wbem\wbemstest.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Server Runtime Process"=C:\WINDOWS\System32\wbem\wbemstest.exe

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"=$$
"Server Runtime Process"=C:\WINDOWS\System32\wbem\wbemstest.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled]
C:\WINDOWS\System32\geeby.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Server Runtime Process C:\WINDOWS\System32\wbem\wbemstest.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cido]
"C:\DOCUME~1\AMANEN~1\MYDOCU~1\RACLE~1\regedit.exe" -vt yazb

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
$$

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]
rundll32.exe "C:\WINDOWS\System32\hosqyknx.dll",realset

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
$$

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
$$

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\WINDOWS\System32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
$$

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]
"C:\WINDOWS\poolsv.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Server Runtime Process]
C:\WINDOWS\System32\wbem\wbemstest.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skehjqb]
"C:\Program Files\Common Files\A?pPatch\r?gsvr32.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svhost]
"C:\WINDOWS\svhost.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winmplayer]
"C:\WINDOWS\System32\KB_963493.exe"


Contents of the 'Scheduled Tasks' folder
2007-06-20 16:00:00 C:\WINDOWS\tasks\At1.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-21 02:10:54
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-21 2:11:53
C:\ComboFix-quarantined-files.txt ... 2007-06-21 02:11

--- E O F ---
 
Hi

First we'll need to back up the registry:

Start -> Run -> regedit -> ok. Then File -> Export. Give it a name and press Save.

Save the text below as fix.reg in Notepad (save it as all files (*.*)) on the Desktop

Windows Registry Editor Version 5.00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Server Runtime Process"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Server Runtime Process"=-

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cido]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Server Runtime Process]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skehjqb]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svhost]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winmplayer]

It should look like this ->
(screenshot attachment: reg.gif)


Double-click fix.reg, press Yes and OK.

(In case you are unsure how to create a reg file, take a look here with screenshots.)

Open HijackThis, click "Do a system scan only" and checkmark these:

O2 - BHO: (no name) - AutorunsDisabled - (no file)
O2 - BHO: (no name) - {05041043-0C5F-46A4-A959-58D2A1F73262} - (no file)
O2 - BHO: (no name) - {549317F8-A74A-4D54-A981-6BAAC1A675A0} - (no file)
O4 - HKLM\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O4 - HKCU\..\RunServices: [Server Runtime Process] C:\WINDOWS\System32\wbem\wbemstest.exe
O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
O23 - Service: iPod Service iPodServiceNetlogon (iPodServiceNetlogon) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: Remote Auther Service - Unknown owner - C:\WINDOWS\system32\svshost.exe (file missing)
O23 - Service: Telephony TapiSrvSSDPSRV (TapiSrvSSDPSRV) - Unknown owner - c:\mwdgdj.exe (file missing)


Close all windows including the browser and press "Fix checked".

Reboot.

Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\ybeeg.ini2
C:\WINDOWS\system32\drivers\FOPN.sys

Folder::
C:\WINDOWS\system32\o09PrEz
C:\Temp
C:\Program Files\svhost
C:\Program Files\poolsv
C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor

Save this as ComboFix-Do.txt

Then drag the ComboFix-Do.txt into ComboFix.exe as you see in the screenshot below.

(screenshot attachment: Combo-Do.gif)


This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
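The fix.reg in the post above mixes two deletion forms that regedit treats very differently: `"name"=-` under a plain `[key]` header removes a single value, while a header written as `[-key]` removes the whole key together with every value and subkey beneath it. Before applying a fix like this, a practitioner would want to see exactly which of its lines do which. The Python audit below is an added example, not code from this thread or from either participant: it parses a regedit export, classifies every directive, and flags whole-key deletions that hit system-critical keys such as HKLM\SYSTEM\CurrentControlSet\Control\Lsa. The list of critical keys is an illustrative assumption chosen for the example, and the fix.reg posted above is reused verbatim as the sample input.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: the fix.reg posted in this thread, reproduced verbatim.
FIX_REG = r"""Windows Registry Editor Version 5.00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runservices]
"Server Runtime Process"=-

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Server Runtime Process"=-

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cido]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\GPLv3]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\poolsv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Server Runtime Process]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skehjqb]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\svhost]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Winmplayer]
"""

# Keys whose wholesale removal damages logon, boot or service control.
# Illustrative list chosen for this example; it is not exhaustive.
CRITICAL_SUBTREES = (
    r"hkey_local_machine\system\currentcontrolset\control\lsa",
    r"hkey_local_machine\system\currentcontrolset\control\session manager",
    r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
)
# Deleting one named subkey under these is routine cleanup; deleting the root is not.
CRITICAL_ROOTS = (
    r"hkey_local_machine\system\currentcontrolset\services",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
)

KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')


@dataclass
class Directive:
    kind: str          # create_key | delete_key | set_value | delete_value
    key: str
    value: str = ""
    risk: str = ""     # non-empty when the directive is dangerous


def key_risk(key: str) -> str:
    """Return a warning if deleting this key wholesale is dangerous, else ''."""
    k = key.lower()
    if k in CRITICAL_ROOTS or any(k == p or k.startswith(p + "\\") for p in CRITICAL_SUBTREES):
        return ("deletes a system-critical key with every value and subkey under it; "
                "remove only the rogue value with \"name\"=- under a non-prefixed [key] header")
    return ""


def parse_reg(text: str) -> List[Directive]:
    """Parse a regedit export and classify every directive it would apply."""
    lines = text.splitlines()
    if not lines or not lines[0].strip().startswith(("Windows Registry Editor Version 5.00", "REGEDIT4")):
        raise ValueError("missing .reg header line")
    directives: List[Directive] = []
    current_key = None
    pending = ""   # accumulates hex values continued with a trailing backslash
    for raw in lines[1:]:
        line = raw.strip()
        if line.endswith("\\"):
            pending += line[:-1].strip()
            continue
        line, pending = pending + line, ""
        if not line or line.startswith(";"):
            continue
        m = KEY_RE.match(line)
        if m:
            if m.group("delete"):   # [-key] removes the entire key
                directives.append(Directive("delete_key", m.group("key"), risk=key_risk(m.group("key"))))
                current_key = None
            else:                   # [key] creates the key if absent and selects it for the values below
                current_key = m.group("key")
                directives.append(Directive("create_key", current_key))
            continue
        m = VALUE_RE.match(line)
        if m and current_key is not None:
            name = "(Default)" if m.group("name") == "@" else m.group("name")[1:-1]
            kind = "delete_value" if m.group("data") == "-" else "set_value"
            directives.append(Directive(kind, current_key, name))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return directives


def audit(text: str) -> Dict[str, object]:
    """Summarise what a .reg file does and list the dangerous whole-key deletions."""
    directives = parse_reg(text)
    counts: Dict[str, int] = {}
    for d in directives:
        counts[d.kind] = counts.get(d.kind, 0) + 1
    return {"counts": counts, "dangerous": [d.key for d in directives if d.risk]}


if __name__ == "__main__":
    for d in parse_reg(FIX_REG):
        flag = "  !! " + d.risk if d.risk else ""
        print(f"{d.kind:13} {d.key}" + (f"  [{d.value}]" if d.value else "") + flag)
```

Run against the posted fix.reg, the audit reports two value deletions, two key headers, and eight whole-key deletions, of which only the Lsa entry is flagged; the msconfig startupreg keys are msconfig's own copies of disabled startup items, so removing them wholesale loses nothing the system needs. The exported backup the post asks for in its first step is what makes any of these deletions reversible, and a value-level `"name"=-` is the form to prefer wherever a key also holds legitimate settings.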
sorry shaba.. more bad news..

weirdest thing happened.. so i use hjt and reboot. but it doesn't. after the black "windows" screen (right before where i choose user), a box says "system error. lsass.exe could not be found." so i click the ok box. and it restarts... a vicious cycle. until i decide to press f8.. and start windows which last worked.

so i ran hjt again.. and none of the things you asked me to check are there.. totally disappeared..

what now??? sorry..
 
ok.. i ran combofix anyway.. here's what you asked for:

ComboFix 07-06-18.2 - C:\Documents and Settings\Aman Enconado\Desktop\ComboFix.exe
"Aman Enconado" - 2007-06-22 15:36:29 - Service Pack 1 NTFS
Command switches used :: C:\Documents and Settings\Aman Enconado\Desktop\ComboFix-Do.txt


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ALLUSE~1\APPLIC~1\SalesMonitor
C:\Program Files\poolsv
C:\Program Files\poolsv\k11u72.exe
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\poolsv\YazzleBundle-1549.exe
C:\Program Files\svhost
C:\Temp
C:\WINDOWS\system32\drivers\FOPN.sys
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\o09PrEz\o09PrEz1099.exe
C:\WINDOWS\system32\ybeeg.ini2


((((((((((((((((((((((((( Files Created from 2007-05-22 to 2007-06-22 )))))))))))))))))))))))))))))))


2007-06-28 20:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-28 09:04 109 --ahs---- C:\WINDOWS\system32\3560095853.dat
2007-06-21 02:05 <DIR> d-------- C:\WINDOWS\Regedit
2007-06-20 17:11 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-20 04:24 <DIR> d-------- C:\Program Files\hp deskjet 3420 series
2007-06-20 04:21 <DIR> d-------- C:\Program Files\Hewlett-Packard
2007-06-20 00:50 299,520 --a------ C:\WINDOWS\uninst.exe
2007-06-20 00:50 286,720 --a------ C:\WINDOWS\system32\lxalpmnt.dll
2007-06-20 00:50 <DIR> d-------- C:\LxkZ65
2007-06-20 00:50 <DIR> d-------- C:\DOCUME~1\Mama\WINDOWS
2007-06-20 00:32 <DIR> d---s---- C:\DOCUME~1\Mama\UserData
2007-06-17 18:26 <DIR> d-------- C:\Program Files\DivX
2007-06-17 15:54 <DIR> d-------- C:\Program Files\QuickTime
2007-06-17 15:48 <DIR> d-------- C:\WINDOWS\pss
2007-06-17 07:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\AntiVir PersonalEdition Classic
2007-06-16 06:18 <DIR> d-------- C:\VundoFix Backups
2007-06-16 02:58 89,088 --a------ C:\WINDOWS\system32\atl71.dll
2007-06-16 02:58 499,712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-06-16 02:58 1,060,864 --a------ C:\WINDOWS\system32\mfc71.dll
2007-06-06 06:19 <DIR> d-------- C:\Tools
2007-06-05 13:19 <DIR> d-------- C:\_virusfolder


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-28 01:17:51 -------- d-----w C:\Program Files\Common Files\Scanner
2007-06-17 10:26:41 2,435 ----a-w C:\WINDOWS\mozver.dat
2007-06-15 19:40:35 -------- d-----w C:\Program Files\Yahoo!
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx [2001-04-16 16:39]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}=C:\Program Files\Yahoo!\Common\yiesrvc.dll [2005-08-17 08:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avgnt"="C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" [2007-04-02 10:35]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"=$$

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Server Runtime Process C:\WINDOWS\System32\wbem\wbemstest.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
$$

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
$$

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HPDJ Taskbar Utility]
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IgfxTray]
$$

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LXSUPMON]
C:\WINDOWS\System32\LXSUPMON.EXE RUN

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
$$

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


Contents of the 'Scheduled Tasks' folder
2007-06-21 16:00:00 C:\WINDOWS\tasks\At1.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-22 15:40:53
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-22 15:41:31
C:\ComboFix-quarantined-files.txt ... 2007-06-22 15:41
C:\ComboFix2.txt ... 2007-06-21 02:11

--- E O F ---
 
Logfile of HijackThis v1.99.1
Scan saved at 3:49:40 PM, on 6/22/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\explorer.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = 10.34.50.7:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min
O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Software Installer - {D1A4DEBD-C2EE-449f-B9FB-E8409F9A0BC5} - C:\Program Files\Lenovo\PkgMgr\\PkgMgr.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{17E170B3-408A-461A-929F-39ECE29F1D74}: NameServer = 10.32.1.7
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AntiVir PersonalEdition Classic Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: AntiVir PersonalEdition Classic Guard (AntiVirService) - Avira GmbH - C:\Program Files\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: iPod Service iPodServiceNetlogon (iPodServiceNetlogon) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Network helper Service (MSDisk) - Unknown owner - C:\WINDOWS\System32\irdvxc.exe" /service (file missing)
O23 - Service: IBM PSA Access Driver Control (PsaSrv) - Unknown owner - C:\WINDOWS\system32\PsaSrv.exe (file missing)
O23 - Service: Telephony TapiSrvSSDPSRV (TapiSrvSSDPSRV) - Unknown owner - c:\mwdgdj.exe (file missing)
O23 - Service: Windows User Mode Driver Framework (UMWdf) - Unknown owner - C:\WINDOWS\System32\wdfmgr.exe (file missing)

:sad:
 