Tech Support Forum > Security Center > Virus/Trojan/Spyware Help > Resolved HJT Threads
Resolved HJT Threads Resolved spyware and popup issues.
Old 02-25-2007, 04:13 PM   #21 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


Please download the Killbox.

Run Killbox, left-click and drag your mouse over the highlighted files below (including filepath), then right-click and choose Copy. Insert your mouse pointer within the box entitled "Full Filepath of File to Delete", right-click again and choose File > Paste from Clipboard. All the files should now appear in the box (click on the Tab and check to make sure that only the files I have identified as malware and marked for deletion are there). If each file exists, it will appear in blue under that window when you click on it. Click on Delete on Reboot. Next click on > "Delete on Reboot" and click on "All Files". Please do this even if this option is already checked. You will get a message saying "File will be deleted on next reboot. Process and Reboot now?". Click "Yes" to reboot.


C:\WINDOWS\System32\ebacdlso.dll




Remove this entry from the log, reboot and post a new log.

O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\ebacdlso.dll",setvm
__________________
Eddy

Old 02-28-2007, 08:23 PM   #22 (permalink)
Registered User
 
cul8rman's Avatar
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


New log. I see a different DllRunning in the log.

Logfile of HijackThis v1.99.1
Scan saved at 8:19:55 PM, on 2/28/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\PROGRA~1\Sygate\SPF\smc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - C:\WINDOWS\System32\pmkjj.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - C:\WINDOWS\System32\ceamvdb.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {8C5AFBC1-5D1E-4A8A-ABB5-90BE5DC3E248} - C:\WINDOWS\System32\vtstr.dll
O2 - BHO: (no name) - {911427C3-6065-497F-9C72-B2562DA349C6} - C:\WINDOWS\System32\vtstq.dll (file missing)
O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - C:\Program Files\Common Files\sagu292.dll (file missing)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - C:\WINDOWS\system32\byxwttt.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\System32\xbiehfer.dll (file missing)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\kxrwuojr.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: szr_dll - C:\WINDOWS\szr_dll.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\System32\vtstq.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\System32\vtstr.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
Old 02-28-2007, 11:24 PM   #23 (permalink)
Security Team (ret.)
 
Pancake's Avatar
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


And still more to clear out....


Download VirtumundoBegone and save it to your desktop. When you have done this doubleclick on VirtumundoBeGone.exe and follow the instructions. When it has finished, reboot and post the log that is created on your desktop called VBG.TXT in your next reply. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, it is normal and expected.





Have "Hijack This" fix all the following items in the list below by placing a check in the appropriate boxes. Confirm that you have only the listed ones checked, then press <Fix checked> and close HJT.

O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - C:\WINDOWS\System32\pmkjj.dll (file missing)
O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - C:\WINDOWS\System32\ceamvdb.dll (file missing)
O2 - BHO: (no name) - {8C5AFBC1-5D1E-4A8A-ABB5-90BE5DC3E248} - C:\WINDOWS\System32\vtstr.dll
O2 - BHO: (no name) - {911427C3-6065-497F-9C72-B2562DA349C6} - C:\WINDOWS\System32\vtstq.dll (file missing)
O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - C:\Program Files\Common Files\sagu292.dll (file missing)
O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - C:\WINDOWS\system32\byxwttt.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\System32\xbiehfer.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\kxrwuojr.dll",setvm
O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
O20 - Winlogon Notify: szr_dll - C:\WINDOWS\szr_dll.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\System32\vtstq.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\System32\vtstr.dll


Reboot and run Hijack This again and post a new Hijack This log and VBG.TXT (if any viruses are detected and removed, reboot first).
__________________
Eddy
Old 03-01-2007, 07:50 PM   #24 (permalink)
Registered User
 
cul8rman's Avatar
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Two separate replies due to file length.

VBG Log

[03/01/2007, 19:45:50] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Duane\Desktop\VirtumundoBeGone.exe" )
[03/01/2007, 19:45:56] - Detected System Information:
[03/01/2007, 19:45:56] - Windows Version: 5.1.2600, Service Pack 1
[03/01/2007, 19:45:56] - Current Username: Duane (Admin)
[03/01/2007, 19:45:56] - Windows is in NORMAL mode.
[03/01/2007, 19:45:56] - Searching for Browser Helper Objects:
[03/01/2007, 19:45:56] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[03/01/2007, 19:45:56] - BHO 2: {067BE456-B710-4015-84FF-E09B52ACE092} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\pmkjj
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\pmkjj, continuing.
[03/01/2007, 19:45:56] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/01/2007, 19:45:56] - BHO 4: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\mnyside
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\mnyside, continuing.
[03/01/2007, 19:45:56] - BHO 5: {2DD683FF-4391-4C37-AFA6-365BB9C5BBDD} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\vtstr
[03/01/2007, 19:45:56] - Found: HKLM\...\Winlogon\Notify\vtstr - This is probably Virtumundo.
[03/01/2007, 19:45:56] - Assigning {2DD683FF-4391-4C37-AFA6-365BB9C5BBDD} MSEvents Object
[03/01/2007, 19:45:56] - BHO list has been changed! Starting over...
[03/01/2007, 19:45:56] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[03/01/2007, 19:45:56] - BHO 2: {067BE456-B710-4015-84FF-E09B52ACE092} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\pmkjj
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\pmkjj, continuing.
[03/01/2007, 19:45:56] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/01/2007, 19:45:56] - BHO 4: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\mnyside
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\mnyside, continuing.
[03/01/2007, 19:45:56] - BHO 5: {2DD683FF-4391-4C37-AFA6-365BB9C5BBDD} (MSEvents Object)
[03/01/2007, 19:45:56] - ALERT: Found MSEvents Object!
[03/01/2007, 19:45:56] - BHO 6: {37EB498E-7800-A96A-AED9-045FF6ECB283} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\ceamvdb
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\ceamvdb, continuing.
[03/01/2007, 19:45:56] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/01/2007, 19:45:56] - BHO 8: {911427C3-6065-497F-9C72-B2562DA349C6} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\vtstq
[03/01/2007, 19:45:56] - Found: HKLM\...\Winlogon\Notify\vtstq - This is probably Virtumundo.
[03/01/2007, 19:45:56] - Assigning {911427C3-6065-497F-9C72-B2562DA349C6} MSEvents Object
[03/01/2007, 19:45:56] - BHO list has been changed! Starting over...
[03/01/2007, 19:45:56] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[03/01/2007, 19:45:56] - BHO 2: {067BE456-B710-4015-84FF-E09B52ACE092} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\pmkjj
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\pmkjj, continuing.
[03/01/2007, 19:45:56] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/01/2007, 19:45:56] - BHO 4: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\mnyside
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\mnyside, continuing.
[03/01/2007, 19:45:56] - BHO 5: {2DD683FF-4391-4C37-AFA6-365BB9C5BBDD} (MSEvents Object)
[03/01/2007, 19:45:56] - ALERT: Found MSEvents Object!
[03/01/2007, 19:45:56] - BHO 6: {37EB498E-7800-A96A-AED9-045FF6ECB283} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\ceamvdb
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\ceamvdb, continuing.
[03/01/2007, 19:45:56] - BHO 7: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/01/2007, 19:45:56] - BHO 8: {911427C3-6065-497F-9C72-B2562DA349C6} (MSEvents Object)
[03/01/2007, 19:45:56] - ALERT: Found MSEvents Object!
[03/01/2007, 19:45:56] - BHO 9: {A87A5C44-882B-42BC-27A5-06511D2BA675} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\sagu292
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\sagu292, continuing.
[03/01/2007, 19:45:56] - BHO 10: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/01/2007, 19:45:56] - BHO 11: {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\byxwttt
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\byxwttt, continuing.
[03/01/2007, 19:45:56] - BHO 12: {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - Checking for HKLM\...\Winlogon\Notify\xbiehfer
[03/01/2007, 19:45:56] - Key not found: HKLM\...\Winlogon\Notify\xbiehfer, continuing.
[03/01/2007, 19:45:56] - BHO 13: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[03/01/2007, 19:45:56] - BHO 14: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[03/01/2007, 19:45:56] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:56] - No filename found. Continuing.
[03/01/2007, 19:45:56] - Finished Searching Browser Helper Objects
[03/01/2007, 19:45:56] - *** Detected MSEvents Object
[03/01/2007, 19:45:56] - Trying to remove MSEvents Object...
[03/01/2007, 19:45:57] - Terminating Process: IEXPLORE.EXE
[03/01/2007, 19:45:58] - Terminating Process: RUNDLL32.EXE
[03/01/2007, 19:45:58] - Disabling Automatic Shell Restart
[03/01/2007, 19:45:58] - Terminating Process: EXPLORER.EXE
[03/01/2007, 19:45:59] - Suspending the NT Session Manager System Service
[03/01/2007, 19:45:59] - Terminating Windows NT Logon/Logoff Manager
[03/01/2007, 19:45:59] - Re-enabling Automatic Shell Restart
[03/01/2007, 19:45:59] - File to disable: C:\WINDOWS\System32\vtstr.dll
[03/01/2007, 19:45:59] - Renaming C:\WINDOWS\System32\vtstr.dll -> C:\WINDOWS\System32\vtstr.dll.vir
[03/01/2007, 19:45:59] - File successfully renamed!
[03/01/2007, 19:45:59] - Removing HKLM\...\Browser Helper Objects\{2DD683FF-4391-4C37-AFA6-365BB9C5BBDD}
[03/01/2007, 19:45:59] - Removing HKCR\CLSID\{2DD683FF-4391-4C37-AFA6-365BB9C5BBDD}
[03/01/2007, 19:45:59] - Adding Kill Bit for ActiveX for GUID: {2DD683FF-4391-4C37-AFA6-365BB9C5BBDD}
[03/01/2007, 19:45:59] - Deleting ATLEvents/MSEvents Registry entries
[03/01/2007, 19:45:59] - Removing HKLM\...\Winlogon\Notify\vtstr
[03/01/2007, 19:45:59] - Searching for Browser Helper Objects:
[03/01/2007, 19:45:59] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[03/01/2007, 19:45:59] - BHO 2: {067BE456-B710-4015-84FF-E09B52ACE092} ()
[03/01/2007, 19:45:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:59] - Checking for HKLM\...\Winlogon\Notify\pmkjj
[03/01/2007, 19:45:59] - Key not found: HKLM\...\Winlogon\Notify\pmkjj, continuing.
[03/01/2007, 19:45:59] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/01/2007, 19:45:59] - BHO 4: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} ()
[03/01/2007, 19:45:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:59] - Checking for HKLM\...\Winlogon\Notify\mnyside
[03/01/2007, 19:45:59] - Key not found: HKLM\...\Winlogon\Notify\mnyside, continuing.
[03/01/2007, 19:45:59] - BHO 5: {37EB498E-7800-A96A-AED9-045FF6ECB283} ()
[03/01/2007, 19:45:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:59] - Checking for HKLM\...\Winlogon\Notify\ceamvdb
[03/01/2007, 19:45:59] - Key not found: HKLM\...\Winlogon\Notify\ceamvdb, continuing.
[03/01/2007, 19:45:59] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/01/2007, 19:45:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:59] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/01/2007, 19:45:59] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/01/2007, 19:45:59] - BHO 7: {911427C3-6065-497F-9C72-B2562DA349C6} (MSEvents Object)
[03/01/2007, 19:45:59] - ALERT: Found MSEvents Object!
[03/01/2007, 19:45:59] - BHO 8: {A87A5C44-882B-42BC-27A5-06511D2BA675} ()
[03/01/2007, 19:45:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:59] - Checking for HKLM\...\Winlogon\Notify\sagu292
[03/01/2007, 19:45:59] - Key not found: HKLM\...\Winlogon\Notify\sagu292, continuing.
[03/01/2007, 19:45:59] - BHO 9: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/01/2007, 19:45:59] - BHO 10: {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} ()
[03/01/2007, 19:45:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:59] - Checking for HKLM\...\Winlogon\Notify\byxwttt
[03/01/2007, 19:45:59] - Key not found: HKLM\...\Winlogon\Notify\byxwttt, continuing.
[03/01/2007, 19:45:59] - BHO 11: {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} ()
[03/01/2007, 19:45:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:59] - Checking for HKLM\...\Winlogon\Notify\xbiehfer
[03/01/2007, 19:45:59] - Key not found: HKLM\...\Winlogon\Notify\xbiehfer, continuing.
[03/01/2007, 19:45:59] - BHO 12: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[03/01/2007, 19:45:59] - BHO 13: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[03/01/2007, 19:45:59] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:45:59] - No filename found. Continuing.
[03/01/2007, 19:45:59] - Finished Searching Browser Helper Objects
[03/01/2007, 19:45:59] - *** Detected MSEvents Object
[03/01/2007, 19:45:59] - Trying to remove MSEvents Object...
[03/01/2007, 19:46:00] - Terminating Process: IEXPLORE.EXE
[03/01/2007, 19:46:00] - Terminating Process: RUNDLL32.EXE
[03/01/2007, 19:46:00] - Disabling Automatic Shell Restart
[03/01/2007, 19:46:00] - Terminating Process: EXPLORER.EXE
[03/01/2007, 19:46:00] - Suspending the NT Session Manager System Service
[03/01/2007, 19:46:01] - Terminating Windows NT Logon/Logoff Manager
[03/01/2007, 19:46:01] - Re-enabling Automatic Shell Restart
[03/01/2007, 19:46:01] - File to disable: C:\WINDOWS\System32\vtstq.dll
[03/01/2007, 19:46:01] - Removing HKLM\...\Browser Helper Objects\{911427C3-6065-497F-9C72-B2562DA349C6}
[03/01/2007, 19:46:01] - Removing HKCR\CLSID\{911427C3-6065-497F-9C72-B2562DA349C6}
[03/01/2007, 19:46:01] - Adding Kill Bit for ActiveX for GUID: {911427C3-6065-497F-9C72-B2562DA349C6}
[03/01/2007, 19:46:01] - Deleting ATLEvents/MSEvents Registry entries
[03/01/2007, 19:46:01] - Removing HKLM\...\Winlogon\Notify\vtstq
[03/01/2007, 19:46:01] - Searching for Browser Helper Objects:
[03/01/2007, 19:46:01] - BHO 1: {02478D38-C3F9-4efb-9B51-7695ECA05670} (Yahoo! Companion BHO)
[03/01/2007, 19:46:01] - BHO 2: {067BE456-B710-4015-84FF-E09B52ACE092} ()
[03/01/2007, 19:46:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:46:01] - Checking for HKLM\...\Winlogon\Notify\pmkjj
[03/01/2007, 19:46:01] - Key not found: HKLM\...\Winlogon\Notify\pmkjj, continuing.
[03/01/2007, 19:46:01] - BHO 3: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/01/2007, 19:46:01] - BHO 4: {243B17DE-77C7-46BF-B94B-0B5F309A0E64} ()
[03/01/2007, 19:46:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:46:01] - Checking for HKLM\...\Winlogon\Notify\mnyside
[03/01/2007, 19:46:01] - Key not found: HKLM\...\Winlogon\Notify\mnyside, continuing.
[03/01/2007, 19:46:01] - BHO 5: {37EB498E-7800-A96A-AED9-045FF6ECB283} ()
[03/01/2007, 19:46:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:46:01] - Checking for HKLM\...\Winlogon\Notify\ceamvdb
[03/01/2007, 19:46:01] - Key not found: HKLM\...\Winlogon\Notify\ceamvdb, continuing.
[03/01/2007, 19:46:01] - BHO 6: {53707962-6F74-2D53-2644-206D7942484F} ()
[03/01/2007, 19:46:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:46:01] - Checking for HKLM\...\Winlogon\Notify\SDHelper
[03/01/2007, 19:46:01] - Key not found: HKLM\...\Winlogon\Notify\SDHelper, continuing.
[03/01/2007, 19:46:01] - BHO 7: {A87A5C44-882B-42BC-27A5-06511D2BA675} ()
[03/01/2007, 19:46:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:46:01] - Checking for HKLM\...\Winlogon\Notify\sagu292
[03/01/2007, 19:46:01] - Key not found: HKLM\...\Winlogon\Notify\sagu292, continuing.
[03/01/2007, 19:46:01] - BHO 8: {AA58ED58-01DD-4d91-8333-CF10577473F7} (Google Toolbar Helper)
[03/01/2007, 19:46:01] - BHO 9: {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} ()
[03/01/2007, 19:46:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:46:01] - Checking for HKLM\...\Winlogon\Notify\byxwttt
[03/01/2007, 19:46:01] - Key not found: HKLM\...\Winlogon\Notify\byxwttt, continuing.
[03/01/2007, 19:46:01] - BHO 10: {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} ()
[03/01/2007, 19:46:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:46:01] - Checking for HKLM\...\Winlogon\Notify\xbiehfer
[03/01/2007, 19:46:01] - Key not found: HKLM\...\Winlogon\Notify\xbiehfer, continuing.
[03/01/2007, 19:46:01] - BHO 11: {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} (EpsonToolBandKicker Class)
[03/01/2007, 19:46:01] - BHO 12: {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} ()
[03/01/2007, 19:46:01] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/01/2007, 19:46:01] - No filename found. Continuing.
[03/01/2007, 19:46:01] - Finished Searching Browser Helper Objects
[03/01/2007, 19:46:01] - Finishing up...
[03/01/2007, 19:46:01] - A restart is needed.
[03/01/2007, 19:46:16] - Attempting to Restart via STOP error (Blue Screen!)
Old 03-01-2007, 08:13 PM   #25 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


After running VirtumundoBegone I did the HJT scan. I did not find the files that were highlighted. HJT file is below *******

O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - C:\WINDOWS\System32\pmkjj.dll (file missing)
O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - C:\WINDOWS\System32\ceamvdb.dll (file missing)
O2 - BHO: (no name) - {8C5AFBC1-5D1E-4A8A-ABB5-90BE5DC3E248} - C:\WINDOWS\System32\vtstr.dll
O2 - BHO: (no name) - {911427C3-6065-497F-9C72-B2562DA349C6} - C:\WINDOWS\System32\vtstq.dll (file missing)

O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - C:\Program Files\Common Files\sagu292.dll (file missing)
O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - C:\WINDOWS\system32\byxwttt.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\System32\xbiehfer.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\kxrwuojr.dll",setvm
O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
O20 - Winlogon Notify: szr_dll - C:\WINDOWS\szr_dll.dll
O20 - Winlogon Notify: vtstq - C:\WINDOWS\System32\vtstq.dll (file missing)
O20 - Winlogon Notify: vtstr - C:\WINDOWS\System32\vtstr.dll


Old 03-03-2007, 09:25 PM   #26 (permalink)
Security Team (ret.)
 
 
Join Date: Nov 2003
Location: Victoria.Australia
Posts: 7,404
OS: XP Pro SP3


We will need a new HJT log please...
__________________
Eddy
Old 03-04-2007, 11:00 AM   #27 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Logfile of HijackThis v1.99.1
Scan saved at 11:00:26 AM, on 3/4/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\Adobe\Acrobat 4.0\Reader\AcroRd32.exe
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - (no file)
O2 - BHO: (no name) - {DEB17D59-1D80-4627-AA07-E01BB37A8399} - C:\WINDOWS\System32\awvtq.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - (no file)
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\uejowmvf.dll",setvm
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: szr_dll - C:\WINDOWS\szr_dll.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
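The log above is the kind of listing the helpers in this thread read by eye: unnamed BHOs loading straight out of System32, a rundll32 entry under HKLM\..\Run, the same DLL registered both as a BHO and as a Winlogon Notify handler, entries whose file is already gone, and a service pointing at an alternate data stream on svchost.exe. As an added example (not code from the forum, from HijackThis, or from any tool named in the thread), the Python script below applies those same cues to a constructed set of log lines shaped like the ones posted here. Its output is a review list, not a verdict: every flagged line still needs a person to decide, exactly as the helpers do in this thread.

```python
"""Triage cues for a HijackThis log, drawn from the patterns acted on in this
thread.  Added example: not HijackThis code and not part of any forum post;
the heuristics are a review aid, not a verdict on any entry."""
import re

# Constructed sample: a handful of lines in the shape of the log above.
SAMPLE_LOG = r"""
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - (no file)
O2 - BHO: (no name) - {DEB17D59-1D80-4627-AA07-E01BB37A8399} - C:\WINDOWS\System32\awvtq.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\uejowmvf.dll",setvm
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
O23 - Service: ICF - Unknown owner - C:\WINDOWS\System32\svchost.exe:exe.exe (file missing)
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
ORPHAN_MARKERS = ("(no file)", "(file missing)")
# A DLL sitting directly in %SystemRoot%\System32 (no subfolder).
SYSTEM32_DLL_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+\.dll$", re.I)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?', re.I)
# "file.ext:stream" after the last backslash marks an NTFS alternate data stream.
ADS_RE = re.compile(r"\.[a-z0-9]{1,4}:[^\\]+$", re.I)


def dll_basename(field):
    """Lower-case file name of a DLL path field, or None if the field names no DLL."""
    field = field.replace("(file missing)", "").strip().strip('"')
    name = field.rsplit("\\", 1)[-1].lower()
    return name if name.endswith(".dll") else None


def triage(log_text):
    """Return (section, reason, line) triples for entries worth a second look."""
    findings = []
    bho_dlls = {}      # dll basename -> O2 line that registers it as a BHO
    notify_dlls = {}   # dll basename -> O20 line that registers it as Winlogon Notify
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()
        parts = [p.strip() for p in body.split(" - ")]
        last = parts[-1].replace("(file missing)", "").strip()

        # Registry still points at a file that is gone: the leftover entries
        # the helpers have HijackThis clear with "Fix Checked".
        if any(mark in line for mark in ORPHAN_MARKERS):
            findings.append((section, "orphan", line))

        if section == "O2" and len(parts) >= 3:
            base = dll_basename(parts[-1])
            if base:
                bho_dlls[base] = line
            # Unnamed BHO loaded straight from System32: the shape of the
            # Vundo entries in this thread (legitimate BHOs usually carry a name).
            if "(no name)" in parts[0] and SYSTEM32_DLL_RE.match(last):
                findings.append((section, "unnamed-bho-in-system32", line))
        elif section == "O20" and len(parts) >= 2:
            base = dll_basename(parts[-1])
            if base:
                notify_dlls[base] = line
        elif section == "O4":
            rm = RUNDLL_RE.search(body)
            # rundll32 launching a DLL out of System32 at logon, like the
            # [DllRunning] entry above.
            if rm and SYSTEM32_DLL_RE.match(rm.group(1)):
                findings.append((section, "rundll32-from-system32", line))
        elif section == "O23":
            if ADS_RE.search(last):
                findings.append((section, "alternate-data-stream", line))

    # One DLL registered both as a BHO and as a Winlogon Notify handler: the
    # pairing seen with awvtq.dll and vtstr.dll in this thread.
    for base in sorted(bho_dlls.keys() & notify_dlls.keys()):
        findings.append(("O2+O20", "bho-also-winlogon-notify", bho_dlls[base]))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:6} {reason:26} {line}")
```

Run against the constructed sample it reports seven lines: three orphans, the unnamed System32 BHO, the rundll32 Run entry, the ADS service path, and the BHO/Notify pairing on awvtq.dll. Feed it a full saved log instead of SAMPLE_LOG to get the same review list for a real scan; a named vendor entry that trips the rundll32 rule is exactly the sort of thing the human pass is for.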
Old 03-07-2007, 11:11 PM   #28 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,578
OS: WinXP and Vista


Hello cul8rman,

Pancake will be away from the computer for an extended period of time and has asked me to continue with you.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

You currently have 2 Anti Virus programs installed. While it may seem to be added protection for you, more than 1 Anti Virus can cause conflicts and confusion between the AV programs as well as system instability. Please choose and run only 1 and uninstall the other via the Add/Remove Programs in the Control Panel.

***************************************************

Download SDFix and save it to your Desktop. Double click SDFix.exe and it will extract the files to %systemdrive% -(Drive that contains the Windows Directory, typically C:\SDFix)

--------------------------------------------------------------------

Download Combofix and save it to your desktop.

**Note: It is important that it is saved directly to your desktop**

--------------------------------------------------------------------

Close any open browsers.

--------------------------------------------------------------------


Go to <<Start>> then <<Run>> then copy/paste the following red text into the Run box then click OK

"%userprofile%\desktop\combofix.exe" /wow-drv ICF /v uejowmvf byxyvwv

When finished, it shall produce a log for you. We'll need that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

--------------------------------------------------------------------------

Now restart your system once again and please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. 'Check' the following entries: (if they still exist)

O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - (no file)
O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - (no file)
O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - (no file)
O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - (no file)
O2 - BHO: (no name) - {DEB17D59-1D80-4627-AA07-E01BB37A8399} - C:\WINDOWS\System32\awvtq.dll
O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\uejowmvf.dll",setvm
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\


Click 'Fix Checked' and close HijackThis.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folder

C:\WINDOWS\BBSTORE\DSS

--------------------------------------------------------------------

Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt. I'll need that in your next reply.
--------------------------------------------------------------------

Please run this online scan to search for any remnants. It can take some time, so please be patient and allow it to run its full course:

Perform an online scan with Internet Explorer with Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


--------------------------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall


Post the ComboFix.txt in your next reply.

--------------------------------------------------------------------

Run a new scan with HijackThis and save the log.

--------------------------------------------------------------------

Please include the following in your next reply:

C:\ComboFix2.txt
C:\SDFix\Report.txt
Panda report
C:\ComboFix.txt
New HijackThis log
Update on system behavior
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
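The HijackThis list above is qualified with "if they still exist", and across this thread the [DllRunning] entry has already pointed at differently named DLLs (kxrwuojr, then uejowmvf) while keeping the same value name, so comparing two logs line for line would miscount a rename as one removal plus one addition. As an added example (not the forum's or HijackThis's own code), the Python below compares two constructed logs by a stable key per entry: the CLSID for O2, the hive plus bracketed value name for O4, and the handler or service label for O20/O23. Those keying rules are this example's own assumptions about what identifies an entry, not anything HijackThis defines.

```python
"""Compare two HijackThis logs and report which entries persisted, changed,
disappeared or appeared.  Added example: not code from the forum or from
HijackThis; the keying rules below are this example's own assumptions."""
import re

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f-]{36}\}")
RUN_VALUE_RE = re.compile(r"^(.*?): \[([^\]]+)\]")

# Constructed samples shaped like the logs posted earlier in this thread.
BEFORE = r"""
O2 - BHO: (no name) - {8C5AFBC1-5D1E-4A8A-ABB5-90BE5DC3E248} - C:\WINDOWS\System32\vtstr.dll
O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - C:\WINDOWS\system32\byxwttt.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\kxrwuojr.dll",setvm
O20 - Winlogon Notify: vtstr - C:\WINDOWS\System32\vtstr.dll
"""
AFTER = r"""
O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - (no file)
O2 - BHO: (no name) - {DEB17D59-1D80-4627-AA07-E01BB37A8399} - C:\WINDOWS\System32\awvtq.dll
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\uejowmvf.dll",setvm
O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll
"""


def entry_key(line):
    """Identity of one log line that survives a DLL rename between reboots.

    O2      -> the CLSID (the DLL path may change or vanish)
    O4      -> hive/key plus the value name in brackets
    O20/O23 -> the handler or service label before the first ' - '
    other   -> the whole body
    """
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    section, body = m.groups()
    if section == "O2":
        clsid = CLSID_RE.search(body)
        return (section, clsid.group(0).upper()) if clsid else (section, body)
    if section == "O4":
        run = RUN_VALUE_RE.match(body)
        return (section, run.group(1), run.group(2)) if run else (section, body)
    if section in ("O20", "O23"):
        return (section, body.split(" - ", 1)[0])
    return (section, body)


def index_log(log_text):
    """Map entry key -> the stripped log line that carries it."""
    entries = {}
    for line in log_text.splitlines():
        key = entry_key(line)
        if key:
            entries[key] = line.strip()
    return entries


def compare_logs(before, after):
    """Bucket entries into persisted, changed (same key, new text), removed and appeared."""
    old, new = index_log(before), index_log(after)
    persisted = {k: (old[k], new[k]) for k in old.keys() & new.keys()}
    return {
        "persisted": persisted,
        "changed": {k: v for k, v in persisted.items() if v[0] != v[1]},
        "removed": {k: old[k] for k in old.keys() - new.keys()},
        "appeared": {k: new[k] for k in new.keys() - old.keys()},
    }


if __name__ == "__main__":
    report = compare_logs(BEFORE, AFTER)
    for bucket in ("changed", "removed", "appeared"):
        print(f"== {bucket} ==")
        for key, value in sorted(report[bucket].items(), key=lambda kv: str(kv[0])):
            if isinstance(value, str):
                print("  ", value)
            else:
                print("  ", value[0], "\n      ->", value[1])
```

On the constructed pair the [DllRunning] entry and the {C3581462-...} BHO come out as changed rather than removed-and-added, which is the signal that a fix only displaced a component instead of clearing it; vtstr.dll drops out as removed and awvtq.dll shows up as appeared, matching what the two posted logs in this thread show.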
Old 03-08-2007, 07:45 PM   #29 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Which two programs are Anti virus? I know AVG is one, but what is the other? I did remove the Symantec programs thinking that was one of them and I want to keep AVG.
Old 03-08-2007, 08:05 PM   #30 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,578
OS: WinXP and Vista


My apologies for not listing them out for you. Yes, AVG7 (not to be confused with AVG Anti-Spyware 7.5), and Symantec Security Center.
Old 03-09-2007, 05:51 AM   #31 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


I am at the step
**Perform an online scan with Internet Explorer with Panda ActiveScan** but cannot run it due to IE issues. I try to open IE and I get an error message - This application has failed to start because msvcrl.dll was not found. Re-installing the application may fix this problem.
I did a download from the MS site for IE7 but it appears it did not install. I went to Add / Remove Programs thinking I could uninstall and download again, but that appears to be disabled: when I clicked the option in Control Panel it would not open that function.

Suggestions? I do have a second PC at home connected to the internet through a hub but did not set up networking.

Thanks
Old 03-09-2007, 07:09 AM   #32 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
 
 
Join Date: Jan 2005
Location: Ohio
Posts: 26,578
OS: WinXP and Vista


Hello,

Please don't try uninstalling or reinstalling IE as you're still infected. Just skip the online scan and post the logs requested so we may continue.
Old 03-09-2007, 11:33 PM   #33 (permalink)
Registered User
 
 
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP



The steps are dark orange and bolded. Comments that the post has ended are at the end and are in blue.

**** Combofix2.txt file *****

"Duane" - 07-03-08 19:54:04 Service Pack 1
ComboFix 07-03-08 - Running from: "C:\Documents and Settings\Duane\desktop"
Command switches used :: /wow-drv ICF /v uejowmvf byxyvwv

/wow section not completed - STAGE #6B

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\uejowmvf.dll
C:\WINDOWS\system32\fvmwojeu.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\fcqlep.dat
C:\WINDOWS\system32\fcqlep.exe
C:\WINDOWS\system32\fcqlep_nav.dat
C:\WINDOWS\system32\fcqlep_navps.dat


((((((((((((((((((((((((((((((( Files Created from 2007-02-08 to 2007-03-08 ))))))))))))))))))))))))))))))))))


2007-03-08 19:56 <DIR> d-------- C:\WINDOWS\ERDNT
2007-03-08 19:33 971 --a------ C:\DOCUME~1\Duane\Purity.bat
2007-03-08 19:33 8,192 --a------ C:\DOCUME~1\Duane\RestartIt.exe
2007-03-08 19:33 79,360 --a------ C:\DOCUME~1\Duane\swxcacls.exe
2007-03-08 19:33 73,728 --a------ C:\DOCUME~1\Duane\FDSV.EXE
2007-03-08 19:33 6,914 --a------ C:\DOCUME~1\Duane\Qoo.bat
2007-03-08 19:33 51,200 --a------ C:\DOCUME~1\Duane\dumphive.exe
2007-03-08 19:33 5,074 --a------ C:\DOCUME~1\Duane\NTPBack.exe
2007-03-08 19:33 49,152 --a------ C:\DOCUME~1\Duane\vfind.exe
2007-03-08 19:33 42,887 --a------ C:\DOCUME~1\Duane\ntp.exe
2007-03-08 19:33 39,184 --a------ C:\DOCUME~1\Duane\Ntrights.exe
2007-03-08 19:33 38,400 --a------ C:\DOCUME~1\Duane\moveex.exe
2007-03-08 19:33 319,415 --a------ C:\DOCUME~1\Duane\Creg.reg
2007-03-08 19:33 28,672 --a------ C:\DOCUME~1\Duane\catchme.exe
2007-03-08 19:33 26,112 --a------ C:\DOCUME~1\Duane\nircmd.exe
2007-03-08 19:33 2,304 --a------ C:\DOCUME~1\Duane\Look2Me.bat
2007-03-08 19:33 181,776 --a------ C:\DOCUME~1\Duane\handle.exe
2007-03-08 19:33 140,800 --a------ C:\DOCUME~1\Duane\swreg.exe
2007-03-08 19:33 123,904 --a------ C:\DOCUME~1\Duane\swsc.exe
2007-03-08 19:33 117,379 --a------ C:\DOCUME~1\Duane\LIST-C.bat
2007-03-01 19:52 1,186,531 --ahs---- C:\WINDOWS\system32\qtvwa.bak1
2007-02-28 19:24 <DIR> d-------- C:\!KillBox
2007-02-26 21:18 0 --a------ C:\WINDOWS\system32\setup_12452.exe
2007-02-24 21:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-02-24 21:33 <DIR> d-------- C:\SmitfraudFix
2007-02-24 10:28 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-24 10:28 19,392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-23 22:45 118,804 --a------ C:\WINDOWS\system32\arbcakff.dll
2007-02-21 22:29 <DIR> d-------- C:\avenger
2007-02-21 21:42 129 --a------ C:\fix.bat
2007-02-20 23:22 <DIR> d-------- C:\Program Files\backups
2007-02-18 08:30 1,014,623 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-02-17 09:53 118,804 --a------ C:\WINDOWS\system32\etlcsjcc.dll
2007-02-16 05:28 <DIR> d-------- C:\Program Files\Hijack This
2007-02-15 20:28 73,387 --a------ C:\WINDOWS\hgefefedsf.exe
2007-02-14 19:18 74,094 --a------ C:\WINDOWS\jhtfddsdsv.exe
2007-02-13 22:36 1,189,475 --ahs---- C:\WINDOWS\system32\rtstv.bak2
2007-02-13 05:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-02-12 22:38 74,094 --a------ C:\WINDOWS\ertrtyt.exe
2007-02-12 22:36 1,023,235 --ahs---- C:\WINDOWS\system32\rtstv.bak1
2007-02-12 22:05 <DIR> d-------- C:\VundoFix Backups
2007-02-12 21:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-02-10 14:16 807,368 --ahs---- C:\WINDOWS\system32\jjkmp.ini2
2007-02-09 16:39 74 --a------ C:\DOCUME~1\Robyn\APPLIC~1\Dxcdmns.dll
2007-02-08 18:51 102 --a------ C:\DOCUME~1\Molly\APPLIC~1\Dxcdmns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver lzx32 is present. A rootkit scan is required

2007-03-08 19:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-25 10:48 -------- d---s---- C:\DOCUME~1\Duane\APPLIC~1\microsoft
2007-02-25 10:06 775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-25 10:06 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-24 22:08 3762 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-24 10:40 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\avg7
2007-02-24 10:28 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-24 10:28 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-20 21:14 -------- d-------- C:\Program Files\shockwave.com
2007-02-15 20:28 77466 --a------ C:\WINDOWS\hrefnkndefsd.exe
2007-02-13 21:29 -------- d-------- C:\Program Files\save
2007-02-13 21:29 -------- d-------- C:\Program Files\Common Files\sandlot shared
2007-02-10 20:00 14201 --a------ C:\Program Files\hijackthis.log
2007-02-04 18:37 77466 --a------ C:\WINDOWS\bgtrneiknkjnew.exe
2007-02-04 11:08 70929 --a------ C:\WINDOWS\tojndkedewf.exe
2007-02-03 14:15 999000 --ahs---- C:\WINDOWS\system32\jjkmp.bak2
2007-02-03 14:15 74072 --a------ C:\WINDOWS\njfekmfde.exe
2007-02-03 14:15 71833 --a------ C:\WINDOWS\nsicknjnfew.exe
2007-02-02 11:40 72483 --a------ C:\WINDOWS\wmnkfnjnb.exe
2007-02-02 11:27 71539 --a------ C:\WINDOWS\bmeromknge.exe
2007-02-02 10:55 70956 --a------ C:\WINDOWS\bvjbjnce.exe
2007-02-02 05:56 72483 --a------ C:\WINDOWS\vguwbjce.exe
2007-02-02 05:44 71539 --a------ C:\WINDOWS\dhinikjncew.exe
2007-01-31 19:50 71539 --a------ C:\WINDOWS\nuinkmwdw.exe
2007-01-31 19:50 70956 --a------ C:\WINDOWS\hoinkndw.exe
2007-01-31 19:29 -------- d-------- C:\Program Files\vsadd-in
2007-01-31 17:06 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-01-28 22:13 -------- d-------- C:\Program Files\lg software innovations
2007-01-28 22:05 -------- d-------- C:\Program Files\clonedvd
2007-01-28 21:28 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2007-01-28 21:26 81920 --a------ C:\DOCUME~1\Duane\APPLIC~1\ezpinst.exe
2007-01-28 21:26 7176 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.cat
2007-01-28 21:26 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-01-28 21:26 47360 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.sys
2007-01-28 21:26 34 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.log
2007-01-28 21:26 1144 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.inf
2007-01-28 21:26 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\vso
2007-01-27 08:15 -------- d-------- C:\Program Files\google
2007-01-26 17:12 988601 --ahs---- C:\WINDOWS\system32\jjkmp.bak1
2007-01-21 15:19 -------- d-------- C:\Program Files\lavasoft
2007-01-21 15:19 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\lavasoft
2007-01-21 15:08 14612 --a------ C:\Program Files\cwshredder.exe-2d092fd4.pf
2007-01-21 15:03 532480 --a------ C:\Program Files\cwshredder.exe
2007-01-20 20:28 3072 --ahs---- C:\WINDOWS\system32\porumnss.exe
2007-01-20 14:18 280 --a------ C:\Program Files\Common Files\sagu292
2007-01-16 09:44 -------- d--h----- C:\Program Files\bho plugin
2007-01-15 11:29 44032 --a------ C:\loder.exe
2007-01-14 10:30 -------- d-------- C:\Program Files\sygate
2007-01-14 10:29 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-01-13 21:34 -------- d-------- C:\Program Files\ultimate cleaner
2007-01-13 21:34 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\ultimate cleaner
2007-01-13 14:31 16 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe
2007-01-12 22:03 22541 --a------ C:\WINDOWS\system32\byxwttt.dll
2007-01-12 18:19 0 --a------ C:\WINDOWS\system32\vb2en16.dll
2007-01-11 16:35 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-11 16:34 53 --a------ C:\WINDOWS\nnqvcc.dat
2007-01-11 16:34 0 --a------ C:\WINDOWS\system32\3718845c.exe
2007-01-10 17:23 69670 --a------ C:\WINDOWS\system32\lzx32.sys
2007-01-09 21:04 89600 --a------ C:\WINDOWS\system32\setup_23577.exe
2007-01-08 17:52 89600 --a------ C:\WINDOWS\system32\setup_23335.exe
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\ps.dat
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\cookie.dat
2007-01-07 13:17 1536 --a------ C:\WINDOWS\szr_dll.dll
2007-01-07 13:16 25600 --a------ C:\WINDOWS\system32\helper.dll
2007-01-07 13:16 2432 --a------ C:\WINDOWS\system32\szr_dr.sys
2007-01-07 13:16 120661 --a------ C:\abcxz.exe
2007-01-06 20:27 0 --a------ C:\WINDOWS\system32\setup_25578.exe
2007-01-06 14:16 89600 --a------ C:\WINDOWS\system32\setup_38863.exe
2007-01-06 11:17 89600 --a------ C:\WINDOWS\system32\setup_60545.exe
2007-01-06 09:40 0 --a------ C:\wuvhs.exe
2007-01-06 09:40 0 --a------ C:\cgpevf.exe
2007-01-06 09:39 0 --a------ C:\whmiqq.exe
2007-01-06 09:39 0 --a------ C:\egrxcf.exe
2007-01-06 09:38 0 --a------ C:\pjvatvux.exe
2007-01-06 09:38 0 --a------ C:\kvxxuykr.exe
2007-01-06 09:38 0 --a------ C:\hioxmh.exe
2007-01-06 09:38 0 --a------ C:\doqic.exe
2007-01-06 09:37 0 --a------ C:\twjyq.exe
2007-01-06 09:37 0 --a------ C:\ngaobk.exe
2007-01-06 09:36 0 --a------ C:\omhran.exe
2007-01-06 09:36 0 --a------ C:\ghkv.exe
2007-01-06 09:35 0 --a------ C:\qnbndeof.exe
2007-01-06 09:35 0 --a------ C:\jtcjyqpk.exe
2007-01-06 09:34 0 --a------ C:\sdqmmkl.exe
2007-01-06 09:34 0 --a------ C:\ntbtggkm.exe
2007-01-05 20:03 390 --a------ C:\ehh4.exe
2007-01-05 20:03 390 --a------ C:\efhh.exe
2007-01-05 18:39 89600 --a------ C:\WINDOWS\system32\setup_41007.exe
2007-01-05 13:22 89600 --a------ C:\WINDOWS\system32\setup_16437.exe
2007-01-05 10:41 0 --a------ C:\WINDOWS\cab2.exe
2007-01-05 00:23 184447 --a------ C:\WINDOWS\system32\qwinpoeb.exe
2007-01-05 00:17 11066 --a------ C:\eryvk.exe
2007-01-05 00:15 89600 -r-hs---- C:\WINDOWS\userinit.exe
2007-01-04 22:35 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49 5037072 --a------ C:\Program Files\spybotsd14.exe
2007-01-01 12:02 507 --a------ C:\WINDOWS\ereg077.dat
2006-12-25 16:33 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi
2006-12-19 16:51 142 --a------ C:\Program Files\Common Files\wuopry.html


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"aconti"=""
"PrinterSpool"=""
"hkgaqge"=""
"ShellApi"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"DSS"="C:\\WINDOWS\\BBSTORE\\DSS\\DSSAGENT.EXE"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"DllRunning"="rundll32.exe \"C:\\WINDOWS\\System32\\uejowmvf.dll\",setvm"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"cwingllib"="C:\\WINDOWS\\system32\\atllsimm.exe"
"jmlcv4m"="C:\\WINDOWS\\System32\\sdmvdlxe.exe"
"TaskManager"="C:\\WINDOWS\\TaskMgr.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"cwingllib"="C:\\WINDOWS\\system32\\atllsimm.exe"
"jmlcv4m"="C:\\WINDOWS\\System32\\sdmvdlxe.exe"
"TaskManager"="C:\\WINDOWS\\TaskMgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"system"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvtq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\szr_dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\mnmddnger

HKLM\SYSTEM\CurrentControlSet\Services\Modemvc

HKLM\SYSTEM\CurrentControlSet\Services\mouhidss

HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV5x

HKLM\SYSTEM\CurrentControlSet\Services\MSDTCb

HKLM\SYSTEM\CurrentControlSet\Services\MsfsC

HKLM\SYSTEM\CurrentControlSet\Services\MSKSSRVer

HKLM\SYSTEM\CurrentControlSet\Services\MSPQMOCK

HKLM\SYSTEM\CurrentControlSet\Services\MupEE

HKLM\SYSTEM\CurrentControlSet\Services\NDISSFEC

HKLM\SYSTEM\CurrentControlSet\Services\Ndisuioi

HKLM\SYSTEM\CurrentControlSet\Services\NetBTOS

HKLM\SYSTEM\CurrentControlSet\Services\Netlogondm

HKLM\SYSTEM\CurrentControlSet\Services\Netmanon

HKLM\SYSTEM\CurrentControlSet\Services\Nlaman

HKLM\SYSTEM\CurrentControlSet\Services\NullSvc

HKLM\SYSTEM\CurrentControlSet\Services\osenkFwd

HKLM\SYSTEM\CurrentControlSet\Services\ParVdmr

HKLM\SYSTEM\CurrentControlSet\Services\PCIVdm

HKLM\SYSTEM\CurrentControlSet\Services\PCIIdep

HKLM\SYSTEM\CurrentControlSet\Services\PDCOMPin

HKLM\SYSTEM\CurrentControlSet\Services\PDRELIE

HKLM\SYSTEM\CurrentControlSet\Services\perc2AME

HKLM\SYSTEM\CurrentControlSet\Services\PerfNetk

HKLM\SYSTEM\CurrentControlSet\Services\PerfOSt

HKLM\SYSTEM\CurrentControlSet\Services\Processorort

HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStorage

HKLM\SYSTEM\CurrentControlSet\Services\ql108020

HKLM\SYSTEM\CurrentControlSet\Services\ql12400

HKLM\SYSTEM\CurrentControlSet\Services\RasManp

HKLM\SYSTEM\CurrentControlSet\Services\Rasptioe

HKLM\SYSTEM\CurrentControlSet\Services\Rdbssi

HKLM\SYSTEM\CurrentControlSet\Services\RDPDDD

HKLM\SYSTEM\CurrentControlSet\Services\redbookgr

HKLM\SYSTEM\CurrentControlSet\Services\RpcLocatorstry

HKLM\SYSTEM\CurrentControlSet\Services\RpcSscator

HKLM\SYSTEM\CurrentControlSet\Services\RSVPs

HKLM\SYSTEM\CurrentControlSet\Services\SamSs39

HKLM\SYSTEM\CurrentControlSet\Services\Secdrvle

HKLM\SYSTEM\CurrentControlSet\Services\SENSogon

HKLM\SYSTEM\CurrentControlSet\Services\Serialm

HKLM\SYSTEM\CurrentControlSet\Services\SimbadWDetection

HKLM\SYSTEM\CurrentControlSet\Services\SLIPad

HKLM\SYSTEM\CurrentControlSet\Services\Sparrowice

HKLM\SYSTEM\CurrentControlSet\Services\Spoolerr

HKLM\SYSTEM\CurrentControlSet\Services\srooler

HKLM\SYSTEM\CurrentControlSet\Services\Srvervice

HKLM\SYSTEM\CurrentControlSet\Services\stisvcV

HKLM\SYSTEM\CurrentControlSet\Services\swenumip

HKLM\SYSTEM\CurrentControlSet\Services\SwPrvi

HKLM\SYSTEM\CurrentControlSet\Services\SymWSCx

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrviver

HKLM\SYSTEM\CurrentControlSet\Services\Tcpipnd UDP Supp0rt

HKLM\SYSTEM\CurrentControlSet\Services\TDTCPE

HKLM\SYSTEM\CurrentControlSet\Services\Themesrvice

HKLM\SYSTEM\CurrentControlSet\Services\TosIder

HKLM\SYSTEM\CurrentControlSet\Services\TSDDDs

HKLM\SYSTEM\CurrentControlSet\Services\UdfsD

HKLM\SYSTEM\CurrentControlSet\Services\upnphostr

HKLM\SYSTEM\CurrentControlSet\Services\UPSphost

HKLM\SYSTEM\CurrentControlSet\Services\usbehcira

HKLM\SYSTEM\CurrentControlSet\Services\usbhubi

HKLM\SYSTEM\CurrentControlSet\Services\USBSTORt

HKLM\SYSTEM\CurrentControlSet\Services\ViaIdee

HKLM\SYSTEM\CurrentControlSet\Services\VSSatant

HKLM\SYSTEM\CurrentControlSet\Services\W3SVCme

HKLM\SYSTEM\CurrentControlSet\Services\WDICAniportService

HKLM\SYSTEM\CurrentControlSet\Services\wg3nlient

HKLM\SYSTEM\CurrentControlSet\Services\winmgmtf

HKLM\SYSTEM\CurrentControlSet\Services\Winsock - Google Desktop Search Backup Before Last Installl

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2- Google Desktop Search Backup Before Last Install

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2 - Google Desktop Search Backup Before Last Installl

HKLM\SYSTEM\CurrentControlSet\Services\WinTrust - Google Desktop Search Backup Before Last Install

HKLM\SYSTEM\CurrentControlSet\Services\wscsvcnt

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCrv

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 75
hidden files: 0

********************************************************************

Completion time: 07-03-08 20:08:50

***** sdfix\report.txt *********

SDFix: Version 1.69

Run by Duane - Thu 03/08/2007 @ 23:05:00.10

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\Documents and Settings\Duane\Desktop\SDFix

Safe Mode:
Checking Services:

Name:
szr_droiver
TCP and UDP Supp0rt

Path:
\??\C:\WINDOWS\System32\szr_dr.sys
C:\WINDOWS\System32\tccpip.exe /winnt

szr_droiver Deleted
TCP and UDP Supp0rt Deleted


Killing PID 132 'smss.exe'
Killing PID 204 'winlogon.exe'

Restoring Windows Registry Entries
Restoring Default Hosts File


Rebooting...

Normal Mode:
Checking Files:

Below files will be copied to Backups folder then removed:

C:\WINDOWS\ie-hook.txt - Deleted
C:\WINDOWS\system32\dlh9jkd1q8.exe - Deleted
C:\WINDOWS\system32\i - Deleted
C:\WINDOWS\system32\lzx32.sys - Deleted
C:\WINDOWS\system32\setup_12452.exe - Deleted
C:\WINDOWS\system32\setup_16437.exe - Deleted
C:\WINDOWS\system32\setup_23335.exe - Deleted
C:\WINDOWS\system32\setup_23577.exe - Deleted
C:\WINDOWS\system32\setup_25578.exe - Deleted
C:\WINDOWS\system32\setup_38863.exe - Deleted
C:\WINDOWS\system32\setup_41007.exe - Deleted
C:\WINDOWS\system32\setup_60545.exe - Deleted
C:\WINDOWS\system32\szr_dr.sys - Deleted
C:\WINDOWS\szr_dll.dll - Deleted
C:\WINDOWS\userinit.exe - Deleted



ADS Check:

C:\WINDOWS\system32
No streams found.


Final Check:

Remaining Services:
------------------


Rootkit lzx32 maybe active, Use a Rootkit scanner!

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"


Remaining Files:
---------------

Backups Folder: - C:\DOCUME~1\Duane\Desktop\SDFix\backups\backups.zip


Checking For Files with Hidden Attributes :

C:\Program Files\Common Files\aolshare\shell\us\shellext.dll
C:\Program Files\Common Files\csshare\shell\us\shellext.dll
C:\My Games\Action Ball\actionball.exe
C:\My Games\Adventure Ball\AdventureBall.exe
C:\My Games\Aqua Pearls\pearls.exe
C:\My Games\Cactus Bruce and the Corporate Monkeys\RealCB12.exe
C:\My Games\Clash 'N Slash\Clash N Slash.exe
C:\My Games\Flying Leo\FlyingLeo.exe
C:\My Games\Icy Spell\IcySpell.exe
C:\My Games\Impact\Impact.exe
C:\My Games\Inspheration\Inspheration.exe
C:\My Games\Jewel of Atlantis\Jewel of Atlantis.exe
C:\My Games\Mirror Magic\mirrormagic.exe
C:\My Games\Mosaic - Tomb of Mystery\Mosaic.exe
C:\My Games\Phlinx to Go\PhlinxToGo.exe
C:\My Games\Rainbow Web\RainbowWeb.exe
C:\My Games\Snowy - Space Trip\SpaceTrip.exe
C:\My Games\Turtle Odyssey\Game.exe
C:\My Games\Wheel of Fortune\Wheel of Fortune.exe
C:\Program Files\America Online 8.0\aolphx.exe
C:\Program Files\America Online 8.0\aoltray.exe
C:\Program Files\America Online 8.0\RBM.exe
C:\Program Files\America Online 8.0\waol.exe
C:\Program Files\America Online 8.0\COMIT\cswitch.exe
C:\Program Files\CompuServe 7.0\csphx.exe
C:\Program Files\CompuServe 7.0\cstray.exe
C:\Program Files\CompuServe 7.0\RBM.exe
C:\Program Files\CompuServe 7.0\wcs2000.exe
C:\Program Files\CompuServe 7.0\COMIT\cswitch.exe
C:\Program Files\Picasa2\setup.exe
C:\WINDOWS\system32\dvlsysmv.exe
C:\WINDOWS\system32\fxsugwhh.exe
C:\WINDOWS\system32\porumnss.exe
C:\Documents and Settings\Cody\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Molly\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Others\Local Settings\Temp\$b17a2e8.tmp
C:\Documents and Settings\Robyn\Local Settings\Temp\$b17a2e8.tmp
C:\WINDOWS\system32\jjkmp.tmp
C:\WINDOWS\system32\qtstv.tmp
C:\WINDOWS\system32\config\system.tmp.LOG

Add/Remove Programs List:

1Click DVD Copy 4.2.9.2
3D Snowy Cottage Screen Saver
Ad-Aware SE Personal
Adobe Acrobat 4.0
Agfa ePhoto CL18 Digital Camera Driver
America Online
AOL Instant Messenger (SM)
AOL Coach Version 1.0(Build:20020823.1)
AVG 7.5
AVG Anti-Spyware 7.5
BadCopy Pro
Belarc Advisor 7.0
BigFix
Calm Before the Storm Screen Saver
Chess Live 4.2
Cinema Tycoon(TM) Gold
CleanUp!
Conexant SoftK56 Modem(M)
CompuServe
Codec Pack - All In 1 6.0.2.7
Cox Online Support Controls
EPSON Printer Software
EZBack-it-up 2.0.1
Fiber Twig 2: Restoration of Magic Garden
Fish Tycoon
Fortune Tiles(TM) Gold
FREE Hi-Q Recorder 1.9
Gem Shop
Google Desktop Search
Gum Droppers
Hexalot
High Flying Act - Interactive Storybook
HijackThis 1.99.1
ICQ
iTunes
Java 2 Runtime Environment Standard Edition v1.3.1
Java 2 Runtime Environment Standard Edition v1.3.1_02
Karu
Microsoft Data Access Components KB870669
Lavasoft VX2 Cleaner
LEGO Chess
Macromedia Shockwave Player
CloneDVD 4.0
Micro Innovations Wireless Keyboard
Micro Innovations Wireless Optical Mouse
Mozilla Firefox (2.0.0.2)
MSN Music Assistant
WeatherBug Browser Bar - powered by MyWebSearch
Netscape 6 (6.2.1)
PC Pitstop Optimize 1.5
Picasa 2
QuickTime
Reader Rabbit 1st Grade
Reader Rabbit 1st Grade(R) Capers on Cloud Nine!(TM)
Reader Rabbit Thinking Adventures Ages 4-6
Reader Rabbit(R) I Can Read! With Phonics
RealArcade
RealPlayer
RegistryFix v3.0
Reader Rabbit's 2nd Grade
Sandlot Games Client Services
WhenU SaveNow
Macromedia Flash Player 8
SimCity 3000
Splash
Spybot - Search & Destroy 1.4
IncBack +
SurferNETWORK Player
SyncBackSE
Ultimate Cleaner
Viewpoint Media Player (Remove Only)
WeatherBug
Winamp (remove only)
Yahoo! Toolbar
Yahoo! Toolbar
Zulu Gems
Microsoft Money 2003
Microsoft Money 2003 System Pack
PC Inspector File Recovery
The Sims Deluxe Edition
Norton WMI Update
Google Toolbar for Internet Explorer
DataRobot Premium
Stomp Backup MyPC
MaxBlast 4
PowerDVD
Windows Backup Utility
EPSON Web-To-Page
Mirror Magic
NetZero For Riverdeep
iTunes
Intel(R) Extreme Graphics Driver
Microsoft Office Excel Viewer 2003
Microsoft Office Word Viewer 2003
Adobe Reader 7.0.7
DV 4100M
HP Software Update
Ulead Photo Express 4.0 SE
Texas Hold 'Em: High Stakes Poker
Ulead Photo Explorer 8.0 SE Basic
Disney's Phonics Quest
Greeting Card Factory Express
Sygate Personal Firewall
Microsoft Works 6.0
HP Deskjet 3740
Realtek AC'97 Audio
Multimedia Keyboard Driver

Finished

***** Panda Report ****
- could not run due to IE issues (Previous post has error msg)

**** Combofix.txt ****


"Duane" - 07-03-09 18:39:59 Service Pack 1
ComboFix 07-03-08 - Running from: "C:\Documents and Settings\Duane\Desktop"

/wow section not completed - STAGE #6B

((((((((((((((((((((((((((((((( Files Created from 2007-02-09 to 2007-03-09 ))))))))))))))))))))))))))))))))))


2007-03-09 05:37 <DIR> d-------- C:\WINDOWS\LastGood
2007-03-08 19:56 <DIR> d-------- C:\WINDOWS\ERDNT
2007-03-08 19:33 971 --a------ C:\DOCUME~1\Duane\Purity.bat
2007-03-08 19:33 8,192 --a------ C:\DOCUME~1\Duane\RestartIt.exe
2007-03-08 19:33 79,360 --a------ C:\DOCUME~1\Duane\swxcacls.exe
2007-03-08 19:33 73,728 --a------ C:\DOCUME~1\Duane\FDSV.EXE
2007-03-08 19:33 6,914 --a------ C:\DOCUME~1\Duane\Qoo.bat
2007-03-08 19:33 51,200 --a------ C:\DOCUME~1\Duane\dumphive.exe
2007-03-08 19:33 5,074 --a------ C:\DOCUME~1\Duane\NTPBack.exe
2007-03-08 19:33 49,152 --a------ C:\DOCUME~1\Duane\vfind.exe
2007-03-08 19:33 42,887 --a------ C:\DOCUME~1\Duane\ntp.exe
2007-03-08 19:33 39,184 --a------ C:\DOCUME~1\Duane\Ntrights.exe
2007-03-08 19:33 38,400 --a------ C:\DOCUME~1\Duane\moveex.exe
2007-03-08 19:33 319,415 --a------ C:\DOCUME~1\Duane\Creg.reg
2007-03-08 19:33 28,672 --a------ C:\DOCUME~1\Duane\catchme.exe
2007-03-08 19:33 26,112 --a------ C:\DOCUME~1\Duane\nircmd.exe
2007-03-08 19:33 2,304 --a------ C:\DOCUME~1\Duane\Look2Me.bat
2007-03-08 19:33 181,776 --a------ C:\DOCUME~1\Duane\handle.exe
2007-03-08 19:33 140,800 --a------ C:\DOCUME~1\Duane\swreg.exe
2007-03-08 19:33 123,904 --a------ C:\DOCUME~1\Duane\swsc.exe
2007-03-08 19:33 117,379 --a------ C:\DOCUME~1\Duane\LIST-C.bat
2007-03-01 19:52 1,186,531 --ahs---- C:\WINDOWS\system32\qtvwa.bak1
2007-02-28 19:24 <DIR> d-------- C:\!KillBox
2007-02-24 21:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-02-24 21:33 <DIR> d-------- C:\SmitfraudFix
2007-02-24 10:28 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-24 10:28 19,392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-23 22:45 118,804 --a------ C:\WINDOWS\system32\arbcakff.dll
2007-02-21 22:29 <DIR> d-------- C:\avenger
2007-02-21 21:42 129 --a------ C:\fix.bat
2007-02-20 23:22 <DIR> d-------- C:\Program Files\backups
2007-02-18 08:30 1,014,623 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-02-17 09:53 118,804 --a------ C:\WINDOWS\system32\etlcsjcc.dll
2007-02-16 05:28 <DIR> d-------- C:\Program Files\Hijack This
2007-02-15 20:28 73,387 --a------ C:\WINDOWS\hgefefedsf.exe
2007-02-14 19:18 74,094 --a------ C:\WINDOWS\jhtfddsdsv.exe
2007-02-13 22:36 1,189,475 --ahs---- C:\WINDOWS\system32\rtstv.bak2
2007-02-13 05:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-02-12 22:38 74,094 --a------ C:\WINDOWS\ertrtyt.exe
2007-02-12 22:36 1,023,235 --ahs---- C:\WINDOWS\system32\rtstv.bak1
2007-02-12 22:05 <DIR> d-------- C:\VundoFix Backups
2007-02-12 21:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-02-10 14:16 807,368 --ahs---- C:\WINDOWS\system32\jjkmp.ini2
2007-02-09 16:39 74 --a------ C:\DOCUME~1\Robyn\APPLIC~1\Dxcdmns.dll


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

Rootkit driver lzx32 is present. A rootkit scan is required

2007-03-08 19:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-25 10:48 -------- d---s---- C:\DOCUME~1\Duane\APPLIC~1\microsoft
2007-02-25 10:06 775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-25 10:06 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-24 22:08 3762 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-24 10:40 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\avg7
2007-02-24 10:28 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-24 10:28 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-20 21:14 -------- d-------- C:\Program Files\shockwave.com
2007-02-15 20:28 77466 --a------ C:\WINDOWS\hrefnkndefsd.exe
2007-02-13 21:29 -------- d-------- C:\Program Files\save
2007-02-13 21:29 -------- d-------- C:\Program Files\Common Files\sandlot shared
2007-02-10 20:00 14201 --a------ C:\Program Files\hijackthis.log
2007-02-04 18:37 77466 --a------ C:\WINDOWS\bgtrneiknkjnew.exe
2007-02-04 11:08 70929 --a------ C:\WINDOWS\tojndkedewf.exe
2007-02-03 14:15 999000 --ahs---- C:\WINDOWS\system32\jjkmp.bak2
2007-02-03 14:15 74072 --a------ C:\WINDOWS\njfekmfde.exe
2007-02-03 14:15 71833 --a------ C:\WINDOWS\nsicknjnfew.exe
2007-02-02 11:40 72483 --a------ C:\WINDOWS\wmnkfnjnb.exe
2007-02-02 11:27 71539 --a------ C:\WINDOWS\bmeromknge.exe
2007-02-02 10:55 70956 --a------ C:\WINDOWS\bvjbjnce.exe
2007-02-02 05:56 72483 --a------ C:\WINDOWS\vguwbjce.exe
2007-02-02 05:44 71539 --a------ C:\WINDOWS\dhinikjncew.exe
2007-01-31 19:50 71539 --a------ C:\WINDOWS\nuinkmwdw.exe
2007-01-31 19:50 70956 --a------ C:\WINDOWS\hoinkndw.exe
2007-01-31 19:29 -------- d-------- C:\Program Files\vsadd-in
2007-01-31 17:06 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-01-28 22:13 -------- d-------- C:\Program Files\lg software innovations
2007-01-28 22:05 -------- d-------- C:\Program Files\clonedvd
2007-01-28 21:28 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2007-01-28 21:26 81920 --a------ C:\DOCUME~1\Duane\APPLIC~1\ezpinst.exe
2007-01-28 21:26 7176 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.cat
2007-01-28 21:26 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-01-28 21:26 47360 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.sys
2007-01-28 21:26 34 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.log
2007-01-28 21:26 1144 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.inf
2007-01-28 21:26 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\vso
2007-01-27 08:15 -------- d-------- C:\Program Files\google
2007-01-26 17:12 988601 --ahs---- C:\WINDOWS\system32\jjkmp.bak1
2007-01-21 15:19 -------- d-------- C:\Program Files\lavasoft
2007-01-21 15:19 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\lavasoft
2007-01-21 15:08 14612 --a------ C:\Program Files\cwshredder.exe-2d092fd4.pf
2007-01-21 15:03 532480 --a------ C:\Program Files\cwshredder.exe
2007-01-20 20:28 3072 --ahs---- C:\WINDOWS\system32\porumnss.exe
2007-01-20 14:18 280 --a------ C:\Program Files\Common Files\sagu292
2007-01-16 09:44 -------- d--h----- C:\Program Files\bho plugin
2007-01-15 11:29 44032 --a------ C:\loder.exe
2007-01-14 10:30 -------- d-------- C:\Program Files\sygate
2007-01-14 10:29 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-01-13 21:34 -------- d-------- C:\Program Files\ultimate cleaner
2007-01-13 21:34 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\ultimate cleaner
2007-01-12 22:03 22541 --a------ C:\WINDOWS\system32\byxwttt.dll
2007-01-12 18:19 0 --a------ C:\WINDOWS\system32\vb2en16.dll
2007-01-11 16:35 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-11 16:34 53 --a------ C:\WINDOWS\nnqvcc.dat
2007-01-11 16:34 0 --a------ C:\WINDOWS\system32\3718845c.exe
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\ps.dat
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\cookie.dat
2007-01-07 13:16 25600 --a------ C:\WINDOWS\system32\helper.dll
2007-01-07 13:16 120661 --a------ C:\abcxz.exe
2007-01-06 09:40 0 --a------ C:\wuvhs.exe
2007-01-06 09:40 0 --a------ C:\cgpevf.exe
2007-01-06 09:39 0 --a------ C:\whmiqq.exe
2007-01-06 09:39 0 --a------ C:\egrxcf.exe
2007-01-06 09:38 0 --a------ C:\pjvatvux.exe
2007-01-06 09:38 0 --a------ C:\kvxxuykr.exe
2007-01-06 09:38 0 --a------ C:\hioxmh.exe
2007-01-06 09:38 0 --a------ C:\doqic.exe
2007-01-06 09:37 0 --a------ C:\twjyq.exe
2007-01-06 09:37 0 --a------ C:\ngaobk.exe
2007-01-06 09:36 0 --a------ C:\omhran.exe
2007-01-06 09:36 0 --a------ C:\ghkv.exe
2007-01-06 09:35 0 --a------ C:\qnbndeof.exe
2007-01-06 09:35 0 --a------ C:\jtcjyqpk.exe
2007-01-06 09:34 0 --a------ C:\sdqmmkl.exe
2007-01-06 09:34 0 --a------ C:\ntbtggkm.exe
2007-01-05 20:03 390 --a------ C:\ehh4.exe
2007-01-05 20:03 390 --a------ C:\efhh.exe
2007-01-05 10:41 0 --a------ C:\WINDOWS\cab2.exe
2007-01-05 00:23 184447 --a------ C:\WINDOWS\system32\qwinpoeb.exe
2007-01-05 00:17 11066 --a------ C:\eryvk.exe
2007-01-04 22:35 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49 5037072 --a------ C:\Program Files\spybotsd14.exe
2007-01-01 12:02 507 --a------ C:\WINDOWS\ereg077.dat
2006-12-25 16:33 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi
2006-12-19 16:51 142 --a------ C:\Program Files\Common Files\wuopry.html


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"aconti"=""
"PrinterSpool"=""
"hkgaqge"=""
"ShellApi"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"cwingllib"="C:\\WINDOWS\\system32\\atllsimm.exe"
"jmlcv4m"="C:\\WINDOWS\\System32\\sdmvdlxe.exe"
"TaskManager"="C:\\WINDOWS\\TaskMgr.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"cwingllib"="C:\\WINDOWS\\system32\\atllsimm.exe"
"jmlcv4m"="C:\\WINDOWS\\System32\\sdmvdlxe.exe"
"TaskManager"="C:\\WINDOWS\\TaskMgr.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\mnmddnger

HKLM\SYSTEM\CurrentControlSet\Services\Modemvc

HKLM\SYSTEM\CurrentControlSet\Services\mouhidss

HKLM\SYSTEM\CurrentControlSet\Services\MRxDAV5x

HKLM\SYSTEM\CurrentControlSet\Services\MSDTCb

HKLM\SYSTEM\CurrentControlSet\Services\MsfsC

HKLM\SYSTEM\CurrentControlSet\Services\MSKSSRVer

HKLM\SYSTEM\CurrentControlSet\Services\MSPQMOCK

HKLM\SYSTEM\CurrentControlSet\Services\MupEE

HKLM\SYSTEM\CurrentControlSet\Services\NDISSFEC

HKLM\SYSTEM\CurrentControlSet\Services\Ndisuioi

HKLM\SYSTEM\CurrentControlSet\Services\NetBTOS

HKLM\SYSTEM\CurrentControlSet\Services\Netlogondm

HKLM\SYSTEM\CurrentControlSet\Services\Netmanon

HKLM\SYSTEM\CurrentControlSet\Services\Nlaman

HKLM\SYSTEM\CurrentControlSet\Services\NullSvc

HKLM\SYSTEM\CurrentControlSet\Services\osenkFwd

HKLM\SYSTEM\CurrentControlSet\Services\ParVdmr

HKLM\SYSTEM\CurrentControlSet\Services\PCIVdm

HKLM\SYSTEM\CurrentControlSet\Services\PCIIdep

HKLM\SYSTEM\CurrentControlSet\Services\PDCOMPin

HKLM\SYSTEM\CurrentControlSet\Services\PDRELIE

HKLM\SYSTEM\CurrentControlSet\Services\perc2AME

HKLM\SYSTEM\CurrentControlSet\Services\PerfNetk

HKLM\SYSTEM\CurrentControlSet\Services\PerfOSt

HKLM\SYSTEM\CurrentControlSet\Services\Processorort

HKLM\SYSTEM\CurrentControlSet\Services\PSchedtedStorage

HKLM\SYSTEM\CurrentControlSet\Services\ql108020

HKLM\SYSTEM\CurrentControlSet\Services\ql12400

HKLM\SYSTEM\CurrentControlSet\Services\RasManp

HKLM\SYSTEM\CurrentControlSet\Services\Rasptioe

HKLM\SYSTEM\CurrentControlSet\Services\Rdbssi

HKLM\SYSTEM\CurrentControlSet\Services\RDPDDD

HKLM\SYSTEM\CurrentControlSet\Services\redbookgr

HKLM\SYSTEM\CurrentControlSet\Services\RpcLocatorstry

HKLM\SYSTEM\CurrentControlSet\Services\RpcSscator

HKLM\SYSTEM\CurrentControlSet\Services\RSVPs

HKLM\SYSTEM\CurrentControlSet\Services\SamSs39

HKLM\SYSTEM\CurrentControlSet\Services\Secdrvle

HKLM\SYSTEM\CurrentControlSet\Services\SENSogon

HKLM\SYSTEM\CurrentControlSet\Services\Serialm

HKLM\SYSTEM\CurrentControlSet\Services\SimbadWDetection

HKLM\SYSTEM\CurrentControlSet\Services\SLIPad

HKLM\SYSTEM\CurrentControlSet\Services\Sparrowice

HKLM\SYSTEM\CurrentControlSet\Services\Spoolerr

HKLM\SYSTEM\CurrentControlSet\Services\srooler

HKLM\SYSTEM\CurrentControlSet\Services\Srvervice

HKLM\SYSTEM\CurrentControlSet\Services\stisvcV

HKLM\SYSTEM\CurrentControlSet\Services\swenumip

HKLM\SYSTEM\CurrentControlSet\Services\SwPrvi

HKLM\SYSTEM\CurrentControlSet\Services\SymWSCx

HKLM\SYSTEM\CurrentControlSet\Services\TapiSrvog

HKLM\SYSTEM\CurrentControlSet\Services\Tcpiprv

HKLM\SYSTEM\CurrentControlSet\Services\TDTCPE

HKLM\SYSTEM\CurrentControlSet\Services\Themesrvice

HKLM\SYSTEM\CurrentControlSet\Services\TosIder

HKLM\SYSTEM\CurrentControlSet\Services\TSDDDs

HKLM\SYSTEM\CurrentControlSet\Services\UdfsD

HKLM\SYSTEM\CurrentControlSet\Services\upnphostr

HKLM\SYSTEM\CurrentControlSet\Services\UPSphost

HKLM\SYSTEM\CurrentControlSet\Services\usbehcira

HKLM\SYSTEM\CurrentControlSet\Services\usbhubi

HKLM\SYSTEM\CurrentControlSet\Services\USBSTORt

HKLM\SYSTEM\CurrentControlSet\Services\ViaIdee

HKLM\SYSTEM\CurrentControlSet\Services\VSSatant

HKLM\SYSTEM\CurrentControlSet\Services\W3SVCme

HKLM\SYSTEM\CurrentControlSet\Services\WDICAniportService

HKLM\SYSTEM\CurrentControlSet\Services\wg3nlient

HKLM\SYSTEM\CurrentControlSet\Services\winmgmtf

HKLM\SYSTEM\CurrentControlSet\Services\Winsock - Google Desktop Search Backup Before Last Installl

HKLM\SYSTEM\CurrentControlSet\Services\WinSock2- Google Desktop Search Backup Before Last Install

HKLM\SYSTEM\CurrentControlSet\Services\Winsock2 - Google Desktop Search Backup Before Last Installl

HKLM\SYSTEM\CurrentControlSet\Services\WinTrust - Google Desktop Search Backup Before Last Install

HKLM\SYSTEM\CurrentControlSet\Services\wscsvcnt

HKLM\SYSTEM\CurrentControlSet\Services\WZCSVCrv

scanning hidden autostart entries ...

scanning hidden files ...


scan completed successfully
hidden processes: 0
hidden services: 75
hidden files: 0

********************************************************************

Completion time: 07-03-09 18:42:26
C:\ComboFix2.txt ... 07-03-08 20:08
C:\ComboFix3.txt ... 07-03-08 20:16

***** HJT Log *****


Logfile of HijackThis v1.99.1
Scan saved at 11:21:00 PM, on 3/9/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Hijack This\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

***** Update on system behavior *****

The system appears to be running well. I have not updated AVG in the past week, but I did not get any virus or threat warnings the past two days when doing this maintenance. Internet pages load pretty quickly with no pop up warnings.

End of post and log files, waiting on next directions. I do appreciate the help, things are getting much better.
Old 03-09-2007, 11:45 PM   #34 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,578
OS: WinXP and Vista


Hiya,

There it is. Before we go any further, we need to rid the system of the rootkit.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

As before, it is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download Rustbfix and save it to your desktop.


Alternate download Mirrors if needed:

http://andymanchesta.com/uploads.ejvindh/Rustbfix.exe
http://uploads.ejvindh.andymanchesta.com/Rustbfix.exe


Double click on rustbfix.exe to run the tool. If a Rustock.b-infection is found, you will shortly hereafter be asked to reboot the computer. The reboot will probably take quite a while, and perhaps 2 reboots will be needed. But this will happen automatically.

After the reboot 2 logfiles will open (C:\avenger.txt & C:\rustbfixpelog.txt). Post the content of these logfiles in your next reply.

------------------------------------------------

Double click on combofix.exe & follow the prompts.
When finished, it shall produce a log for you.

Note:
Do not mouseclick combofix's window while it's running. That may cause it to stall.


Post the ComboFix.txt in your next reply as well.
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
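As an added example (not part of the thread and not code from the ComboFix/catchme tools), a small Python triage of the "hidden services" section in a log like the one posted above: it classifies each hidden key name as an exact known XP service name, a known name with trailing characters (the pattern the listing above shows, e.g. Spoolerr, Tcpiprv, winmgmtf), or unknown, and checks the parsed count against the "hidden services:" summary so a truncated paste is noticed. KNOWN_XP_SERVICES is a deliberately short, constructed allow-list and SAMPLE_LOG is built from lines of the log above.

```python
"""Triage the 'hidden services' section of a ComboFix/catchme log.

Added example, not part of the thread or of the ComboFix/catchme tools.
SAMPLE_LOG is constructed from lines in the log posted above, and
KNOWN_XP_SERVICES is a deliberately short, constructed allow-list (a real
triage would load the full service list from a known-clean machine).
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

KNOWN_XP_SERVICES = {
    "SENS", "Serial", "Spooler", "stisvc", "Tcpip", "upnphost",
    "USBSTOR", "winmgmt", "Winsock", "WinSock2", "WinTrust", "wscsvc",
}
SERVICE_KEY = re.compile(r"^HKLM\\SYSTEM\\CurrentControlSet\\Services\\(.+)$", re.I)
SUMMARY = re.compile(r"^hidden services:\s*(\d+)\s*$")


def classify(name: str) -> Tuple[str, str]:
    """Return (kind, base): 'exact', 'mangled' (known name plus trailing
    characters, e.g. 'Spoolerr' -> 'Spooler') or 'unknown' (no known prefix)."""
    lowered = name.lower()
    best = ""
    for known in KNOWN_XP_SERVICES:
        k = known.lower()
        if lowered == k:
            return "exact", known
        if lowered.startswith(k) and len(k) > len(best):
            best = known                      # keep the longest known prefix
    return ("mangled", best) if best else ("unknown", "")


@dataclass
class Triage:
    exact: List[Tuple[str, str]] = field(default_factory=list)
    mangled: List[Tuple[str, str]] = field(default_factory=list)
    unknown: List[Tuple[str, str]] = field(default_factory=list)
    reported: Optional[int] = None            # from the 'hidden services:' line

    @property
    def parsed(self) -> int:
        return len(self.exact) + len(self.mangled) + len(self.unknown)

    @property
    def truncated(self) -> bool:
        """True when the summary promises more entries than the paste holds."""
        return self.reported is not None and self.parsed < self.reported


def triage(log_text: str) -> Triage:
    """Classify every key listed between 'scanning hidden services' and the
    next scan header, and pick up the 'hidden services: N' summary."""
    result = Triage()
    in_services = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line.startswith("scanning hidden services"):
            in_services = True
            continue
        if line.startswith("scanning hidden autostart"):
            in_services = False
        m = SUMMARY.match(line)
        if m:
            result.reported = int(m.group(1))
            continue
        m = SERVICE_KEY.match(line) if in_services else None
        if m:
            kind, base = classify(m.group(1))
            getattr(result, kind).append((m.group(1), base))
    return result


# Constructed sample: eight hidden-service lines and the summary from the log above.
SAMPLE_LOG = """
scanning hidden services ...

HKLM\\SYSTEM\\CurrentControlSet\\Services\\Spoolerr
HKLM\\SYSTEM\\CurrentControlSet\\Services\\srooler
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Tcpiprv
HKLM\\SYSTEM\\CurrentControlSet\\Services\\upnphostr
HKLM\\SYSTEM\\CurrentControlSet\\Services\\USBSTORt
HKLM\\SYSTEM\\CurrentControlSet\\Services\\winmgmtf
HKLM\\SYSTEM\\CurrentControlSet\\Services\\Winsock - Google Desktop Search Backup Before Last Installl
HKLM\\SYSTEM\\CurrentControlSet\\Services\\SimbadWDetection

scanning hidden autostart entries ...

hidden services: 75
"""

if __name__ == "__main__":
    t = triage(SAMPLE_LOG)
    for kind in ("exact", "mangled", "unknown"):
        for name, base in getattr(t, kind):
            print(f"{kind:8} {name:55} base={base or '-'}")
    print(f"parsed {t.parsed} of {t.reported} reported, truncated={t.truncated}")
```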
Old 03-10-2007, 01:47 PM   #35 (permalink)
Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


The system seems to be running better with no detections by AVG like it had just a week ago.

Avenger.txt file

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\usohctwn

*******************

Script file located at: \??\C:\Program Files\xbejcaeu.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver lzx32 unloaded successfully.
Program C:\Rustbfix\2run.bat successfully set up to run once on reboot.

Completed script processing.

*******************

Finished! Terminate.

C:\rustbfixpelog.txt
************************* Rustock.b-fix -- By ejvindh *************************
Sat 03/10/2007 11:55:25.75

******************* Pre-run Status of system *******************

Rootkit driver lzx32 is found. Starting the unload-procedure....

Rustock.b-ADS attached to the System32-folder:
:lzx32.sys 72886
Total size: 72886 bytes.
Attempting to remove ADS...
system32: deleted 72886 bytes in 1 streams.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************* Post-run Status of system *******************

Rustock.b-driver on the system: NONE!

Rustock.b-ADS attached to the System32-folder:
No System32-ADS found.

Looking for Rustock.b-files in the System32-folder:
No Rustock.b-files found in system32


******************************* End of Logfile ********************************

ComboFix.txt


"Duane" - 07-03-10 13:24:53 Service Pack 1
ComboFix 07-03-08 - Running from: "C:\Documents and Settings\Duane\Desktop"

/wow section not completed - STAGE #6B

((((((((((((((((((((((((((((((( Files Created from 2007-02-10 to 2007-03-10 ))))))))))))))))))))))))))))))))))


2007-03-10 12:04 0 --a------ C:\WINDOWS\system32\eraseme_40180.exe
2007-03-10 12:01 <DIR> d-------- C:\avenger
2007-03-10 11:31 <DIR> d-------- C:\Rustbfix
2007-03-10 11:10 62,739 --a------ C:\WINDOWS\system32\setup_50418.exe
2007-03-09 18:42 639 --a------ C:\Combo.bat
2007-03-08 19:56 <DIR> d-------- C:\WINDOWS\ERDNT
2007-03-08 19:33 971 --a------ C:\DOCUME~1\Duane\Purity.bat
2007-03-08 19:33 8,192 --a------ C:\DOCUME~1\Duane\RestartIt.exe
2007-03-08 19:33 79,360 --a------ C:\DOCUME~1\Duane\swxcacls.exe
2007-03-08 19:33 73,728 --a------ C:\DOCUME~1\Duane\FDSV.EXE
2007-03-08 19:33 6,914 --a------ C:\DOCUME~1\Duane\Qoo.bat
2007-03-08 19:33 51,200 --a------ C:\DOCUME~1\Duane\dumphive.exe
2007-03-08 19:33 5,074 --a------ C:\DOCUME~1\Duane\NTPBack.exe
2007-03-08 19:33 49,152 --a------ C:\DOCUME~1\Duane\vfind.exe
2007-03-08 19:33 42,887 --a------ C:\DOCUME~1\Duane\ntp.exe
2007-03-08 19:33 39,184 --a------ C:\DOCUME~1\Duane\Ntrights.exe
2007-03-08 19:33 38,400 --a------ C:\DOCUME~1\Duane\moveex.exe
2007-03-08 19:33 319,415 --a------ C:\DOCUME~1\Duane\Creg.reg
2007-03-08 19:33 28,672 --a------ C:\DOCUME~1\Duane\catchme.exe
2007-03-08 19:33 26,112 --a------ C:\DOCUME~1\Duane\nircmd.exe
2007-03-08 19:33 2,304 --a------ C:\DOCUME~1\Duane\Look2Me.bat
2007-03-08 19:33 181,776 --a------ C:\DOCUME~1\Duane\handle.exe
2007-03-08 19:33 140,800 --a------ C:\DOCUME~1\Duane\swreg.exe
2007-03-08 19:33 123,904 --a------ C:\DOCUME~1\Duane\swsc.exe
2007-03-08 19:33 117,379 --a------ C:\DOCUME~1\Duane\LIST-C.bat
2007-03-01 19:52 1,186,531 --ahs---- C:\WINDOWS\system32\qtvwa.bak1
2007-02-28 19:24 <DIR> d-------- C:\!KillBox
2007-02-24 21:33 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-02-24 21:33 <DIR> d-------- C:\SmitfraudFix
2007-02-24 10:28 3,968 --a------ C:\WINDOWS\system32\drivers\avgclean.sys
2007-02-24 10:28 19,392 --a------ C:\WINDOWS\system32\drivers\avgmfx86.sys
2007-02-23 22:45 118,804 --a------ C:\WINDOWS\system32\arbcakff.dll
2007-02-21 21:42 129 --a------ C:\fix.bat
2007-02-20 23:22 <DIR> d-------- C:\Program Files\backups
2007-02-18 08:30 1,014,623 --ahs---- C:\WINDOWS\system32\qtstv.bak1
2007-02-17 09:53 118,804 --a------ C:\WINDOWS\system32\etlcsjcc.dll
2007-02-16 05:28 <DIR> d-------- C:\Program Files\Hijack This
2007-02-15 20:28 73,387 --a------ C:\WINDOWS\hgefefedsf.exe
2007-02-14 19:18 74,094 --a------ C:\WINDOWS\jhtfddsdsv.exe
2007-02-13 22:36 1,189,475 --ahs---- C:\WINDOWS\system32\rtstv.bak2
2007-02-13 05:48 <DIR> d-------- C:\DOCUME~1\ADMINI~1\DoctorWeb
2007-02-12 22:38 74,094 --a------ C:\WINDOWS\ertrtyt.exe
2007-02-12 22:36 1,023,235 --ahs---- C:\WINDOWS\system32\rtstv.bak1
2007-02-12 22:05 <DIR> d-------- C:\VundoFix Backups
2007-02-12 21:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Office Genuine Advantage
2007-02-10 14:16 807,368 --ahs---- C:\WINDOWS\system32\jjkmp.ini2


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-03-08 19:47 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-02-25 10:48 -------- d---s---- C:\DOCUME~1\Duane\APPLIC~1\microsoft
2007-02-25 10:06 775680 --a------ C:\WINDOWS\system32\drivers\avg7core.sys
2007-02-25 10:06 27776 --a------ C:\WINDOWS\system32\drivers\avg7rsxp.sys
2007-02-24 22:08 3762 --a------ C:\WINDOWS\system32\tmp.reg
2007-02-24 10:40 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\avg7
2007-02-24 10:28 4960 --a------ C:\WINDOWS\system32\drivers\avgtdi.sys
2007-02-24 10:28 4224 --a------ C:\WINDOWS\system32\drivers\avg7rsw.sys
2007-02-20 21:14 -------- d-------- C:\Program Files\shockwave.com
2007-02-15 20:28 77466 --a------ C:\WINDOWS\hrefnkndefsd.exe
2007-02-13 21:29 -------- d-------- C:\Program Files\save
2007-02-13 21:29 -------- d-------- C:\Program Files\Common Files\sandlot shared
2007-02-10 20:00 14201 --a------ C:\Program Files\hijackthis.log
2007-02-04 18:37 77466 --a------ C:\WINDOWS\bgtrneiknkjnew.exe
2007-02-04 11:08 70929 --a------ C:\WINDOWS\tojndkedewf.exe
2007-02-03 14:15 999000 --ahs---- C:\WINDOWS\system32\jjkmp.bak2
2007-02-03 14:15 74072 --a------ C:\WINDOWS\njfekmfde.exe
2007-02-03 14:15 71833 --a------ C:\WINDOWS\nsicknjnfew.exe
2007-02-02 11:40 72483 --a------ C:\WINDOWS\wmnkfnjnb.exe
2007-02-02 11:27 71539 --a------ C:\WINDOWS\bmeromknge.exe
2007-02-02 10:55 70956 --a------ C:\WINDOWS\bvjbjnce.exe
2007-02-02 05:56 72483 --a------ C:\WINDOWS\vguwbjce.exe
2007-02-02 05:44 71539 --a------ C:\WINDOWS\dhinikjncew.exe
2007-01-31 19:50 71539 --a------ C:\WINDOWS\nuinkmwdw.exe
2007-01-31 19:50 70956 --a------ C:\WINDOWS\hoinkndw.exe
2007-01-31 19:29 -------- d-------- C:\Program Files\vsadd-in
2007-01-31 17:06 932 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-01-28 22:13 -------- d-------- C:\Program Files\lg software innovations
2007-01-28 22:05 -------- d-------- C:\Program Files\clonedvd
2007-01-28 21:28 14 --a------ C:\WINDOWS\system32\systeminfo3.dll
2007-01-28 21:26 81920 --a------ C:\DOCUME~1\Duane\APPLIC~1\ezpinst.exe
2007-01-28 21:26 7176 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.cat
2007-01-28 21:26 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-01-28 21:26 47360 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.sys
2007-01-28 21:26 34 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.log
2007-01-28 21:26 1144 --a------ C:\DOCUME~1\Duane\APPLIC~1\pcouffin.inf
2007-01-28 21:26 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\vso
2007-01-27 08:15 -------- d-------- C:\Program Files\google
2007-01-26 17:12 988601 --ahs---- C:\WINDOWS\system32\jjkmp.bak1
2007-01-21 15:19 -------- d-------- C:\Program Files\lavasoft
2007-01-21 15:19 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\lavasoft
2007-01-21 15:08 14612 --a------ C:\Program Files\cwshredder.exe-2d092fd4.pf
2007-01-21 15:03 532480 --a------ C:\Program Files\cwshredder.exe
2007-01-20 20:28 3072 --ahs---- C:\WINDOWS\system32\porumnss.exe
2007-01-20 14:18 280 --a------ C:\Program Files\Common Files\sagu292
2007-01-16 09:44 -------- d--h----- C:\Program Files\bho plugin
2007-01-15 11:29 44032 --a------ C:\loder.exe
2007-01-14 10:30 -------- d-------- C:\Program Files\sygate
2007-01-14 10:29 -------- d-------- C:\Program Files\Common Files\wise installation wizard
2007-01-13 21:34 -------- d-------- C:\Program Files\ultimate cleaner
2007-01-13 21:34 -------- d-------- C:\DOCUME~1\Duane\APPLIC~1\ultimate cleaner
2007-01-12 22:03 22541 --a------ C:\WINDOWS\system32\byxwttt.dll
2007-01-12 18:19 0 --a------ C:\WINDOWS\system32\vb2en16.dll
2007-01-11 16:35 12800 --a------ C:\WINDOWS\system32\svchost.exe
2007-01-11 16:34 53 --a------ C:\WINDOWS\nnqvcc.dat
2007-01-11 16:34 0 --a------ C:\WINDOWS\system32\3718845c.exe
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\ps.dat
2007-01-07 18:21 1 --a------ C:\WINDOWS\system32\cookie.dat
2007-01-07 13:16 25600 --a------ C:\WINDOWS\system32\helper.dll
2007-01-07 13:16 120661 --a------ C:\abcxz.exe
2007-01-06 09:40 0 --a------ C:\wuvhs.exe
2007-01-06 09:40 0 --a------ C:\cgpevf.exe
2007-01-06 09:39 0 --a------ C:\whmiqq.exe
2007-01-06 09:39 0 --a------ C:\egrxcf.exe
2007-01-06 09:38 0 --a------ C:\pjvatvux.exe
2007-01-06 09:38 0 --a------ C:\kvxxuykr.exe
2007-01-06 09:38 0 --a------ C:\hioxmh.exe
2007-01-06 09:38 0 --a------ C:\doqic.exe
2007-01-06 09:37 0 --a------ C:\twjyq.exe
2007-01-06 09:37 0 --a------ C:\ngaobk.exe
2007-01-06 09:36 0 --a------ C:\omhran.exe
2007-01-06 09:36 0 --a------ C:\ghkv.exe
2007-01-06 09:35 0 --a------ C:\qnbndeof.exe
2007-01-06 09:35 0 --a------ C:\jtcjyqpk.exe
2007-01-06 09:34 0 --a------ C:\sdqmmkl.exe
2007-01-06 09:34 0 --a------ C:\ntbtggkm.exe
2007-01-05 20:03 390 --a------ C:\ehh4.exe
2007-01-05 20:03 390 --a------ C:\efhh.exe
2007-01-05 10:41 0 --a------ C:\WINDOWS\cab2.exe
2007-01-05 00:23 184447 --a------ C:\WINDOWS\system32\qwinpoeb.exe
2007-01-05 00:17 11066 --a------ C:\eryvk.exe
2007-01-04 22:35 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49 5037072 --a------ C:\Program Files\spybotsd14.exe
2007-01-01 12:02 507 --a------ C:\WINDOWS\ereg077.dat
2006-12-25 16:33 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi
2006-12-19 16:51 142 --a------ C:\Program Files\Common Files\wuopry.html


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"aconti"=""
"PrinterSpool"=""
"hkgaqge"=""
"ShellApi"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"cwingllib"="C:\\WINDOWS\\system32\\atllsimm.exe"
"jmlcv4m"="C:\\WINDOWS\\System32\\sdmvdlxe.exe"
"TaskManager"="C:\\WINDOWS\\TaskMgr.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"
"cwingllib"="C:\\WINDOWS\\system32\\atllsimm.exe"
"jmlcv4m"="C:\\WINDOWS\\System32\\sdmvdlxe.exe"
"TaskManager"="C:\\WINDOWS\\TaskMgr.exe"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-03-10 13:27:32
C:\ComboFix2.txt ... 07-03-09 18:42
C:\ComboFix3.txt ... 07-03-08 20:08


End of posts, thanks
Old 03-10-2007, 06:55 PM   #36 (permalink)
Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


I did check the AVG logs and there are still trojan horse files showing up in the virus vault with a date of yesterday. It appears they are still there somewhere. I appreciate your help with my mess.
Old 03-10-2007, 07:48 PM   #37 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,578
OS: WinXP and Vista


Hiya,

You're still quite infected and we have a lot to do. Your quick carrying out of instructions and replying are helping.

Please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

It is IMPORTANT that you don't miss a step & perform everything in the correct order/sequence.

***************************************************

Download the attached cul8.zip file to your desktop. Do not run it yet.

--------------------------------------------------------------------

Please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Use the up arrow key to highlight Safe Mode and press Enter.
5) Login with your usual account. Make sure to close any open browsers.

--------------------------------------------------------------------

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

Ultimate Cleaner
WeatherBug Browser Bar - powered by MyWebSearch
WhenU SaveNow


--------------------------------------------------------------------

Double click on the cul8.zip folder, then double click on the .reg file within. Click yes to allow it to merge into your registry.

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folders:

C:\Program Files\save
C:\Program Files\MyWebSearchWB
C:\Program Files\Ultimate Cleaner
C:\Program Files\vsadd-in
C:\VundoFix Backups


--------------------------------------------------------------------

Launch KillBox.exe & select the following options:
  • Delete on Reboot
  • All files (if available)
Use your mouse to select all the filenames highlighted in blue & then right-click & select Copy: **Note--they may not all fit at one time. If all do not show, please split the list and do not allow the reboot until you've entered the last of the files.

C:\WINDOWS\system32\atllsimm.exe
C:\WINDOWS\System32\sdmvdlxe.exe
C:\abcxz.exe
C:\cgpevf.exe
C:\doqic.exe
C:\efhh.exe
C:\egrxcf.exe
C:\ehh4.exe
C:\ghkv.exe
C:\hioxmh.exe
C:\jtcjyqpk.exe
C:\kvxxuykr.exe
C:\ngaobk.exe
C:\ntbtggkm.exe
C:\omhran.exe
C:\pjvatvux.exe
C:\qnbndeof.exe
C:\sdqmmkl.exe
C:\twjyq.exe
C:\whmiqq.exe
C:\WINDOWS\bgtrneiknkjnew.exe
C:\WINDOWS\bmeromknge.exe
C:\WINDOWS\bvjbjnce.exe
C:\WINDOWS\cab2.exe
C:\WINDOWS\dhinikjncew.exe
C:\WINDOWS\ertrtyt.exe
C:\WINDOWS\hgefefedsf.exe
C:\WINDOWS\hoinkndw.exe
C:\WINDOWS\hrefnkndefsd.exe
C:\WINDOWS\jhtfddsdsv.exe
C:\WINDOWS\njfekmfde.exe
C:\WINDOWS\nsicknjnfew.exe
C:\WINDOWS\nuinkmwdw.exe
C:\WINDOWS\system32\arbcakff.dll
C:\WINDOWS\system32\eraseme_40180.exe
C:\WINDOWS\system32\etlcsjcc.dll
C:\WINDOWS\system32\jjkmp.bak1
C:\WINDOWS\system32\jjkmp.bak2
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\porumnss.exe
C:\WINDOWS\system32\qtstv.bak1
C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qwinpoeb.exe
C:\WINDOWS\system32\rtstv.bak1
C:\WINDOWS\system32\rtstv.bak2
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\TaskMgr.exe
C:\WINDOWS\tojndkedewf.exe
C:\WINDOWS\vguwbjce.exe
C:\WINDOWS\wmnkfnjnb.exe
C:\wuvhs.exe


* Go to the File menu, and choose Paste from Clipboard
* Click the RED X button.
* KillBox will alert you the files will be deleted on next reboot, click Yes
* When asked to Reboot, select Yes

Click OK at any PendingFileRenameOperations prompt, and let us know if you receive this message.

Also, if the computer does not restart automatically, please restart it manually.

--------------------------------------------------------------------

**Important** Before you spend any more time online, your Java is out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older version Java components and update.

Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6-windowsi586-p.exe to install the newest version.
--------------------------------------------------------------------

Once you've updated the Sun Java...

Try again to perform the online scan at Panda. Please scroll up for the link and instructions given previously for the online scan.

Be sure to save the report.

--------------------------------------------------------------------

Delete your current ComboScan.exe and download the updated version:

Download ComboScan to your Desktop. Note: You must be logged onto an account with administrator privileges.
  1. Close all applications and windows.
  2. Double-click on comboscan.exe to run it, and follow the prompts.
  3. When the scan is complete, two text files will open: ComboScan.txt (this one will be maximized) and Supplementary.txt (this one will be minimized).
  4. Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt in your thread in the HijackThis Log Help Forum.
  5. Please attach Supplementary.txt to your post.
To attach a file to a new post, simply
  1. Click the [Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
  2. copy and paste the following into the "Upload File from your Computer" box:
    C:\ComboScanSupplementary.txt
  3. Click Upload.
--------------------------------------------------------------------

Please include the following in your next reply:

Panda results
C:\ComboScan.txt
an attached Supplementary.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."

Last edited by Ried; 04-19-2007 at 11:28 PM.
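As an added example (not a tool from this thread, and not part of HijackThis or ComboScan), a small Python triage script over HijackThis-style log lines of the kind posted in this thread. It flags the patterns a helper reads for by eye: O4 Run entries with random-looking names in a Windows directory, bare filenames or Temp-folder paths, O20 Winlogon Notify DLLs and O23 services whose file is missing or whose owner is unknown, and a start page redirected to a local file. The sample log, the allowlist and the name-length threshold are constructed assumptions; the output is a list of entries to review, not a verdict.

```python
"""Triage helper for HijackThis-style log lines (O4, O20, O23, R0/R1 entries).

Added example, not a tool from this thread. The rules are heuristics a helper
applies when reading such a log; they flag entries for review only.
"""
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    section: str
    reason: str


# Seven to nine lowercase letters and no digits: the shape of the generated
# names seen in this thread (ebacdlso.dll, qwinpoeb.exe, byxyvwv.dll).
RANDOM_STEM = re.compile(r"^[a-z]{7,9}$")
# Directories where a random-looking stem is most suspicious (assumption).
WINDOWS_DIRS = {"c:\\windows", "c:\\windows\\system32"}
# Illustrative allowlist of legitimate short Windows binaries (assumption,
# not an authoritative list).
KNOWN_GOOD = {"rundll32", "explorer", "ctfmon", "userinit"}

RUN_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")
SVC_RE = re.compile(r"^O23 - Service: (?P<display>.+?) - (?P<owner>.+?) - (?P<path>.*)$")
PAGE_RE = re.compile(r"^R[01] - .*,(?P<setting>Start Page|Default_Page_URL|Local Page) = (?P<url>.*)$")

# Constructed sample modelled on entries posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\ebacdlso.dll",setvm
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinpoeb.exe SKY001
O4 - HKLM\..\Run: [lmjvservc] fxsugwhh.exe
O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\Duane\LOCALS~1\Temp\162015.exe "
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/secure32.html
""".strip()


def _files(cmd: str) -> List[str]:
    """Return the .exe/.dll tokens of a Run command, quotes and ',export' suffixes removed."""
    out = []
    for tok in re.findall(r'"[^"]*"|\S+', cmd):
        tok = tok.strip('" ,')
        if re.search(r"\.(exe|dll)$", tok, re.I):
            out.append(tok)
    return out


def check_run(cmd: str) -> List[str]:
    reasons = []
    for f in _files(cmd):
        parent, _, base = f.rpartition("\\")
        stem = base.rsplit(".", 1)[0].lower()
        if not parent and stem not in KNOWN_GOOD:
            reasons.append(f"bare filename resolved via PATH: {base}")
        if "\\temp\\" in f.lower():
            reasons.append(f"autostart from a Temp folder: {f}")
        if parent.lower() in WINDOWS_DIRS and RANDOM_STEM.match(stem) and stem not in KNOWN_GOOD:
            reasons.append(f"random-looking name in a Windows directory: {f}")
    return reasons


def check_notify(target: str) -> List[str]:
    reasons = []
    if "(file missing)" in target:
        reasons.append("Winlogon Notify DLL is missing on disk")
    if "\\" not in target:
        reasons.append("Winlogon Notify DLL given without a path")
    return reasons


def check_service(display: str, owner: str, path: str) -> List[str]:
    reasons = []
    if owner == "Unknown owner":
        reasons.append("service has no vendor")
        if display.lower().startswith(("microsoft", "windows")):
            reasons.append("unowned service named like a Microsoft component")
    if "(file missing)" in path:
        reasons.append("service binary is missing on disk")
    return reasons


def check_page(url: str) -> List[str]:
    if url.lower().startswith("file:"):
        return ["start page redirected to a local file"]
    return []


def triage(log_text: str) -> List[Finding]:
    """Run every rule over the log and return one Finding per reason, with its line number."""
    findings: List[Finding] = []
    for n, line in enumerate(log_text.splitlines(), 1):
        line = line.strip()
        if m := RUN_RE.match(line):
            reasons, section = check_run(m["cmd"]), "O4"
        elif m := NOTIFY_RE.match(line):
            reasons, section = check_notify(m["target"]), "O20"
        elif m := SVC_RE.match(line):
            reasons, section = check_service(m["display"], m["owner"], m["path"]), "O23"
        elif m := PAGE_RE.match(line):
            reasons, section = check_page(m["url"]), "R0/R1"
        else:
            continue
        findings.extend(Finding(n, section, r) for r in reasons)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"line {f.line_no:2} [{f.section}] {f.reason}")
```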
Old 03-11-2007, 11:32 AM   #38 (permalink)
cul8rman
Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Greetings,

I try to implement suggestions and reply asap since I know the sooner I get back to you the fresher this issue is in your mind. I am also trying to get this computer back up so the kids can do some online gaming (Runescape) with it. I think one of the kids' friends came by and clicked on a popup "Your system is infected - Do you want to install?" They keep asking if this PC is ready and I tell them no, they need to be patient. They all know now that you NEVER click on a pop up offering to clean up your computer.

Notes from last directions to follow. Your direction is one color, issue is another.

Uninstall the following via the Add/Remove Panel (Start->(Settings)->Control Panel->Add/Remove Programs)

Ultimate Cleaner
WeatherBug Browser Bar - powered by MyWebSearch

*** Error Loading
C:\progr~1\mywebs~1\bar\1.bin\w6bar.dll

The Specified module could not be found. ****

WhenU SaveNow *(Removed)*

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Folders:

C:\Program Files\save
*** Not present ***
C:\Program Files\MyWebSearchWB
*** Not present ***
C:\Program Files\Ultimate Cleaner
C:\Program Files\vsadd-in
C:\VundoFix Backups

--------------------------------------------------------------------

Launch KillBox.exe & select the following options:

* Delete on Reboot
* All files (if available)

C:\WINDOWS\system32\atllsimm.exe

*** not found ***
C:\WINDOW
*** not found ***
C:\abcxz.exe
C:\cgpevf.exe
C:\doqic.exe
C:\efhh.exe
|
\/
C:\WINDOWS\system32\winpfz32.sys
C:\WINDOWS\TaskMgr.exe
*** not found ***
C:\WINDOWS\tojndkedewf.exe
*** not found ***
C:\WINDOWS\vguwbjce.exe
C:\WINDOWS\wmnkfnjnb.exe
C:\wuvhs.exe


--------------------------------

Updating Java:
* It was not happy with SP1, but did load *
----------------------------------
Once you've updated the Sun Java...

Try again to perform the online scan at Panda. Please scroll up for
the link and instructions given previously for the online scan.

***** Browser not supported *****
I can not open IE and will wait for you to tell me when to reload it

Be sure to save the report.

-------------------------------
Please include the following in your next reply:

Panda results

C:\ComboScan.txt
an attached Supplementary.txt

ComboScan v20070306.20 run by Duane on 2007-03-11 at 09:47:54
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created ComboScan Restore Point.


-- Last 5 Restore Point(s) --
85: 2007-03-11 16:47:58 UTC - RP302 - ComboScan Restore Point
84: 2007-03-11 02:38:15 UTC - RP301 - System Checkpoint
83: 2007-03-10 02:18:38 UTC - RP300 - System Checkpoint
82: 2007-03-09 01:25:39 UTC - RP299 - System Checkpoint
81: 2007-03-06 05:44:52 UTC - RP298 - System Checkpoint


-- First Restore Point --
1: 2006-12-18 12:57:08 UTC - RP218 - System Checkpoint


Performed disk cleanup.


-- HijackThis (run as Duane.exe) -----------------------------------------------

Logfile of HijackThis v1.99.1
Scan saved at 9:48:08 AM, on 3/11/2007
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Picasa2\PicasaMediaDetector.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\BigFix\BigFix.exe
C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Documents and Settings\Duane\Desktop\comboscan.exe
C:\PROGRA~1\HIJACK~1\Duane.exe

R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.emachines.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\ycomp5_3_16_0.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [Ulead AutoDetector] C:\Program Files\Ulead Systems\Ulead Photo Explorer 8.0 SE Basic\Monitor.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HP Software Update] "C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [OFFICEKB] C:\Program Files\Micro Innovations\Keyboard\kbdap32a.EXE
O4 - HKLM\..\Run: [FLMOFFICE4DMOUSE] C:\Program Files\Micro Innovations\Mouse\mouse32a.exe
O4 - HKLM\..\Run: [PC Pitstop Optimize Scheduler] C:\Program Files\PCPitstop\Optimize\PCPOptimize.exe -boot
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0\bin\jusched.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: BigFix.lnk = C:\Program Files\BigFix\BigFix.exe
O4 - Global Startup: Ulead Photo Express 4.0 SE Calendar Checker .lnk = C:\Program Files\Ulead Systems\Ulead Photo Express 4.0 SE\CalCheck.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: &Translate English Word - res://c:\program files\google\GoogleToolbar1.dll/cmwordtrans.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate Page into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\npjpi160.dll
O9 - Extra button: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://www.emachines.com
O16 - DPF: Video Poker - http://download.games.yahoo.com/game...s/y/vpt0_x.cab
O16 - DPF: Yahoo! Backgammon - http://download.games.yahoo.com/game...ts/y/at1_x.cab
O16 - DPF: Yahoo! Bingo - http://download.games.yahoo.com/game...ts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.games.yahoo.com/game...ts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.games.yahoo.com/game...ts/y/kt4_x.cab
O16 - DPF: Yahoo! Chess - http://download.games.yahoo.com/game...ts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.games.yahoo.com/game...ts/y/it1_x.cab
O16 - DPF: Yahoo! Dice - http://download.games.yahoo.com/game...s/y/dct4_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.games.yahoo.com/game...ts/y/zt3_x.cab
O16 - DPF: Yahoo! Klondike Solitaire - http://presence.games.yahoo.com/yog/y/ks12_x.cab
O16 - DPF: Yahoo! Poker - http://download.games.yahoo.com/game...ts/y/pt3_x.cab
O16 - DPF: Yahoo! Pyramids - http://download.games.yahoo.com/game...s/y/pyt1_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://support.cox.com/sdccommon/download/tgctlcm.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {4620BC29-8B8E-4F4E-9D92-1DB6633D6793} (SurferNETWORK Plugin) - http://rd1.surfernetwork.com/surferplugin.ocx
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/14939218...p/RdxIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://maricopa.gov/assessor/gis/plugin/mgaxctrl.cab
O16 - DPF: {7FE26BE2-B923-4B41-9834-E84DA1CC1F96} (Maid Control) - http://vsp.closetmaid.com/vsp/cmaidc...downloader.cab
O16 - DPF: {CC05BC12-2AA2-4AC7-AC81-0E40F83B1ADF} (Live365Player Class) - http://www.live365.com/players/play365.cab
O16 - DPF: {D77EF652-9A6B-40C8-A4B9-1C0697C6CF41} (TikGames Online Control) - http://download.games.yahoo.com/game.../gpcontrol.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.games.yahoo.com/game...ploader_v6.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe


-- HijackThis Fixed Entries (C:\PROGRA~1\HIJACK~1\backups\) --------------------

backup-20070216-054427-128 O4 - HKLM\..\Run: [kdmmcvs] C:\WINDOWS\System32\gmonstml.exe
backup-20070216-054427-175 O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\System32\cstatvmq.exe
backup-20070216-054427-288 O4 - HKCU\..\Run: [jmlcv4m] C:\WINDOWS\System32\mgcplwin.exe
backup-20070216-054427-352 O4 - HKCU\..\Run: [ymmsddlop] C:\WINDOWS\system32\vssmnptc.exe
backup-20070216-054427-370 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\iiydacla.dll",setvm
backup-20070216-054427-399 R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20070216-054427-431 O4 - HKLM\..\Run: [Error Nuker] C:\Program Files\Error Nuker\bin\ErrorNuker.exe autostart
backup-20070216-054427-438 O4 - HKLM\..\Run: [lmjvservc] fxsugwhh.exe
backup-20070216-054427-566 O4 - HKLM\..\Run: [{7B-BE-E8-8B-ZN}] C:\windows\system32\nodsregj.exe SKY001
backup-20070216-054427-608 R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
backup-20070216-054427-619 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///c:/secure32.html
backup-20070216-054427-624 O4 - HKCU\..\Run: [WinInit] "C:\DOCUME~1\Duane\LOCALS~1\Temp\162015.exe "
backup-20070216-054427-645 O4 - HKCU\..\Run: [cwingllib] C:\WINDOWS\system32\atllsimm.exe
backup-20070216-054427-684 O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\qwinpoeb.exe SKY001
backup-20070216-054427-698 O4 - HKLM\..\Run: [ijciiqc.dll] C:\WINDOWS\System32\rundll32.exe C:\WINDOWS\System32\ijciiqc.dll,okbblr
backup-20070216-054427-702 R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
backup-20070216-054427-794 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = about:blank
backup-20070216-054427-897 O4 - HKLM\..\Run: [AutoSys] C:\WINDOWS\System32\autosys.exe
backup-20070216-054427-929 O4 - HKCU\..\Run: [mdwinllm3] C:\WINDOWS\System32\sscmsslv.exe
backup-20070216-054428-100 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070216-054428-254 O4 - HKCU\..\Run: [ncsmmlg] C:\WINDOWS\System32\ctlmems.exe
backup-20070216-054428-293 O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbar...p=ZUxdm080YYUS
backup-20070216-054428-361 O4 - HKCU\..\Run: [csmhtop] C:\WINDOWS\System32\sdmmlmn.exe
backup-20070216-054428-368 O4 - HKCU\..\Run: [kdmmcvs] C:\WINDOWS\System32\gmonstml.exe
backup-20070216-054428-388 O23 - Service: WINS Client (RpcPatch) - Unknown owner - C:\WINDOWS\System32\wins\DLLHOST.EXE (file missing)
backup-20070216-054428-416 O23 - Service: Network Connections Sharing (RpcTftpd) - Unknown owner - C:\WINDOWS\System32\wins\svchost.exe (file missing)
backup-20070216-054428-503 O4 - HKCU\..\Run: [lsmdwinr] C:\WINDOWS\System32\vstldmem.exe
backup-20070216-054428-517 O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/mini...ansporter.cab?
backup-20070216-054428-621 O4 - HKCU\..\Run: [winksddm] C:\WINDOWS\System32\jvmmods.exe
backup-20070216-054428-670 O4 - HKCU\..\Run: [lvcdmsys] C:\WINDOWS\System32\dbbsrcc.exe
backup-20070216-054428-692 O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
backup-20070216-054428-782 O4 - HKCU\..\Run: [ddsysmns] C:\WINDOWS\System32\scmdcon.exe
backup-20070216-054428-923 O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\System32\cstatvmq.exe
backup-20070216-054428-976 O23 - Service: Microsoft authenticate service (MsaSvc) - Unknown owner - C:\WINDOWS\System32\msasvc.exe (file missing)
backup-20070216-054428-981 O4 - HKCU\..\Run: [gdxapimn] C:\WINDOWS\System32\jgdepgc.exe
backup-20070217-094852-237 O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~2\bar\1.bin\mwsoemon.exe
backup-20070217-094852-412 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-094852-445 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070217-094852-538 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\vpgvkoua.dll",setvm
backup-20070217-095341-714 O23 - Service: TCP and UDP Supp0rt - Unknown owner - C:\WINDOWS\System32\tccpip.exe (file missing)
backup-20070217-095341-913 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070217-095504-553 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070217-095630-934 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-095814-485 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-095845-703 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\etlcsjcc.dll",setvm
backup-20070217-105355-336 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-105355-357 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070217-110354-366 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070217-114409-294 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070217-114545-903 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070217-114616-441 O4 - HKLM\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070220-231401-253 O4 - Global Startup: .protected
backup-20070220-231401-880 O4 - Startup: .protected
backup-20070220-231401-900 O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070220-231411-468 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070220-231411-583 O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
backup-20070220-231440-277 O4 - Startup: .protected
backup-20070220-231440-539 O4 - Global Startup: .protected
backup-20070221-190232-390 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070221-190232-606 O4 - Global Startup: .protected
backup-20070221-190232-680 O4 - Startup: .protected
backup-20070221-190232-900 O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
backup-20070221-190517-258 O23 - Service: Windows Host Services (DLLHOST32) - Unknown owner - C:\WINDOWS\system\dllhost.exe (file missing)
backup-20070221-190517-645 O23 - Service: Microsoft Apache for Windows (Windows Apache Service) - Unknown owner - C:\WINDOWS\wpablin.exe (file missing)
backup-20070221-190939-975 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - C:\Program Files\DeluxeCommunications\DxcBho.dll
backup-20070223-224512-185 O16 - DPF: {15589FA1-C456-11CE-BF01-000000000000} - http://www.errornuker.com/products/e...rInstaller.exe
backup-20070223-224512-192 O4 - Global Startup: .protected
backup-20070223-224512-482 O4 - HKLM\..\Run: [nvcdllx] C:\WINDOWS\System32\cstatvmq.exe
backup-20070223-224512-515 R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
backup-20070223-224512-523 O4 - Startup: .protected
backup-20070223-224512-588 O4 - HKCU\..\Run: [kdmmcvs] C:\WINDOWS\System32\gmonstml.exe
backup-20070223-224512-766 O4 - HKLM\..\Run: [kdmmcvs] C:\WINDOWS\System32\gmonstml.exe
backup-20070223-224512-839 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\lpuotxaf.dll",setvm
backup-20070223-224512-855 O4 - HKCU\..\Run: [nvcdllx] C:\WINDOWS\System32\cstatvmq.exe
backup-20070223-224856-783 O4 - Startup: .protected
backup-20070223-224856-791 O4 - Global Startup: .protected
backup-20070223-225649-352 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\arbcakff.dll",setvm
backup-20070223-230505-157 O4 - Global Startup: .protected
backup-20070223-230505-646 O4 - Startup: .protected
backup-20070223-230834-571 O4 - Startup: .protected
backup-20070223-230834-966 O4 - Global Startup: .protected
backup-20070224-121833-356 O4 - Startup: .protected
backup-20070224-121834-543 O4 - Global Startup: .protected
backup-20070228-200450-511 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\ebacdlso.dll",setvm
backup-20070301-200021-179 O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - C:\Program Files\Common Files\sagu292.dll (file missing)
backup-20070301-200021-201 O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - C:\WINDOWS\System32\pmkjj.dll (file missing)
backup-20070301-200021-208 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\kxrwuojr.dll",setvm
backup-20070301-200021-574 O2 - BHO: (no name) - {C3581462-AD4C-43AF-A8A7-AFEFEBA11B44} - C:\WINDOWS\system32\byxwttt.dll
backup-20070301-200021-742 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20070301-200021-877 O20 - Winlogon Notify: byxyvwv - byxyvwv.dll (file missing)
backup-20070301-200021-920 O2 - BHO: (no name) - {E03C740E-BB24-4d3c-B92A-6F84DE1DD99C} - C:\WINDOWS\System32\xbiehfer.dll (file missing)
backup-20070301-200021-993 O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - C:\WINDOWS\System32\ceamvdb.dll (file missing)
backup-20070301-200022-224 O20 - Winlogon Notify: szr_dll - C:\WINDOWS\szr_dll.dll
backup-20070308-230025-273 O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
backup-20070308-230025-385 O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\
backup-20070308-230025-425 O4 - HKLM\..\Run: [DllRunning] rundll32.exe "C:\WINDOWS\System32\uejowmvf.dll",setvm
backup-20070308-230025-533 O2 - BHO: 0 - {A87A5C44-882B-42BC-27A5-06511D2BA675} - (no file)
backup-20070308-230025-624 O20 - Winlogon Notify: awvtq - C:\WINDOWS\System32\awvtq.dll (file missing)
backup-20070308-230025-627 O4 - HKLM\..\Run: [DSS] C:\WINDOWS\BBSTORE\DSS\DSSAGENT.EXE
backup-20070308-230025-753 O2 - BHO: (no name) - {37EB498E-7800-A96A-AED9-045FF6ECB283} - (no file)
backup-20070308-230025-774 O2 - BHO: (no name) - {067BE456-B710-4015-84FF-E09B52ACE092} - (no file)
backup-20070308-230025-928 O2 - BHO: (no name) - {DEB17D59-1D80-4627-AA07-E01BB37A8399} - C:\WINDOWS\System32\awvtq.dll (file missing)

-- File Associations -----------------------------------------------------------

.bat - batfile - "%1" %*
.chm - chm.file - "C:\WINDOWS\hh.exe" %1
.cmd - cmdfile - "%1" %*
.com - comfile - "%1" %*
.exe - exefile - "%1" %*
.hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
.inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
.ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
.js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
.lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
.pif - piffile - "%1" %*
.reg - regfile - regedit.exe "%1"
.scr - scrfile - "%1" /S
.txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
.vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

3R ALCXWDM (Service for Realtek AC97 Audio (WDM)) - C:\WINDOWS\system32\drivers\ALCXWDM.SYS
1R AVG Anti-Spyware Driver - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys
1R Avg7Core (AVG7 Kernel) - C:\WINDOWS\system32\drivers\avg7core.sys
1R Avg7RsW (AVG7 Wrap Driver) - C:\WINDOWS\system32\drivers\avg7rsw.sys
1R Avg7RsXP (AVG7 Resident Driver XP) - C:\WINDOWS\system32\drivers\avg7rsxp.sys
1R AvgAsCln (AVG Anti-Spyware Clean Driver) - C:\WINDOWS\system32\drivers\AvgAsCln.sys
1R AvgClean (AVG7 Clean Driver) - C:\WINDOWS\system32\drivers\avgclean.sys
2R AvgTdi (AVG Network Redirector) - C:\WINDOWS\system32\drivers\avgtdi.sys
1R BANTExt (Belarc SMBios Access) - C:\WINDOWS\system32\drivers\BANTExt.sys
2S Ca536av (DV 4100M(Video)) - C:\WINDOWS\system32\drivers\Ca536av.sys
3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\ccdecode.sys
2S DILUSBCamera (Agfa ePhoto CL18 Camera Stream Driver) - C:\WINDOWS\system32\drivers\stream18.sys
0R drvmcdb - C:\WINDOWS\system32\drivers\drvmcdb.sys
3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
3S HidUsb (Microsoft HID Class Driver) - C:\WINDOWS\system32\drivers\hidusb.sys
3R HSFHWBS2 - C:\WINDOWS\system32\drivers\HSFHWBS2.sys
3R HSF_DP - C:\WINDOWS\system32\drivers\HSF_DP.sys
3R ialm - C:\WINDOWS\system32\drivers\ialmnt5.sys
2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
3S mouhid (Mouse HID Driver) - C:\WINDOWS\system32\drivers\mouhid.sys
3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\mstee.sys
3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\nabtsfec.sys
3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\ndisip.sys
2S ntio256 (Input and output operations) - C:\WINDOWS\System32\ntio256.sys (not found)
3R pcouffin (VSO Software pcouffin) - C:\WINDOWS\system32\drivers\pcouffin.sys
0R PxHelp20 - C:\WINDOWS\system32\drivers\pxhelp20.sys
3R rtl8139 (Realtek RTL8139/810X Family PCI Fast Ethernet NIC NT Driver) - C:\WINDOWS\system32\drivers\RTL8139.sys
3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\slip.sys
3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\streamip.sys
0R Teefer (Teefer for NT) - C:\WINDOWS\system32\drivers\Teefer.sys
3S usbaudio (USB Audio Driver (WDM)) - C:\WINDOWS\system32\drivers\USBAUDIO.sys
3S USBCamera (DV 4100M(Still)) - C:\WINDOWS\system32\drivers\Bulk536.sys
3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
3S usbprint (Microsoft USB PRINTER Class) - C:\WINDOWS\system32\drivers\usbprint.sys
3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
3R wanatw (WAN Miniport (ATW)) - C:\WINDOWS\system32\drivers\wanatw4.sys
2S wg3n (SyGate for NT, wg3n) - C:\WINDOWS\system32\drivers\wg3n.sys
2S wg4n (SyGate for NT, wg4n) - C:\WINDOWS\system32\drivers\wg4n.sys
2S wg5n (SyGate for NT, wg5n) - C:\WINDOWS\system32\drivers\wg5n.sys
2R wg6n (SyGate for NT, wg6n) - C:\WINDOWS\system32\drivers\wg6n.sys
3R winachsf - C:\WINDOWS\system32\drivers\HSF_CNXT.sys
1R wpsdrvnt - C:\WINDOWS\system32\drivers\wpsdrvnt.sys
3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\wstcodec.sys
3R {6080A529-897E-4629-A488-ABA0C29B635E} (Intel(R) Graphics Platform (SoftBIOS) Driver) - C:\WINDOWS\system32\drivers\ialmsbw.sys
3R {D31A0762-0CEB-444e-ACFF-B049A1F6FE91} (Intel(R) Graphics Chipset (KCH) Driver) - C:\WINDOWS\system32\drivers\ialmkchw.sys


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

2R AVG Anti-Spyware Guard - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
2R Avg7Alrt (AVG7 Alert Manager Server) - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
2R Avg7UpdSvc (AVG7 Update Service) - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
2R AVGEMS (AVG E-mail Scanner) - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
3S gusvc (Google Updater Service) - "C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe"
3S IDriverT (InstallDriver Table Manager) - "C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe"
3R iPodService - C:\Program Files\iPod\bin\iPodService.exe
3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
3S SCardDrv (Smart Card Helper) - C:\WINDOWS\System32\SCardSvr.exe
2S SmcService (Sygate Personal Firewall) - C:\Program Files\Sygate\SPF\smc.exe
2S SymWSC (SymWMI Service) - "C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe"
2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\System32\wdfmgr.exe
2R uploadmgr (Upload Manager) - C:\WINDOWS\System32\svchost.exe -k netsvcs
2R WANMiniportService (WAN Miniport (ATW) Service) - "C:\WINDOWS\wanmpsvc.exe"


-- Files created between 2007-02-11 and 2007-03-11 -----------------------------

2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-11 09:25:11 0 d-------- C:\Program Files\Common Files\Java
2007-03-11 09:24:21 0 d-------- C:\Documents and Settings\Duane\Application Data\Sun
2007-03-10 16:40:58 62739 --a------ C:\WINDOWS\System32\setup_88038.exe<SETUP_~2.EXE>
2007-03-10 12:01:17 0 d-------- C:\avenger
2007-03-10 11:31:19 0 d-------- C:\Rustbfix
2007-03-10 11:10:24 62739 --a------ C:\WINDOWS\System32\setup_50418.exe<SETUP_~1.EXE>
2007-03-09 18:42:41 639 --a------ C:\Combo.bat
2007-03-08 19:56:44 0 d-------- C:\WINDOWS\ERDNT
2007-03-08 19:33:08 49152 --a------ C:\Documents and Settings\Duane\vfind.exe
2007-03-08 19:33:08 79360 --a------ C:\Documents and Settings\Duane\swxcacls.exe
2007-03-08 19:33:08 123904 --a------ C:\Documents and Settings\Duane\swsc.exe
2007-03-08 19:33:08 140800 --a------ C:\Documents and Settings\Duane\swreg.exe
2007-03-08 19:33:08 8192 --a------ C:\Documents and Settings\Duane\RestartIt.exe<RESTAR~1.EXE>
2007-03-08 19:33:08 6914 --a------ C:\Documents and Settings\Duane\Qoo.bat
2007-03-08 19:33:08 971 --a------ C:\Documents and Settings\Duane\Purity.bat
2007-03-08 19:33:08 39184 --a------ C:\Documents and Settings\Duane\Ntrights.exe
2007-03-08 19:33:08 5074 --a------ C:\Documents and Settings\Duane\NTPBack.exe
2007-03-08 19:33:08 42887 --a------ C:\Documents and Settings\Duane\ntp.exe
2007-03-08 19:33:08 26112 --a------ C:\Documents and Settings\Duane\nircmd.exe
2007-03-08 19:33:08 38400 --a------ C:\Documents and Settings\Duane\moveex.exe
2007-03-08 19:33:08 2304 --a------ C:\Documents and Settings\Duane\Look2Me.bat
2007-03-08 19:33:08 117379 --a------ C:\Documents and Settings\Duane\LIST-C.bat
2007-03-08 19:33:08 181776 --a------ C:\Documents and Settings\Duane\handle.exe
2007-03-08 19:33:08 73728 --a------ C:\Documents and Settings\Duane\FDSV.EXE
2007-03-08 19:33:08 51200 --a------ C:\Documents and Settings\Duane\dumphive.exe
2007-03-08 19:33:08 319415 --a------ C:\Documents and Settings\Duane\Creg.reg
2007-03-08 19:33:08 28672 --a------ C:\Documents and Settings\Duane\catchme.exe
2007-02-28 19:24:14 0 d-------- C:\!KillBox
2007-02-24 21:33:14 53248 --a------ C:\WINDOWS\System32\Process.exe
2007-02-24 21:33:08 0 d-------- C:\SmitfraudFix<SMITFR~1>
2007-02-24 10:28:21 19392 --a------ C:\WINDOWS\System32\drivers\avgmfx86.sys
2007-02-24 10:28:21 3968 --a------ C:\WINDOWS\System32\drivers\avgclean.sys
2007-02-21 21:42:30 129 --a------ C:\fix.bat
2007-02-20 23:22:43 0 d-------- C:\Program Files\backups
2007-02-16 05:28:25 0 d-------- C:\Program Files\Hijack This<HIJACK~1>
2007-02-13 05:48:17 0 d-------- C:\Documents and Settings\Administrator\DoctorWeb<DOCTOR~1>
2007-02-12 21:43:49 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage<OFFICE~1>


-- Find3M Report ---------------------------------------------------------------

2007-03-11 09:47:11 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
2007-03-08 19:47:09 0 d-------- C:\Program Files\Common Files\Symantec Shared<SYMANT~1>
2007-02-25 10:48:59 0 d---s---- C:\Documents and Settings\Duane\Application Data\Microsoft<MICROS~1>
2007-02-24 22:08:44 3762 --a------ C:\WINDOWS\System32\tmp.reg
2007-02-24 10:40:37 0 d-------- C:\Documents and Settings\Duane\Application Data\AVG7
2007-02-24 10:28:12 0 d-------- C:\Program Files\Grisoft
2007-02-20 21:14:12 0 d-------- C:\Program Files\Shockwave.com<SHOCKW~1.COM>
2007-02-13 21:29:11 0 d-------- C:\Program Files\Common Files\Sandlot Shared<SANDLO~1>
2007-02-10 20:00:13 14201 --a------ C:\Program Files\hijackthis.log<HIJACK~1.LOG>
2007-01-28 22:13:42 0 d-------- C:\Program Files\LG Software Innovations<LGSOFT~1>
2007-01-28 22:05:20 0 d-------- C:\Program Files\CloneDVD
2007-01-28 21:28:17 14 --a------ C:\WINDOWS\System32\systeminfo3.dll<SYSTEM~1.DLL>
2007-01-28 21:26:56 0 d-------- C:\Documents and Settings\Duane\Application Data\Vso
2007-01-28 21:26:55 34 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.log
2007-01-28 21:26:41 47360 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.sys
2007-01-28 21:26:41 1144 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.inf
2007-01-28 21:26:41 7176 --a------ C:\Documents and Settings\Duane\Application Data\pcouffin.cat
2007-01-28 21:26:41 81920 --a------ C:\Documents and Settings\Duane\Application Data\ezpinst.exe
2007-01-27 08:15:32 0 d-------- C:\Program Files\Google
2007-01-21 15:19:32 0 d-------- C:\Documents and Settings\Duane\Application Data\Lavasoft
2007-01-21 15:19:15 0 d-------- C:\Program Files\Lavasoft
2007-01-21 15:08:15 14612 --a------ C:\Program Files\CWSHREDDER.EXE-2D092FD4.pf<CWSHRE~1.PF>
2007-01-21 15:03:52 532480 --a------ C:\Program Files\cwshredder.exe<CWSHRE~1.EXE>
2007-01-20 14:18:22 280 --a------ C:\Program Files\Common Files\sagu292
2007-01-16 09:44:09 0 d--h----- C:\Program Files\BHO Plugin<BHOPLU~1>
2007-01-15 11:29:34 44032 --a------ C:\loder.exe
2007-01-14 10:30:55 0 d-------- C:\Program Files\Sygate
2007-01-14 10:29:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard<WISEIN~1>
2007-01-13 21:34:35 0 d-------- C:\Documents and Settings\Duane\Application Data\Ultimate Cleaner<ULTIMA~1>
2007-01-12 22:03:29 22541 --a------ C:\WINDOWS\System32\byxwttt.dll
2007-01-12 18:19:57 0 --a------ C:\WINDOWS\System32\vb2en16.dll
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-11 16:34:25 0 --a------ C:\WINDOWS\System32\3718845C.exe
2007-01-11 16:34:01 53 --a------ C:\WINDOWS\nnqvcc.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\ps.dat
2007-01-07 18:21:40 1 --a------ C:\WINDOWS\System32\cookie.dat
2007-01-07 13:16:52 25600 --a------ C:\WINDOWS\System32\helper.dll
2007-01-05 00:17:53 11066 --a------ C:\eryvk.exe
2007-01-04 22:35:41 10660 --a------ C:\WINDOWS\mozver.dat
2007-01-03 20:49:11 5037072 --a------ C:\Program Files\spybotsd14.exe<SPYBOT~1.EXE>
2007-01-01 12:02:40 507 --a------ C:\WINDOWS\EReg077.dat
2006-12-25 16:33:11 23066 --a------ C:\Program Files\plainoldfavorites-0.5.6-fx-windows.xpi<PLAINO~1.XPI>
2006-12-19 16:51:14 142 --a------ C:\Program Files\Common Files\wuopry.html<WUOPRY~1.HTM>


-- Registry Dump ---------------------------------------------------------------


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"Microsoft Works Update Detection"="c:\\Program Files\\Microsoft Works\\WkDetect.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SSC_UserPrompt"="C:\\Program Files\\Common Files\\Symantec Shared\\Security Center\\UsrPrmpt.exe"
"Ulead AutoDetector"="C:\\Program Files\\Ulead Systems\\Ulead Photo Explorer 8.0 SE Basic\\Monitor.exe"
"HPDJ Taskbar Utility"="C:\\WINDOWS\\System32\\spool\\drivers\\w32x86\\3\\hpztsb10.exe"
"HP Component Manager"="\"C:\\Program Files\\HP\\hpcoretech\\hpcmpmgr.exe\""
"HP Software Update"="\"C:\\Program Files\\Hewlett-Packard\\HP Software Update\\HPWuSchd2.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"Picasa Media Detector"="C:\\Program Files\\Picasa2\\PicasaMediaDetector.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"OFFICEKB"="C:\\Program Files\\Micro Innovations\\Keyboard\\kbdap32a.EXE"
"FLMOFFICE4DMOUSE"="C:\\Program Files\\Micro Innovations\\Mouse\\mouse32a.exe"
"PC Pitstop Optimize Scheduler"="C:\\Program Files\\PCPitstop\\Optimize\\PCPOptimize.exe -boot"
"SmcService"="C:\\PROGRA~1\\Sygate\\SPF\\smc.exe -startgui"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0



-- End of ComboScan: finished at 2007-03-11 at 09:48:32 ------------------------
Attached Files
File Type: txt Supplementary.txt (14.0 KB, 1 views)
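As an added example (not from the thread and not ComboScan's own code), a small parser for the dated file lines in a log like the one above, feeding a shortlist for analyst review. The sample lines are copied from the posted log; the shortlist rules (executables placed directly in the drive root or the Windows directories, or zero-byte executables) are this example's own assumptions.

```python
"""Parse ComboScan-style lines '<date> <time> <size> <attrs> <path>[<SHORT~1>]' into a triage shortlist.
Added example, not part of the thread or of ComboScan; SAMPLE_LOG copies a few lines
from the posted log, and the shortlist rules are this example's own assumptions."""
import re
from dataclasses import dataclass
from datetime import datetime

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d+) (\S{9}) (.+?)(?:<[^>]+>)?$")

SAMPLE_LOG = r"""
-- Files created between 2007-02-11 and 2007-03-11 -----------------------------
2007-03-11 09:25:11 0 d-------- C:\Program Files\Java
2007-03-10 16:40:58 62739 --a------ C:\WINDOWS\System32\setup_88038.exe<SETUP_~2.EXE>
2007-02-24 10:28:21 19392 --a------ C:\WINDOWS\System32\drivers\avgmfx86.sys
-- Find3M Report ---------------------------------------------------------------
2007-01-15 11:29:34 44032 --a------ C:\loder.exe
2007-01-12 22:03:29 22541 --a------ C:\WINDOWS\System32\byxwttt.dll
2007-01-11 16:35:33 12800 --a------ C:\WINDOWS\System32\svchost.exe
2007-01-11 16:34:25 0 --a------ C:\WINDOWS\System32\3718845C.exe
2007-01-11 16:34:01 53 --a------ C:\WINDOWS\nnqvcc.dat
"""

@dataclass
class Entry:
    section: str    # header the line appeared under, e.g. "Find3M Report"
    created: datetime
    size: int
    attrs: str      # 'd--------' = directory, '--a------' = archive-bit file
    path: str       # long path; the <SHORT~1> 8.3 alias is dropped

def parse_log(text: str) -> list[Entry]:
    """Return one Entry per dated file line, tagged with its section header."""
    entries, section = [], ""
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("-- "):
            section = line[3:].split(" between")[0].rstrip(" -")
        elif (m := LINE_RE.match(line)):
            ts, size, attrs, path = m.groups()
            entries.append(Entry(section, datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(size), attrs, path))
    return entries

EXEC_EXT = (".exe", ".dll", ".sys", ".bat", ".scr")
WATCHED = ("c:\\", "c:\\windows\\", "c:\\windows\\system32\\")  # matched directly, not subfolders

def shortlist(entries: list[Entry]) -> list[str]:
    """Executables placed directly in a watched directory, or zero-byte executables anywhere.
    A review heuristic, not a verdict: legitimate System32 binaries land on it too."""
    return [e.path for e in entries
            if not e.attrs.startswith("d") and e.path.lower().endswith(EXEC_EXT)
            and (e.path.lower()[: e.path.rfind("\\") + 1] in WATCHED or e.size == 0)]
```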
Old 03-11-2007, 07:04 PM   #39 (permalink)
Assistant Manager, TSF Academy; Moderator/Analyst Security Team
Join Date: Jan 2005
Location: Ohio
Posts: 26,578
OS: WinXP and Vista


Well done that round.

Once again, please copy this page to Notepad and save to your desktop for reference as you will not have any browsers open while you are carrying out portions of these instructions.

Also be sure to carry out the instructions in the order given.

***************************************************

Open HJT. Click on Open the Misc Tools Section.
*Click on 'Open Uninstall Manager'
*Highlight (click on) WeatherBug Browser Bar - powered by MyWebSearch
*Click "Delete this entry"
Close HijackThis

--------------------------------------------------------------------

Using 'My Computer', navigate to and delete the following Files and Folders:

C:\Documents and Settings\Duane\Application Data\Ultimate Cleaner
C:\eryvk.exe
C:\loder.exe
C:\Program Files\BHO Plugin
C:\Program Files\Common Files\sagu292
C:\program files\mywebsearch
C:\WINDOWS\nnqvcc.dat
C:\WINDOWS\System32\byxwttt.dll


**If any of the above resist deletion, boot into Safe Mode and delete them.

--------------------------------------------------------------------

Reinstall your Internet Explorer. (*Note--sometimes this doesn't go so smoothly)

--------------------------------------------------------------------

Upload the following files (one at a time) to http://virusscan.jotti.org and report back what it found.

C:\WINDOWS\System32\3718845C.exe
C:\Program Files\Common Files\wuopry.html
C:\WINDOWS\System32\svchost.exe



At the top of the window you should see "File to Upload & scan" and a blank box. Copy and paste the red text from above into the box. (one at a time) Then click "submit".

When it is finished, please copy and paste the information listed under "Service" and "Scanner Results" here.

If the site is too busy, upload it here http://www.virustotal.com/en/indexf.html

--------------------------------------------------------------------

We still need an online scan to search for remnants. If you were not able to get Internet Explorer up and running, I'd like you to install the IE Tab add-on for Firefox. We can use that tab to perform an online scan.

https://addons.mozilla.org/firefox/1419/

Further instructions about how to use it can be found here.

Once you've gotten the IE tab installed in Firefox, run an online scan at Panda:

Make sure you've activated the IE Tab and perform this online scan using the IE Tab in Firefox at Panda ActiveScan
  1. Click on located at the bottom of the page.
  2. A "pop up" window will appear. * Please ensure that your pop up blocker doesn't block it *
  3. Enter your e-mail address, country, and state & click "Free Online Scan" *The download of the 8 MB Panda's ActiveX control will take place*
Begin the scan by selecting
  • If it finds any malware, it will offer you a report.
  • Please ignore any entry it finds and the offer to buy the program to remove the entry, as we will address this later.
  • Click on then click
* You needn't remain online while it's doing the scan but you have to re-connect after it has finished to see the report.
* Turn off the real time scanner of any existing antivirus program while performing the online scan


Post those results here in your next reply.

--------------------------------------------------------------------

Run ComboScan.exe

--------------------------------------------------------------------

Please include the following in your next reply:

jotti results
Panda results
New ComboScan.txt
__________________

Member of ASAP since 2005
Member of UNITE since 2006

"It is one life whether we spend it laughing or weeping." "Take the time to laugh--it is the music of the soul."
Old 03-11-2007, 11:56 PM   #40 (permalink)
Registered User
Join Date: Aug 2006
Location: Arizona
Posts: 134
OS: XP


Partial success. All was going well until the Panda section. I tried installing IE6 thinking that with SP1 that would be best. It wanted my XP Home CD to copy files off of but I can not find it. I tried proceeding through the install but it did not work due to having a newer version of XP installed. Can I delete and reinstall? I thought about it and figured I should get your advice first. I am currently running Panda ActiveScan (Firefox plug-in) but the window is about 1/4 the page without scroll bars on the edges. I am afraid I will not get to the save button with it looking like that.

Thanks
Copyright 2001 - 2009, Tech Support Forum