Hello Anthony 10,
Here is the new HijackThis scan log:
Logfile of HijackThis v1.99.1
Scan saved at 7:16:48 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Namz007\Desktop\VundoFix.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packar...i...&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...www.yahoo.co.uk
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {4A0345B4-9EB2-4F9D-A699-1B43667B2EE6} - (no file)
O2 - BHO: (no name) - {C336C4C3-7747-4F86-B610-B5876A5DA22A} - C:\WINDOWS\Config\spibn.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\dbtjfgwt.dll",setvm
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pldo] "C:\DOCUME~1\Namz007\APPLIC~1\STEM32~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168863327188
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
-----------------------------------------
Here is the report of ComboFix:
"Namz007" - 07-04-06 19:05:39 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Namz007\Desktop"
(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\uninstall_nmon.vbs
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\uni_e6h.exe
C:\Program Files\deluxecommunications
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Namz007
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\STEM32~1
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\STEM32~1\??stem32
((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
-------\SLService
-------\LEGACY_CMDSERVICE
-------\LEGACY_MCHINJDRV
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SLSERVICE
((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))
2007-04-06 18:51 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-04-06 17:53 <DIR> d-------- C:\VundoFix Backups
2007-04-06 04:11 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-04-06 04:11 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-04-06 04:11 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-04-06 02:56 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-04 22:44 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-04 20:28 <DIR> d-------- C:\WINDOWS\peernet
2007-04-04 20:27 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-04 20:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-04 19:57 <DIR> d-------- C:\WINDOWS\EHome
2007-04-04 11:36 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-04-04 11:36 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-04-04 11:36 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-04-04 11:36 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-04-04 11:36 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-04-04 11:35 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-04-04 11:35 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-04-04 11:35 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-04-04 11:35 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-04-04 11:35 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-04-04 11:35 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-04-04 11:35 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-04-04 11:35 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-04-04 11:35 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-04-04 11:35 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-04-04 11:35 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-04-04 11:35 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-04-04 11:35 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-04-04 10:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-04 10:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-04 03:04 <DIR> d-------- C:\DOCUME~1\Namz007\APPLIC~1\F-Secure
2007-04-04 02:40 <DIR> d-------- C:\Program Files\F-Secure
2007-04-04 02:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\fssg
2007-04-04 00:34 <DIR> d-------- C:\DOCUME~1\Namz007\Contacts
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-04-05 03:13 -------- d-------- C:\Program Files\messenger
2007-04-05 00:04 -------- d-------- C:\Program Files\msn messenger
2007-04-04 20:28 -------- d-------- C:\Program Files\movie maker
2007-04-04 20:22 -------- d-------- C:\Program Files\windows nt
2007-04-04 20:05 -------- d-------- C:\Program Files\hewlett-packard
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Pldo"="\"C:\\DOCUME~1\\Namz007\\APPLIC~1\\STEM32~1\\taskmgr.exe\" -vt yazb"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PRISMSVR.EXE"="\"C:\\WINDOWS\\System32\\PRISMSVR.EXE\" /APPLY"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\dbtjfgwt.dll\",setvm"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Basic Help.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BT Broadband Basic Help.lnk"
"backup"="C:\\WINDOWS\\pss\\BT Broadband Basic Help.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BTBROA~1\\bin\\matcli.exe -boot"
"item"="BT Broadband Basic Help"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Utility Tray.lnk"
"backup"="C:\\WINDOWS\\pss\\Utility Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\sistray.exe "
"item"="Utility Tray"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DATALA~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslstat"
"hkey"="HKLM"
"command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1143836107\\ee\\AOLHostManager.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TRAYAP~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PRISMSVR"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\PRISMSVR.EXE\" /APPLY"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\septpop06apsept]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="septpop06apsept"
"hkey"="HKLM"
"command"="C:\\program files\\popupwithcast\\septpop06apsept.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyhook"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\keyhook.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SiSUSBrg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SiSUSBrg.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StatusClient"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STOPzilla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="STOPzilla"
"hkey"="HKLM"
"command"="C:\\Program Files\\STOPzilla!\\STOPzilla.exe /autostart"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys09-52204217]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys09-52204217"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys09-52204217.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpbpsttp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trmf6af9]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w5c1f521.dll,n 004f6af5000000125c1f521"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ujonl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yueuky"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\yueuky.exe reg_run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wltray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\wltray.exe"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xmimkw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yueuky"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\yueuky.exe reg_run"
"inimapping"="0"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"DisableTaskMgr"=dword:00000000
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source REG_SZ C:\Program Files\WindowsUpdate\kyfevy.html
[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ C:\Program Files\Windows Media Player\hocysoku.html
[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"
HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberos msv1_0 schannel wdigest\
Notification Packages REG_MULTI_SZ scecli\
[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter WebClient LmHosts RemoteRegistry upnphost SSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
Usnsvc REG_MULTI_SZ usnsvc\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunch TermService\
Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Registration reminder 3.job
********************************************************************
catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net
scanning hidden processes ...
scanning hidden services ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0
********************************************************************
Completion time: 07-04-06 19:12:51
C:\ComboFix-quarantined-files.txt ... 07-04-06 19:12
---------------------------------------------------------------
Here are the contents of C:\vundofix.txt:
VundoFix V6.3.19
Checking Java version...
Sun Java not detected
Scan started at 5:53:46 PM 4/6/2007
Listing files found while scanning....
C:\WINDOWS\Config\nbips.bak1
C:\WINDOWS\Config\nbips.bak2
C:\WINDOWS\Config\nbips.ini
C:\WINDOWS\Config\nbips.ini2
C:\WINDOWS\Config\nbips.tmp
C:\WINDOWS\Config\spibn.dll
C:\WINDOWS\System32\hadxmouw.dll
C:\WINDOWS\System32\lxsyxcar.dll
C:\WINDOWS\System32\poxwnnal.dll
C:\WINDOWS\System32\rjqgmwod.dll
C:\WINDOWS\System32\rvwharcb.dll
C:\WINDOWS\System32\rytfqnew.dll
C:\WINDOWS\System32\vnrnkpxh.dll
Beginning removal...
Attempting to delete C:\WINDOWS\Config\nbips.bak1
C:\WINDOWS\Config\nbips.bak1 Has been deleted!
Attempting to delete C:\WINDOWS\Config\nbips.bak2
C:\WINDOWS\Config\nbips.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\Config\nbips.ini
C:\WINDOWS\Config\nbips.ini Has been deleted!
Attempting to delete C:\WINDOWS\Config\nbips.ini2
C:\WINDOWS\Config\nbips.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\Config\nbips.tmp
C:\WINDOWS\Config\nbips.tmp Has been deleted!
Attempting to delete C:\WINDOWS\Config\spibn.dll
C:\WINDOWS\Config\spibn.dll Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.3.19
Checking Java version...
Sun Java not detected
Scan started at 7:00:03 PM 4/6/2007
Listing files found while scanning....
----------------------------------------------
The contents of C:\Look2Me-Destroyer.txt:
Look2Me-Destroyer V1.0.12
Scanning for infected files.....
Scan started at 06/04/2007 17:33:09
Infected! C:\WINDOWS\system32\g0jo0a13ed.dll
Attempting to delete infected files...
Making registry repairs.
Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage
Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DE24FCD0-695C-47D6-871F-B697AADDDC35}"
HKCR\Clsid\{DE24FCD0-695C-47D6-871F-B697AADDDC35}
Restoring Windows certificates.
Replaced hosts file with default windows hosts file
Restoring SeDebugPrivilege for Administrators - Succeeded
Thank you!!!
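The HijackThis log above is the kind of thing a helper triages by eye: orphaned BHOs, a rundll32 entry loading a DLL with a pseudo-random name from system32, and a copy of taskmgr.exe starting from the user's Application Data folder. The script below is an added example, not part of this post and not HijackThis code; it parses the R/O lines of such a log and scores each autostart with a few heuristics. The sample lines are copied from the log above (two benign entries, Synaptics and WgaLogon, are included as controls); the rules, their weights, the list of system binary names and the profile-directory markers are the example's own assumptions.

```python
"""Heuristic triage of HijackThis autorun lines (R/O sections).

Added example, not part of the original post or of HijackThis itself. The
scoring rules and weights are assumptions that produce review candidates,
not verdicts; a human still has to resolve each finding.
"""
import re
from typing import List, NamedTuple, Optional

# Constructed sample: lines taken from the HijackThis log in the post,
# including two benign entries (Synaptics, WgaLogon) as controls.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {4A0345B4-9EB2-4F9D-A699-1B43667B2EE6} - (no file)
O2 - BHO: (no name) - {C336C4C3-7747-4F86-B610-B5876A5DA22A} - C:\WINDOWS\Config\spibn.dll (file missing)
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\dbtjfgwt.dll",setvm
O4 - HKCU\..\Run: [Pldo] "C:\DOCUME~1\Namz007\APPLIC~1\STEM32~1\taskmgr.exe" -vt yazb
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
"""


class Finding(NamedTuple):
    line: str
    score: int
    reasons: tuple


# HijackThis R/O lines: "O4 - HKLM\..\Run: [name] command"
SECTION_RE = re.compile(r"^[RO]\d+ - (?P<body>.*)$")
# First Windows path in the line that ends in an executable or library extension.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:exe|dll|sys|scr|cpl|ocx)\b', re.IGNORECASE)

# Assumed list: core Windows binary names that malware reuses outside system32.
SYSTEM_BINARIES = {"taskmgr.exe", "svchost.exe", "lsass.exe", "csrss.exe",
                   "winlogon.exe", "services.exe", "explorer.exe"}
# Assumed list: directory fragments (8.3 and long forms) where autostarts rarely belong.
PROFILE_MARKERS = ("\\docume~1\\", "\\documents and settings\\", "\\applic~1\\",
                   "\\application data\\", "\\local settings\\", "\\temp\\")
VOWELS = set("aeiouy")


def looks_random(stem: str) -> bool:
    """Assumed heuristic: 6-12 lowercase letters with almost no vowels."""
    if not re.fullmatch(r"[a-z]{6,12}", stem):
        return False
    return sum(c in VOWELS for c in stem) / len(stem) <= 0.2


def triage_line(line: str) -> Optional[Finding]:
    """Score one R/O line; return None when nothing fires."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    body_l = body.lower()
    reasons, score = [], 0

    if "(no file)" in body_l or "(file missing)" in body_l:
        reasons.append("orphaned entry: referenced file is absent")
        score += 1

    pm = PATH_RE.search(body)
    path_l = pm.group(0).lower() if pm else ""
    name = path_l.rsplit("\\", 1)[-1]
    stem = name.rsplit(".", 1)[0]

    if name in SYSTEM_BINARIES and not path_l.startswith("c:\\windows\\system32\\"):
        reasons.append("system binary name %s outside system32" % name)
        score += 3
    if any(mk in path_l for mk in PROFILE_MARKERS):
        reasons.append("runs from a user-profile or temp directory")
        score += 2
    if "rundll32" in body_l and path_l.endswith(".dll"):
        reasons.append("rundll32 loads a DLL by export name; verify the DLL")
        score += 2
    if path_l.startswith("c:\\windows\\") and looks_random(stem):
        reasons.append("pseudo-random file name '%s' under the Windows directory" % stem)
        score += 2

    return Finding(line.strip(), score, tuple(reasons)) if score else None


def triage(log_text: str) -> List[Finding]:
    """Score every R/O line and return the non-zero findings, highest score first."""
    findings = [f for f in map(triage_line, log_text.splitlines()) if f]
    return sorted(findings, key=lambda f: -f.score)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.score, f.line)
        for r in f.reasons:
            print("    -", r)
```

Run against the sample, the Pldo entry (taskmgr.exe under Application Data) and the rundll32/dbtjfgwt.dll entry rank at the top, while the Synaptics and WgaLogon controls produce no finding. The F-Secure BlackLight service line also scores highly (missing file, temp directory, vowel-free name) even though it is a leftover of a legitimate scanner run on 2007-04-04 according to the ComboFix report; that false positive is the point of the scoring: it orders candidates for a human, it does not decide for one.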