Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

NOD32 found Win32/Adware/Virtumonde.O application-pls help me get rid


  • Please log in to reply

#1
anoop1234

anoop1234

    Member

  • Member
  • PipPip
  • 25 posts
the file is C:\WINDOWS\Config\spibn.dll
the threat is Win32/Adware.Virtumonde.O application

I cant get rid of it. I'm not very computer techy but I have run hijack this...so here is my log. Please guide me to get rid of it. Thank you very much!

Logfile of HijackThis v1.99.1
Scan saved at 12:27:23 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Namz007\Desktop\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packar...i...&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...www.yahoo.co.uk
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {4727C74E-66CF-47FB-B0E4-9D5BCD0DB993} - C:\WINDOWS\Config\spibn.dll
O2 - BHO: (no name) - {4A0345B4-9EB2-4F9D-A699-1B43667B2EE6} - (no file)
O2 - BHO: (no name) - {57E218E6-5A80-4f0c-AB25-83598F25D7E9} - C:\WINDOWS\System32\rjqgmwod.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\dbtjfgwt.dll",setvm
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pldo] "C:\DOCUME~1\Namz007\APPLIC~1\STEM32~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O15 - Trusted Zone: *.adgate.info
O15 - Trusted Zone: *.adsextend.net
O15 - Trusted Zone: *.dollarrevenue.com
O15 - Trusted Zone: *.elitemediagroup.net
O15 - Trusted Zone: *.errorsafe.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.matcash.com
O15 - Trusted Zone: *.media-motor.com
O15 - Trusted Zone: *.mediatickets.net
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.snipernet.biz
O15 - Trusted Zone: *.systemdoctor.com
O15 - Trusted Zone: *.winantivirus.com
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.adgate.info (HKLM)
O15 - Trusted Zone: *.adsextend.net (HKLM)
O15 - Trusted Zone: *.dollarrevenue.com (HKLM)
O15 - Trusted Zone: *.elitemediagroup.net (HKLM)
O15 - Trusted Zone: *.errorsafe.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.matcash.com (HKLM)
O15 - Trusted Zone: *.media-motor.com (HKLM)
O15 - Trusted Zone: *.media-motor.net (HKLM)
O15 - Trusted Zone: *.mediatickets.net (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.snipernet.biz (HKLM)
O15 - Trusted Zone: *.systemdoctor.com (HKLM)
O15 - Trusted Zone: *.winantivirus.com (HKLM)
O15 - Trusted Zone: *.winfixer.com (HKLM)
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168863327188
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: spibn - C:\WINDOWS\Config\spibn.dll
O20 - Winlogon Notify: StillImage - C:\WINDOWS\system32\g0jo0a13ed.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: F-Secure BlackLight Sensor - F-Secure Corporation - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
  • 0

Advertisements


#2
Anthony10

Anthony10

    Member

  • Member
  • PipPipPip
  • 314 posts
Hi anoop1234,

I am currently working on your log under expert supervision and be back ASAP. Thanks.

Anthony.
  • 0

#3
Anthony10

Anthony10

    Member

  • Member
  • PipPipPip
  • 314 posts
Hi anoop1234,

Before you do anything else, please create a folder for HijackThis and put it in a permanent folder (like C:\HJT) instead of the Desktop. This is required because HijackThis will create backups and we don't want them to be deleted.

----------

Please download and run DELDOMAINS right click the link, and select Save Link/Target As) then double click to open the DelDomains.inf .To execute the file: right-click and Select 'Install' from the Menu. You may only see the desktop perhaps flicker when the fix makes the corrections.

(Note, if you use SpywareBlaster and/or IE/Spyads, it may be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/Spyads, run the batch file and reinstall the protection.)

----------

Please download Look2Me-Destroyer.exe to your Desktop.

Close all windows before continuing.
Double-click Look2Me-Destroyer.exe to run it.
Put a check next to Run this program as a task.
You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
Once it's done scanning, click the Remove L2M button.
You will receive a Done Scanning message, click OK.
When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
Your computer will then shutdown.
Turn your computer back on.

If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

---------

Please download VundoFix.exe to your Desktop.

- Double-click VundoFix.exe to run it.
- Click the Scan for Vundo button.
- Once it's done scanning, click the Remove Vundo button.
- You will receive a prompt asking if you want to remove the files, click YES
- Once you click yes, your desktop will go blank as it starts removing Vundo.
- When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

---------

Please download combofix.exe.

Double click combofix.exe & follow the prompts. A window will open with a warning. Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window.

A caution - do not touch your mouse/keyboard until the scan has completed. The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

---------------

Post a new HijackThis scan, the report of ComboFix, the contents of C:\vundofix.txt and the contents of C:\Look2Me-Destroyer.txt. You can use separate posts if needed.

Anthony.
  • 0

#4
anoop1234

anoop1234

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hello Anthony 10,

Here is the new HijackThis scan log:

Logfile of HijackThis v1.99.1
Scan saved at 7:16:48 PM, on 4/6/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Eset\nod32kui.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\slserv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Namz007\Desktop\VundoFix.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packar...i...&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...www.yahoo.co.uk
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {4A0345B4-9EB2-4F9D-A699-1B43667B2EE6} - (no file)
O2 - BHO: (no name) - {C336C4C3-7747-4F86-B610-B5876A5DA22A} - C:\WINDOWS\Config\spibn.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\dbtjfgwt.dll",setvm
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pldo] "C:\DOCUME~1\Namz007\APPLIC~1\STEM32~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168863327188
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe
-----------------------------------------
Here is the report of ComboFix:

"Namz007" - 07-04-06 19:05:39 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Namz007\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\uninstall_nmon.vbs
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\uni_e6h.exe
C:\Program Files\deluxecommunications
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Namz007
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\STEM32~1
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\STEM32~1\??stem32


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\SLService
-------\LEGACY_CMDSERVICE
-------\LEGACY_MCHINJDRV
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SLSERVICE


((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))


2007-04-06 18:51 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-04-06 17:53 <DIR> d-------- C:\VundoFix Backups
2007-04-06 04:11 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-04-06 04:11 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-04-06 04:11 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-04-06 02:56 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-04 22:44 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-04 20:28 <DIR> d-------- C:\WINDOWS\peernet
2007-04-04 20:27 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-04 20:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-04 19:57 <DIR> d-------- C:\WINDOWS\EHome
2007-04-04 11:36 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-04-04 11:36 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-04-04 11:36 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-04-04 11:36 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-04-04 11:36 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-04-04 11:35 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-04-04 11:35 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-04-04 11:35 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-04-04 11:35 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-04-04 11:35 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-04-04 11:35 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-04-04 11:35 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-04-04 11:35 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-04-04 11:35 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-04-04 11:35 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-04-04 11:35 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-04-04 11:35 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-04-04 11:35 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-04-04 10:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-04 10:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-04 03:04 <DIR> d-------- C:\DOCUME~1\Namz007\APPLIC~1\F-Secure
2007-04-04 02:40 <DIR> d-------- C:\Program Files\F-Secure
2007-04-04 02:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\fssg
2007-04-04 00:34 <DIR> d-------- C:\DOCUME~1\Namz007\Contacts


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-05 03:13 -------- d-------- C:\Program Files\messenger
2007-04-05 00:04 -------- d-------- C:\Program Files\msn messenger
2007-04-04 20:28 -------- d-------- C:\Program Files\movie maker
2007-04-04 20:22 -------- d-------- C:\Program Files\windows nt
2007-04-04 20:05 -------- d-------- C:\Program Files\hewlett-packard
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Pldo"="\"C:\\DOCUME~1\\Namz007\\APPLIC~1\\STEM32~1\\taskmgr.exe\" -vt yazb"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PRISMSVR.EXE"="\"C:\\WINDOWS\\System32\\PRISMSVR.EXE\" /APPLY"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\dbtjfgwt.dll\",setvm"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Basic Help.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BT Broadband Basic Help.lnk"
"backup"="C:\\WINDOWS\\pss\\BT Broadband Basic Help.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BTBROA~1\\bin\\matcli.exe -boot"
"item"="BT Broadband Basic Help"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Utility Tray.lnk"
"backup"="C:\\WINDOWS\\pss\\Utility Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\sistray.exe "
"item"="Utility Tray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DATALA~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslstat"
"hkey"="HKLM"
"command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1143836107\\ee\\AOLHostManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TRAYAP~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PRISMSVR"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\PRISMSVR.EXE\" /APPLY"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\septpop06apsept]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="septpop06apsept"
"hkey"="HKLM"
"command"="C:\\program files\\popupwithcast\\septpop06apsept.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyhook"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\keyhook.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SiSUSBrg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SiSUSBrg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StatusClient"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STOPzilla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="STOPzilla"
"hkey"="HKLM"
"command"="C:\\Program Files\\STOPzilla!\\STOPzilla.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys09-52204217]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys09-52204217"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys09-52204217.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpbpsttp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trmf6af9]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w5c1f521.dll,n 004f6af5000000125c1f521"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ujonl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yueuky"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\yueuky.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wltray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\wltray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xmimkw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yueuky"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\yueuky.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source REG_SZ C:\Program Files\WindowsUpdate\kyfevy.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ C:\Program Files\Windows Media Player\hocysoku.html

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
Usnsvc REG_MULTI_SZ usnsvc\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Registration reminder 3.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-06 19:12:51
C:\ComboFix-quarantined-files.txt ... 07-04-06 19:12
---------------------------------------------------------------

Here is the contents of C:\vundofix.txt:


VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 5:53:46 PM 4/6/2007

Listing files found while scanning....

C:\WINDOWS\Config\nbips.bak1
C:\WINDOWS\Config\nbips.bak2
C:\WINDOWS\Config\nbips.ini
C:\WINDOWS\Config\nbips.ini2
C:\WINDOWS\Config\nbips.tmp
C:\WINDOWS\Config\spibn.dll
C:\WINDOWS\System32\hadxmouw.dll
C:\WINDOWS\System32\lxsyxcar.dll
C:\WINDOWS\System32\poxwnnal.dll
C:\WINDOWS\System32\rjqgmwod.dll
C:\WINDOWS\System32\rvwharcb.dll
C:\WINDOWS\System32\rytfqnew.dll
C:\WINDOWS\System32\vnrnkpxh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\Config\nbips.bak1
C:\WINDOWS\Config\nbips.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\Config\nbips.bak2
C:\WINDOWS\Config\nbips.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\Config\nbips.ini
C:\WINDOWS\Config\nbips.ini Has been deleted!

Attempting to delete C:\WINDOWS\Config\nbips.ini2
C:\WINDOWS\Config\nbips.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\Config\nbips.tmp
C:\WINDOWS\Config\nbips.tmp Has been deleted!

Attempting to delete C:\WINDOWS\Config\spibn.dll
C:\WINDOWS\Config\spibn.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Sun Java not detected
Scan started at 7:00:03 PM 4/6/2007

Listing files found while scanning....
----------------------------------------------
The contents of C:\Look2Me-Destroyer.txt:


Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 06/04/2007 17:33:09

Infected! C:\WINDOWS\system32\g0jo0a13ed.dll

Attempting to delete infected files...

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\StillImage

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DE24FCD0-695C-47D6-871F-B697AADDDC35}"
HKCR\Clsid\{DE24FCD0-695C-47D6-871F-B697AADDDC35}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded


Thank you!!!
  • 0

#5
anoop1234

anoop1234

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hello Anthony 10,

AVG Internet Security found some more viruses (I think the same file as the vondu one so I'm not sure if it has been deleted). Please have a look at my log below:

Logfile of HijackThis v1.99.1
Scan saved at 2:24:07 PM, on 4/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packar...i...&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...www.yahoo.co.uk
R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O2 - BHO: (no name) - {4A0345B4-9EB2-4F9D-A699-1B43667B2EE6} - (no file)
O2 - BHO: (no name) - {C336C4C3-7747-4F86-B610-B5876A5DA22A} - C:\WINDOWS\Config\spibn.dll (file missing)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\dbtjfgwt.dll",setvm
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Pldo] "C:\DOCUME~1\Namz007\APPLIC~1\STEM32~1\taskmgr.exe" -vt yazb
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: 2WireSetup.lnk = C:\Program Files\2Wire\WebWorks.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\avgfwafu.dll
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168863327188
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: avgwlntf - C:\WINDOWS\SYSTEM32\avgwlntf.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG7 Resident Shield Service (AvgCoreSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgrssvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: AVG Firewall (AVGFwSrv) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgfwsrv.exe
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


Please let me know if I have any other malware that needs to be deleted. My laptop is going very slow and loads very slowly. Thank you very much!!
  • 0

#6
Anthony10

Anthony10

    Member

  • Member
  • PipPipPip
  • 314 posts
Hi anoop1234,

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Anthony.
  • 0

#7
anoop1234

anoop1234

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
2Wire Wireless Client
Adobe Reader 6.0
Adobe Shockwave Player
AOL Instant Messenger
ArcSoft PhotoImpression
ArcSoft VideoImpression 1.6
AVG 7.5
Belkin Wireless Utility
Hesperian Wars
HijackThis 1.99.1
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Macromedia Flash Player 8
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Premium
Microsoft Word 2002
Mozilla Firefox (1.5.0.11)
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
Nokia Connectivity Cable Driver
Nokia PC Suite
PB-WC100 USB Camera
RealPlayer
SBC Yahoo! DSL Home Networking Installer
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928090)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Sonic RecordNow!
SopCast 1.1.1
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB929338)
Update for Windows XP (KB931836)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Media Format Runtime
Windows Media Player 10
Windows Overlay Components
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
Windows XP Service Pack 2
WinRAR archiver
Yahoo! extras
Yahoo! Mail Quick Select Tool (PhotoMail)
Yahoo! Messenger
Yahoo! Toolbar
  • 0

#8
Anthony10

Anthony10

    Member

  • Member
  • PipPipPip
  • 314 posts
Hi anoop1234,

Print this topic and read the entire post before proceed.

------------------

Go Here and download ATF cleaner. Click on the downloaded file to run it, and select "Select All", then click Empty Selected (and close ATF).

If you have them, also click on Firefox/Opera at the top and repeat the steps (and close ATF). Firefox/Opera will need to be closed first for the cleaning to be effective.

-------------------

Download the trial version of AVG Anti-Spyware 7.5 from here and install it.

If you have an exisiting copy of Ewido (which this software replaces), agree to the uninstall notification and uninstall Ewido. Reboot after. Then click the AVG download file again to install the software. (If you have a paid version of Ewido installed, go here to follow the steps to upgrade that now.)

After installation, double-click the icon on your Desktop to launch AVG Anti-Spyware 7.5.

On the top of the main screen click Shield. Then click the word active to change it to inactive.

You will need to also update AVG Anti-Spyware 7.5 to the latest definition files. On the top of the main screen click Update. Then click on Start Update. The update will start and a progress bar will show the updates being installed.

Now close AVG Anti-Spyware 7.5 (don't scan just yet).

--------------------

Please download Brute Force Uninstaller to your Desktop.
Right click the BFU folder on your desktop, and choose Extract All
Click "Next"
In the box to choose where to extract the files to,
Click "Browse"
Click on the + sign next to "My Computer"
Click on "Local Disk (C:) or whatever your primary drive is
Click "Make New Folder"
Type in BFU
Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".

RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

--------------------

Reboot into Safe Mode (at startup tap the F8 key and select Safe Mode).

---------------------

Make sure that you can see hidden files.
Click Start.
Click My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab.
Under the Hidden files and folders heading select Show hidden files and folders.
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Uncheck the Hide file extensions for known file types.
Click OK.

--------------------

Please go to Start > My Computer and navigate to the C:\BFU folder.
Start the Brute Force Uninstaller by doubleclicking BFU.exe
Behind the scriptline to execute field click the folder icon Posted Image and select alcanshorty.bfu
Press Execute and let the program do it’s job. (You ought to see a progress bar if you did this correctly.)
Wait for the complete script execution box to pop up and press OK.
Press exit to terminate the BFU program.

-------------------

Open HijackThis, run a scan, place a check next to the following entries and then click Fix checked :

R3 - URLSearchHook: (no name) - _{EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {4A0345B4-9EB2-4F9D-A699-1B43667B2EE6} - (no file)
O2 - BHO: (no name) - {C336C4C3-7747-4F86-B610-B5876A5DA22A} - C:\WINDOWS\Config\spibn.dll (file missing)

O4 - HKLM\..\Run: [SoundService] rundll32.exe "C:\WINDOWS\system32\dbtjfgwt.dll",setvm
O4 - HKCU\..\Run: [Pldo] "C:\DOCUME~1\Namz007\APPLIC~1\STEM32~1\taskmgr.exe" -vt yazb


-------------------

Please note any other programs that you dont recognize in that list in your next response
Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present) :

C:\Program Files\ webHancer <= The folder
C:\program files\ popupwithcast <= The folder

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\system32\ dbtjfgwt.dll <= The file
C:\WINDOWS\System32\ yueuky.exe <= The file
C:\WINDOWS\ jautoexp.dat <= The file
C:\WINDOWS\ setdebug.exe <= The file
C:\WINDOWS\ v1201.exe <= The file
C:\WINDOWS\ sys09-52204217.exe <= The file

---------------------

Make sure all windows are closed and run AVG Anti-Spyware 7.5. Click Scanner, then click on the Scan tab. Click Complete System Scan to begin scanning. When the scan is complete click Recommended Action and change it to Quarantine. Then click Apply all actions.

Once the scan has finished, click the Save report button, then click Save Report As. This will create a text file. Make sure you know where to find this file again.

---------------------

Then reboot back to Normal Mode.

------------------

Post your AVG log please, along with a new HijackThis scan and a new report of ComboFix. You can use separate posts if needed.

Anthony.
  • 0

#9
anoop1234

anoop1234

    Member

  • Topic Starter
  • Member
  • PipPip
  • 25 posts
Hello Anthony,

I know it has been a while. I did not have time to work with this computer but am now on summer vacation and have enough time to dedicate to it and fix it up. I haven't used the computer since the last time I posted so here are the results to the tests you have recommended.



---------------------
HiJackThis Log:
--------------------


Logfile of HijackThis v1.99.1
Scan saved at 10:03:05 PM, on 7/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://format.packar...i...&key=SEARCH
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://uk.red.client...fo/bt_side.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://uk.red.client...www.yahoo.co.uk
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn1\yt.dll
O4 - HKLM\..\Run: [SynTPLpr] C:\Program Files\Synaptics\SynTP\SynTPLpr.exe
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - (no file)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O14 - IERESET.INF: START_PAGE_URL=file://C:\APPS\IE\offline\uk.htm
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onec...lscbase8300.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1168863327188
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/s...nfo/webscan.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.c.../cpcScanner.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: F-Secure BlackLight Sensor - Unknown owner - C:\WINDOWS\TEMP\F-Secure\Anti-Virus\fsblsrv.exe (file missing)
O23 - Service: Pml Driver HPZ12 - Unknown owner - C:\WINDOWS\System32\HPZipm12.exe (file missing)
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe



---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------


+ Created at: 12:13:07 AM 7/26/2007

+ Scan result:



:mozilla.36:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.37:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.38:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.41:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.42:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.19:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.20:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.21:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.22:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.23:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.24:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.30:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.34:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.35:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Hitbox : Cleaned.
:mozilla.17:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.18:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.39:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.40:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.31:C:\Documents and Settings\Namz007\Application Data\Mozilla\Firefox\Profiles\c12p74wq.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.


::Report end

------------------------
Combo Fix Report
------------------------

"Namz007" - 07-04-06 19:05:39 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\Namz007\Desktop"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\uninstall_nmon.vbs
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\WINDOWS\system32\aaa00000.sys
C:\WINDOWS\uni_e6h.exe
C:\Program Files\deluxecommunications
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
Folders Quarantined:
C:\qoobox\purity\DOCUME~1
C:\qoobox\purity\DOCUME~1\Namz007
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\from.txt
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\STEM32~1
C:\qoobox\purity\DOCUME~1\Namz007\APPLIC~1\STEM32~1\??stem32


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\SLService
-------\LEGACY_CMDSERVICE
-------\LEGACY_MCHINJDRV
-------\LEGACY_NETWORK_MONITOR
-------\LEGACY_SLSERVICE


((((((((((((((((((((((((((((((( Files Created from 2007-03-06 to 2007-04-06 ))))))))))))))))))))))))))))))))))


2007-04-06 18:51 24,576 --a------ C:\WINDOWS\system32\VundoFixSVC.exe
2007-04-06 17:53 <DIR> d-------- C:\VundoFix Backups
2007-04-06 04:11 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys
2007-04-06 04:11 298,104 --a------ C:\WINDOWS\system32\imon.dll
2007-04-06 04:11 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
2007-04-06 02:56 <DIR> d-------- C:\WINDOWS\network diagnostic
2007-04-04 22:44 <DIR> d-------- C:\WINDOWS\Prefetch
2007-04-04 20:28 <DIR> d-------- C:\WINDOWS\peernet
2007-04-04 20:27 <DIR> d-------- C:\WINDOWS\provisioning
2007-04-04 20:23 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-04-04 19:57 <DIR> d-------- C:\WINDOWS\EHome
2007-04-04 11:36 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-04-04 11:36 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-04-04 11:36 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-04-04 11:36 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-04-04 11:36 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-04-04 11:35 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-04-04 11:35 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-04-04 11:35 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-04-04 11:35 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-04-04 11:35 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-04-04 11:35 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-04-04 11:35 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-04-04 11:35 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-04-04 11:35 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-04-04 11:35 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-04-04 11:35 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-04-04 11:35 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-04-04 11:35 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-04-04 10:56 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-04-04 10:44 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-04-04 03:04 <DIR> d-------- C:\DOCUME~1\Namz007\APPLIC~1\F-Secure
2007-04-04 02:40 <DIR> d-------- C:\Program Files\F-Secure
2007-04-04 02:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\fssg
2007-04-04 00:34 <DIR> d-------- C:\DOCUME~1\Namz007\Contacts


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-05 03:13 -------- d-------- C:\Program Files\messenger
2007-04-05 00:04 -------- d-------- C:\Program Files\msn messenger
2007-04-04 20:28 -------- d-------- C:\Program Files\movie maker
2007-04-04 20:22 -------- d-------- C:\Program Files\windows nt
2007-04-04 20:05 -------- d-------- C:\Program Files\hewlett-packard
2007-03-08 08:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 08:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 08:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 06:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Yahoo! Pager"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
"Pldo"="\"C:\\DOCUME~1\\Namz007\\APPLIC~1\\STEM32~1\\taskmgr.exe\" -vt yazb"
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SynTPLpr"="C:\\Program Files\\Synaptics\\SynTP\\SynTPLpr.exe"
"SynTPEnh"="C:\\Program Files\\Synaptics\\SynTP\\SynTPEnh.exe"
"PRISMSVR.EXE"="\"C:\\WINDOWS\\System32\\PRISMSVR.EXE\" /APPLY"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"SoundService"="rundll32.exe \"C:\\WINDOWS\\system32\\dbtjfgwt.dll\",setvm"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BT Broadband Basic Help.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\BT Broadband Basic Help.lnk"
"backup"="C:\\WINDOWS\\pss\\BT Broadband Basic Help.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\BTBROA~1\\bin\\matcli.exe -boot"
"item"="BT Broadband Basic Help"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MICROS~2\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Utility Tray.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Utility Tray.lnk"
"backup"="C:\\WINDOWS\\pss\\Utility Tray.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\system32\\sistray.exe "
"item"="Utility Tray"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="aim"
"hkey"="HKCU"
"command"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ashDisp"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DataLayer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DATALA~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMMON~1\\PCSuite\\DATALA~1\\DATALA~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLAGENTEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslagent"
"hkey"="HKLM"
"command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslagent.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DSLSTATEXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dslstat"
"hkey"="HKLM"
"command"="C:\\Program Files\\BT Voyager 105 ADSL Modem\\dslstat.exe icon"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleDesktop"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Google\\Google Desktop Search\\GoogleDesktop.exe\" /startup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1143836107\\ee\\AOLHostManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Internet Optimizer]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="optimize"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Internet Optimizer\\optimize.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dumprep 0 -k"
"hkey"="HKLM"
"command"="%systemroot%\\system32\\dumprep 0 -k"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msmsgs"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCSuiteTrayApplication]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TRAYAP~1"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Nokia\\NOKIAP~1\\TRAYAP~1.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PRISMSVR.EXE]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PRISMSVR"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\PRISMSVR.EXE\" /APPLY"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\septpop06apsept]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="septpop06apsept"
"hkey"="HKLM"
"command"="C:\\program files\\popupwithcast\\septpop06apsept.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiS Windows KeyHook]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="keyhook"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\keyhook.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SiSUSBRG]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SiSUSBrg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\SiSUSBrg.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StatusClient]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="StatusClient"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\Apache Tomcat 4.0\\webapps\\Toolbox\\StatusClient\\StatusClient.exe /auto"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\STOPzilla]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="STOPzilla"
"hkey"="HKLM"
"command"="C:\\Program Files\\STOPzilla!\\STOPzilla.exe /autostart"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="C:\\Program Files\\Java\\jre1.5.0\\bin\\jusched.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys09-52204217]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys09-52204217"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys09-52204217.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TomcatStartup]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hpbpsttp"
"hkey"="HKLM"
"command"="C:\\Program Files\\Hewlett-Packard\\Toolbox2.0\\hpbpsttp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\trmf6af9]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RUNDLL32"
"hkey"="HKLM"
"command"="RUNDLL32.EXE w5c1f521.dll,n 004f6af5000000125c1f521"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ujonl]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yueuky"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\System32\\yueuky.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Agent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whAgent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whAgent.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\webHancer Survey Companion]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="whSurvey"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\webHancer\\Programs\\whSurvey.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wltray.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wltray"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\wltray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xmimkw]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="yueuky"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\yueuky.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="YahooMessenger"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe\" -quiet"
"inimapping"="0"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"NoDispAppearancePage"=dword:00000000
"NoDispBackgroundPage"=dword:00000000
"DisableTaskMgr"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoCDBurning"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
Source REG_SZ C:\Program Files\WindowsUpdate\kyfevy.html

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source REG_SZ C:\Program Files\Windows Media Player\hocysoku.html

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\
Security Packages REG_MULTI_SZ kerberosmsv1_0schannelwdigest\
Notification Packages REG_MULTI_SZ scecli\

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ AlerterWebClientLmHostsRemoteRegistryupnphostSSDPSRV\
NetworkService REG_MULTI_SZ DnsCache\
rpcss REG_MULTI_SZ RpcSs\
imgsvc REG_MULTI_SZ StiSvc\
termsvcs REG_MULTI_SZ TermService\
Usnsvc REG_MULTI_SZ usnsvc\
HTTPFilter REG_MULTI_SZ HTTPFilter\
DcomLaunch REG_MULTI_SZ DcomLaunchTermService\



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\Registration reminder 3.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-06 19:12:51
C:\ComboFix-quarantined-files.txt ... 07-04-06 19:12

06-01-03 17:45	  1989	--a------	C:\Qoobox\Quarantine\WINDOWS\uninstall_nmon.vbs.vir 
06-09-15 14:16	  53248	--a------	C:\Qoobox\Quarantine\WINDOWS\uni_e6h.exe.vir 
06-09-26 12:51	  1233	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\aaa00000.sys.vir 
06-09-26 12:51	  687592	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\atmtd.dll._.vir 
06-09-26 12:51	  687592	--a------	C:\Qoobox\Quarantine\WINDOWS\system32\atmtd.dll.vir 
06-09-26 14:27	  14	--a------	C:\Qoobox\Quarantine\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\domains.txt.vir 
06-09-26 14:27	  1612	--a------	C:\Qoobox\Quarantine\DOCUME~1\LOCALS~1\APPLIC~1\NetMon\log.txt.vir 
07-04-06 19:10	  1072	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_SLSERVICE.reg.cf 
07-04-06 19:10	  2262	--a------	C:\Qoobox\Quarantine\Registry_backups\services_SLService.reg.cf 
07-04-06 19:10	  840	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_CMDSERVICE.reg.cf 
07-04-06 19:10	  870	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_NETWORK_MONITOR.reg.cf 
07-04-06 19:10	  884	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_MCHINJDRV.reg.cf 
07-04-06 19:11	  39	--a------	C:\Qoobox\purity\DOCUME~1\Namz007\APPLIC~1\from.txt 


Folder PATH listing for volume HDD
Volume serial number is FCE3-6D47
C:\QOOBOX
+---purity
|   \---DOCUME~1
|	   \---Namz007
|		   \---APPLIC~1
|			   |   from.txt
|			   |   
|			   \---STEM32~1
|				   \---??stem32
\---Quarantine
	+---DOCUME~1
	|   \---LOCALS~1
	|	   \---APPLIC~1
	|		   \---NetMon
	|				   domains.txt.vir
	|				   log.txt.vir
	|				   
	+---Registry_backups
	|	   LEGACY_CMDSERVICE.reg.cf
	|	   LEGACY_MCHINJDRV.reg.cf
	|	   LEGACY_NETWORK_MONITOR.reg.cf
	|	   LEGACY_SLSERVICE.reg.cf
	|	   services_SLService.reg.cf
	|	   
	\---WINDOWS
		|   uninstall_nmon.vbs.vir
		|   uni_e6h.exe.vir
		|   
		\---system32
				aaa00000.sys.vir
				atmtd.dll.vir
				atmtd.dll._.vir


Anything else left I need to do? I have noticed a speed up in my computer's "reaction time." Thank you very much!
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP