Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

My PC was infected by Vitumonde Adware [RESOLVED]

Started by twentysomething , Apr 29 2007 09:14 PM

This topic is locked

#1
twentysomething

Posted 29 April 2007 - 09:14 PM

Member

Member
19 posts

hi im new here in your forum. i have a problem in my pc since a week ago.

my NOD32 antivirus detected an adware named virtumonde. and there is a message popping out if u want to delete or rename the file infected which is the pbpsrujg.dll & rcwaguol.ll when i clicked delete & i restart my pc. there is a popup coming out that the file is missing which is the said file i deleted. so i went again to NOD32 quarantine & restore again the said file, and i restart the pc again the NOD32 popup message saying the said file is infected by adware virtumonde application. this really bothers me. i hope u guys u can help me. thanks!

Edited by twentysomething, 29 April 2007 - 09:15 PM.

#2
Crustyoldbloke

Posted 30 April 2007 - 02:09 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Please Click here!, and follow the recommendations in the guide.

If you're still having trouble, We'll need you to use a free diagnostic tool, Hijack This. Follow the instructions in step five of this guide, and reply here with your log.

Most of what Hijack This lists lists will be harmless or even essential, DO NOT delete or modify anything yet! Someone will be along to tell you what steps to take after you post the contents of the scan results.

#3
twentysomething

Posted 30 April 2007 - 12:31 PM

Member

Topic Starter
Member
19 posts

hi Crustyoldbloke, thanks for the reply... by the way i follow the recommendations in the guide... but my NOD32 antivirus still detects that the virtumonde adware are still present in my pc... here are the results / logs of the scans i accomplished such as hijack this, panda active scan & superantispyware... hope u can help me... thanks... :whistling:

Logfile of HijackThis v1.99.1
Scan saved at 10:02:55 PM, on 4/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\Bahar\Desktop\iexplore.exe
C:\Documents and Settings\Bahar\Desktop\GEEKS\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\5.bin\A5SRCHAS.DLL
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\5.bin\A5SRCHAS.DLL
O2 - BHO: AF BHO - {B7154C4D-87C0-4A2C-AB64-DA132BAC2EE6} - C:\Program Files\AnchorFree\bin\AFBho.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {CA4492DF-F110-447F-9FA5-4A0D1A30E2Da} - C:\WINDOWS\system32\lmfamqwx.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\5.bin\ASKTBAR.DLL
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AFToolbar - {1F385865-F3D4-41ff-960D-7B7D0A7A72F6} - C:\Program Files\AnchorFree\bin\AFToolbar.dll
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\5.bin\ASKTBAR.DLL
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
O4 - HKLM\..\Run: [CTDVDDet] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [HPWG myPrintMileage Agent] C:\Program Files\Hewlett-Packard\hp deskjet 9300 series\Toolbox\mpm.exe
O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O4 - HKCU\..\Run: [Free Internet Window Washer] C:\Program Files\Free Internet Window Washer\Clearpch.exe -Start
O4 - HKCU\..\Run: [AFProg] C:\Program Files\AnchorFree\bin\ctrl\AFController.exe
O4 - HKCU\..\Run: [INetBooster] C:\Program Files\SoftwareClub.ws\SC Net Speed Booster\ISpBos.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?afdc4a8f81594853b2254498be87e4e6
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?afdc4a8f81594853b2254498be87e4e6
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://ernicole.mult...os/uploader.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: vtursrq - vtursrq.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe (file missing)
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

-------------------------------------------------------------------------------------------

Panda - Active scan

Incident Status Location

Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\AskTBar\SrchAstt\5.bin\A5SRCHAS.DLL
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Potentially unwanted tool:application/mywebsearch Not disinfected hkey_classes_root\clsid\{147A976F-EEE1-4377-8EA7-4716E4CDD239}
Adware:adware/rxtoolbar Not disinfected Windows Registry
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Bahar\Cookies\bahar@atdmt[2].txt
Spyware:Cookie/QuestionMarket Not disinfected C:\Documents and Settings\Bahar\Cookies\bahar@questionmarket[2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Bahar\Cookies\bahar@statcounter[1].txt
Potentially unwanted tool:Application/Processor Not disinfected C:\Documents and Settings\Bahar\Desktop\GEEKS\VundoFix\VundoFix\process.exe
Potentially unwanted tool:Application/MyWebSearch Not disinfected C:\Program Files\AskTBar\bar\5.bin\A5POPSWT.DLL
Virus:Trj/Agent.DYH Disinfected C:\WINDOWS\SecureWin32.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\bfxaexdf.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\cevfljti.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\dtdliepn.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\dwrfplfw.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\fqioivvm.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\gsuukmff.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\gxelllek.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\hbmddhlq.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\jnfohvkt.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\jyvvwxbb.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\kkotkcsh.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\msjhiiju.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\oufqeumu.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\pbpsrujg.dll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\thidmfgs.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\ululeihj.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\uvrdmdmi.Vdll
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\SYSTEM32\vbqrqvas.Vdll

-------------------------------------------------------------------------------------------

SUPERAntiSpyware Scan Log
Generated 04/30/2007 at 05:12 PM

Application Version : 3.6.1000

Core Rules Database Version : 3227
Trace Rules Database Version: 1238

Scan type : Complete Scan
Total Scan Time : 00:39:26

Memory items scanned : 556
Memory threats detected : 1
Registry items scanned : 9271
Registry threats detected : 45
File items scanned : 52454
File threats detected : 26

Trojan.Downloader-Gen/LIB
C:\WINDOWS\SYSTEM32\NOUEWYQN.DLL
C:\WINDOWS\SYSTEM32\NOUEWYQN.DLL
C:\DOCUMENTS AND SETTINGS\BAHAR\LOCAL SETTINGS\TEMP\QEOVJSWH.DLL

Adware.Lop-Gen
[city ping] C:\DOCUME~1\BAHAR\APPLIC~1\ONCESE~1\ERROR MP3 GLOBAL.EXE
C:\DOCUME~1\BAHAR\APPLIC~1\ONCESE~1\ERROR MP3 GLOBAL.EXE
C:\DOCUMENTS AND SETTINGS\BAHAR\APPLICATION DATA\ONCE SEND\ERROR MP3 GLOBAL.EXE
C:\DOCUMENTS AND SETTINGS\BAHAR\APPLICATION DATA\ONCE SEND\ROAMTONSFORK.EXE
C:\WINDOWS\Prefetch\ERROR MP3 GLOBAL.EXE-29C102A9.pf

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}
HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}
HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}\InprocServer32
HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\CNKMOIRK.DLL
HKLM\Software\Classes\CLSID\{D651AFF4-9590-424d-BD1E-8E33E090DFB3}
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D651AFF4-9590-424d-BD1E-8E33E090DFB3}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{A416D604-EAA3-4618-958C-2ECA22414616}
HKCR\CLSID\{1557B435-8242-4686-9AA3-9265BF7525A4}
HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{7FBDFF29-4B4E-444C-950B-66017175A932}
HKCR\CLSID\{7FBDFF29-4B4E-444C-950B-66017175A932}
HKCR\CLSID\{7FBDFF29-4B4E-444C-950B-66017175A932}\InprocServer32
HKCR\CLSID\{7FBDFF29-4B4E-444C-950B-66017175A932}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSTQO.DLL

Trojan.Downloader-ChinaHot
HKLM\Software\Classes\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}
HKCR\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}
HKCR\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}
HKCR\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}\InprocServer32
HKCR\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}\InprocServer32#ThreadingModel
HKCR\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}\ProgID
HKCR\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}\Programmable
HKCR\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}\TypeLib
HKCR\CLSID\{A75E294E-C047-4D29-B07E-37B792881BEF}\VersionIndependentProgID
C:\WINDOWS\SECUREWIN31.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A75E294E-C047-4D29-B07E-37B792881BEF}
HKCR\SampleTrack.AleTrack
HKCR\SampleTrack.AleTrack\CLSID
HKCR\SampleTrack.AleTrack\CurVer
HKCR\SampleTrack.AleTrack.1
HKCR\SampleTrack.AleTrack.1\CLSID
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0\0
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0\0\win32
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0\FLAGS
HKCR\TypeLib\{97641909-2311-4513-8581-F5C84B3F05F2}\1.0\HELPDIR
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}\ProxyStubClsid
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}\ProxyStubClsid32
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}\TypeLib
HKCR\Interface\{1D2CC793-B043-4DD2-A52C-3D9ADE61BBBD}\TypeLib#Version

Unclassified.Unknown Origin
HKCR\PROTOCOLS\Filter\text/html
HKCR\PROTOCOLS\Filter\text/html#CLSID

Adware.Tracking Cookie
C:\Documents and Settings\Bahar\Cookies\bahar@doubleclick[1].txt
C:\Documents and Settings\Bahar\Cookies\bahar@adultfriendfinder[2].txt
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt
C:\Documents and Settings\Bahar\Cookies\[email protected][2].txt
C:\Documents and Settings\Bahar\Cookies\bahar@alnisr[1].txt
C:\Documents and Settings\Bahar\Cookies\bahar@clickbank[1].txt
C:\Documents and Settings\Bahar\Cookies\bahar@adbrite[2].txt
C:\Documents and Settings\Bahar\Cookies\bahar@cpvfeed[2].txt
C:\Documents and Settings\Bahar\Cookies\bahar@atdmt[1].txt
C:\Documents and Settings\Bahar\Cookies\bahar@gulfnews[1].txt
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt
C:\Documents and Settings\Bahar\Cookies\bahar@toplist[1].txt
C:\Documents and Settings\Bahar\Cookies\bahar@statcounter[2].txt

Trojan.Downloader-SpyTool
C:\DOCUMENTS AND SETTINGS\BAHAR\LOCAL SETTINGS\TEMP\ADDFCOFK.DLL
C:\DOCUMENTS AND SETTINGS\BAHAR\LOCAL SETTINGS\TEMP\RFYXCEOY.DLL
C:\DOCUMENTS AND SETTINGS\BAHAR\LOCAL SETTINGS\TEMP\VBPUQLJL.DLL

Trojan.Downloader-Gen/HardFall
C:\SYSTEM VOLUME INFORMATION\_RESTORE{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1438\A0122641.DLL

#4
Crustyoldbloke

Posted 30 April 2007 - 01:25 PM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello Bahar and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

ALL staff here at Geeks To Go are volunteers, please bear that in mind if I don’t answer your post as quickly as you’d like; I give what time I can.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions! (Click the Options drop down near the upper right of the topic. Select Print this topic.)

One or more of the identified infections is a backdoor Trojan and a key logger.

If this computer is ever used for on-line banking, I suggest you do the following immediately:

1. Call all of your banks, credit card companies, financial institutions and inform them that you may be a victim of identity theft and to put a watch on your accounts or change all your account numbers.

2. From a clean computer, change ALL your on-line passwords for email, for banks, financial accounts, PayPal, eBay, on-line companies, any on-line forums or groups you belong to.

Do NOT change passwords or do any transactions while using the infected computer because the attacker will get the new passwords and transaction information.

Firstly could you please disable Windows Defender from running during the fix, it may just hinder our attempts to change anything. Open Windows Defender, click Tools, click Options, under Real-time protection options, clear the Use real-time protection check box, click Save

You have some entries in your HijackThis log which adds your PC to an outside network (along the lines of a P2P Network); you may not be aware of this. This is called “The Bonjour Package” which is being bundled with iTunes.

You may choose if you want me to delete it, or if you wish to download a programme to disable it, or just leave it as it is. I cannot comment on the consequences of leaving it in place or the efficacy of the disabling programme.

This is the link to the disabling programme: http://gizmoproject.com/jasmine/ select TurnOffBonjour.exe

To start please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
AVG AntiSpyware
combofix.exe

Please install, and update AVG Anti Spyware

Load AVGas and then click the Update tab at the top. Under Manual Update click Start update.(you may have to try at different times as this is a very busy server).
After the update finishes (the status bar at the bottom will display "Update successful")
Please select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
Under "Reports"
Select "Automatically generate report after every scan"
Deselect "Only if threats were found"
Close AVGas. Do not run it yet.

Next, please reboot your computer in Safe Mode by doing the following:

Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
Instead of Windows loading as normal, a menu should appear
Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Safe Mode

In Safe Mode, load AVGas and click on the Scanner tab at the top and then click on Complete System Scan. This scan can take quite a while to run, so be patient.
AVGas will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. AVGas will display "All actions have been applied" on the right hand side.
Click on "Save Report", then "Save Report As". This will create a text file. Make sure you know where to find this file again (I suggest the Desktop).
Please ensure you post that log in your reply.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O2 - BHO: Ask Search Assistant BHO - {9CB65201-89C4-402c-BA80-02D8C59F9B1D} - C:\Program Files\AskTBar\SrchAstt\5.bin\A5SRCHAS.DLL
O2 - BHO: (no name) - {CA4492DF-F110-447F-9FA5-4A0D1A30E2Da} - C:\WINDOWS\system32\lmfamqwx.dll (file missing)
O2 - BHO: Ask Toolbar BHO - {FE063DB1-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\5.bin\ASKTBAR.DLL
O3 - Toolbar: Ask Toolbar - {FE063DB9-4EC0-403e-8DD8-394C54984B2C} - C:\Program Files\AskTBar\bar\5.bin\ASKTBAR.DLL
O8 - Extra context menu item: &Search - http://kl.bar.need2f...earch.html?p=KL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfar...tup1.0.0.15.cab
O20 - Winlogon Notify: vtursrq - vtursrq.dll (file missing)

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into normal mode.

Please install Killbox by Option^Explicit.

Please double-click Killbox.exe to run it.
Select Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\Documents and Settings\Bahar\Desktop\iexplore.exe
C:\Program Files\AskTBar\SrchAstt\5.bin\A5SRCHAS.DLL
C:\Program Files\AskTBar\bar\5.bin\ASKTBAR.DLL

Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the Windows tab, and under the heading of Applications, Utilities uncheck AVGas Anti-Spyware then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total please).

#5
twentysomething

Posted 01 May 2007 - 12:10 PM

Member

Topic Starter
Member
19 posts

Thank you for your reply Crustyoldbloke... :whistling:

I really appreciate your great help! I know some of you guys here are volunteers, so i am patient enough to wait for your reply... Im not a computer genius so im trying to understand your intstructions & reccomendations as far as i can & i hope i did the right thing on my part... :blink:

By the way, this PC im using is an Office PC & i am the only one who's using this... before there was somebody using this when i was not here in this company... And I never use this PC on any Online Banking...

You noted in your reply, when i perform the Killbox procedure... when I saw a Prompt "PendingFileRename Operations" i will tell you this thing... And When I accomplish it, i saw that prompt message when im done deleting those file you told me to delete...

One thing more... the Virtumonde Adware are still infecting my files... my NOD32 still detects that Adware in my PC...

Here are the Logs you needed to check (3 Logs in total):

____________________________________________________________

>> AVG Anti-spyware

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 9:23:36 PM 5/1/2007

+ Scan result:

C:\Program Files\Eset\infected\ZHEH0PDA.NQF -> Adware.Agent : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1443\A0123158.dll -> Adware.Agent : Cleaned with backup (quarantined).
HKU\S-1-5-21-1259100097-596128907-3717492054-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{59879FA4-4790-461C-A1CC-4EC4DE4CA483} -> Adware.RXToolbar : Cleaned with backup (quarantined).
C:\Program Files\Yahoo!\Messenger\ycomp.dll -> Adware.Yahoo : Cleaned with backup (quarantined).
C:\Program Files\Foxit Software\PDF Editor\patch.exe -> Downloader.Harnig.bq : Cleaned with backup (quarantined).
C:\Program Files\bip\PROGRAMS\Foxit ( PDF reader,editor,creator) pack completo\Foxit PDF Editor 1.5\patch.exe -> Downloader.Harnig.bq : Cleaned with backup (quarantined).
C:\Program Files\bip\PROGRAMS\Norton Antivirus 2007 + KeyGen\Norton Antivirus 2007 + KeyGen.zip/Keygen.zip/Keygen.exe -> Dropper.Agent.bcw : Cleaned with backup (quarantined).
C:\Program Files\bip\PROGRAMS\Norton Antivirus 2007 + KeyGen\Norton Antivirus 2007 + KeyGen\Keygen\Keygen.exe -> Dropper.Agent.bcw : Cleaned with backup (quarantined).
C:\Program Files\bip\PROGRAMS\Norton Antivirus 2007 + KeyGen\Norton Antivirus 2007 + KeyGen\Keygen\Keygen.zip/Keygen.exe -> Dropper.Agent.bcw : Cleaned with backup (quarantined).
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@adbrite[1].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][2].txt -> TrackingCookie.Adbrite : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt -> TrackingCookie.Burstnet : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][2].txt -> TrackingCookie.Netflame : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt -> TrackingCookie.Paypal : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt -> TrackingCookie.Starware : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@tacoda[2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\Bahar\Cookies\bahar@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt -> TrackingCookie.Webtrends : Cleaned.
C:\Documents and Settings\Bahar\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\System Volume Information\_restore{202550A8-7A33-4BCA-9586-051D24DDBF8F}\RP1444\A0125207.exe -> Trojan.Agent : Cleaned with backup (quarantined).

::Report end

____________________________________________________________

>> Combofix

"Bahar" - 07-05-01 21:40:27 Service Pack 2
ComboFix 07-04-28.V - Running from: "C:\Documents and Settings\Bahar\Desktop\GEEKS\"

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\install.log
C:\install.log

((((((((((((((((((((((((((((((( Files Created from 2007-04-01 to 2007-05-01 ))))))))))))))))))))))))))))))))))

2007-05-01 21:31 <DIR> d-------- C:\Program Files\CCleaner
2007-05-01 20:46 552 --a------ C:\WINDOWS\SYSTEM32\d3d8caps.dat
2007-05-01 09:50 3,968 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
2007-05-01 07:12 <DIR> d-------- C:\!KillBox
2007-04-30 22:51 <DIR> d-------- C:\Program Files\DivX
2007-04-30 17:40 <DIR> d-------- C:\WINDOWS\SYSTEM32\ActiveScan
2007-04-30 16:41 <DIR> d-------- C:\Program Files\Foxit Software
2007-04-30 16:38 0 --a------ C:\WINDOWS\SYSTEM32\CMMGR32.EXE
2007-04-30 16:38 0 --a------ C:\WINDOWS\ORUN32.EXE
2007-04-30 16:28 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-04-30 16:28 <DIR> d-------- C:\DOCUME~1\Bahar\APPLIC~1\SUPERAntiSpyware.com
2007-04-30 16:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-04-30 16:27 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-04-30 09:38 <DIR> d-------- C:\VundoFix Backups
2007-04-30 09:35 132,660 --a------ C:\WINDOWS\SYSTEM32\rcwaguol.dll
2007-04-30 09:35 123,972 --a------ C:\WINDOWS\SYSTEM32\pbpsrujg.dll
2007-04-29 11:57 684,032 --a------ C:\WINDOWS\SYSTEM32\libeay32.dll
2007-04-29 11:57 155,648 --a------ C:\WINDOWS\SYSTEM32\ssleay32.dll
2007-04-22 15:18 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-04-21 15:26 <DIR> d-------- C:\Program Files\MTV Networks
2007-04-21 15:00 <DIR> d-------- C:\Program Files\iTunes
2007-04-21 15:00 <DIR> d-------- C:\Program Files\iPod
2007-04-21 15:00 <DIR> d-------- C:\DOCUME~1\Bahar\APPLIC~1\Apple Computer
2007-04-21 14:59 <DIR> d-------- C:\Program Files\QuickTime
2007-04-21 14:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-04-21 14:52 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-04-21 14:52 <DIR> d-------- C:\Program Files\Common Files\Real
2007-04-21 14:51 <DIR> d-------- C:\DOCUME~1\Bahar\APPLIC~1\Real
2007-04-18 15:57 512,096 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\amon.sys
2007-04-18 15:57 298,104 --a------ C:\WINDOWS\SYSTEM32\imon.dll
2007-04-18 15:57 15,424 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\nod32drv.sys
2007-04-18 14:03 <DIR> d-------- C:\WINDOWS\pss
2007-04-18 08:47 353 ---hs---- C:\WINDOWS\SYSTEM32\oqtss.ini2
2007-04-16 18:24 339,968 --a------ C:\WINDOWS\SYSTEM32\mpiwin32.dll
2007-04-16 18:24 15,840 --a------ C:\WINDOWS\SYSTEM32\Machnm1.exe
2007-04-16 18:24 <DIR> d-------- C:\Program Files\@Last Software
2007-04-10 20:59 <DIR> d-------- C:\Program Files\AutoCAD 2008
2007-04-05 08:25 <DIR> d-------- C:\Program Files\Nero
2007-04-05 08:16 <DIR> d-------- C:\Program Files\AskTBar

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-01 20:21 288 --a------ C:\WINDOWS\SYSTEM32\dvcstatebkp-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
2007-05-01 20:21 288 --a------ C:\WINDOWS\SYSTEM32\dvcstate-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
2007-05-01 06:21 -------- d-------- C:\DOCUME~1\Bahar\APPLIC~1\azureus
2007-04-30 21:35 -------- d-------- C:\Program Files\windows live toolbar
2007-04-30 21:34 -------- d--h----- C:\Program Files\poweriso
2007-04-30 21:34 -------- d-------- C:\Program Files\windows defender
2007-04-30 21:19 -------- d-------- C:\Program Files\bonjour
2007-04-30 21:19 -------- d-------- C:\Program Files\bit lord 1.1
2007-04-29 13:09 -------- d--h----- C:\Program Files\bip
2007-04-27 16:46 132660 --a------ C:\WINDOWS\SYSTEM32\rcwaguol.vdll
2007-04-27 07:26 -------- d-------- C:\Program Files\azureus
2007-04-25 09:39 123972 --a------ C:\WINDOWS\SYSTEM32\vbqrqvas.vdll
2007-04-25 09:39 123972 --a------ C:\WINDOWS\SYSTEM32\uvrdmdmi.vdll
2007-04-25 09:39 123972 --a------ C:\WINDOWS\SYSTEM32\ululeihj.vdll
2007-04-25 09:39 123972 --a------ C:\WINDOWS\SYSTEM32\thidmfgs.vdll
2007-04-25 09:37 123972 --a------ C:\WINDOWS\SYSTEM32\oufqeumu.vdll
2007-04-25 09:37 123972 --a------ C:\WINDOWS\SYSTEM32\msjhiiju.vdll
2007-04-25 09:37 123972 --a------ C:\WINDOWS\SYSTEM32\kkotkcsh.vdll
2007-04-25 09:37 123972 --a------ C:\WINDOWS\SYSTEM32\jyvvwxbb.vdll
2007-04-25 09:37 123972 --a------ C:\WINDOWS\SYSTEM32\jnfohvkt.vdll
2007-04-25 09:36 123972 --a------ C:\WINDOWS\SYSTEM32\hbmddhlq.vdll
2007-04-25 09:36 123972 --a------ C:\WINDOWS\SYSTEM32\gxelllek.vdll
2007-04-25 09:36 123972 --a------ C:\WINDOWS\SYSTEM32\gsuukmff.vdll
2007-04-25 09:36 123972 --a------ C:\WINDOWS\SYSTEM32\fqioivvm.vdll
2007-04-25 09:36 123972 --a------ C:\WINDOWS\SYSTEM32\dwrfplfw.vdll
2007-04-25 09:36 123972 --a------ C:\WINDOWS\SYSTEM32\dtdliepn.vdll
2007-04-25 09:36 123972 --a------ C:\WINDOWS\SYSTEM32\cevfljti.vdll
2007-04-25 09:36 123972 --a------ C:\WINDOWS\SYSTEM32\bfxaexdf.vdll
2007-04-21 14:52 -------- d-------- C:\Program Files\real
2007-04-18 15:16 -------- d-------- C:\Program Files\Common Files\symantec shared
2007-04-18 15:16 -------- d-------- C:\DOCUME~1\Bahar\APPLIC~1\symantec
2007-04-18 15:14 -------- d-------- C:\Program Files\symantec
2007-04-16 18:24 -------- d--h----- C:\Program Files\installshield installation information
2007-04-14 08:36 -------- d-------- C:\DOCUME~1\Bahar\APPLIC~1\autodesk
2007-04-10 20:25 -------- d-------- C:\Program Files\autodesk
2007-03-30 22:09 -------- d-------- C:\DOCUME~1\Bahar\APPLIC~1\once send
2007-03-28 06:51 -------- d-------- C:\Program Files\microsoft works
2007-03-27 11:55 200704 --a------ C:\WINDOWS\SYSTEM32\ssldivx.dll
2007-03-27 11:55 1044480 --a------ C:\WINDOWS\SYSTEM32\libdivx.dll
2007-03-17 20:25 17801 --a------ C:\WINDOWS\SYSTEM32\DRIVERS\AegisP.sys
2007-03-17 17:43 292864 --a------ C:\WINDOWS\SYSTEM32\winsrv.dll
2007-03-08 19:36 577536 --a------ C:\WINDOWS\SYSTEM32\user32.dll
2007-03-08 19:36 40960 --a------ C:\WINDOWS\SYSTEM32\mf3216.dll
2007-03-08 19:36 281600 --a------ C:\WINDOWS\SYSTEM32\gdi32.dll
2007-03-08 17:47 1843584 --a------ C:\WINDOWS\SYSTEM32\win32k.sys
2007-03-01 23:09 230454 --a------ C:\StiImg.dat
2007-02-12 07:25 15976 --a------ C:\WINDOWS\SYSTEM32\acsignextres.dll
2007-02-12 07:12 54376 --a------ C:\WINDOWS\SYSTEM32\acsignopt.exe
2007-02-12 07:12 44648 --a------ C:\WINDOWS\SYSTEM32\acsignicon.dll
2007-02-12 07:12 30312 --a------ C:\WINDOWS\SYSTEM32\acsignext.dll
2007-02-06 00:17 185344 --a------ C:\WINDOWS\SYSTEM32\upnphost.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
"{02478D38-C3F9-4EFB-9B51-7695ECA05670}"="C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll"
"{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}"="C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll"
"{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}"="C:\Program Files\Yahoo!\Common\yiesrvc.dll"
"{5CA3D70E-1895-11CF-8E15-001234567890}"="C:\WINDOWS\system32\dla\tfswshx.dll"
"{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}"="C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll"
"{9030D464-4C02-4ABF-8ECC-5164760863C6}"="C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll"
"{B7154C4D-87C0-4A2C-AB64-DA132BAC2EE6}"="C:\Program Files\AnchorFree\bin\AFBho.dll"
"{BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}"="C:\Program Files\Windows Live Toolbar\msntb.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
"IAAnotif"="\"C:\\Program Files\\Intel\\Intel Application Accelerator\\iaanotif.exe\""
"PCMService"="\"C:\\Program Files\\Dell\\Media Experience\\PCMService.exe\""
"ATIPTA"="\"C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe\""
"IntelMeM"="\"C:\\Program Files\\Intel\\Modem Event Monitor\\IntelMEM.exe\""
"CTSysVol"="\"C:\\Program Files\\Creative\\SBAudigy2\\Surround Mixer\\CTSysVol.exe\""
"CTDVDDet"="\"C:\\Program Files\\Creative\\SBAudigy2\\DVDAudio\\CTDVDDet.EXE\""
"CTHelper"="CTHELPER.EXE"
"AsioReg"="\"REGSVR32.EXE\" /S CTASIO.DLL"
"UpdReg"="C:\\WINDOWS\\UpdReg.EXE"
"dla"="C:\\WINDOWS\\system32\\dla\\tfswctrl.exe"
"UpdateManager"="\"C:\\Program Files\\Common Files\\Sonic\\Update Manager\\sgtray.exe\" /r"
"DVDLauncher"="\"C:\\Program Files\\CyberLink\\PowerDVD\\DVDLauncher.exe\""
"DataLayer"="\"C:\\Program Files\\Common Files\\PCSuite\\DataLayer\\DataLayer.exe\""
"PCSuiteTrayApplication"="\"C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe\" -onlytray"
"NeroCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
"nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"NeroFilterCheck"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe\""

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"SB Audigy 2 Startup Menu"=" /L:ENG"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\Lib\\NMBgMonitor.exe\""
"SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"DWQueuedReporting"="\"C:\\PROGRA~1\\COMMON~1\\MICROS~1\\DW\\dwtrig20.exe\" -t"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"{e57ce738-33e8-4c51-8354-bb4de9d215d1}"="C:\WINDOWS\system32\upnpui.dll"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7ec74f2e-bfe5-11db-99db-96eacd686393}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{f016b2e2-bf62-11db-99d9-eac61f4d8eea}]
Shell\AutoRun\command C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\MP Scheduled Scan.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-01 21:44:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-05-01 21:44:55
C:\ComboFix-quarantined-files.txt ... 07-05-01 21:44

05-06-27 15:16	  1120	--a------	C:\Qoobox\Quarantine\C\INSTALL.LOG.vir
06-05-21 09:26	  459	--a--c---	C:\Qoobox\Quarantine\C\Program Files\INSTALL.LOG.vir


Folder PATH listing
Volume serial number is 1C37-FB5B
C:\QOOBOX
\---Quarantine
	+---C
	|   |   INSTALL.LOG.vir
	|   |   
	|   \---Program Files
	|		   INSTALL.LOG.vir
	|		   
	\---Registry_backups

____________________________________________________________

>> HijackThis

Logfile of HijackThis v1.99.1
Scan saved at 9:49:53 PM, on 5/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Documents and Settings\Bahar\Desktop\GEEKS\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AF BHO - {B7154C4D-87C0-4A2C-AB64-DA132BAC2EE6} - C:\Program Files\AnchorFree\bin\AFBho.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AFToolbar - {1F385865-F3D4-41ff-960D-7B7D0A7A72F6} - C:\Program Files\AnchorFree\bin\AFToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
O4 - HKLM\..\Run: [CTDVDDet] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?afdc4a8f81594853b2254498be87e4e6
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?afdc4a8f81594853b2254498be87e4e6
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://ernicole.mult...os/uploader.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

____________________________________________________________

Edited by twentysomething, 01 May 2007 - 12:24 PM.

#6
Crustyoldbloke

Posted 01 May 2007 - 01:28 PM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello again Bahar

You are doing really well, and your good manners do you credit.

Did you have Norton antivirus on this PC at some stage in the past? I am seeing what look like remnants with Symantec Live Update. Yopu can uninstall that programme from the Add or Remove Programs in the Control Panel.

There is a file in your log of which I am unsure. For that reason, I need you to submit it to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\SYSTEM32\ssleay32.dll

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.

Run MSCONFIG and enable everything in the startup area. To get to MSCONFIG, click on Start -> Run -> type in MSCONFIG -> click OK

Under the "General" Tab

Ensure "Normal Startup-load all device drivers and services" is checked.

Click Apply->OK->Follow the prompts to Restart

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: (no name) - {9CB65206-89C4-402c-BA80-02D8C59F9B1D} - (no file)

Click on Fix Checked when finished and exit HijackThis.

Please install Killbox by Option^Explicit.

Please double-click Killbox.exe to run it.
Select Delete on Reboot
then Click on the All Files button.
Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\WINDOWS\SYSTEM32\rcwaguol.dll
C:\WINDOWS\SYSTEM32\pbpsrujg.dll
C:\WINDOWS\SYSTEM32\libeay32.dll
C:\WINDOWS\SYSTEM32\oqtss.ini2
C:\WINDOWS\SYSTEM32\dvcstatebkp-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
C:\WINDOWS\SYSTEM32\dvcstate-{00000004-00000000-00000002-00001102-00000004-10031102}.dat
C:\WINDOWS\SYSTEM32\rcwaguol.vdll
C:\WINDOWS\SYSTEM32\vbqrqvas.vdll
C:\WINDOWS\SYSTEM32\uvrdmdmi.vdll
C:\WINDOWS\SYSTEM32\ululeihj.vdll
C:\WINDOWS\SYSTEM32\thidmfgs.vdll
C:\WINDOWS\SYSTEM32\oufqeumu.vdll
C:\WINDOWS\SYSTEM32\msjhiiju.vdll
C:\WINDOWS\SYSTEM32\kkotkcsh.vdll
C:\WINDOWS\SYSTEM32\jyvvwxbb.vdll
C:\WINDOWS\SYSTEM32\jnfohvkt.vdll
C:\WINDOWS\SYSTEM32\hbmddhlq.vdll
C:\WINDOWS\SYSTEM32\gxelllek.vdll
C:\WINDOWS\SYSTEM32\gsuukmff.vdll
C:\WINDOWS\SYSTEM32\fqioivvm.vdll
C:\WINDOWS\SYSTEM32\dwrfplfw.vdll
C:\WINDOWS\SYSTEM32\dtdliepn.vdll
C:\WINDOWS\SYSTEM32\cevfljti.vdll
C:\WINDOWS\SYSTEM32\bfxaexdf.vdll

Return to Killbox, go to the File menu, and choose Paste from Clipboard.
Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

#7
twentysomething

Posted 02 May 2007 - 04:50 AM

Member

Topic Starter
Member
19 posts

hi there Crustyoldbloke! :whistling:

Wow thanks again for the reply... by the way, before i use the Norton Antivirus software on my PC, but i already removed it coz somebody told me that software is not good as Anti-virus so i switched to NOD32... And when i checked the Add-remove programs i didnt see any Norton or Symantec installed on my PC...

I just accomplished those instructions u gave me, and here are the results... :blink:

_________________________________________________________

>> Jotti's Scan

Service load: 0% 100%

File: ssleay32.dll
Status: OK
MD5 4adaa6bf3e4658045f8c09b75956b83b
Packers detected: -

Scan taken on 02 May 2007 09:01:30 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

_________________________________________________________

>> Hijack This

Logfile of HijackThis v1.99.1
Scan saved at 1:23:41 PM, on 5/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
C:\WINDOWS\system32\CTsvcCDA.exe
C:\Program Files\Hotspot Shield\bin\openvpnas.exe
C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Eset\nod32krn.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe
C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe
C:\Program Files\Dell\Media Experience\PCMService.exe
C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe
C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe
C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE
C:\WINDOWS\system32\CTHELPER.EXE
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe
C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Eset\nod32kui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\COMMON~1\PCSuite\Services\SERVIC~1.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Documents and Settings\Bahar\Desktop\GEEKS\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.c...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.c...rch/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.c...//www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: AF BHO - {B7154C4D-87C0-4A2C-AB64-DA132BAC2EE6} - C:\Program Files\AnchorFree\bin\AFBho.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn3\yt.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: AFToolbar - {1F385865-F3D4-41ff-960D-7B7D0A7A72F6} - C:\Program Files\AnchorFree\bin\AFToolbar.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
O4 - HKLM\..\Run: [IAAnotif] "C:\Program Files\Intel\Intel Application Accelerator\iaanotif.exe"
O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\Media Experience\PCMService.exe"
O4 - HKLM\..\Run: [ATIPTA] "C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe"
O4 - HKLM\..\Run: [IntelMeM] "C:\Program Files\Intel\Modem Event Monitor\IntelMEM.exe"
O4 - HKLM\..\Run: [CTSysVol] "C:\Program Files\Creative\SBAudigy2\Surround Mixer\CTSysVol.exe"
O4 - HKLM\..\Run: [CTDVDDet] "C:\Program Files\Creative\SBAudigy2\DVDAudio\CTDVDDet.EXE"
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AsioReg] "REGSVR32.EXE" /S CTASIO.DLL
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [UpdateManager] "C:\Program Files\Common Files\Sonic\Update Manager\sgtray.exe" /r
O4 - HKLM\..\Run: [DVDLauncher] "C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe"
O4 - HKLM\..\Run: [DataLayer] "C:\Program Files\Common Files\PCSuite\DataLayer\DataLayer.exe"
O4 - HKLM\..\Run: [PCSuiteTrayApplication] "C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe" -onlytray
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe"
O4 - HKCU\..\Run: [SB Audigy 2 Startup Menu] /L:ENG
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Open in new background tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/229?afdc4a8f81594853b2254498be87e4e6
O8 - Extra context menu item: Open in new foreground tab - res://C:\Program Files\Windows Live Toolbar\Components\en-us\msntabres.dll.mui/230?afdc4a8f81594853b2254498be87e4e6
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\program files\bonjour\mdnsnsp.dll
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.0 Control) - http://ernicole.mult...os/uploader.cab
O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx
O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx
O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: Autodesk Licensing Service - Autodesk - C:\Program Files\Common Files\Autodesk Shared\Service\AdskScSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Belkin High-Speed Mode Wireless G USB Driver (Belkin High-Speed Mode Wireless G USB Network Adapter Service) - Unknown owner - C:\Program Files\Belkin\F5D7051\WLService.exe (file missing)
O23 - Service: C-DillaSrv - C-Dilla Ltd - C:\WINDOWS\system32\DRIVERS\CDANTSRV.EXE
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Hotspot Shield Service (HotspotShieldService) - Unknown owner - C:\Program Files\Hotspot Shield\bin\openvpnas.exe
O23 - Service: IAA Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Application Accelerator\iaantmon.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: RaySat_3dsmax8 Server (mi-raysat_3dsmax8) - Unknown owner - C:\Program Files\Autodesk\3dsMax8\mentalray\satellite\raysat_3dsmax8server.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

#8
twentysomething

Posted 02 May 2007 - 04:52 AM

Member

Topic Starter
Member
19 posts

(Sorry i just made a double post... i guess i press the add reply twice... anyway please delete this post... Sorry Again... :blink:

)

hi there Crustyoldbloke! :whistling:

Edited by twentysomething, 02 May 2007 - 04:55 AM.

#9
Crustyoldbloke

Posted 02 May 2007 - 06:38 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello again Bahar

Don't concern yourself over the double post, we all make mistakes and it was a genuine accident.

Your logs look really good now. Please have a look for this folder and delete it: C:\Program Files\Symantec\

We need to close an exploit with Java.

Updating Java and Clearing Cache

Go to Start > Control Panel double-click on the Java Icon (coffee cup) in the Control Panel.
It will say "Java Plug-in" under the icon.
Please find the update button or tab in the Java Control Panel. Update your Java then reboot.
If you are unable to update you can manually update by going here:
- http://www.java.com/en/download/manual.jsp
After the reboot, go back into the Control Panel and double-click the Java Icon.
Under Temporary Internet Files, click the Delete Files button.
There are three options in the window to clear the cache - Leave ALL 3 CheckedDownloaded Applets
Downloaded Applications
Other Files
Click OK on Delete Temporary Files Window
Note: This deletes ALL the Downloaded Applications and Applets from the CACHE.
Click OK to leave the Java Control Panel.

I don't need to see further logs providing you tell me that all is well and that your PC is now running normally. I will then give you final instructions for the clean up.

#10
twentysomething

Posted 02 May 2007 - 11:47 AM

Member

Topic Starter
Member
19 posts

Wow really! my logs are clear now! that was great! :whistling:

By the way, I followed your last instructions to update my Java & the rest of the steps you gave, & its already done... But the other thing i havent accomplish is, i cannot delete the Symantec folder in my Program files, when i try to delete it there is message coming out "Cannot delete AluSchedulerSvc.exe" what would I do with this one?

As of now my PC is running smoothly... No pop-ups of Virtumonde adware infection files, & i hope everything is fine now...

Thank You again Crustyoldbloke!!! You are so kind... :blink:

Edited by twentysomething, 02 May 2007 - 11:52 AM.

#11
Crustyoldbloke

Posted 02 May 2007 - 01:18 PM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello again Bahar

AluSchedulerSvc.exe is part of LIVE UPDATE from Symantec. Look for it in the Add or Remove Programs in the Control Panel. If it is not there, delete the folder as advised before in safe mode.

Congratulations! your new log is clean. :whistling:

Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn OFF System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check *Turn off System Restore*.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

MVPS Hosts file This replaces your current HOSTS file with one that will restrict known ad sites from serving you unsolicited advertisements. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1 which is the IP of your local computer. Please bookmark/add to favourite this site as the file is updated every 14 days, so you need to do this once a month. There is now a facility for you to register your email address with the site to be informed of updates. The link is towards the foot of the page.

SiteAdvisor download this plug-in for your browser and it will alert you of a known bad site for FREE.

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
WINDOWS DEFENDER - With daily updates and scans, this programme offers good security against malware.
AD-AWARE PERSONAL – A fine free malware detector and removal programme
SPYBOT S&D – Excellent free spyware detector and removal programme
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well cause conflicts and slowness.

You may also want to read "How did I get infected in the first place" to learn how to better secure your computer.

Be sure to keep your Windows, antispyware and antivirus updated. :blink:

If you used ComboFix during the fix and have files quarantined at C:\qoobox\, you may delete that folder and its content.

It just remains for me to wish you happy safe surfing; I hope you found my advice helpful.

#12
twentysomething

Posted 03 May 2007 - 08:47 AM

Member

Topic Starter
Member
19 posts

Thank you very much Crustyoldbloke! :help:

My PC is running normally now... I already installed some of the programs you told me & I guess im completely secured from spywares, adware, trojans, etc... Thats a lot of anti-spyware programs, are you sure its okay if i install it all or ill just select some of it... Anyway I really thank you for your great help & patience for answering my PC problem... Before I was in deep problem on how will I get rid of that adware infections, and my last chance is to re-format my PC, until I found this site... Now I can work well with my PC again... :blink:

Well till next time again friend... More power to you & this site! :whistling:

#13
Crustyoldbloke

Posted 03 May 2007 - 08:58 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Hello Bahar

The rule is only one antivirus, and you have the best already with NOD32 and only one antispyware to run in real-time. You can have as many as you like for "on-demand" scanning but more than one running with real-time protection will cause problems. You have Windows Defender fulfilling that role now, so unless you change it, then any others must only be used for on-demand scanning.

Spyware Blaster doesn't work in the same way as the others, so you can have that along with Windows Defender.

I think MVPS hosts file, is one of the best security measures for FREE, and it doesn't cause any conflicts - it's a must have.

You are welcome to the help.

I will leave this thread open for a few days in case of misfortune.

#14
Crustyoldbloke

Posted 13 May 2007 - 08:01 AM

Old Malware Surgeon with a shaky scalpel

Retired Staff
15,131 posts

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.