How To Get Rid of the BHO.AKY Trojan Horse



#1
Koukla1962

    Member

  • Member
  • 23 posts
Hello,

I would appreciate it very much if you guys could help me with a malware problem. I was randomly running a virus scan with AVG Free and found that there were many viruses on my computer, so the program automatically got rid of them. To double-check that I had got rid of all my viruses, I did another scan, and a virus that was supposed to have been deleted in the last scan came back. The name of this virus/trojan is "BHO.AKY". I have done many scans to get rid of this item but it just doesn't seem to be going away. What it's doing is letting my internet browser come up with millions of pop-ups, particularly the option to download WinAntiSpyware. I think the program is also bringing tracking cookies onto the computer. I have run CCleaner to get rid of them but it doesn't seem to recognise them; AVG seems to, and gets rid of them automatically.

Help on removing the BHO.AKY trojan would be great. I have pasted my HijackThis log below to help.

I have also got Ad-Aware installed and have the latest SUPERAntiSpyware setup (27/09/07) saved onto my hard drive, just to help you. :)


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:56:29, on 27/09/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\iPod\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
D:\DOWNLOADED PROGRAMS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\DOWNLOADED PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MediaFace Integration] D:\Program Files\MediaFace\SetHook.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iPod\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ldrwhkum.dll",sitypnow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tiohnvpy.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7857 bytes

If anyone has any idea how to get rid of this virus, it would be very much appreciated as this trojan is annoying me SO SO SO much. :)

THANKS!!!!!!!!!!!!! :) :) ;)

UPDATE (29/09/07): I also seem to have found the "trojan agent aoy" (C:\WINDOWS\system32\tiohnvpy.exe). I think this has something to do with the WIN-ANTIVIRUS. It is not yet installed but the pop-ups keep irritating me.

Edited by Koukla1962, 29 September 2007 - 03:29 AM.

  • 0
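A triage pass over a HijackThis log like the one above, as an added example (it is not the forum's, HijackThis's or ComboFix's own code). It flags the three entry types that helpers usually home in on in this kind of log: O1 hosts-file entries that point a real hostname at a non-local IP, O4 Run keys that launch a randomly named system32 DLL through rundll32, and O23 services whose binary is missing. The sample lines are copied from the posted log, with two benign entries added for contrast; the Finding type, the regexes and the eight-lowercase-letter naming heuristic are my own assumptions, not a HijackThis feature.

```python
"""Triage a HijackThis log for entries that typically mark a browser hijack.

Added example for this thread; it is not HijackThis, ComboFix or Geeks to Go
code. The sample lines are taken from the log posted above (plus two benign
entries for contrast); the heuristics and the Finding type are my own.
"""
import re
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Finding:
    section: str  # HijackThis section code, e.g. O1, O4, O23
    reason: str   # why the entry deserves a closer look
    line: str     # the raw log line


# Constructed sample: four lines copied from the posted log plus a clean
# ctfmon Run entry and a clean iPod service so benign lines are exercised too.
SAMPLE_LOG = r"""
O1 - Hosts: 66.98.148.65 auto.search.msn.com
O1 - Hosts: 66.98.148.65 auto.search.msn.es
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\ldrwhkum.dll",sitypnow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\tiohnvpy.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
HOSTS_RE = re.compile(r"^Hosts:\s+(?P<ip>\S+)\s+(?P<host>\S+)")
# rundll32 <dll>,<export>: capture the DLL path, quoted or not.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
# Eight meaningless lowercase letters is the naming pattern of the dropped
# files in this thread (ldrwhkum.dll, tiohnvpy.exe, sacgurwn.dll). Assumption.
RANDOM_STEM_RE = re.compile(r"^[a-z]{8}$")
LOCAL_IPS = {"127.0.0.1", "0.0.0.0", "::1"}


def check_hosts(body: str) -> Optional[str]:
    """O1: a hosts entry pointing a real hostname at a remote IP is a redirect."""
    m = HOSTS_RE.match(body)
    if m and m.group("ip") not in LOCAL_IPS:
        return f"hosts file redirects {m.group('host')} to {m.group('ip')}"
    return None


def check_run(body: str) -> Optional[str]:
    """O4: a Run key that loads a randomly named system32 DLL through rundll32."""
    m = RUNDLL_RE.search(body)
    if not m:
        return None
    dll = m.group("dll")
    stem = dll.replace("/", "\\").rsplit("\\", 1)[-1].rsplit(".", 1)[0]
    if "system32" in dll.lower() and RANDOM_STEM_RE.match(stem):
        return f"Run key loads randomly named DLL {stem}.dll via rundll32"
    return None


def check_service(body: str) -> Optional[str]:
    """O23: a service whose binary is gone is a stale loader registration."""
    if "(file missing)" in body:
        owner = "unknown owner, " if "Unknown owner" in body else ""
        return f"service binary missing ({owner}stale registration to remove)"
    return None


CHECKS = {"O1": check_hosts, "O4": check_run, "O23": check_service}


def triage(log_text: str) -> List[Finding]:
    """Return the suspicious entries of a HijackThis log, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue
        check = CHECKS.get(m.group("section"))
        reason = check(m.group("body")) if check else None
        if reason:
            findings.append(Finding(m.group("section"), reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}\n    {f.line}")
```

Run it directly to print the findings; a clean log yields an empty list. The name heuristic is deliberately narrow so that legitimate rundll32 entries, which are common on XP, are not flagged merely for using rundll32; the O23 rule only fires on a missing binary, because "Unknown owner" on its own also appears on legitimate services in the log above.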



#2
racenutalways

    Member 1K

  • Retired Staff
  • 1,675 posts
Hello Koukla1962 and welcome to G2G.

Go to Start | Run and type this in the box: services.msc
  • Locate the service 'DomainService', then right-click it and select Properties.
  • Under Service Status, select Stop.
  • In the drop-down box labelled Startup Type, select Disabled.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0

#3
Koukla1962

    Member

  • Topic Starter
  • Member
  • 23 posts
Thank you for your reply.
Here is my Combofix log.

ComboFix 07-10-02.2 - caroline 2007-10-02 19:38:26.1 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.145 [GMT 1:00]
Running from: D:\DOWNLOADED PROGRAMS\Combofix\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\caroline\Application Data\macromedia\Flash Player\#SharedObjects\7DZNV3F4\iforex.com
C:\Documents and Settings\caroline\Application Data\macromedia\Flash Player\#SharedObjects\7DZNV3F4\iforex.com\Emerp\Events\flash_object.swf\user_data.sol
C:\Documents and Settings\caroline\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com
C:\Documents and Settings\caroline\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#iforex.com\settings.sol
C:\Documents and Settings\caroline\Desktop\internet.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\beulhkoy.exe
C:\WINDOWS\system32\dghkj.bak1
C:\WINDOWS\system32\dghkj.bak2
C:\WINDOWS\system32\dghkj.ini
C:\WINDOWS\system32\dngrqbkp.ini
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\gbxaoecw.exe
C:\WINDOWS\system32\jkhgd.dll
C:\WINDOWS\system32\kacmlnrc.exe
C:\WINDOWS\system32\ldrwhkum.dll
C:\WINDOWS\system32\mukhwrdl.ini
C:\WINDOWS\system32\Packet.dll
C:\WINDOWS\system32\pkbqrgnd.dll
C:\WINDOWS\system32\pskvnheu.exe
C:\WINDOWS\system32\WanPacket.dll
C:\WINDOWS\system32\wpcap.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NPF
-------\DomainService
-------\NPF


((((((((((((((((((((((((( Files Created from 2007-09-02 to 2007-10-02 )))))))))))))))))))))))))))))))
.

2007-10-02 19:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-01 20:41 87,104 --a------ C:\WINDOWS\system32\sacgurwn.dll
2007-09-29 19:19 <DIR> d--hs---- C:\FOUND.004
2007-09-29 10:47 <DIR> d-------- C:\Program Files\iPod
2007-09-28 00:47 <DIR> d-------- C:\Documents and Settings\caroline\Application Data\dvdcss
2007-09-27 21:56 <DIR> d-------- C:\Program Files\vso
2007-09-27 21:02 <DIR> d--hs---- C:\FOUND.003
2007-09-24 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-23 10:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-22 11:57 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-21 09:08 34,816 --a------ C:\WINDOWS\system32\efccyxw.dll
2007-09-18 23:16 <DIR> d-------- C:\Program Files\Common Files\digidesign
2007-09-18 23:13 61,440 --a------ C:\WINDOWS\system32\NI_DFD_1_5.dll
2007-09-18 23:13 393,216 --a------ C:\WINDOWS\system32\NI_IRC_1_2.dll
2007-09-18 23:13 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-09-18 23:13 2,045,952 --a------ C:\WINDOWS\system32\kconvert.dll
2007-09-18 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Transparent
2007-09-17 22:56 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-09-17 19:48 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-09-17 19:48 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-09-17 19:48 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-09-17 19:48 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-09-15 10:52 <DIR> d-------- C:\Program Files\Sibelius Software
2007-09-14 21:16 <DIR> d--hs---- C:\FOUND.002
2007-09-13 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2007-09-11 16:58 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-09 11:59 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-05 08:30 536 --a------ C:\WINDOWS\eReg.dat
2007-09-03 19:30 8,576 --a------ C:\WINDOWS\system32\drivers\hidgame.sys
2007-09-03 19:30 8,576 --a------ C:\WINDOWS\system32\dllcache\hidgame.sys
2007-09-03 19:28 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-09-03 19:28 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 21:56 87608 --a------ C:\Documents and Settings\caroline\Application Data\ezpinst.exe
2007-09-27 21:56 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-27 21:56 47360 --a------ C:\Documents and Settings\caroline\Application Data\pcouffin.sys
2007-09-05 18:02 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-30 16:56 --------- d-------- C:\Program Files\Microsoft Games
2007-08-29 21:46 --------- d-------- C:\Documents and Settings\caroline\Application Data\Vso
2007-08-29 17:58 --------- d-------- C:\Program Files\MOVAVI
2007-08-29 14:48 --------- d-------- C:\Documents and Settings\caroline\Application Data\CyberLink
2007-08-29 12:48 --------- d-------- C:\Documents and Settings\caroline\Application Data\Nero
2007-08-27 22:07 3192 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-27 19:20 --------- d-------- C:\Program Files\DivX
2007-08-27 17:57 --------- d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-08-26 20:44 --------- d-------- C:\Documents and Settings\caroline\Application Data\Bitstream
2007-08-25 21:14 --------- d-------- C:\Program Files\Corel
2007-08-25 21:14 --------- d-------- C:\Program Files\Common Files\Corel
2007-08-25 21:14 --------- d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-08-25 20:02 --------- d-------- C:\Documents and Settings\caroline\Application Data\Corel
2007-08-25 19:53 --------- d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-25 19:49 --------- d-------- C:\Program Files\Common Files\Protexis
2007-08-23 18:13 203776 --a------ C:\WINDOWS\system32\clrviddc.dll
2007-08-22 16:07 --------- d-------- C:\Program Files\Google
2007-08-20 20:23 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-20 19:55 --------- d-------- C:\Program Files\MSBuild
2007-08-20 19:43 --------- d-------- C:\Program Files\Reference Assemblies
2007-08-17 15:56 --------- d-------- C:\Documents and Settings\caroline\Application Data\uTorrent
2007-08-16 10:12 --------- d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-08-16 09:20 --------- d-------- C:\Program Files\Bonjour
2007-08-16 08:58 --------- d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-15 17:10 --------- d-------- C:\Program Files\uTorrent
2007-08-12 18:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2007-08-12 18:15 --------- d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-08-12 12:25 --------- d-------- C:\Program Files\ScanSoft
2007-08-10 20:56 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-08-09 17:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-08-09 17:13 --------- d-------- C:\Program Files\Nero
2007-08-09 17:13 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-09 17:13 --------- d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-09 13:22 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-09 13:22 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-08-07 20:48 25160 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-08-07 17:10 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-07 16:44 --------- d-------- C:\Program Files\Common Files\HP
2007-08-07 16:42 43488 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-08-07 16:12 --------- d-------- C:\Program Files\HP
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-05 20:15 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 18:44 --------- d-------- C:\Program Files\CustoMess
2007-08-03 23:05 --------- d-------- C:\Documents and Settings\caroline\Application Data\AdobeUM
2007-08-03 22:03 --------- d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-08-03 17:46 --------- d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-08-03 17:44 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-08-03 17:30 --------- d-------- C:\Program Files\Real
2007-08-03 17:30 --------- d-------- C:\Program Files\Common Files\Real
2007-08-03 17:30 --------- d-------- C:\Documents and Settings\caroline\Application Data\Real
2007-08-03 17:13 --------- d-------- C:\Documents and Settings\caroline\Application Data\Google
2007-08-03 16:59 --------- d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-08-03 16:58 --------- d-------- C:\Documents and Settings\caroline\Application Data\Azureus
2007-08-03 16:56 --------- d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-08-03 15:35 --------- d-------- C:\Program Files\Windows Live
2007-08-03 15:28 --------- d-------- C:\Program Files\MSN Messenger
2007-08-03 15:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-08-03 15:13 --------- d-------- C:\Documents and Settings\caroline\Application Data\vlc
2007-08-03 14:46 --------- d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-08-03 14:07 --------- d-------- C:\Program Files\Common Files\snpstd3
2007-08-03 02:37 604 --ah----- C:\Program Files\STLL Notifier
2007-08-03 02:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\Sibelius Software
2007-08-03 02:36 --------- d-------- C:\Documents and Settings\caroline\Application Data\Sibelius Software
2007-08-03 02:15 --------- d-------- C:\Documents and Settings\caroline\Application Data\WinRAR
2007-08-03 01:00 --------- d-------- C:\Documents and Settings\caroline\Application Data\Apple Computer
2007-08-03 00:59 --------- d-------- C:\Program Files\QuickTime
2007-08-03 00:54 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-08-03 00:33 17801 --a------ C:\WINDOWS\system32\drivers\AegisP.sys
2007-08-03 00:32 --------- d-------- C:\Program Files\BT Voyager
2007-08-01 22:26 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-01 22:26 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 03:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 03:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07]
"QuickTime Task"="D:\DOWNLOADED PROGRAMS\QuickTime\QTTask.exe" [2007-06-29 06:24]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-11 16:56]
"MediaFace Integration"="D:\Program Files\MediaFace\SetHook.exe" [2005-10-27 04:43]
"!AVG Anti-Spyware"="D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"iTunesHelper"="D:\Program Files\iPod\iTunesHelper.exe" [2007-09-26 14:42]
"SearchIndexer"="C:\WINDOWS\system32\sacgurwn.dll" [2007-10-01 20:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2007-09-12 19:47]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
BlueSoleil.lnk - D:\Program Files\BlueSoleil\BlueSoleil.exe [2007-08-03 14:43:35]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
BlueSoleil.lnk - D:\Program Files\BlueSoleil\BlueSoleil.exe [2007-08-03 14:43:35]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F8C5BB1-8D81-497D-8E4C-4F81490B8FB8}"= C:\WINDOWS\system32\efccyxw.dll [2007-09-21 09:08 34816]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccyxw]
efccyxw.dll 2007-09-21 09:08 34816 C:\WINDOWS\system32\efccyxw.dll

R3 SiS300i;SiS300i;C:\WINDOWS\system32\DRIVERS\sis300ip.sys
R3 SiS7018;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\ac97sis.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11C47931-AA13-9746-0500-080600080400}]
C:\Exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{83C93812-AC6F-32F0-F3FC-BE2113E1A6F1}]
C:\WINDOWS\system32\PELoader.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 12:54:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-02 19:48:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-02 19:51:53 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-10-02 19:51
.
--- E O F ---


Here is my HijackThis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:56:45, on 02/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\iPod\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
D:\Program Files\BlueSoleil\BlueSoleil.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\rundll32.exe
D:\DOWNLOADED PROGRAMS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\DOWNLOADED PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MediaFace Integration] D:\Program Files\MediaFace\SetHook.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iPod\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\sacgurwn.dll",sitypnow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7931 bytes

#4
Koukla1962
  • Topic Starter
  • Member
  • 23 posts
I have done a scan and found several viruses. :) (3/10/07)-UK (10/3/07)-USA

File : lkjh[1] (backup copy) Result/Infection : Trojan horse Downloader.Generic4.ZQI Path : C:\Documents and Settings\caroline\Local Settings\Temporary Internet Files\Content.IE5\WTSREX2Z\lkjh[1]

File : A0017931.dll (backup copy) Result/Infection : Trojan horse BHO.BHX Path : C:\System Volume Information\_restore{5A440762-F5D1-4B1E-9FD5-32BDC6BCB7FA}\RP99\A0017931.dll

File : A0017984.DLL (backup copy) Result/Infection : Trojan horse BHO.BIM Path : C:\System Volume Information\_restore{5A440762-F5D1-4B1E-9FD5-32BDC6BCB7FA}\RP99\A0017984.DLL

File : A0019105.DLL (backup copy) Result/Infection : Trojan horse Generic8.EBO Path : C:\System Volume Information\_restore{5A440762-F5D1-4B1E-9FD5-32BDC6BCB7FA}\RP99\A0019105.DLL

File : A0021394.dll (backup copy) Result/Infection : Trojan horse BHO.BIO Path : C:\System Volume Information\_restore{5A440762-F5D1-4B1E-9FD5-32BDC6BCB7FA}\RP103\A0021394.dll


I have noticed that many of the infections begin with "BHO", which is the same as before.

Thanks for any help!!!

#5
Koukla1962
  • Topic Starter
  • Member
  • 23 posts
I have just gone on to a well-used site (BBC) and the pop-ups came back. Not for WIN ANTIVIRUS but Error Protector.

Just to let you know. :)

#6
racenutalways
  • Retired Staff
  • Member 1K
  • 1,675 posts
You've been hit with Vundo, among others; let's start with that.

Please download VundoFix.exe to your desktop
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

Let's clean up some unwanted files;

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All
  • Click the Empty Selected button.
If you also use the Firefox browser:
  • Click Firefox at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use the Opera browser:
  • Click Opera at the top and choose: Select All
  • Click the Empty Selected button.
  • NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

SUPERAntiSpyware Home Edition (free version) - Download - Home Page

1. Install it and double-click the icon on your desktop to run it.
2. It will ask if you want to update the program definitions, click Yes.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following are checked:
     • Close browsers before scanning
     • Scan for tracking cookies
     • Terminate memory threats before quarantining.
   Please leave the others unchecked.
   Click the Close button to leave the control center screen.

6. On the main screen, under Scan for Harmful Software click Scan your computer.
7. On the left check C:\Fixed Drive.
8. On the right, under Complete Scan, choose Perform Complete Scan.
9. Click Next to start the scan. Please be patient while it scans your computer.
10. After the scan is complete a summary box will appear. Click OK.
11. Make sure everything in the white box has a check next to it, then click Next.
12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
13. To retrieve the removal information for me please do the following:
     • After reboot, double-click the SUPERAntispyware icon on your desktop.
     • Click Preferences. Click the Statistics/Logs tab.
     • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
     • It will open in your default text editor (such as Notepad/Wordpad).
     • Please highlight everything in the notepad, then right-click and choose copy.

14. Click close and close again to exit the program.
15. Save the log information. If needed (still infected) paste this info along with your HijackThis log.

Please download Deckard's System Scanner (DSS) and save it to your Desktop.
  • Close all other windows before proceeding.
  • Double-click on dss.exe and follow the prompts.
  • When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

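Added example, not part of this thread and not code from VundoFix, HijackThis, SUPERAntiSpyware or DSS: the Vundo indicators behind the advice above can be pulled out of a HijackThis log and a DSS file listing mechanically rather than by eye. The script flags unnamed O2 BHOs (live if the DLL is still on disk, residue if not), O20 Winlogon Notify DLLs that are not on an allowlist (these load into winlogon.exe as SYSTEM before any user-mode scanner starts), O23 services whose binary is gone, and hidden+system *.bakN files whose name is a DLL name spelt backwards, the reversed-name pattern this thread's logs show for geeff.dll / ffeeg.bak1 and for jvkgqdtr.dll / rtdqgkvj.ini. The sample lines are constructed from entries posted in this thread; the KNOWN_NOTIFY allowlist of XP SP2 Winlogon Notify packages is an assumption made for the example, not something HijackThis ships.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input, not a full log: a few lines of the kind posted in
# this thread. The pseudo-random names (geeff, iifdc, efccyxw, rurqqgqd) are
# the ones from the posted logs; the benign lines show what is NOT flagged.
HJT_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {410AA48D-E4FD-44D5-90AC-D488D9388BAE} - C:\WINDOWS\system32\geeff.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B3CD0EEE-174F-4B45-B57C-FA8C38BED449} - C:\WINDOWS\system32\iifdc.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efccyxw - C:\WINDOWS\SYSTEM32\efccyxw.dll
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rurqqgqd.exe (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Constructed from the DSS "Files created" section posted in this thread.
DSS_FILES = r"""
2007-10-03 17:48:17 6513 ---hs---- C:\WINDOWS\system32\ffeeg.bak1
2007-10-03 17:47:49 320608 --a------ C:\WINDOWS\system32\geeff.dll
2007-10-03 10:16:33 813186 ---hs---- C:\WINDOWS\system32\cdfii.bak2
2007-10-02 19:54:24 6513 ---hs---- C:\WINDOWS\system32\cdfii.bak1
2007-09-21 09:08:07 34816 --a------ C:\WINDOWS\system32\efccyxw.dll
2007-09-17 19:48:02 2255360 --a------ C:\WINDOWS\system32\libavcodec.dll
"""

# Winlogon Notify packages that ship with Windows XP SP2. An assumed allowlist
# for this example (HijackThis has no such list); extend it for your builds.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon"}

# DSS file line: date time size attributes path
DSS_LINE = re.compile(r"^\S+ \S+ (\d+) (\S{9}) (.+)$")


def _stem(path):
    """'C:\\WINDOWS\\SYSTEM32\\efccyxw.dll' -> 'efccyxw' (case folded)."""
    return PureWindowsPath(path.strip()).name.rsplit(".", 1)[0].lower()


def triage_hjt(log):
    """Return (severity, reason, line) for O2/O20/O23 entries worth a look."""
    findings = []
    for line in log.splitlines():
        section, _, rest = line.partition(" - ")
        parts = rest.split(" - ")
        target = parts[-1]
        if section == "O2" and parts[0] == "BHO: (no name)":
            # A BHO that registers no name is the classic Vundo shape; if the
            # DLL is still on disk it is live, otherwise the CLSID is residue.
            if "(no file)" in target or "(file missing)" in target:
                findings.append(("review", "unnamed BHO, orphaned CLSID", line))
            else:
                findings.append(("high", "unnamed BHO with a live DLL", line))
        elif section == "O20" and _stem(target) not in KNOWN_NOTIFY:
            # Winlogon Notify DLLs load into winlogon.exe as SYSTEM before any
            # user-mode scanner starts, which is why Vundo uses the slot.
            if "\\windows\\" in target.lower():
                findings.append(("high", "unknown Winlogon Notify DLL in the Windows directory", line))
            else:
                findings.append(("review", "third-party Winlogon Notify DLL; verify the product", line))
        elif section == "O23" and "(file missing)" in target:
            findings.append(("high", "service whose binary is gone (orphaned autostart)", line))
    return findings


def vundo_bak_pairs(listing):
    """Pair hidden+system *.bakN files with the DLL whose name they spell backwards.

    ffeeg.bak1 beside geeff.dll, and cdfii.bak1/.bak2 beside the already
    removed iifdc.dll, is the same reversed-name pattern as the
    jvkgqdtr.dll / rtdqgkvj.ini pair VundoFix reported. Returns
    {bak_name: (expected_dll_name, dll_still_present)}.
    """
    dlls, baks = set(), []
    for line in listing.splitlines():
        m = DSS_LINE.match(line)
        if not m:
            continue
        _size, attrs, path = m.groups()
        name = PureWindowsPath(path).name.lower()
        if name.endswith(".dll"):
            dlls.add(name)
        elif re.search(r"\.bak\d+$", name) and {"h", "s"} <= set(attrs):
            baks.append(name)
    pairs = {}
    for bak in baks:
        expected = bak.split(".", 1)[0][::-1] + ".dll"
        pairs[bak] = (expected, expected in dlls)
    return pairs


if __name__ == "__main__":
    for severity, reason, line in triage_hjt(HJT_LOG):
        print(f"[{severity:6}] {reason}: {line}")
    for bak, (dll, present) in vundo_bak_pairs(DSS_FILES).items():
        state = "DLL still present" if present else "DLL gone, backup left behind"
        print(f"[high  ] {bak} is {dll} reversed ({state})")
```

On the sample the three "high" findings are the live unnamed BHO (geeff.dll), the unknown Winlogon Notify DLL (efccyxw.dll) and the orphaned DomainService; the SUPERAntiSpyware notify DLL is listed for review only, because anything hooking winlogon deserves a glance even when it is a known product. The .bak pairing is what tells you that cdfii.bak1/.bak2 still need deleting even though iifdc.dll itself is already gone. Two caveats: HijackThis only reports what is registered in the keys it reads, so a DLL hidden by a rootkit component would not appear here, and the AVG detections earlier in the thread under System Volume Information\_restore{...} mean the infected DLLs also live in System Restore points, which is why helpers have the user purge restore points once the machine is clean.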

#7
Koukla1962
  • Topic Starter
  • Member
  • 23 posts
VundoFix V6.5.9

Checking Java version...

Scan started at 15:55:53 03/10/2007

Listing files found while scanning....

C:\WINDOWS\system32\gvumvmbc.dll
C:\WINDOWS\system32\jvkgqdtr.dll
C:\WINDOWS\system32\rtdqgkvj.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gvumvmbc.dll
C:\WINDOWS\system32\gvumvmbc.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\jvkgqdtr.dll
C:\WINDOWS\system32\jvkgqdtr.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\rtdqgkvj.ini
C:\WINDOWS\system32\rtdqgkvj.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\gvumvmbc.dll
C:\WINDOWS\system32\gvumvmbc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jvkgqdtr.dll
C:\WINDOWS\system32\jvkgqdtr.dll Has been deleted!

__________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:12:41, on 03/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\Program Files\iPod\iTunesHelper.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
D:\DOWNLOADED PROGRAMS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\DOWNLOADED PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MediaFace Integration] D:\Program Files\MediaFace\SetHook.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iPod\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rurqqgqd.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 7821 bytes

___________________________________________

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 10/03/2007 at 05:39 PM

Application Version : 3.9.1008

Core Rules Database Version : 3318
Trace Rules Database Version: 1319

Scan type : Complete Scan
Total Scan Time : 01:03:56

Memory items scanned : 464
Memory threats detected : 1
Registry items scanned : 7435
Registry threats detected : 0
File items scanned : 29415
File threats detected : 4

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\IIFDC.DLL
C:\WINDOWS\SYSTEM32\IIFDC.DLL

Adware.Tracking Cookie
C:\Documents and Settings\caroline\Cookies\caroline@atdmt[1].txt
C:\Documents and Settings\caroline\Cookies\caroline@doubleclick[1].txt
C:\Documents and Settings\caroline\Cookies\[email protected][1].txt

_______________________________________

main.txt

Deckard's System Scanner v20070905.67
Run by caroline on 2007-10-03 17:51:26
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
31: 2007-10-03 16:51:34 UTC - RP106 - Deckard's System Scanner Restore Point
30: 2007-10-03 15:18:39 UTC - RP105 - Installed SUPERAntiSpyware Free Edition
29: 2007-10-02 18:54:11 UTC - RP104 - Last known good configuration
28: 2007-10-02 18:54:05 UTC - RP103 - ComboFix created restore point
27: 2007-10-02 18:54:05 UTC - RP102 - System Checkpoint


-- First Restore Point --
1: 2007-10-02 18:54:00 UTC - RP76 - Removed Apple Mobile Device Support


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 448 MiB (512 MiB recommended).


-- HijackThis (run as caroline.exe) --------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:54:03, on 03/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\iPod\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\caroline\Desktop\dss.exe
D:\DOWNLO~1\HIJACK~1\caroline.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {410AA48D-E4FD-44D5-90AC-D488D9388BAE} - C:\WINDOWS\system32\geeff.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B3CD0EEE-174F-4B45-B57C-FA8C38BED449} - C:\WINDOWS\system32\iifdc.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\DOWNLOADED PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MediaFace Integration] D:\Program Files\MediaFace\SetHook.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iPod\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efccyxw - C:\WINDOWS\SYSTEM32\efccyxw.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\rurqqgqd.exe (file missing)
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8982 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 BTHidMgr (Bluetooth HID Manager Service) - c:\windows\system32\drivers\bthidmgr.sys <Not Verified; IVT Corporation; BlueSoleil©>
R1 SASDIFSV - d:\downloaded programs\super antispyware\sasdifsv.sys
R1 SASKUTIL - d:\downloaded programs\super antispyware\saskutil.sys
R1 SCDEmu - c:\windows\system32\drivers\scdemu.sys <Not Verified; PowerISO Computing, Inc.; scdemu>
R2 AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - c:\windows\system32\drivers\aegisp.sys <Not Verified; Meetinghouse Data Communications; AEGIS Client 3.2.0.3>
R3 BlueletAudio (Bluetooth Audio Service) - c:\windows\system32\drivers\blueletaudio.sys <Not Verified; IVT Corporation; Windows ® 2000 DDK driver>
R3 BT (Bluetooth PAN Network Adapter) - c:\windows\system32\drivers\btnetdrv.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 BTHidEnum (Bluetooth HID Enumerator) - c:\windows\system32\drivers\vbtenum.sys
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
R3 SASENUM - d:\downloaded programs\super antispyware\sasenum.sys <Not Verified; SuperAdBlocker, Inc.; SuperAntiSpyware>
R3 VComm (Virtual Serial port driver) - c:\windows\system32\drivers\vcomm.sys <Not Verified; IVT Corporation; BlueSoleil>
R3 VcommMgr (Bluetooth VComm Manager Service) - c:\windows\system32\drivers\vcommmgr.sys <Not Verified; IVT Corporation; BlueSoleil>

S3 Btcsrusb (Bluetooth USB For Bluetooth Service) - c:\windows\system32\drivers\btcusb.sys <Not Verified; IVT Corporation; Bluetooth USB Device Driver>
S3 catchme - c:\docume~1\caroline\locals~1\temp\catchme.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 BlueSoleil Hid Service - d:\program files\bluesoleil\btntservice.exe
R2 Bonjour Service (##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762##) - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Computer, Inc.; Bonjour>
R2 ProtexisLicensing - "c:\program files\common files\protexis\license service\psiservice.exe" <Not Verified; ; PSIService>

S2 DomainService - c:\windows\system32\rurqqgqd.exe /service (file missing)
S3 FLEXnet Licensing Service - "c:\program files\common files\macrovision shared\flexnet publisher\fnplicensingservice.exe" <Not Verified; Macrovision Europe Ltd.; FLEXnet Publisher (32 bit)>
S3 NBService - c:\program files\nero\nero 7\nero backitup\nbservice.exe


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2007-10-01 13:54:46 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


-- Files created between 2007-09-03 and 2007-10-03 -----------------------------

2007-10-03 17:48:17 6513 ---hs---- C:\WINDOWS\system32\ffeeg.bak1
2007-10-03 17:47:49 320608 --a------ C:\WINDOWS\system32\geeff.dll
2007-10-03 16:31:35 0 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-03 16:18:50 0 d-------- C:\Documents and Settings\caroline\Application Data\SUPERAntiSpyware.com
2007-10-03 15:55:53 0 d-------- C:\VundoFix Backups
2007-10-03 10:19:53 86080 --a------ C:\WINDOWS\system32\bcthsdlj.dll
2007-10-03 10:16:33 813186 ---hs---- C:\WINDOWS\system32\cdfii.bak2
2007-10-02 20:37:17 0 dr-h----- C:\Documents and Settings\caroline\Recent
2007-10-02 19:54:24 6513 ---hs---- C:\WINDOWS\system32\cdfii.bak1
2007-09-29 19:19:52 0 d--hs---- C:\FOUND.004
2007-09-29 10:47:39 0 d-------- C:\Program Files\iPod
2007-09-28 00:47:25 0 d-------- C:\Documents and Settings\caroline\Application Data\dvdcss
2007-09-27 21:56:25 0 d-------- C:\Program Files\vso
2007-09-27 21:02:52 0 d--hs---- C:\FOUND.003
2007-09-24 13:00:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-23 11:04:17 0 d-------- C:\Documents and Settings\caroline\Application Data\Grisoft
2007-09-22 11:57:28 0 d-------- C:\Program Files\Yahoo!
2007-09-21 09:08:07 34816 --a------ C:\WINDOWS\system32\efccyxw.dll
2007-09-18 23:16:42 0 d-------- C:\Program Files\Common Files\digidesign
2007-09-18 23:13:36 393216 --a------ C:\WINDOWS\system32\NI_IRC_1_2.dll <Not Verified; Native Instruments Software GmbH; Native Instruments Software GmbH IRC (IR Convolution) extension>
2007-09-18 23:13:36 2045952 --a------ C:\WINDOWS\system32\kconvert.dll <Not Verified; Native Instruments Software Synthesis GmbH; Kontakt Convertor>
2007-09-18 23:13:35 233472 --a------ C:\WINDOWS\system32\REX Shared Library.dll <Not Verified; Propellerhead Software AB; REX SDK>
2007-09-18 23:13:35 61440 --a------ C:\WINDOWS\system32\NI_DFD_1_5.dll <Not Verified; Native Instruments Software GmbH; Native Instruments Software GmbH DFD (Direct From Disc) extension>
2007-09-18 17:00:26 0 d-------- C:\Documents and Settings\All Users\Application Data\Transparent
2007-09-17 22:56:06 356352 --a------ C:\WINDOWS\eSellerateEngine.dll <Not Verified; eSellerate Inc.; eSellerateEngine>
2007-09-17 19:48:03 262144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-09-17 19:48:02 395776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-09-17 19:48:02 112640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-09-17 19:48:02 2255360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-09-15 10:52:04 0 d-------- C:\Program Files\Sibelius Software
2007-09-14 21:16:40 0 d--hs---- C:\FOUND.002
2007-09-13 12:58:22 0 d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2007-09-11 16:58:08 0 d-------- C:\Program Files\Common Files\xing shared
2007-09-09 11:59:24 0 d-------- C:\Program Files\Apple Software Update
2007-09-05 08:30:56 536 --a------ C:\WINDOWS\eReg.dat


-- Find3M Report ---------------------------------------------------------------

2007-10-03 17:41:22 12 --a------ C:\WINDOWS\bthservsdp.dat
2007-10-02 22:32:10 2068 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-10-02 21:07:02 1956 --a------ C:\WINDOWS\system32\d3d8caps.dat
2007-09-27 21:56:44 34 --a------ C:\Documents and Settings\caroline\Application Data\pcouffin.log
2007-09-27 21:56:34 47360 --a------ C:\Documents and Settings\caroline\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2007-09-27 21:56:34 1144 --a------ C:\Documents and Settings\caroline\Application Data\pcouffin.inf
2007-09-27 21:56:34 7824 --a------ C:\Documents and Settings\caroline\Application Data\pcouffin.cat
2007-08-30 16:56:26 0 d-------- C:\Program Files\Microsoft Games
2007-08-29 22:31:40 2376 --a------ C:\WINDOWS\wmplayer.reg
2007-08-29 21:46:24 0 d-------- C:\Documents and Settings\caroline\Application Data\Vso
2007-08-29 17:58:10 0 d-------- C:\Program Files\MOVAVI
2007-08-29 14:48:24 0 d-------- C:\Documents and Settings\caroline\Application Data\CyberLink
2007-08-29 12:48:00 0 d-------- C:\Documents and Settings\caroline\Application Data\Nero
2007-08-27 22:07:58 3192 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-27 19:20:16 0 d-------- C:\Program Files\DivX
2007-08-27 18:51:26 4611 --a------ C:\Exec
2007-08-26 20:44:24 0 d-------- C:\Documents and Settings\caroline\Application Data\Bitstream
2007-08-25 21:20:16 88 -r-hs---- C:\WINDOWS\system32\352F49EAFA.sys
2007-08-25 21:14:30 0 d-------- C:\Program Files\Corel
2007-08-25 21:14:30 0 d-------- C:\Program Files\Common Files\Corel
2007-08-25 20:02:22 0 d-------- C:\Documents and Settings\caroline\Application Data\Corel
2007-08-25 19:49:06 0 d-------- C:\Program Files\Common Files\Protexis
2007-08-23 22:52:46 0 d-------- C:\Documents and Settings\caroline\Application Data\Sun
2007-08-23 18:13:08 203776 --a------ C:\WINDOWS\system32\clrviddc.dll <Not Verified; Iterated Systems, Inc.; ClearVideo Decoder DLL>
2007-08-22 16:07:48 0 d-------- C:\Program Files\Google
2007-08-20 19:55:40 0 d-------- C:\Program Files\MSBuild
2007-08-20 19:43:00 0 d-------- C:\Program Files\Reference Assemblies
2007-08-18 00:33:06 10398 --a------ C:\WINDOWS\system32\PELoader
2007-08-17 15:56:04 0 d-------- C:\Documents and Settings\caroline\Application Data\uTorrent
2007-08-16 09:20:30 0 d-------- C:\Program Files\Bonjour
2007-08-16 08:58:40 0 d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-15 17:10:48 0 d-------- C:\Program Files\uTorrent
2007-08-12 12:25:02 0 d-------- C:\Program Files\ScanSoft
2007-08-09 17:13:36 0 d-------- C:\Program Files\Nero
2007-08-09 17:13:36 0 d-------- C:\Program Files\Common Files\Ahead
2007-08-09 13:22:12 0 d-------- C:\Program Files\Common Files\Apple
2007-08-07 17:40:22 28942 -----n--- C:\WINDOWS\hpoins03.dat
2007-08-07 17:10:08 0 d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-07 16:44:14 0 d-------- C:\Program Files\Common Files\HP
2007-08-07 16:12:34 0 d-------- C:\Program Files\HP
2007-08-05 20:15:50 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 18:44:20 0 d-------- C:\Program Files\CustoMess
2007-08-03 23:05:42 0 d-------- C:\Documents and Settings\caroline\Application Data\AdobeUM
2007-08-03 17:44:08 0 d-------- C:\Program Files\Windows Media Connect 2
2007-08-03 17:30:50 0 d-------- C:\Program Files\Real
2007-08-03 17:30:40 0 d-------- C:\Program Files\Common Files\Real
2007-08-03 17:30:30 0 d-------- C:\Documents and Settings\caroline\Application Data\Real
2007-08-03 17:13:32 0 d-------- C:\Documents and Settings\caroline\Application Data\Google
2007-08-03 16:58:58 0 d-------- C:\Documents and Settings\caroline\Application Data\Azureus
2007-08-03 15:35:56 0 d-------- C:\Program Files\Windows Live
2007-08-03 15:28:54 0 d-------- C:\Program Files\MSN Messenger
2007-08-03 15:13:34 0 d-------- C:\Documents and Settings\caroline\Application Data\vlc
2007-08-03 14:07:28 0 d-------- C:\Program Files\Common Files\snpstd3
2007-08-03 13:33:12 0 d-------- C:\Documents and Settings\caroline\Application Data\Macromedia
2007-08-03 02:37:52 604 --ah----- C:\WINDOWS\T4
2007-08-03 02:37:52 604 --ah----- C:\WINDOWS\system32\T3
2007-08-03 02:37:52 604 --ah----- C:\Program Files\STLL Notifier
2007-08-03 02:36:46 0 d-------- C:\Documents and Settings\caroline\Application Data\Sibelius Software
2007-08-03 02:15:18 0 d-------- C:\Documents and Settings\caroline\Application Data\WinRAR
2007-08-03 01:00:24 0 d-------- C:\Documents and Settings\caroline\Application Data\Apple Computer
2007-08-03 00:59:30 0 d-------- C:\Program Files\QuickTime
2007-08-03 00:32:02 0 d-------- C:\Program Files\BT Voyager
2007-08-02 16:58:00 12290511 -----n--- C:\AVG7QT.DAT
2007-08-01 21:15:10 0 -rahs---- C:\MSDOS.SYS
2007-08-01 21:15:10 0 -rahs---- C:\IO.SYS
2007-08-01 21:15:10 0 --a------ C:\CONFIG.SYS
2007-08-01 21:15:10 0 --a------ C:\AUTOEXEC.BAT
2007-08-01 21:10:18 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat
2007-08-01 20:57:18 62 --ahs---- C:\Documents and Settings\caroline\Application Data\desktop.ini


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{410AA48D-E4FD-44D5-90AC-D488D9388BAE}]
03/10/2007 17:47 320608 --a------ C:\WINDOWS\system32\geeff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3CD0EEE-174F-4B45-B57C-FA8C38BED449}]
C:\WINDOWS\system32\iifdc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/03/2007 15:57]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [19/09/2006 09:07]
"QuickTime Task"="D:\DOWNLOADED PROGRAMS\QuickTime\QTTask.exe" [29/06/2007 06:24]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [16/02/2005 16:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [16/02/2005 16:15]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [11/09/2007 16:56]
"MediaFace Integration"="D:\Program Files\MediaFace\SetHook.exe" [27/10/2005 04:43]
"!AVG Anti-Spyware"="D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" [11/06/2007 10:25]
"iTunesHelper"="D:\Program Files\iPod\iTunesHelper.exe" [26/09/2007 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04/08/2004 04:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [16/05/2007 09:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [13/10/2004 17:24]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [12/09/2007 19:47]
"SUPERAntiSpyware"="D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe" [21/06/2007 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [15/05/2003 01:19:50]
BlueSoleil.lnk - D:\Program Files\BlueSoleil\BlueSoleil.exe [03/08/2007 14:43:35]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe [07/07/2003 01:20:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F8C5BB1-8D81-497D-8E4C-4F81490B8FB8}"= C:\WINDOWS\system32\efccyxw.dll [21/09/2007 09:08 34816]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll 19/04/2007 13:41 294912 D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccyxw]
efccyxw.dll 21/09/2007 09:08 34816 C:\WINDOWS\system32\efccyxw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\iifdc

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
bthsvcs BthServ


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11C47931-AA13-9746-0500-080600080400}]
C:\Exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{83C93812-AC6F-32F0-F3FC-BE2113E1A6F1}]
C:\WINDOWS\system32\PELoader.exe



-- End of Deckard's System Scanner: finished at 2007-10-03 17:56:06 ------------

_____________________________________

extra.txt

Deckard's System Scanner v20070905.67
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: AMD Duron™ Processor
Percentage of Memory in Use: 64%
Physical Memory (total/avail): 447.48 MiB / 159.32 MiB
Pagefile Memory (total/avail): 1058.14 MiB / 694.27 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1961.21 MiB

A: is Removable (No Media)
C: is Fixed (FAT32) - 18.63 GiB total, 7.94 GiB free.
D: is Fixed (FAT32) - 76.31 GiB total, 6.86 GiB free.
E: is Fixed (FAT32) - 18.62 GiB total, 15.95 GiB free.
F: is CDROM (Unformatted)
G: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - Maxtor 6E040L0 - 37.27 GiB - 2 partitions
\PARTITION0 (bootable) - Unknown - 18.64 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 18.63 GiB - E:

\\.\PHYSICALDRIVE1 - Maxtor 6Y080L0 - 76.33 GiB - 1 partition
\PARTITION0 (bootable) - Unknown - 76.33 GiB - D:



-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is enabled.

FirstRunDisabled is set.

AV: AVG 7.5.488 v7.5.488 (GRISOFT)

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"D:\\DOWNLOADED PROGRAMS\\LimeWire\\LimeWire.exe"="D:\\DOWNLOADED PROGRAMS\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"D:\\Program Files\\iPod\\iTunes.exe"="D:\\Program Files\\iPod\\iTunes.exe:*:Enabled:iTunes"
"C:\\WINDOWS\\system32\\rurqqgqd.exe"="C:\\WINDOWS\\system32\\rur"


-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\caroline\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=E3854FD522
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\caroline
LOGONSERVER=\\E3854FD522
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\system32\wbem;D:\DOWNLOADED PROGRAMS\QuickTime\QTSystem"
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 7 Stepping 1, AuthenticAMD
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0701
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_02\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\caroline\LOCALS~1\Temp
TMP=C:\DOCUME~1\caroline\LOCALS~1\Temp
USERDOMAIN=E3854FD522
USERNAME=caroline
USERPROFILE=C:\Documents and Settings\caroline
windir=C:\WINDOWS


-- User Profiles ---------------------------------------------------------------

caroline (admin)


-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroBackItUp.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNNeroVision.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
µTorrent --> "C:\Program Files\uTorrent\uTorrent.exe" /UNINSTALL
Ad-Aware 2007 --> MsiExec.exe /X{DED53B0B-B67C-4244-AE6A-D6FD3C28D1EF}
Adobe Acrobat 6.0 Professional --> MsiExec.exe /I{AC76BA86-1033-0000-7760-000000000001}
Adobe Anchor Service CS3 --> MsiExec.exe /I{90176341-0A8B-4CCC-A78D-F862228A6B95}
Adobe Asset Services CS3 --> MsiExec.exe /I{6FF5DD7A-FE28-4439-B8CF-1E9AF4EA0A61}
Adobe Bridge CS3 --> MsiExec.exe /I{9C9824D9-9000-4373-A6A5-D0E5D4831394}
Adobe Bridge Start Meeting --> MsiExec.exe /I{08B32819-6EEF-4057-AEDA-5AB681A36A23}
Adobe Camera Raw 4.0 --> MsiExec.exe /I{B3BF6689-A81D-40D8-9A86-4AC4ACD9FC1C}
Adobe CMaps --> MsiExec.exe /I{A2B242BD-FF8D-4840-9DAA-9170EABEC59C}
Adobe Color - Photoshop Specific --> MsiExec.exe /I{A2D81E70-2A98-4A08-A628-94388B063C5E}
Adobe Color Common Settings --> MsiExec.exe /I{DADD7B8A-BCB0-44F5-967A-ECB6B4F2ECD9}
Adobe Color EU Extra Settings --> MsiExec.exe /I{51846830-E7B2-4218-8968-B77F0FF475B8}
Adobe Color JA Extra Settings --> MsiExec.exe /I{DD7DB3C5-6FA3-4FA3-8A71-C2F2940EB029}
Adobe Color NA Recommended Settings --> MsiExec.exe /I{95655ED4-7CA5-46DF-907F-7144877A32E5}
Adobe Default Language CS3 --> MsiExec.exe /I{B9B35331-B7E4-4E5C-BF4C-7BC87856124D}
Adobe Device Central CS3 --> MsiExec.exe /I{8D2BA474-F406-4710-9AE4-D4F22D21F0DD}
Adobe ExtendScript Toolkit 2 --> MsiExec.exe /I{C2D69781-F392-4118-A5A7-C7E9C38DBFC2}
Adobe Flash Player 9 ActiveX --> C:\WINDOWS\system32\Macromed\Flash\FlashUtil9c.exe -uninstallUnlock
Adobe Fonts All --> MsiExec.exe /I{6ABE0BEE-D572-4FE8-B434-9E72A289431B}
Adobe Help Viewer CS3 --> MsiExec.exe /I{04AF207D-9A77-465A-8B76-991F6AB66245}
Adobe Linguistics CS3 --> MsiExec.exe /I{54793AA1-5001-42F4-ABB6-C364617C6078}
Adobe PDF Library Files --> MsiExec.exe /I{D2559B88-CC9D-4B48-81BB-F492BAA9C48C}
Adobe Photoshop CS3 --> C:\Program Files\Common Files\Adobe\Installers\719d6f144d0c086a0dfa7ff76bb9ac1\Setup.exe
Adobe Photoshop CS3 --> MsiExec.exe /I{3D7E3EC9-46CF-4359-9289-39CE01DFB82F}
Adobe Setup --> MsiExec.exe /I{FF11004C-F42A-4A31-9BCF-7F5C8FDBE53C}
Adobe Stock Photos CS3 --> MsiExec.exe /I{29E5EA97-5F74-4A57-B8B2-D4F169117183}
Adobe SVG Viewer 3.0 --> C:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Winstall.exe -u -fC:\Program Files\Common Files\Adobe\SVG Viewer 3.0\Uninstall\Install.log
Adobe Type Support --> MsiExec.exe /I{8E6808E2-613D-4FCD-81A2-6C8FA8E03312}
Adobe Update Manager CS3 --> MsiExec.exe /I{E69AE897-9E0B-485C-8552-7841F48D42D8}
Adobe Version Cue CS3 Client --> MsiExec.exe /I{D0DFF92A-492E-4C40-B862-A74A173C25C5}
Adobe WinSoft Linguistics Plugin --> MsiExec.exe /I{184CE391-7E0E-4C63-9935-D7A10EDFD3C6}
Adobe XMP Panels CS3 --> MsiExec.exe /I{802771A9-A856-4A41-ACF7-1450E523C923}
Age of Mythology --> "E:\AOM\UNINSTAL.EXE" /runtemp /addremove
Age of Mythology - The Titans Expansion --> "E:\AOM\UNINSTXP.EXE" /runtemp /addremove
Apple Mobile Device Support --> MsiExec.exe /I{3EBD3749-304E-4A4C-9575-C00E5F015217}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
AVG Anti-Spyware 7.5 --> D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\Uninstall.exe
AVG Free Edition --> C:\Program Files\Grisoft\AVG Free\setup.exe /UNINSTALL
Azureus Vuze --> D:\DOWNLOADED PROGRAMS\Azureus\Azureus\uninstall.exe
Before You Know It 3.6 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{C647DDC9-B9EB-4DFF-9009-614C8ED62CD0}\Setup.exe" -l0x9
BlueSoleil --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B9F499B8-D1F0-42FC-84BE-CC552123CCCB}\Setup.exe" -l0x9
BT Voyager Wireless Utility --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{0FD0FF9D-C87C-47C4-AEC5-98C760E783E7}\setup.exe" -l0x9
CCleaner (remove only) --> "D:\DOWNLOADED PROGRAMS\CCleaner\uninst.exe"
CloneDVD2 --> "D:\DOWNLOADED PROGRAMS\Clone DVD\SlySoft.CloneDVD.v2.9.1.2.Incl.KeyMaker-DVT\CloneDVD2\CloneDVD2-uninst.exe" /D="D:\DOWNLOADED PROGRAMS\Clone DVD\SlySoft.CloneDVD.v2.9.1.2.Incl.KeyMaker-DVT\CloneDVD2"
ConvertXtoDVD 2.1.8.191 --> "D:\DOWNLOADED PROGRAMS\Convert X To DVD\ConvertXtoDVD\unins000.exe"
CorelDRAW Graphics Suite X3 --> C:\Program Files\Corel\CorelDRAW Graphics Suite 13\Programs\MSILauncher {63218538-4A69-497F-8455-904261B0E9E4} C:\DOCUME~1\caroline\LOCALS~1\Temp\CGSX3.log
CorelDRAW Graphics Suite X3 --> MsiExec.exe /I{63218538-4A69-497F-8455-904261B0E9E4}
Cucusoft MPEG/MOV/RM/DivX/AVI to DVD/VCD/SVCD Creator Pro 7.07 --> "D:\DOWNLOADED PROGRAMS\Cucusoft\unins000.exe"
DivX Content Uploader --> C:\Program Files\DivX\DivXContentUploaderUninstall.exe /CUPLOADER
DivX Web Player --> C:\Program Files\DivX\DivXWebPlayerUninstall.exe /PLUGIN
Dolet for Finale --> MsiExec.exe /X{BC8116C3-3C76-48BD-BFF1-C9359F60F673}
DVD Shrink 3.2 --> "D:\DOWNLOADED PROGRAMS\DVD Shrinker\DVD Shrink\unins000.exe"
Easy WiFi Radar 1.0.5 --> D:\DOWNLO~1\EASYWI~1\EASYWI~1\EASYWI~1\Setup.exe /remove /q0
EN --> MsiExec.exe /I{32A72502-BC2C-4C39-ACEA-BC3D463F0697}
FontNav --> MsiExec.exe /I{4E98F23B-1328-4322-A6EC-2EDC8FC3A4FE}
GNU Ghostscript 7.06 --> d:\downloaded programs\photoscore\gs\uninstgs.exe "d:\downloaded programs\photoscore\gs\gs7.06\uninstal.txt"
GNU Ghostscript Fonts --> d:\downloaded programs\photoscore\gs\uninstgs.exe "d:\downloaded programs\photoscore\gs\fonts\uninstal.txt"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
HijackThis 2.0.2 --> "D:\DOWNLOADED PROGRAMS\HiJack This\HijackThis.exe" /uninstall
HP Photo & Imaging 3.1 --> D:\Program Files\HP Printer\Digital Imaging\uninstall\hpzscr01.exe -datfile hpqscr01.dat
HP PSC & OfficeJet 3.0 --> "D:\Program Files\HP Printer\Digital Imaging\{F38FA38A-7E5A-4209-88ED-4DE21CD20EEF}\setup\hpzscr01.exe" -datfile hposcr03.dat
HP Software Update --> MsiExec.exe /X{CC0A24CB-87C9-4F1C-A1F2-F87D8D4DDCAF}
iPod for Windows 2006-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{2070F79D-46BC-4EEA-8F02-9B4DCABAE7CB} /l1033
iTunes --> MsiExec.exe /I{B045B608-4A47-4C77-9EAD-06C394503306}
Java™ 6 Update 2 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160020}
LimeWire PRO 4.14.10 --> "D:\DOWNLOADED PROGRAMS\LimeWire\uninstall.exe"
Magic DVD Copier V4.4.3 --> "D:\DOWNLOADED PROGRAMS\Magic Copier\MagicDVDCopier\unins000.exe"
Magic ISO Maker v5.4 (build 0239) --> D:\DOWNLO~1\MAGICO~1.3\MAGICISO\UNWISE.EXE D:\DOWNLO~1\MAGICO~1.3\MAGICISO\INSTALL.LOG
MediaFACE 4.0 Business Image Library --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{FED4E1E2-9E19-44FE-8265-E4AAE03EBC80} /l1033
MediaFACE 4.0 General Image Library --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{268D18A2-4539-4530-8192-F13EDD876FFC} /l1033
MediaFACE 4.0 Lifestyle Image Library --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{9AD92782-CAC6-48DF-A060-BFD6FE7689E7} /l1033
MediaFACE 4.0 Music Image Library --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{8739235F-201D-449C-A03F-277A85F0FE1E} /l1033
MediaFACE 4.0 Special Occasion Image Library --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{DA84434F-25B6-4716-A390-AC678FB6516D} /l1033
MediaFACE 4.0 Spiritual Image Library --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\7\INTEL3~1\IDriver.exe /M{1DA6AB38-2876-4AE4-8236-24C2CF66601B} /l1033
MediaFACE 5.0 --> C:\PROGRA~1\COMMON~1\INSTAL~1\Driver\1050\INTEL3~1\IDriver.exe /M{70A3C0E1-1953-4A95-9C66-99FDCDD5E357}
Memories Disc Creator 2.0 --> MsiExec.exe /X{2E132061-C78A-48D4-A899-1D13B9D189FA}
Messenger Plus! Live --> "D:\DOWNLOADED PROGRAMS\MSN Messenger\Messenger Plus! Live\Uninstall.exe"
Microsoft AutoRoute 2007 --> MsiExec.exe /I{C82185E8-C27B-4EF4-2007-3333BC2C2B6D}
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft Plus! for Windows XP --> MsiExec.exe /I{EEC2DAFD-5558-40AC-8E9C-5005C8F810E8}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
MOVAVI VideoSuite 3.4 --> D:\DOWNLOADED PROGRAMS\Movavi.Video.Suite.v3.4\MOVAVI VideoSuite 3.4\uninst.exe
MSXML 6.0 Parser (KB925673) --> MsiExec.exe /I{FE9126DB-5F84-495A-BB46-3C724F1C2D08}
MSXML4 Parser --> MsiExec.exe /I{01501EBA-EC35-4F9F-8889-3BE346E5DA13}
Musicnotes Player V1.23.1 --> "D:\NEW DOWNLOADS\MusicNotes\Player\unins000.exe"
Native Instruments Kontakt 2 --> D:\DOWNLO~1\KONTAK~1\UNWISE.EXE D:\DOWNLO~1\KONTAK~1\INSTALL.LOG
Nero 7 Premium --> MsiExec.exe /X{293C9DF5-7669-4826-BBB2-E1F182D71033}
neroxml --> MsiExec.exe /I{56C049BE-79E9-4502-BEA7-9754A3E60F9B}
Neuratron PhotoScore --> D:\DOWNLO~1\PHOTOS~1\NEURAT~1\UNWISE.EXE D:\DOWNLO~1\PHOTOS~1\NEURAT~1\INSTALL.LOG
PDF Settings --> MsiExec.exe /I{AC5B0C19-D851-42F4-BDA0-410ECF7F70A5}
PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\Setup.exe" -uninstall
PowerISO --> "D:\DOWNLOADED PROGRAMS\PowerISO\uninstall.exe"
QuickTime --> MsiExec.exe /I{95A890AA-B3B1-44B6-9C18-A8F7AB3EE7FC}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
RealSpeak Solo for UK English Emily --> MsiExec.exe /I{A182077A-8D6B-4194-B48A-B4DC37C69907}
Recuva (remove only) --> "D:\DOWNLOADED PROGRAMS\Recuva\uninst.exe"
Rhapsody Player Engine --> MsiExec.exe /I{2DFF31F9-7893-4922-AF66-C9A1EB4EBB31}
Sibelius 5 --> MsiExec.exe /I{C23B8C30-E05E-4CB5-8188-F27CC3B2DD3E}
Sibelius Scorch (ActiveX Only) --> MsiExec.exe /I{C8E4455F-0F70-4DA2-A9F9-2D56C80E10AD}
SimCity 4 Deluxe --> E:\Simcity4\EAUninstall.exe
SUPERAntiSpyware Free Edition --> MsiExec.exe /X{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}
Update Manager --> MsiExec.exe /I{F428D0FB-765D-40EB-BDD8-A1E7F5C597FA}
USB PC CAM-168 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime701\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{ECD03DA7-5952-406A-8156-5F0C93618D1F}\Setup.exe" -l0x9
vanBasco's Karaoke Player --> D:\DOWNLOADED PROGRAMS\vkaraoke\vanBasco's Karaoke Player\uninst.exe
VBA --> MsiExec.exe /I{C94E45B0-6AA6-4FB9-9AAE-22085F631880}
Windows Communication Foundation --> MsiExec.exe /X{491DD792-AD81-429C-9EB4-86DD3D22E333}
Windows Imaging Component --> "C:\WINDOWS\$NtUninstallWIC$\spuninst\spuninst.exe"
Windows Live installer --> MsiExec.exe /X{7BC43F11-02C8-45FA-ABDC-E2F9FF31F825}
Windows Live Messenger --> MsiExec.exe /X{33F8EAD4-B6EC-498B-B487-696B973D1C0C}
Windows Presentation Foundation --> MsiExec.exe /X{BAF78226-3200-4DB4-BE33-4D922A799840}
Windows Workflow Foundation --> MsiExec.exe /I{7D1B85BD-AA07-48B8-808D-67A4067FC6BD}
WinRAR archiver --> D:\DOWNLOADED PROGRAMS\WinRAR\uninstall.exe

Edited by Koukla1962, 03 October 2007 - 10:58 AM.

  • 0

#8
racenutalways

    Member 1K

  • Retired Staff
  • 1,675 posts
Vundo has reappeared, let's go at it in a different way.

Go to Start | Run and type this in the box: services.msc
  • Locate the service 'DomainService', then right-click it and select Properties.
  • Under Service Status, select Stop.
  • In the drop-down box labeled Startup Type, select Disabled.
Please download the OTMoveIt by OldTimer.
  • Save it to your desktop.
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\rurqqgqd.exe
    C:\WINDOWS\system32\geeff.dll
    C:\WINDOWS\system32\iifdc.dll (file missing)
    C:\WINDOWS\system32\ffeeg.bak
    C:\WINDOWS\system32\geeff.dll
    C:\WINDOWS\system32\bcthsdlj.dll
    C:\WINDOWS\system32\cdfii.bak2
    C:\WINDOWS\system32\cdfii.bak1
    C:\WINDOWS\system32\efccyxw.dll
    C:\FOUND.004
    C:\FOUND.003
    C:\FOUND.002
    C:\WINDOWS\eReg.dat
    C:\WINDOWS\T4
    C:\WINDOWS\system32\T3
    C:\Exec.exe
    C:\\WINDOWS\system32\rur


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
*If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
**If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\********_******.log
(where "********_******" is the "date_time")


Click "Exit" to close OTMoveIt.

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
  • 0
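As an added example (not part of this thread, of Deckard's System Scanner, or of any tool the helper uses), a small Python triage script for the "Registry Dump" layout DSS prints: it groups the BHO, Run, ShellExecuteHooks, Winlogon Notify, LSA Authentication Packages and Active Setup entries by module name and flags a module that is hooked in more than one autostart point or added to the LSA package list, which is the layered persistence the helper is stripping out here. The sample dump is constructed from entries in the log above.

```python
"""Triage a DSS-style "Registry Dump" for layered autostart persistence.

Added example for this thread; it is not part of Deckard's System Scanner or
of any tool the helper uses. Sample input is constructed from entries in the
log above.
"""
import re
from collections import defaultdict
from pathlib import PureWindowsPath
from typing import Dict, List, Optional, Set

# Constructed sample: a handful of entries in the layout DSS prints.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{410AA48D-E4FD-44D5-90AC-D488D9388BAE}]
03/10/2007 17:47 320608 --a------ C:\WINDOWS\system32\geeff.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3CD0EEE-174F-4B45-B57C-FA8C38BED449}]
C:\WINDOWS\system32\iifdc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [01/03/2007 15:57]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F8C5BB1-8D81-497D-8E4C-4F81490B8FB8}"= C:\WINDOWS\system32\efccyxw.dll [21/09/2007 09:08 34816]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASSEH.DLL [20/12/2006 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccyxw]
efccyxw.dll 21/09/2007 09:08 34816 C:\WINDOWS\system32\efccyxw.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\\WINDOWS\\system32\\iifdc

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{83C93812-AC6F-32F0-F3FC-BE2113E1A6F1}]
C:\WINDOWS\system32\PELoader.exe
"""

# A path such as C:\Program Files\...\NeroCheck.exe (spaces allowed), up to a module extension.
PATH_RE = re.compile(r'[a-z]:\\[^"\[\]]*?\.(?:dll|exe|sys)\b', re.I)
DEFAULT_LSA_PACKAGES = {"msv1_0"}  # the only package on a stock XP install


def classify_key(key: str) -> Optional[str]:
    """Name the autostart mechanism a DSS key header belongs to, or None."""
    k = key.lower()
    if "browser helper objects" in k:
        return "BHO"
    if k.endswith("\\run") or k.endswith("\\runonce"):
        return "Run"
    if "shellexecutehooks" in k:
        return "ShellExecuteHooks"
    if "winlogon\\notify" in k:
        return "WinlogonNotify"
    if k.endswith("\\control\\lsa"):
        return "LSA"
    if "active setup\\installed components" in k:
        return "ActiveSetup"
    return None


def normalize(path: str) -> str:
    """Collapse the doubled backslashes the LSA value is printed with; lower-case."""
    return path.replace("\\\\", "\\").lower()


def parse_dump(text: str) -> Dict[str, Set[str]]:
    """Map each module stem (file name without extension) to the mechanisms that
    reference it, e.g. {"efccyxw": {"ShellExecuteHooks", "WinlogonNotify"}}."""
    refs: Dict[str, Set[str]] = defaultdict(set)
    mech = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            mech = classify_key(line[1:-1])
            continue
        if mech is None:
            continue
        if mech == "LSA":
            m = re.match(r'"authentication packages"=\s*(.*)', line, re.I)
            if m:
                for pkg in m.group(1).split():
                    # Anything beyond the default package list deserves a look.
                    if pkg.lower() not in DEFAULT_LSA_PACKAGES:
                        refs[PureWindowsPath(normalize(pkg)).stem].add("LSA")
            continue
        for p in PATH_RE.findall(line):
            refs[PureWindowsPath(normalize(p)).stem].add(mech)
    return dict(refs)


def triage(refs: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """Flag modules hooked in more than one place or injected into LSA."""
    findings: Dict[str, List[str]] = {}
    for stem, mechs in refs.items():
        reasons = []
        if "LSA" in mechs:
            reasons.append("non-default LSA authentication package")
        if len(mechs) > 1:
            reasons.append("same module under " + ", ".join(sorted(mechs)))
        if reasons:
            findings[stem] = reasons
    return findings


if __name__ == "__main__":
    for stem, reasons in sorted(triage(parse_dump(SAMPLE_DUMP)).items()):
        print(stem, "->", "; ".join(reasons))
```

Run against the sample it reports efccyxw (ShellExecuteHooks plus Winlogon Notify) and iifdc (BHO plus a non-default LSA package); the legitimate Nero, SUPERAntiSpyware and PELoader entries each sit in a single location and stay quiet.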

#9
Koukla1962

    Member

  • Topic Starter
  • Member
  • PipPip
  • 23 posts
Thanks in advance.

Here is my OTmoveit log.

File/Folder C:\WINDOWS\system32\rurqqgqd.exe not found.
LoadLibrary failed for C:\WINDOWS\system32\geeff.dll
C:\WINDOWS\system32\geeff.dll NOT unregistered.
C:\WINDOWS\system32\geeff.dll moved successfully.
File/Folder C:\WINDOWS\system32\iifdc.dll (file missing) not found.
File/Folder C:\WINDOWS\system32\ffeeg.bak not found.
File/Folder C:\WINDOWS\system32\geeff.dll not found.
LoadLibrary failed for C:\WINDOWS\system32\bcthsdlj.dll
C:\WINDOWS\system32\bcthsdlj.dll NOT unregistered.
C:\WINDOWS\system32\bcthsdlj.dll moved successfully.
C:\WINDOWS\system32\cdfii.bak2 moved successfully.
C:\WINDOWS\system32\cdfii.bak1 moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\efccyxw.dll
C:\WINDOWS\system32\efccyxw.dll NOT unregistered.
C:\WINDOWS\system32\efccyxw.dll moved successfully.
C:\FOUND.004 moved successfully.
C:\FOUND.003 moved successfully.
C:\FOUND.002 moved successfully.
C:\WINDOWS\eReg.dat moved successfully.
C:\WINDOWS\T4 moved successfully.
C:\WINDOWS\system32\T3 moved successfully.
File/Folder C:\Exec.exe not found.
File/Folder C:\\WINDOWS\system32\rur not found.
File/Folder not found.
File/Folder not found.

Created on 10/03/2007 20:16:23

___________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:17:45, on 03/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\iPod\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\WISPTIS.EXE
C:\Program Files\Skyline\TerraExplorer\TerraExplorer.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
D:\DOWNLOADED PROGRAMS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B3CD0EEE-174F-4B45-B57C-FA8C38BED449} - C:\WINDOWS\system32\iifdc.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\DOWNLOADED PROGRAMS\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MediaFace Integration] D:\Program Files\MediaFace\SetHook.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iPod\iTunesHelper.exe"
O4 - HKLM\..\Run: [SearchIndexer] rundll32.exe "C:\WINDOWS\system32\xhghewck.dll",sitypnow
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: efccyxw - efccyxw.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8949 bytes

______________________________________

ComboFix 07-10-02.2 - caroline 2007-10-03 20:21:25.2 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.185 [GMT 1:00]
Running from: D:\DOWNLOADED PROGRAMS\Combofix\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\kcwehghx.ini
C:\WINDOWS\system32\twjefsxu.exe
C:\WINDOWS\system32\xhghewck.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-03 to 2007-10-03 )))))))))))))))))))))))))))))))
.

2007-10-03 20:10 321 ---hs---- C:\WINDOWS\system32\ffeeg.ini2
2007-10-03 20:04 <DIR> d-------- C:\Documents and Settings\caroline\Application Data\Skyline
2007-10-03 19:56 <DIR> d-------- C:\Program Files\Skyline
2007-10-03 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skyline
2007-10-03 17:51 <DIR> d-------- C:\Deckard
2007-10-03 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-03 16:18 <DIR> d-------- C:\Documents and Settings\caroline\Application Data\SUPERAntiSpyware.com
2007-10-03 15:55 <DIR> d-------- C:\VundoFix Backups
2007-10-02 19:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-29 10:47 <DIR> d-------- C:\Program Files\iPod
2007-09-28 00:47 <DIR> d-------- C:\Documents and Settings\caroline\Application Data\dvdcss
2007-09-27 21:56 <DIR> d-------- C:\Program Files\vso
2007-09-24 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-23 10:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-22 11:57 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-18 23:16 <DIR> d-------- C:\Program Files\Common Files\digidesign
2007-09-18 23:13 61,440 --a------ C:\WINDOWS\system32\NI_DFD_1_5.dll
2007-09-18 23:13 393,216 --a------ C:\WINDOWS\system32\NI_IRC_1_2.dll
2007-09-18 23:13 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-09-18 23:13 2,045,952 --a------ C:\WINDOWS\system32\kconvert.dll
2007-09-18 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Transparent
2007-09-17 22:56 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-09-17 19:48 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-09-17 19:48 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-09-17 19:48 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-09-17 19:48 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-09-15 10:52 <DIR> d-------- C:\Program Files\Sibelius Software
2007-09-13 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2007-09-11 16:58 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-09 11:59 <DIR> d-------- C:\Program Files\Apple Software Update
2007-09-03 19:30 8,576 --a------ C:\WINDOWS\system32\drivers\hidgame.sys
2007-09-03 19:30 8,576 --a------ C:\WINDOWS\system32\dllcache\hidgame.sys
2007-09-03 19:28 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-09-03 19:28 9,600 --a------ C:\WINDOWS\system32\dllcache\hidusb.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 21:56 87608 --a------ C:\Documents and Settings\caroline\Application Data\ezpinst.exe
2007-09-27 21:56 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-27 21:56 47360 --a------ C:\Documents and Settings\caroline\Application Data\pcouffin.sys
2007-09-05 18:02 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-30 16:56 --------- d-------- C:\Program Files\Microsoft Games
2007-08-29 21:46 --------- d-------- C:\Documents and Settings\caroline\Application Data\Vso
2007-08-29 17:58 --------- d-------- C:\Program Files\MOVAVI
2007-08-29 14:48 --------- d-------- C:\Documents and Settings\caroline\Application Data\CyberLink
2007-08-29 12:48 --------- d-------- C:\Documents and Settings\caroline\Application Data\Nero
2007-08-27 22:07 3192 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-27 19:20 --------- d-------- C:\Program Files\DivX
2007-08-27 17:57 --------- d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-08-26 20:44 --------- d-------- C:\Documents and Settings\caroline\Application Data\Bitstream
2007-08-25 21:14 --------- d-------- C:\Program Files\Corel
2007-08-25 21:14 --------- d-------- C:\Program Files\Common Files\Corel
2007-08-25 21:14 --------- d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-08-25 20:02 --------- d-------- C:\Documents and Settings\caroline\Application Data\Corel
2007-08-25 19:53 --------- d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-25 19:49 --------- d-------- C:\Program Files\Common Files\Protexis
2007-08-23 18:13 203776 --a------ C:\WINDOWS\system32\clrviddc.dll
2007-08-22 16:07 --------- d-------- C:\Program Files\Google
2007-08-20 20:23 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-20 19:55 --------- d-------- C:\Program Files\MSBuild
2007-08-20 19:43 --------- d-------- C:\Program Files\Reference Assemblies
2007-08-17 15:56 --------- d-------- C:\Documents and Settings\caroline\Application Data\uTorrent
2007-08-16 10:12 --------- d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-08-16 09:20 --------- d-------- C:\Program Files\Bonjour
2007-08-16 08:58 --------- d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-15 17:10 --------- d-------- C:\Program Files\uTorrent
2007-08-12 18:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2007-08-12 18:15 --------- d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-08-12 12:25 --------- d-------- C:\Program Files\ScanSoft
2007-08-10 20:56 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-08-09 17:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-08-09 17:13 --------- d-------- C:\Program Files\Nero
2007-08-09 17:13 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-09 17:13 --------- d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-09 13:22 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-09 13:22 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-08-07 20:48 25160 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-08-07 17:10 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-07 16:44 --------- d-------- C:\Program Files\Common Files\HP
2007-08-07 16:42 43488 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-08-07 16:12 --------- d-------- C:\Program Files\HP
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-05 20:15 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 18:44 --------- d-------- C:\Program Files\CustoMess
2007-08-03 23:05 --------- d-------- C:\Documents and Settings\caroline\Application Data\AdobeUM
2007-08-03 22:03 --------- d-------- C:\Documents and Settings\All Users\Application Data\Musicnotes
2007-08-03 17:46 --------- d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!
2007-08-03 17:44 --------- d-------- C:\Program Files\Windows Media Connect 2
2007-08-03 17:30 --------- d-------- C:\Program Files\Real
2007-08-03 17:30 --------- d-------- C:\Program Files\Common Files\Real
2007-08-03 17:30 --------- d-------- C:\Documents and Settings\caroline\Application Data\Real
2007-08-03 17:13 --------- d-------- C:\Documents and Settings\caroline\Application Data\Google
2007-08-03 16:59 --------- d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2007-08-03 16:58 --------- d-------- C:\Documents and Settings\caroline\Application Data\Azureus
2007-08-03 16:56 --------- d-------- C:\Documents and Settings\All Users\Application Data\WinZip
2007-08-03 15:35 --------- d-------- C:\Program Files\Windows Live
2007-08-03 15:28 --------- d-------- C:\Program Files\MSN Messenger
2007-08-03 15:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-08-03 15:13 --------- d-------- C:\Documents and Settings\caroline\Application Data\vlc
2007-08-03 14:46 --------- d-------- C:\Documents and Settings\All Users\Application Data\Bluetooth
2007-08-03 14:07 --------- d-------- C:\Program Files\Common Files\snpstd3
2007-08-03 02:37 604 --ah----- C:\Program Files\STLL Notifier
2007-08-03 02:37 --------- d-------- C:\Documents and Settings\All Users\Application Data\Sibelius Software
2007-08-03 02:36 --------- d-------- C:\Documents and Settings\caroline\Application Data\Sibelius Software
2007-08-03 02:15 --------- d-------- C:\Documents and Settings\caroline\Application Data\WinRAR
2007-08-03 01:00 --------- d-------- C:\Documents and Settings\caroline\Application Data\Apple Computer
2007-08-01 22:26 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-01 22:26 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 03:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 03:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-02_19.50.14.13 )))))))))))))))))))))))))))))))))))))))))
.
----a-r 18,944 2007-10-03 15:19:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
----a-r 29,696 2007-10-03 15:19:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
----a-r 65,024 2007-10-03 15:19:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3CD0EEE-174F-4B45-B57C-FA8C38BED449}]
C:\WINDOWS\system32\iifdc.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07]
"QuickTime Task"="D:\DOWNLOADED PROGRAMS\QuickTime\qttask.exe" [2007-06-29 06:24]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-11 16:56]
"MediaFace Integration"="D:\Program Files\MediaFace\SetHook.exe" [2005-10-27 04:43]
"!AVG Anti-Spyware"="D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"iTunesHelper"="D:\Program Files\iPod\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2007-09-12 19:47]
"SUPERAntiSpyware"="D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
BlueSoleil.lnk - D:\Program Files\BlueSoleil\BlueSoleil.exe [2007-08-03 14:43:35]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
BlueSoleil.lnk - D:\Program Files\BlueSoleil\BlueSoleil.exe [2007-08-03 14:43:35]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F8C5BB1-8D81-497D-8E4C-4F81490B8FB8}"= C:\WINDOWS\system32\efccyxw.dll [ ]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccyxw]
efccyxw.dll

R3 SiS300i;SiS300i;C:\WINDOWS\system32\DRIVERS\sis300ip.sys
R3 SiS7018;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\ac97sis.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11C47931-AA13-9746-0500-080600080400}]
C:\Exec.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{83C93812-AC6F-32F0-F3FC-BE2113E1A6F1}]
C:\WINDOWS\system32\PELoader.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 12:54:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-03 20:30:12
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-03 20:34:20 - machine was rebooted
C:\ComboFix2.txt ... 2007-10-02 19:51
C:\ComboFix-quarantined-files.txt ... 2007-10-03 20:34
.
--- E O F ---

Edited by Koukla1962, 03 October 2007 - 01:35 PM.


#10
racenutalways (Retired Staff)

  • Copy the entire contents of the Quote Box below to Notepad.
  • Name the file as CFScript.txt
  • Change the Save as Type to All Files
  • Save it on the desktop

File::
C:\WINDOWS\system32\ffeeg.ini2
C:\WINDOWS\system32\iifdc.dll
C:\WINDOWS\system32\efccyxw.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3CD0EEE-174F-4B45-B57C-FA8C38BED449}]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableRegistryTools"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4F8C5BB1-8D81-497D-8E4C-4F81490B8FB8}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efccyxw]
[-HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{11C47931-AA13-9746-0500-080600080400}]


[Image: dragging CFScript.txt onto ComboFix.exe]

Once saved, referring to the picture above, drag CFScript.txt into ComboFix.exe, and post back the resulting report.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {B3CD0EEE-174F-4B45-B57C-FA8C38BED449} - C:\WINDOWS\system32\iifdc.dll (file missing)
O20 - Winlogon Notify: efccyxw - efccyxw.dll (file missing)


Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

Run HJT again and post those results along with a new combofix scan. :)
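As an added example (editor's code, not part of this thread and not from the HijackThis or ComboFix authors), the script below shows how the entries racenutalways picked out by eye can be found mechanically and turned into a draft CFScript. It encodes the indicators visible in the logs above: a BHO with no name or a missing DLL, rundll32 loading a DLL out of system32 by export name (the SearchIndexer entry), a Winlogon Notify DLL listed with no path or marked missing, and the reversed-name pair in ComboFix's "Other Deletions" (kcwehghx.ini is xhghewck.dll spelled backwards). The CFScript syntax follows the helper's script: `[-KEY]` deletes a key, `"value"=-` deletes a value, and `HKEY_LOCAL_MACHINE\~\Browser Helper Objects` is ComboFix's shorthand for the BHO key. The sample lines are constructed from the log in this thread, the rules are heuristics that mark candidates for review rather than a verdict, and resolving a bare Winlogon Notify DLL name to C:\WINDOWS\system32 is an assumption (it matches what the helper did here).

```python
"""Triage HijackThis (HJT) lines for Vundo-style persistence and draft a ComboFix CFScript.

Editor's example, not code from the thread or from the HJT/ComboFix authors.
The rules are heuristics: they mark entries for a human to review.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: lines copied from the HijackThis log posted in this thread.
SAMPLE_HJT = """\
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.6.0_02\\bin\\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {B3CD0EEE-174F-4B45-B57C-FA8C38BED449} - C:\\WINDOWS\\system32\\iifdc.dll (file missing)
O4 - HKLM\\..\\Run: [iTunesHelper] "D:\\Program Files\\iPod\\iTunesHelper.exe"
O4 - HKLM\\..\\Run: [SearchIndexer] rundll32.exe "C:\\WINDOWS\\system32\\xhghewck.dll",sitypnow
O20 - Winlogon Notify: !SASWinLogon - D:\\DOWNLOADED PROGRAMS\\Super AntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: efccyxw - efccyxw.dll (file missing)
"""

# Constructed sample: paths from the "Other Deletions" section of the first ComboFix log.
SAMPLE_DELETIONS = [
    r"C:\WINDOWS\system32\kcwehghx.ini",
    r"C:\WINDOWS\system32\twjefsxu.exe",
    r"C:\WINDOWS\system32\xhghewck.dll",
]

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<value>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# rundll32 "<path>.dll",<export>  is the loader pattern behind the SearchIndexer entry.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?,\s*\S+', re.IGNORECASE)

# Registry keys behind each HJT section, written the way the thread's CFScript writes them.
BHO_KEY = r"HKEY_LOCAL_MACHINE\~\Browser Helper Objects"  # ComboFix shorthand for the BHO key
RUN_KEYS = {
    "HKLM": r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    "HKCU": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
}
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
SYSTEM32 = r"C:\WINDOWS\system32"  # assumption: where a bare Notify DLL name resolves


def _strip_missing(target):
    return target.replace("(file missing)", "").strip()


def triage(log_text):
    """Return [(hjt_line, reason)] for entries a human should look at."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := O2_RE.match(line):
            if m["name"] == "(no name)" or "(file missing)" in m["target"] or m["target"] == "(no file)":
                findings.append((line, "BHO with no name or missing DLL"))
        elif m := O4_RE.match(line):
            r = RUNDLL_RE.search(m["cmd"])
            if r and "\\system32\\" in r["dll"].lower():
                findings.append((line, "rundll32 loading a DLL from system32 by export name"))
        elif m := O20_RE.match(line):
            if "\\" not in _strip_missing(m["target"]) or "(file missing)" in m["target"]:
                findings.append((line, "Winlogon Notify DLL with no path or missing file"))
    return findings


def cfscript(findings):
    """Draft File:: and Registry:: sections for the flagged entries (review before use)."""
    files, reg = [], []
    for line, _reason in findings:
        if m := O2_RE.match(line):
            reg.append("[-" + BHO_KEY + "\\" + m["clsid"] + "]")  # [-KEY] deletes the key
            path = _strip_missing(m["target"])
            if path.lower().endswith(".dll"):
                files.append(path)
        elif m := O4_RE.match(line):
            reg.append("[" + RUN_KEYS[m["hive"]] + "]")
            reg.append('"' + m["value"] + '"=-')  # "value"=- deletes one value under the key
            if r := RUNDLL_RE.search(m["cmd"]):
                files.append(r["dll"])
        elif m := O20_RE.match(line):
            reg.append("[-" + NOTIFY_KEY + "\\" + m["name"] + "]")
            dll = _strip_missing(m["target"])
            files.append(dll if "\\" in dll else SYSTEM32 + "\\" + dll)
    return "\n".join(["File::", *files, "", "Registry::", *reg]) + "\n"


def reversed_name_pairs(paths):
    """Pair files whose name stems mirror each other (kcwehghx.ini <-> xhghewck.dll)."""
    by_stem = {PureWindowsPath(p).stem.lower(): p for p in paths}
    pairs = set()
    for stem, path in by_stem.items():
        mirror = stem[::-1]
        if mirror != stem and mirror in by_stem:
            pairs.add(tuple(sorted((path, by_stem[mirror]))))
    return sorted(pairs)


if __name__ == "__main__":
    hits = triage(SAMPLE_HJT)
    for hjt_line, reason in hits:
        print(f"{reason}: {hjt_line}")
    print(cfscript(hits))
    print("reversed-name pairs:", reversed_name_pairs(SAMPLE_DELETIONS))
```

Run as a script it prints the four flagged lines, the drafted CFScript, and the kcwehghx/xhghewck pair; the drafted Registry:: entries come out identical to the ones the helper wrote by hand above, which is the comparison worth making before dragging any script onto ComboFix.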



#11
Koukla1962 (Topic Starter)

ComboFix 07-10-02.2 - caroline 2007-10-04 19:47:15.3 - FAT32x86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.102 [GMT 1:00]
Running from: D:\DOWNLOADED PROGRAMS\Combofix\ComboFix.exe
Command switches used :: C:\Documents and Settings\caroline\Desktop\CFScript.txt
* Created a new restore point

FILE::
C:\WINDOWS\system32\ffeeg.ini2
C:\WINDOWS\system32\iifdc.dll
C:\WINDOWS\system32\efccyxw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ffeeg.ini2

.
((((((((((((((((((((((((( Files Created from 2007-09-04 to 2007-10-04 )))))))))))))))))))))))))))))))
.

2007-10-03 20:04 <DIR> d-------- C:\Documents and Settings\caroline\Application Data\Skyline
2007-10-03 19:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Skyline
2007-10-03 17:51 <DIR> d-------- C:\Deckard
2007-10-03 16:31 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-10-03 16:18 <DIR> d-------- C:\Documents and Settings\caroline\Application Data\SUPERAntiSpyware.com
2007-10-03 15:55 <DIR> d-------- C:\VundoFix Backups
2007-10-02 19:36 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-09-29 10:47 <DIR> d-------- C:\Program Files\iPod
2007-09-28 00:47 <DIR> d-------- C:\Documents and Settings\caroline\Application Data\dvdcss
2007-09-27 21:56 <DIR> d-------- C:\Program Files\vso
2007-09-24 13:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-09-23 10:59 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-09-22 11:57 <DIR> d-------- C:\Program Files\Yahoo!
2007-09-18 23:16 <DIR> d-------- C:\Program Files\Common Files\digidesign
2007-09-18 23:13 61,440 --a------ C:\WINDOWS\system32\NI_DFD_1_5.dll
2007-09-18 23:13 393,216 --a------ C:\WINDOWS\system32\NI_IRC_1_2.dll
2007-09-18 23:13 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-09-18 23:13 2,045,952 --a------ C:\WINDOWS\system32\kconvert.dll
2007-09-18 17:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Transparent
2007-09-17 22:56 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll
2007-09-17 19:48 395,776 --a------ C:\WINDOWS\system32\libmplayer.dll
2007-09-17 19:48 262,144 --a------ C:\WINDOWS\system32\TomsMoComp_ff.dll
2007-09-17 19:48 2,255,360 --a------ C:\WINDOWS\system32\libavcodec.dll
2007-09-17 19:48 112,640 --a------ C:\WINDOWS\system32\libmpeg2_ff.dll
2007-09-15 10:52 <DIR> d-------- C:\Program Files\Sibelius Software
2007-09-13 12:58 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Fellowes
2007-09-11 16:58 <DIR> d-------- C:\Program Files\Common Files\xing shared
2007-09-09 11:59 <DIR> d-------- C:\Program Files\Apple Software Update

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-09-27 21:56 87608 --a------ C:\Documents and Settings\caroline\Application Data\ezpinst.exe
2007-09-27 21:56 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-09-27 21:56 47360 --a------ C:\Documents and Settings\caroline\Application Data\pcouffin.sys
2007-09-05 18:02 12400 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-08-30 16:56 --------- d-------- C:\Program Files\Microsoft Games
2007-08-29 21:46 --------- d-------- C:\Documents and Settings\caroline\Application Data\Vso
2007-08-29 17:58 --------- d-------- C:\Program Files\MOVAVI
2007-08-29 14:48 --------- d-------- C:\Documents and Settings\caroline\Application Data\CyberLink
2007-08-29 12:48 --------- d-------- C:\Documents and Settings\caroline\Application Data\Nero
2007-08-27 22:07 3192 --ahs---- C:\WINDOWS\system32\KGyGaAvL.sys
2007-08-27 19:20 --------- d-------- C:\Program Files\DivX
2007-08-27 17:57 --------- d-------- C:\Documents and Settings\All Users\Application Data\Elaborate Bytes
2007-08-26 20:44 --------- d-------- C:\Documents and Settings\caroline\Application Data\Bitstream
2007-08-25 21:14 --------- d-------- C:\Program Files\Corel
2007-08-25 21:14 --------- d-------- C:\Program Files\Common Files\Corel
2007-08-25 21:14 --------- d-------- C:\Documents and Settings\All Users\Application Data\Corel
2007-08-25 20:02 --------- d-------- C:\Documents and Settings\caroline\Application Data\Corel
2007-08-25 19:53 --------- d-------- C:\Documents and Settings\All Users\Application Data\InstallShield
2007-08-25 19:49 --------- d-------- C:\Program Files\Common Files\Protexis
2007-08-23 18:13 203776 --a------ C:\WINDOWS\system32\clrviddc.dll
2007-08-22 16:07 --------- d-------- C:\Program Files\Google
2007-08-20 20:23 682232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-08-20 19:55 --------- d-------- C:\Program Files\MSBuild
2007-08-20 19:43 --------- d-------- C:\Program Files\Reference Assemblies
2007-08-17 15:56 --------- d-------- C:\Documents and Settings\caroline\Application Data\uTorrent
2007-08-16 10:12 --------- d-------- C:\Documents and Settings\All Users\Application Data\FLEXnet
2007-08-16 09:20 --------- d-------- C:\Program Files\Bonjour
2007-08-16 08:58 --------- d-------- C:\Program Files\Common Files\Macrovision Shared
2007-08-15 17:10 --------- d-------- C:\Program Files\uTorrent
2007-08-12 18:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\WindowsLiveInstaller
2007-08-12 18:15 --------- d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-08-12 12:25 --------- d-------- C:\Program Files\ScanSoft
2007-08-10 20:56 93128 --a------ C:\WINDOWS\system32\ElbyCDIO.dll
2007-08-09 17:16 --------- d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2007-08-09 17:13 --------- d-------- C:\Program Files\Nero
2007-08-09 17:13 --------- d-------- C:\Program Files\Common Files\Ahead
2007-08-09 17:13 --------- d-------- C:\Documents and Settings\All Users\Application Data\Nero
2007-08-09 13:22 --------- d-------- C:\Program Files\Common Files\Apple
2007-08-09 13:22 --------- d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-08-07 20:48 25160 --a------ C:\WINDOWS\system32\drivers\ElbyCDIO.sys
2007-08-07 17:10 --------- d-------- C:\Program Files\Common Files\Hewlett-Packard
2007-08-07 16:44 --------- d-------- C:\Program Files\Common Files\HP
2007-08-07 16:42 43488 --a------ C:\WINDOWS\system32\drivers\AFS2K.SYS
2007-08-07 16:12 --------- d-------- C:\Program Files\HP
2007-08-07 13:58 8320 --a------ C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-08-07 13:56 9344 --a------ C:\WINDOWS\system32\drivers\NSDriver.sys
2007-08-05 20:15 --------- d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-08-04 18:44 --------- d-------- C:\Program Files\CustoMess
2007-08-03 02:37 604 --ah----- C:\Program Files\STLL Notifier
2007-08-01 22:26 499712 --a------ C:\WINDOWS\system32\msvcp71.dll
2007-08-01 22:26 348160 --a------ C:\WINDOWS\system32\msvcr71.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\dllcache\cdm.dll
2007-07-30 19:19 92504 --a------ C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19 549720 --a------ C:\WINDOWS\system32\dllcache\wuapi.dll
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19 53080 --a------ C:\WINDOWS\system32\dllcache\wuauclt.exe
2007-07-30 19:19 43352 --a------ C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19 325976 --a------ C:\WINDOWS\system32\dllcache\wucltui.dll
2007-07-30 19:19 271224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19 207736 --a------ C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19 203096 --a------ C:\WINDOWS\system32\dllcache\wuweb.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:19 1712984 --a------ C:\WINDOWS\system32\dllcache\wuaueng.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\wups.dll
2007-07-30 19:18 33624 --a------ C:\WINDOWS\system32\dllcache\wups.dll
2007-07-26 03:53 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-07-26 03:53 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
.

((((((((((((((((((((((((((((( snapshot@2007-10-02_19.50.14.13 )))))))))))))))))))))))))))))))))))))))))
.
----a-r 26,694 2007-10-03 19:51:56 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\ARPPRODUCTICON.exe
----a-r 26,694 2007-10-03 19:51:56 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
----a-r 26,694 2007-10-03 19:51:56 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\UNINST_Uninstall_G_3DE5E7D47B88403CA3FD2017A8240C5B.exe
----a-r 65,536 2007-10-03 19:51:56 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\NewShortcut1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
----a-r 65,536 2007-10-03 19:51:56 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\NewShortcut2_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
----a-r 26,694 2007-10-03 19:51:58 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
----a-r 18,944 2007-10-03 15:19:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
----a-r 29,696 2007-10-03 15:19:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
----a-r 65,024 2007-10-03 15:19:20 C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
.
----a-r 26,694 2007-09-12 19:00:58 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\ARPPRODUCTICON.exe
----a-r 26,694 2007-09-12 19:01:00 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
----a-r 26,694 2007-09-12 19:01:00 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\UNINST_Uninstall_G_3DE5E7D47B88403CA3FD2017A8240C5B.exe
----a-r 65,536 2007-09-12 19:01:00 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\NewShortcut1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
----a-r 65,536 2007-09-12 19:01:00 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\NewShortcut2_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
----a-r 26,694 2007-09-12 19:01:00 C:\WINDOWS\Installer\{1E04F83B-2AB9-4301-9EF7-E86307F79C72}\googleearth.exe1_407B9B5CDAC54F44A756B57CAB4E6A8B.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57]
"snpstd3"="C:\WINDOWS\vsnpstd3.exe" [2006-09-19 09:07]
"QuickTime Task"="D:\DOWNLOADED PROGRAMS\QuickTime\qttask.exe" [2007-06-29 06:24]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2005-02-16 16:15]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2005-02-16 16:15]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-09-11 16:56]
"MediaFace Integration"="D:\Program Files\MediaFace\SetHook.exe" [2005-10-27 04:43]
"!AVG Anti-Spyware"="D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 10:25]
"iTunesHelper"="D:\Program Files\iPod\iTunesHelper.exe" [2007-09-26 14:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 04:56]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-05-16 09:27]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 17:24]
"uTorrent"="C:\Program Files\uTorrent\uTorrent.exe" [2007-09-12 19:47]
"SUPERAntiSpyware"="D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
BlueSoleil.lnk - D:\Program Files\BlueSoleil\BlueSoleil.exe [2007-08-03 14:43:35]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 01:19:50]
BlueSoleil.lnk - D:\Program Files\BlueSoleil\BlueSoleil.exe [2007-08-03 14:43:35]
HP Digital Imaging Monitor.lnk - D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe [2003-07-07 01:20:40]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll

R3 SiS300i;SiS300i;C:\WINDOWS\system32\DRIVERS\sis300ip.sys
R3 SiS7018;Service for AC'97 Sample Driver (WDM);C:\WINDOWS\system32\drivers\ac97sis.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{83C93812-AC6F-32F0-F3FC-BE2113E1A6F1}]
C:\WINDOWS\system32\PELoader.exe
.
Contents of the 'Scheduled Tasks' folder
"2007-10-01 12:54:46 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1169 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-04 19:52:27
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-04 19:54:50
C:\ComboFix3.txt ... 2007-10-02 19:51
C:\ComboFix2.txt ... 2007-10-03 20:34
C:\ComboFix-quarantined-files.txt ... 2007-10-04 19:54
.
--- E O F ---

_______________________________________________________________________________________

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 20:23:51, on 04/10/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
D:\Program Files\BlueSoleil\BTNtService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\vsnpstd3.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\System32\svchost.exe
D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe
D:\Program Files\iPod\iTunesHelper.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\uTorrent\uTorrent.exe
D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\explorer.exe
D:\DOWNLOADED PROGRAMS\HiJack This\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://uk.yahoo.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [snpstd3] C:\WINDOWS\vsnpstd3.exe
O4 - HKLM\..\Run: [QuickTime Task] "D:\DOWNLOADED PROGRAMS\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MediaFace Integration] D:\Program Files\MediaFace\SetHook.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [iTunesHelper] "D:\Program Files\iPod\iTunesHelper.exe"
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"
O4 - HKCU\..\Run: [SUPERAntiSpyware] D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: BlueSoleil.lnk = ?
O4 - Global Startup: HP Digital Imaging Monitor.lnk = D:\Program Files\HP Printer\Digital Imaging\bin\hpqtra08.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {1239CC52-59EF-4DFA-8C61-90FFA846DF7E} (Musicnotes Viewer) - http://www.musicnote...ad/mnviewer.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/p...owserPlugin.cab
O16 - DPF: {A8F2B9BD-A6A0-486A-9744-18920D898429} (ScorchPlugin Class) - http://www.sibelius....tiveXPlugin.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O20 - Winlogon Notify: !SASWinLogon - D:\DOWNLOADED PROGRAMS\Super AntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - D:\DOWNLOADED PROGRAMS\AdAware\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - D:\DOWNLOADED PROGRAMS\AVG AntiSpyWare\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: ##Id_String1.6844F930_1628_4223_B5CC_5BB94B879762## (Bonjour Service) - Apple Computer, Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: Windows Live Setup Service (WLSetupSvc) - Unknown owner - C:\Program Files\Windows Live\installer\WLSetupSvc.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

--
End of file - 8685 bytes

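As an added example (not code from this thread, from HijackThis, or from the helper): a small Python triage pass over the O2/R3/O4/O23 line formats seen in the log above, run on constructed sample lines modelled on it. The `classify` rules, the `Finding` type and the `triage` function are my own assumptions about what a helper checks first, not HijackThis logic.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in HijackThis v2 line format, modelled on the log above (not copied from it).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O4 - Global Startup: BlueSoleil.lnk = ?
O23 - Service: BlueSoleil Hid Service - Unknown owner - D:\Program Files\BlueSoleil\BTNtService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

# Every HijackThis entry looks like "<section code> - <body>", e.g. "O2 - BHO: ..."
LINE_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    code: str              # HijackThis section code, e.g. "O2"
    clsid: Optional[str]   # CLSID if the entry carries one
    reason: str            # why a helper would look at it first
    line: str              # the original log line


def classify(code: str, body: str) -> Optional[str]:
    """Hypothetical first-pass rules (my assumptions, not HijackThis logic)."""
    if code in ("O2", "R3") and body.endswith("(no file)"):
        return "orphaned registration: CLSID still registered but the DLL is gone"
    if code == "O2" and "(no name)" in body:
        return "BHO with no name: verify the CLSID before trusting it"
    if code == "O4" and body.endswith("= ?"):
        return "startup shortcut target unresolved: inspect the .lnk by hand"
    if code == "O23" and "Unknown owner" in body:
        return "service with no vendor string: confirm where the binary came from"
    return None


def triage(log_text: str) -> List[Finding]:
    """Return the entries worth a second look; headers, process lists and benign lines are skipped."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        code, body = m.group("code"), m.group("body")
        reason = classify(code, body)
        if reason is None:
            continue
        clsid_m = CLSID_RE.search(body)
        findings.append(Finding(code, clsid_m.group(0) if clsid_m else None, reason, line))
    return findings
```

To use it on a saved log, pass the file's text to `triage()`; on the sample above it flags the nameless BHO, the orphaned URLSearchHook, the unresolved startup shortcut and the unknown-owner service, and skips the two entries with a known vendor and file.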
#12 Koukla1962 (Topic Starter, Member, 23 posts)
I have just done a scan and found a lop virus in C:'s System Volume Information. Thanks for any help.

#13 Koukla1962 (Topic Starter, Member, 23 posts)
Thank you very much. I seem to have gotten rid of these BHO viruses.

But I am having problems with another type of virus.
It is called a "lop" virus.
I did a scan and found that there were 3 of these viruses in C:\System Volume Information\_restore{5A440762-F5D1-4B1E-9FD5-32BDC6BCB7FA}\(RP103/RP104/RP101)\
and they are named: AOO21369.dll
A0021558.DLL
A0021581.dll

AVG says that these files are high risk.

These files are not backup copies but are moved objects.
If you have any advice on what to do, that would be great!!!!!

Edited by Koukla1962, 08 October 2007 - 09:52 AM.


#14 racenutalways (Retired Staff, Member 1K, 1,675 posts)
Hi, those are no threat; they are in your System Restore, which we will flush as soon as I make certain there are no more infections. Gimme a few minutes and I will get back to you.

#15 racenutalways (Retired Staff, Member 1K, 1,675 posts)
Went over the logs and all looks well. Let's flush out the System Restore, delete unwanted files and run an online scanner to make sure all is gone.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only.
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you also use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you also use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button.
NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.

Panda only works if you are using Internet Explorer.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report
Let me know how the PC is behaving.