
Hijackthis, Fixwareout and VundoFix Logs. Can anyone help please?

Discussion in 'Windows - Virus and spyware problems' started by lida07, Apr 16, 2007.

  1. lida07

    lida07 Member

    Logfile of Trend Micro HijackThis v2.0.0 (BETA)
    Scan saved at 9:51:47 PM, on 4/16/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svehost.exe
    C:\WINDOWS\System32\clcl3.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Lida\My Documents\Hijack This\HiJackThis_v2.0.0.0.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp3.tmp.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\System32\winnet.dll (file missing)
    O2 - BHO: (no name) - {f9202b19-83c3-4d26-aa08-4bf33b425343} - C:\WINDOWS\system32\cryiqv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [dmyzy.exe] C:\WINDOWS\System32\dmyzy.exe
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
    O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
    O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: ÌÚѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{84BDD69D-0D91-4DAC-9E02-3A789CB29EF2}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
    O17 - HKLM\System\CS1\Services\Tcpip\..\{84BDD69D-0D91-4DAC-9E02-3A789CB29EF2}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
    O17 - HKLM\System\CS2\Services\Tcpip\..\{84BDD69D-0D91-4DAC-9E02-3A789CB29EF2}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: cryiqv - C:\WINDOWS\SYSTEM32\cryiqv.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\System32\taskmang.exe

    --
    End of file - 8888 bytes
     
  2. muuli123

    muuli123 Regular member

    Hi lida07

    Download the previous version (1.99.1) of HijackThis and rename HijackThis.exe to Scanner.exe. Link.

    Please download FixWareout from one of these sites:
    http://downloads.subratam.org/Fixwareout.exe
    http://www.bleepingcomputer.com/files/lonny/Fixwareout.exe

    Save it to your desktop and run it. Click Next, then Install, then make sure "Run fixit" is checked and click Finish. The fix will begin; follow the prompts. You will be asked to reboot your computer; please do so. Your system may take longer than usual to load; this is normal.

    At the end of the fix, you may need to restart your computer again.

    [*] Run HijackThis
    [*] Click on the Scan button
    [*] Put a check beside all of the items listed below (if present):

    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
    O2 - BHO: Yahoo ToolBar - {BE756CFF-ADB4-4bc5-A35F-19E546E5710E} - C:\WINDOWS\System32\winnet.dll (file missing)
    O17 - HKLM\System\CCS\Services\Tcpip\..\{84BDD69D-0D91-4DAC-9E02-3A789CB29EF2}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
    O17 - HKLM\System\CS1\Services\Tcpip\..\{84BDD69D-0D91-4DAC-9E02-3A789CB29EF2}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
    O17 - HKLM\System\CS2\Services\Tcpip\..\{84BDD69D-0D91-4DAC-9E02-3A789CB29EF2}: NameServer = 85.255.115.85,85.255.112.236
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236


    [*] Close all open windows and browsers/email, etc...
    [*] Click on the "Fix Checked" button
    [*] When completed, close the application.

    Now let's check some settings on your system.
    (2000/XP only)
    In the Windows Control Panel, if you are using Windows XP's Category View, select the Network and Internet Connections category; otherwise double-click on Network Connections. Then right-click on your default connection, usually Local Area Connection for cable and DSL, and left-click on Properties. Click the Networking tab. Double-click on the Internet Protocol (TCP/IP) item and select the radio button that says Obtain DNS servers automatically.
    Press OK twice to get out of the Properties screen and reboot if it asks.
    That option might not be available on some systems.
    Next, go to Start > Run, type cmd and hit OK.
    Type
    ipconfig /flushdns
    then hit Enter, type exit and hit Enter.
    (That space between g and / is needed.)

    Please download VundoFix.exe to your desktop.

    [*] Double-click VundoFix.exe to run it.
    [*] Click the Scan for Vundo button.
    [*] Once it's done scanning, click the Remove Vundo button.
    [*] You will receive a prompt asking if you want to remove the files; click YES.
    [*] Once you click Yes, your desktop will go blank as it starts removing Vundo.
    [*] When completed, it will prompt that it will reboot your computer; click OK.
    [*] Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Post a fresh HijackThis log (version 1.99.1), FixWareout report (C:\fixwareout\report.txt) and VundoFix report.
     
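A small triage script, added here as an example (it is not code from HijackThis, FixWareout or the helper), that flags the three things the post above is acting on: O17 NameServer values the user never configured (note they sit in CurrentControlSet *and* the ControlSet001/002 backups, which is why all six keys are listed for fixing), Run/Service entries whose executable is one character away from a real Windows binary (lsasss.exe vs lsass.exe, svehost.exe vs svchost.exe), and BHOs registered with "(no name)". The SYSTEM_BINARIES list is an assumption of the example, and SAMPLE_LOG is constructed from lines quoted in this thread.

```python
"""Triage a HijackThis log for DNS-hijack entries, lookalike binaries and unnamed BHOs.

Added example for this thread (not HijackThis, FixWareout or the helper's code).
SYSTEM_BINARIES is an assumed watch-list; SAMPLE_LOG is constructed from the log
lines quoted in the thread.
"""
import re
from ipaddress import ip_address

# Windows binaries whose names malware commonly imitates (assumed list).
SYSTEM_BINARIES = {"lsass.exe", "svchost.exe", "csrss.exe", "winlogon.exe",
                   "services.exe", "smss.exe", "explorer.exe", "taskmgr.exe"}

# O17 lines name the control set (CCS, CS1, CS2) the NameServer value lives in.
O17_RE = re.compile(r"^O17 - (HKLM\\System\\(\w+)\\Services\\Tcpip\\[^:]+): NameServer = (.+)$")
O2_RE = re.compile(r"^O2 - BHO: \(no name\) - (\{[0-9A-Fa-f-]+\}) - (.+)$")
O4_RE = re.compile(r"^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
O23_RE = re.compile(r"^O23 - Service: .+? - .*? - (?P<cmd>.+)$")
# First path component that ends in an executable/library extension.
EXE_RE = re.compile(r'([^\s"\\]+\.(?:exe|dll|ocx|scr))', re.IGNORECASE)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one edit is the typical lookalike (lsasss, svehost)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(exe_name: str):
    """Return the system binary this file name is one edit away from, else None."""
    name = exe_name.lower()
    if name in SYSTEM_BINARIES:          # the genuine name is not a lookalike
        return None
    for real in sorted(SYSTEM_BINARIES):
        if edit_distance(name, real) == 1:
            return real
    return None


def exe_basename(cmd: str):
    """First executable/library file name in a Run or Service command line."""
    m = EXE_RE.search(cmd)
    return m.group(1).lower() if m else None


def triage(log_text: str, trusted_dns=frozenset()):
    """Return (kind, detail, extra) tuples for suspicious HijackThis lines."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O17_RE.match(line)
        if m:
            _key, control_set, value = m.groups()
            # Values are comma- or space-separated; skip anything that is not an IP.
            for token in re.split(r"[,\s]+", value.strip()):
                try:
                    ip = str(ip_address(token))
                except ValueError:
                    continue
                if ip not in trusted_dns:
                    findings.append(("dns_hijack", control_set, ip))
            continue
        m = O2_RE.match(line)
        if m:
            findings.append(("unnamed_bho", m.group(1), m.group(2)))
            continue
        m = O4_RE.match(line) or O23_RE.match(line)
        if m:
            exe = exe_basename(m.group("cmd"))
            real = lookalike_of(exe) if exe else None
            if real:
                findings.append(("lookalike", exe, real))
    return findings


# Constructed sample: a handful of lines taken from the logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {f9202b19-83c3-4d26-aa08-4bf33b425343} - C:\WINDOWS\system32\cryiqv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O17 - HKLM\System\CCS\Services\Tcpip\..\{84BDD69D-0D91-4DAC-9E02-3A789CB29EF2}: NameServer = 85.255.115.85,85.255.112.236
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 85.255.115.85 85.255.112.236
O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\System32\taskmang.exe
"""

if __name__ == "__main__":
    for kind, detail, extra in triage(SAMPLE_LOG):
        print(f"{kind:12} {detail:45} {extra}")
```

The one-edit heuristic is deliberately narrow: it catches lsasss.exe and svehost.exe but not taskmang.exe from the same log, so treat its output as a first pass, not a verdict.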
  3. lida07

    lida07 Member

    Logfile of HijackThis v1.99.1
    Scan saved at 2:06:58 AM, on 4/17/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\svehost.exe
    C:\WINDOWS\System32\clcl3.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Documents and Settings\Lida\Desktop\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp3.tmp.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {f9202b19-83c3-4d26-aa08-4bf33b425343} - C:\WINDOWS\system32\cryiqv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
    O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\urppqo.dll",realset
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
    O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: ÌÚѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: cryiqv - C:\WINDOWS\SYSTEM32\cryiqv.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\System32\taskmang.exe

    .................


    Fixwareout Last edited 4/5/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check
    HKLM\SOFTWARE\~\CurrentVersion\Run\ ="dmyzy"
    HKLM\SOFTWARE\~\Winlogon\ "System"="csbeh.exe"

    »»»»» System restarted

    »»»»» Postrun check
    HKLM\SOFTWARE\~\version\Run\ "dmyzy"
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}480B9B645ABF-4EFA-4EB4-0284-50FE8D8E{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "}982E833F86CB-0D8A-65A4-9524-F0F74123{" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Ruins "yzymd" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "0mdm" Deleted
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Urls "1mdm" Deleted
    HKLM\~\currentversion\run "dmyzy.exe" Deleted
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other



    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "Lexmark_X79-55"="C:\\WINDOWS\\System32\\lsasss.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "Intel system tool"="C:\\WINDOWS\\System32\\svehost.exe"
    "clcl3"="C:\\WINDOWS\\System32\\clcl3.exe"
    "COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
    "BootService"="rundll32.exe \"C:\\WINDOWS\\urppqo.dll\",realset"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»

    .............


    VundoFix V6.3.19

    Checking Java version...

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 2:12:42 AM 4/17/2007

    Listing files found while scanning....


    VundoFix V6.3.19

    Checking Java version...

    Java version is 1.5.0.3
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.10

    Scan started at 2:18:16 AM 4/17/2007

    Listing files found while scanning....

    No infected files were found.


    Beginning removal...
     
  4. muuli123

    muuli123 Regular member

    Hello lida07

    Please do a new scan with FixWareOut and post the log.

    Please download the following program and save it to your desktop:

    http://noahdfear.geekstogo.com/FindAWF.exe

    Once downloaded, double-click on the file to run it. When it is done there will be a file called awf.txt on your desktop. Please post the contents of that file as a reply to this topic.

    1. Download this file - combofix.exe
    and save it to your desktop.

    2. Go to start -> run.
    type this in the box and click OK

    "%userprofile%\desktop\combofix.exe" /v cryiqv vqiyrc tmp3.tmp

    3. When finished, it shall produce a log for you. Post that log in your next reply.

    4. Reboot

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

    Open HijackThis, press "Do a system scan only", and checkmark these lines:
    O4 - HKLM\..\Run: [Lexmark_X79-55] C:\WINDOWS\System32\lsasss.exe
    O4 - HKLM\..\Run: [Intel system tool] C:\WINDOWS\System32\svehost.exe
    O4 - HKLM\..\Run: [clcl3] C:\WINDOWS\System32\clcl3.exe
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\urppqo.dll",realset
    O20 - AppInit_DLLs:

    Next, close all other windows and press Fix checked.

    Please set your computer to show hidden files:
    1. Close all programs so that you are at your desktop.
    2. Double-click on the My Computer icon.
    3. Select the Tools menu and click Folder Options.
    4. After the new window appears select the View tab.
    5. Put a checkmark in the checkbox labeled Display the contents of system folders.
    6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
    7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
    8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
    9. Press the Apply button and then the OK button, and shut down My Computer.
    10. Now your computer is configured to show all hidden files.

    Reboot your computer in Safe mode:
    1. Restart your computer.
    2. When the machine first starts again it will generally list some equipment that is installed in your machine, amount of memory, hard drives installed etc. At this point you should gently tap the F8 key repeatedly until you are presented with a Windows XP Advanced Options menu.
    3. Select the option for Safe Mode using the arrow keys.
    4. Then press enter on your keyboard to boot into Safe Mode.

    Once in Safe mode:

    Delete these files:
    C:\WINDOWS\System32\lsasss.exe
    C:\WINDOWS\System32\svehost.exe
    C:\WINDOWS\System32\clcl3.exe
    C:\WINDOWS\urppqo.dll

    Reboot in Normal mode.

    Post a fresh HijackThis log, FixWareOut log, FindAWF log and ComboFix log.
     
  5. lida07

    lida07 Member

    Hi muuli123.

    Thanks for all the help; however, I did encounter a few problems during the process.

    I did as you said except I couldn't seem to run Combofix and therefore couldn't get a log. When I typed "%userprofile%\desktop\combofix.exe" /v cryiqv vqiyrc tmp3.tmp into 'Run', the Combofix Window would only flash on my screen for a second and nothing else would happen.

    Also, when I rebooted my computer in Safe Mode to delete the files that you mentioned, my computer wouldn't allow me to delete C:\WINDOWS\System32\lsasss.exe or C:\WINDOWS\System32\svehost.exe. When I tried to delete those two files an error would come up reading "Cannot delete: Access is denied. Make sure the disk is not full or write-protected and that the file is not currently in use." I also couldn't find the C:\WINDOWS\urppqo.dll file.


    Anyway, here is the fresh HijackThis log, FixWareOut log and FindAWF log that I could get.

    Logfile of HijackThis v1.99.1
    Scan saved at 3:44:20 PM, on 4/17/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Documents and Settings\Lida\Desktop\Virus Help\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp2.tmp.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {f9202b19-83c3-4d26-aa08-4bf33b425343} - C:\WINDOWS\system32\cryiqv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\efffdc.dll",realset
    O4 - HKLM\..\Run: [PCSuiteTrayApplication] C:\Program Files\Nokia\Nokia PC Suite 6\LaunchApplication.exe -startup
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
    O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: ÌÚѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: cryiqv - C:\WINDOWS\SYSTEM32\cryiqv.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\System32\taskmang.exe

    .....


    Fixwareout Last edited 4/5/2007
    Post this report in the forums please
    ...
    »»»»»Prerun check

    »»»»» System restarted

    »»»»» Postrun check
    HKLM\SOFTWARE\~\Winlogon\ "system"=""
    ....
    ....
    »»»»» Misc files.
    ....
    »»»»» Checking for older varients.
    ....

    Search five digit cs, dm, kd, jb, other, files.
    The following files NEED TO BE SUBMITTED to one of the following URL'S for further inspection.



    Click browse, find the file then click submit.
    http://www.virustotal.com/flash/index_en.html
    Or http://virusscan.jotti.org/

    »»»»» Other



    »»»»» Current runs
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "BootService"="rundll32.exe \"C:\\WINDOWS\\efffdc.dll\",realset"
    "PCSuiteTrayApplication"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\LaunchApplication.exe -startup"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"
    ....
    Hosts file was reset, If you use a custom hosts file please replace it
    »»»»» End report »»»»»

    .....


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\ITUNES\BAK

    10/30/2006 08:36 AM 256,576 iTunesHelper.exe
    1 File(s) 256,576 bytes

    Directory of C:\PROGRA~1\MESSEN~1\BAK

    08/20/2002 03:08 PM 1,511,453 msmsgs.exe
    1 File(s) 1,511,453 bytes

    Directory of C:\PROGRA~1\MSNMES~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\QUICKT~1\BAK

    12/11/2006 08:25 PM 282,624 qttask.exe
    1 File(s) 282,624 bytes

    Directory of C:\WINDOWS\SYSTEM32\BAK

    08/29/2002 01:41 PM 13,312 ctfmon.exe
    01/25/2002 02:30 AM 290,816 khooker.exe
    2 File(s) 304,128 bytes

    Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    05/31/2006 08:02 PM 108,160 ashDisp.exe
    1 File(s) 108,160 bytes

    Directory of C:\PROGRA~1\NOKIA\NOKIAP~1\BAK

    11/08/2006 12:27 PM 222,208 LaunchApplication.exe
    1 File(s) 222,208 bytes

    Directory of C:\PROGRA~1\PANICW~1\POP-UP~1\BAK

    03/17/2005 10:10 AM 536,576 PSFree.exe
    1 File(s) 536,576 bytes

    Directory of C:\PROGRA~1\JAVA\JRE15~1.0_1\BIN\BAK

    11/09/2006 02:07 PM 49,263 jusched.exe
    1 File(s) 49,263 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
    256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
    102400 Mar 26 2007 "C:\WINDOWS\Installer\{AB90749C-7422-4580-8A7A-66CC5E9E5F98}\iTunesIco.exe"
    116288 Mar 26 2007 "C:\Documents and Settings\All Users\Application Data\Apple Computer\Installer Cache\iTunes 7.1.1.5\iTunesSetupAdmin.exe"
    108096 Nov 9 2006 "C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\5GIKOO96\iTunesSetupAdmin[1].exe"
    1511453 Aug 20 2002 "C:\Program Files\Messenger\bak\msmsgs.exe"
    282624 Feb 16 2007 "C:\Program Files\QuickTime\qttask.exe"
    282624 Dec 11 2006 "C:\Program Files\QuickTime\bak\qttask.exe"
    13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe"
    13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
    37296 Mar 11 2007 "C:\WINDOWS\system32\khooker.exe"
    290816 Jan 25 2002 "C:\WINDOWS\system32\bak\khooker.exe"
    108160 May 31 2006 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"
    222208 Nov 8 2006 "C:\Program Files\Nokia\Nokia PC Suite 6\bak\LaunchApplication.exe"
    536576 Mar 17 2005 "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe"
    36975 Apr 13 2005 "C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe"
    49263 Nov 9 2006 "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe"


    end of report

    .....

    Thanks again, any further help would be much appreciated.

    Lida
     
  6. muuli123

    Hello again...

    Okay... Try this :)

    Please save these instructions to Notepad on the Desktop, because you must reboot into Safe Mode.

    Copy black text below to Notepad and save it as delete.bat (save it as all files, *.*)

    @ECHO OFF
    REM Move each original back from its bak folder into the parent folder,
    REM then remove the bak folder once every file in it has been moved out.
    move /Y "C:\Program Files\iTunes\bak\iTunesHelper.exe" "C:\Program Files\iTunes"
    RD /s /q "C:\Program Files\iTunes\bak"
    move /Y "C:\Program Files\Messenger\bak\msmsgs.exe" "C:\Program Files\Messenger"
    RD /s /q "C:\Program Files\Messenger\bak"
    move /Y "C:\Program Files\QuickTime\bak\qttask.exe" "C:\Program Files\QuickTime"
    RD /s /q "C:\Program Files\QuickTime\bak"
    move /Y "C:\WINDOWS\system32\bak\ctfmon.exe" "C:\WINDOWS\system32"
    move /Y "C:\WINDOWS\system32\bak\khooker.exe" "C:\WINDOWS\system32"
    RD /s /q "C:\WINDOWS\system32\bak"
    move /Y "C:\Program Files\Nokia\Nokia PC Suite 6\bak\LaunchApplication.exe" "C:\Program Files\Nokia\Nokia PC Suite 6"
    RD /s /q "C:\Program Files\Nokia\Nokia PC Suite 6\bak"
    move /Y "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak\PSFree.exe" "C:\Program Files\Panicware\Pop-Up Stopper Free Edition"
    RD /s /q "C:\Program Files\Panicware\Pop-Up Stopper Free Edition\bak"
    move /Y "C:\Program Files\Java\jre1.5.0_10\bin\bak\jusched.exe" "C:\Program Files\Java\jre1.5.0_10\bin"
    RD /s /q "C:\Program Files\Java\jre1.5.0_10\bin\bak"


    Do NOT click this yet, because this file must be run in Safe Mode.

    Please download the Killbox.
    Unzip it to the desktop but do NOT run it yet.

    [*]Double-click VundoFix.exe to run it.
    [*]Click the Scan for Vundo button.
    [*]Once the scan is complete, Right Click inside the listbox (white box) and click add more files
    [*]Copy&Paste the entry below into the top box:

    [*]C:\WINDOWS\system32\cryiqv.dll
    [*]C:\WINDOWS\SYSTEM32\vqiyrc.*

    [*]Click Add Files and Click Close Window
    [*]Click the Remove Vundo button.
    [*]You will receive a prompt asking if you want to remove the files, click YES
    [*]Once you click yes, your desktop will go blank as it starts removing Vundo.
    [*]When completed, it will prompt that it will reboot your computer, click OK.
    [*]Please post the contents of C:\vundofix.txt and a new HijackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

    Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

    Once in Safe Mode

    Double-click delete.bat; a black DOS window will flash, that's normal.

    Please run Killbox.

    Select "Delete on Reboot".
    click All Files

    Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

    C:\WINDOWS\System32\lsasss.exe
    C:\WINDOWS\System32\svehost.exe


    Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot your computer in Normal mode.

    Please post a fresh HijackThis log, VundoFix log and FindAWF log.
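    The FindAWF report posted above lists each live startup executable next to the original that AWF parked in a bak subfolder, and the delete.bat in the reply above moves those originals back by hand. As an added example (not FindAWF's, the helper's, or any other tool's own code), this Python script parses that section of the report, flags pairs whose sizes differ, and generates the restore commands grouped so that each bak folder is removed once, only after its last file has been moved out; the report text is a constructed excerpt in the shape of the one posted.

```python
"""Plan a restore of AWF-displaced originals from a FindAWF report.

The AWF trojan moves the real startup executable into a 'bak' subfolder and
drops its own copy under the original name. FindAWF lists the live file and
its bak twin; restoring means moving the bak copy back over the dropped one
and removing the then-empty bak folder.
"""
import ntpath
import re
from collections import OrderedDict

# Constructed excerpt in the shape of the thread's FindAWF report.
SAMPLE_REPORT = r"""
Duplicate files of bak directory contents
~~~~~~~~~~~~~~~~~~~~~~~

257088 Mar 14 2007 "C:\Program Files\iTunes\iTunesHelper.exe"
256576 Oct 30 2006 "C:\Program Files\iTunes\bak\iTunesHelper.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\ctfmon.exe"
13312 Aug 29 2002 "C:\WINDOWS\system32\bak\ctfmon.exe"
37296 Mar 11 2007 "C:\WINDOWS\system32\khooker.exe"
290816 Jan 25 2002 "C:\WINDOWS\system32\bak\khooker.exe"
108160 May 31 2006 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"

end of report
"""

# size, "Mon D YYYY", quoted path
LINE_RE = re.compile(r'^(\d+)\s+([A-Za-z]{3}\s+\d{1,2}\s+\d{4})\s+"([^"]+)"$')


def parse_duplicates(report):
    """Map each quoted path in the duplicates section to (size, date)."""
    entries = OrderedDict()
    in_section = False
    for raw in report.splitlines():
        line = raw.strip()
        if line.startswith("Duplicate files of bak directory contents"):
            in_section = True
            continue
        if line.startswith("end of report"):
            break
        if in_section:
            m = LINE_RE.match(line)
            if m:
                entries[m.group(3)] = (int(m.group(1)), m.group(2))
    return entries


def is_bak_path(path):
    """True when the file sits directly inside a folder named 'bak'."""
    return ntpath.basename(ntpath.dirname(path)).lower() == "bak"


def pair_bak_files(entries):
    """Pair every bak file with the same-named file in its parent folder."""
    pairs = []
    for path, (size, _date) in entries.items():
        if not is_bak_path(path):
            continue
        bak_dir = ntpath.dirname(path)
        live_dir = ntpath.dirname(bak_dir)
        live_path = ntpath.join(live_dir, ntpath.basename(path))
        # Case-insensitive lookup: the report mixes 'system32' and 'SYSTEM32'.
        live = next((v for k, v in entries.items()
                     if k.lower() == live_path.lower()), None)
        if live is None:
            status = "live_not_listed"   # nothing reported under the original name
        elif live[0] != size:
            status = "replaced"          # a different-sized file now wears the original's name
        else:
            status = "same_size"         # sizes match; only a hash comparison can tell them apart
        pairs.append({"bak": path, "live": live_path, "bak_dir": bak_dir,
                      "live_dir": live_dir, "bak_size": size,
                      "live_size": None if live is None else live[0],
                      "status": status})
    return pairs


def plan_restore(pairs):
    """Emit cmd.exe lines: move each bak file back into its parent folder,
    then remove each bak folder exactly once, after its last move."""
    by_dir = OrderedDict()
    for p in pairs:
        by_dir.setdefault(p["bak_dir"], []).append(p)
    lines = ["@ECHO OFF"]
    for bak_dir, group in by_dir.items():
        for p in group:
            # Destination is the parent folder, never the bak folder itself.
            lines.append('move /Y "%s" "%s"' % (p["bak"], p["live_dir"]))
        lines.append('RD /s /q "%s"' % bak_dir)
    return lines


if __name__ == "__main__":
    found = pair_bak_files(parse_duplicates(SAMPLE_REPORT))
    for p in found:
        print("%-20s bak=%d live=%s -> %s" % (ntpath.basename(p["bak"]),
              p["bak_size"], p["live_size"], p["status"]))
    print("\n".join(plan_restore(found)))
```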
     
  7. lida07

    Hi and thanks again.

    I couldn't get a VundoFix Log as when I ran VundoFix it reported that my computer had no infected files...however here is the HijackThis and FindAWF Log as requested.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:52:13 AM, on 4/18/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Documents and Settings\Lida\Desktop\Virus Help\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp2.tmp.dll (file missing)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {f9202b19-83c3-4d26-aa08-4bf33b425343} - C:\WINDOWS\system32\cryiqv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\efffdc.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
    O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: ÌÚѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: cryiqv - C:\WINDOWS\SYSTEM32\cryiqv.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe
    O23 - Service: Windows Task Manager (Taskmng) - Unknown owner - C:\WINDOWS\System32\taskmang.exe

    .....


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~


    Directory of C:\PROGRA~1\MSNMES~1\BAK

    0 File(s) 0 bytes

    Directory of C:\PROGRA~1\ALWILS~1\AVAST4\BAK

    05/31/2006 08:02 PM 108,160 ashDisp.exe
    1 File(s) 108,160 bytes


    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~

    108160 May 31 2006 "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe"


    end of report
     
  8. muuli123

    Hello lida07

    First remove previous delete.bat file.

    Copy black text below to Notepad and save it as xxxx.bat (save it as all files, *.*)

    @ECHO OFF
    move /Y "C:\Program Files\Alwil Software\Avast4\bak\ashDisp.exe" "C:\Program Files\Alwil Software\Avast4"
    RD /s /q "C:\Program Files\Alwil Software\Avast4\bak"



    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :

    [*]Restart your computer
    [*]After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    [*]Instead of Windows loading as normal, the Advanced Options Menu should appear;
    [*]Select the first option, to run Windows in Safe Mode, then press Enter.
    [*]Choose your usual account.

    Double-click delete.bat; a black DOS window will flash, that's normal.

    Delete this folder:
    C:\PROGRA~1\MSNMES~1\BAK

    [*] Open the extracted SDFix folder and double click RunThis.bat to start the script.
    [*] Type Y to begin the cleanup process.
    [*] It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    [*] Press any Key and it will restart the PC.
    [*] When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    [*] Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
    (Report.txt will also be copied to Clipboard ready for posting back on the forum).

    Post a fresh HijackThis log, SDFix log and FindAWF log.
     
  9. lida07

    Hi again and again, thanks for all your help.
    Here is the HijackThis log, SD Fix log and FindAWF log.

    Logfile of HijackThis v1.99.1
    Scan saved at 10:57:12 PM, on 4/18/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\Lida\Desktop\Virus Help\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - C:\WINDOWS\System32\tmp1.tmp.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O2 - BHO: (no name) - {f9202b19-83c3-4d26-aa08-4bf33b425343} - C:\WINDOWS\system32\cryiqv.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [BootService] rundll32.exe "C:\WINDOWS\geeefc.dll",realset
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
    O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O9 - Extra 'Tools' menuitem: ÌÚѶQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Documents and Settings\Lida\My Documents\QQ.EXE (file missing)
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: cryiqv - C:\WINDOWS\SYSTEM32\cryiqv.dll
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    .....


    SDFix: Version 1.79

    Run by Lida - Wed 04/18/2007 - 22:38:55.61

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    Taskmng

    ImagePath:
    C:\WINDOWS\System32\taskmang.exe

    Taskmng - Deleted



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\DOCUME~1\Lida\LOCALS~1\Temp\tmp1.tmp.exe - Deleted
    C:\DOCUME~1\Lida\LOCALS~1\Temp\tmp1C.tmp.exe - Deleted
    C:\DOCUME~1\Lida\LOCALS~1\Temp\tmp2.tmp.exe - Deleted
    C:\DOCUME~1\Lida\LOCALS~1\Temp\tmp4.tmp.exe - Deleted
    C:\DOCUME~1\Lida\LOCALS~1\Temp\tmpDD.tmp.exe - Deleted
    C:\DOCUME~1\Lida\LOCALS~1\Temp\abc123.pid - Deleted
    C:\DOCUME~1\Lida\LOCALS~1\Temp\setup.exe - Deleted
    C:\WINDOWS\system32\taskmang.exe - Deleted


    Folder C:\DOCUME~1\Lida\LOCALS~1\Temp\ICD1.tmp - Removed

    Removing Temp Files

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Documents and Settings\Lida\Local Settings\Application Data\Microsoft\Messenger\lead_wu@hotmail.com\Sharing Folders\etphone40@hotmail.com\Thumbs.db
    C:\Documents and Settings\Lida\Local Settings\Application Data\Microsoft\Messenger\lead_wu@hotmail.com\Sharing Folders\pubeface04@hotmail.com\Thumbs.db
    C:\Documents and Settings\Lida\Local Settings\Application Data\Microsoft\Messenger\lil_xrcist@hotmail.com\Sharing Folders\lead_wu@hotmail.com\Thumbs.db
    C:\Program Files\Common Files\Adobe\ESD\DLMCleanup.exe
    C:\WINDOWS\system32\AE98483D86.sys
    C:\WINDOWS\system32\KGyGaAvL.sys
    C:\WINDOWS\LastGood.Tmp\INF\oem13.inf
    C:\WINDOWS\LastGood.Tmp\INF\oem13.PNF

    Finished
    .....


    Find AWF report by noahdfear ©2006


    bak folders found
    ~~~~~~~~~~~



    Duplicate files of bak directory contents
    ~~~~~~~~~~~~~~~~~~~~~~~



    end of report

     
  10. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Please send this file to virustotal and post the results here:
    C:\WINDOWS\system32\AE98483D86.sys

    1. Download this file - combofix.exe
    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you. Post that log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it is running; that may cause it to stall.

    Please download F-Secure Blacklight (blbeta.exe) and save to your C:\ drive.
    1. Open a command window by going to Start > Run and typing: cmd
    2. Copy/paste or type the following in the command window:

    C:\blbeta.exe /expert

    3. Hit "Enter" to start the program and then close the cmd box.
    4. Accept the user agreement and click "Next".
    5. Click "Scan".
    6. After the scan is complete, click "Next", then "Exit". BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
    7. The log will have a list of all items found. Do not choose to rename any yet! I want to see the log first because legitimate items can also be present...like "wbemtest.exe".
    8. Exit Blacklight and post the contents of the log in your next reply.

    Note: If you download Blacklight to your desktop, just double-click to run from there and it will create the "fsbl-xxxxxxx.log" on your desktop.

    Post a fresh HijackThis log, ComboFix log, Blacklight log and virustotal results.
     
  11. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Hey...

    I noticed that the links did not work. I'm so sorry for this, but I have posted new links below.

    Download Blacklight here.

    And ComboFix here.
     
  12. lida07

    lida07 Member

    Joined:
    Apr 15, 2007
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    11
    Thanks muuli123
    Here are the logs as requested.

    Logfile of HijackThis v1.99.1
    Scan saved at 2:52:16 AM, on 4/20/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Lida\Desktop\Virus Help\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
    O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    .....

    "Lida" - 07-04-20 2:33:41 Service Pack 1
    ComboFix 07-04-19.2V - Running from: C:\Documents and Settings\Lida\Desktop\

    /wow section - STAGE #3

    (((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\tmp1.tmp.dll
    C:\WINDOWS\system32\tmp39.tmp.dll
    C:\WINDOWS\system32\cryiqv.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\tmp1.tmp.dll
    C:\WINDOWS\system32\tmp39.tmp.dll
    C:\install.log


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-20 to 2007-04-20 ))))))))))))))))))))))))))))))))))


    2007-04-20 02:36 899,952 --a------ C:\fsbl.exe
    2007-04-18 02:57 106,767 --a------ C:\WINDOWS\geeefc.dll
    2007-04-18 02:33 <DIR> d-------- C:\!KillBox
    2007-04-17 02:55 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\Lavasoft
    2007-04-17 02:12 <DIR> d-------- C:\VundoFix Backups
    2007-04-16 20:05 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\Comodo
    2007-04-16 20:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-16 16:58 <DIR> d-------- C:\Program Files\Comodo
    2007-04-16 16:35 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-16 16:23 <DIR> d-------- C:\DOCUME~1\Lida\.housecall6.6
    2007-04-14 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GameHouse
    2007-04-14 22:21 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\PlayFirst
    2007-04-14 22:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
    2007-04-14 22:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
    2007-04-13 01:46 <DIR> d-------- C:\Program Files\Easy GIF Animator
    2007-03-26 16:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WinZip
    2007-03-26 13:47 <DIR> d-------- C:\Program Files\iPod


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-18 22:27 5406 --a------ C:\WINDOWS\system32\mt_32.dll
    2007-04-18 22:23 -------- d-------- C:\Program Files\msn messenger
    2007-04-16 20:02 -------- d-------- C:\Program Files\messenger
    2007-04-16 16:21 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-16 02:17 -------- d-------- C:\Program Files\vvsn
    2007-04-15 22:14 -------- d-------- C:\Program Files\popcap games
    2007-04-15 20:18 66 --a------ C:\WINDOWS\popcinfo.dat
    2007-03-26 13:49 -------- d-------- C:\Program Files\itunes
    2007-03-18 00:24 -------- d-------- C:\DOCUME~1\Lida\APPLIC~1\msn6
    2007-03-12 12:09 -------- d-------- C:\Program Files\quicktime
    2007-03-11 20:04 37296 --a------ C:\WINDOWS\system32\khooker.exe
    2007-03-03 01:52 -------- d-------- C:\Program Files\divx


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    {9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-04-20 2:41:10 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 07-04-20 02:41

    .....

    04/20/07 02:45:20 [Info]: BlackLight Engine 1.0.61 initialized
    04/20/07 02:45:20 [Info]: OS: 5.1 build 2600 (Service Pack 1)
    04/20/07 02:45:20 [Note]: 7019 4
    04/20/07 02:45:20 [Note]: 7005 0
    04/20/07 02:45:23 [Note]: 7006 0
    04/20/07 02:45:23 [Note]: 7022 0
    04/20/07 02:45:24 [Note]: 7011 1640
    04/20/07 02:45:24 [Note]: 7026 0
    04/20/07 02:45:24 [Note]: 7026 0
    04/20/07 02:45:33 [Note]: FSRAW library version 1.7.1021
    04/20/07 02:49:41 [Note]: 2000 1012
    04/20/07 02:49:41 [Note]: 2000 1012
    04/20/07 02:49:41 [Note]: 2000 1012
    04/20/07 02:49:41 [Note]: 2000 1012
    04/20/07 02:49:41 [Note]: 2000 1012
    04/20/07 02:49:41 [Note]: 2000 1012
    04/20/07 02:49:41 [Note]: 2000 1012
    04/20/07 02:50:59 [Note]: 7007 0

    .....

    Antivirus Version Update Result
    AhnLab-V3 2007.4.19.1 04.19.2007 no virus found
    AntiVir 7.3.1.53 04.19.2007 no virus found
    Authentium 4.93.8 04.18.2007 no virus found
    Avast 4.7.981.0 04.19.2007 no virus found
    AVG 7.5.0.447 04.18.2007 no virus found
    BitDefender 7.2 04.19.2007 no virus found
    CAT-QuickHeal 9.00 04.19.2007 no virus found
    ClamAV devel-20070416 04.19.2007 no virus found
    DrWeb 4.33 04.19.2007 no virus found
    eSafe 7.0.15.0 04.19.2007 no virus found
    eTrust-Vet 30.7.3579 04.19.2007 no virus found
    Ewido 4.0 04.19.2007 no virus found
    FileAdvisor 1 04.19.2007 no virus found
    Fortinet 2.85.0.0 04.19.2007 no virus found
    F-Prot 4.3.2.48 04.18.2007 no virus found
    F-Secure 6.70.13030.0 04.19.2007 no virus found
    Ikarus T3.1.1.5 04.19.2007 no virus found
    Kaspersky 4.0.2.24 04.19.2007 no virus found
    McAfee 5012 04.18.2007 no virus found
    Microsoft 1.2405 04.19.2007 no virus found
    NOD32v2 2205 04.19.2007 no virus found
    Norman 5.80.02 04.19.2007 no virus found
    Panda 9.0.0.4 04.19.2007 no virus found
    Prevx1 V2 04.19.2007 no virus found
    Sophos 4.16.0 04.17.2007 no virus found
    Sunbelt 2.2.907.0 04.07.2007 no virus found
    Symantec 10 04.19.2007 no virus found
    TheHacker 6.1.6.095 04.15.2007 no virus found
    VBA32 3.11.3 04.19.2007 no virus found
    VirusBuster 4.3.7:9 04.18.2007 no virus found
    Webwasher-Gateway 6.0.1 04.19.2007 no virus found

    Aditional Information
    File size: 56 bytes
    MD5: af270ea6fa5856d2cacbe0711427accf
    SHA1: 7a4b6d2e21dae2177853c1b81c5f08b20f66bfc3
     
  13. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Hello lida07

    Rename HijackThis to Scanner.

    Reboot your computer in Safe mode.

    Once in Safe mode:
    Delete this file:
    C:\WINDOWS\system32\mt_32.dll

    Reboot in Normal mode.

    Open HijackThis, press "Do a system scan only", and checkmark these lines:
    O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
    O8 - Extra context menu item: ???QQ?? - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: ???QQ???? - C:\Documents and Settings\Lida\My Documents\AddToNetDisk.htm
    O8 - Extra context menu item: ???QQ????? - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ?QQ??????? - C:\Documents and Settings\Lida\My Documents\SendMMS.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
    O8 - Extra context menu item: Ìí¼Óµ½QQ×Ô¶¨ÒåÃæ°å - C:\Documents and Settings\Lida\My Documents\AddPanel.htm
    O8 - Extra context menu item: ÓÃQQ²ÊÐÅ·¢Ë͸ÃͼƬ - C:\Documents and Settings\Lida\My Documents\SendMMS.htm

    Next, close all other windows and press "Fix checked".

    2. Go to Start -> Run, type this in the box and click OK:

    "%userprofile%\desktop\combofix.exe" /v geeefc

    3. When finished, it shall produce a log for you. Post that log in your next reply.

    4. Reboot

    Note:
    Do not mouse-click ComboFix's window while it is running; that may cause it to stall.

    Please post a fresh HijackThis log and Combofix log.
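    The fix list above is built by reading HijackThis "O" lines by eye. As an added example (not HijackThis code and not something posted in this thread), the following Python script parses lines of that format, flags the things a helper checks first ("(file missing)" targets and entries whose target lives in a temp or My Documents folder), and re-decodes names that were mangled by a code-page mismatch, which is what the "Ìí¼Óµ½QQ±íÇé" context-menu entries are: GBK text shown as Latin-1. The six sample lines are copied from the log posted above; the flag names, the `Entry` class and the assumption that the source code page is GBK are this example's own choices.

```python
"""HijackThis log triage helper (added example; not HijackThis's own code).

Parses "On - Label: detail" lines, flags the usual first-look items and
undoes code-page mojibake so a garbled context-menu name can be recognised.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: six lines copied from the HijackThis 1.99.1 log above
# (raw string, so the Windows backslashes are literal).
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
O8 - Extra context menu item: Ìí¼Óµ½QQ±íÇé - C:\Documents and Settings\Lida\My Documents\AddEmotion.htm
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.popcap.com/games/popcaploader_v6.cab
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
"""

# Section tag, label up to the first colon, then the free-form detail.
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")


@dataclass
class Entry:
    section: str                        # "O4", "O8", ...
    label: str                          # "HKLM\..\Run", "Extra context menu item", ...
    detail: str                         # everything after the label
    name: str                           # display name of the item
    decoded_name: Optional[str] = None  # name re-decoded from mojibake, if any
    flags: List[str] = field(default_factory=list)


def decode_mojibake(text: str, source_codepage: str = "gbk") -> Optional[str]:
    """Undo bytes of an East Asian code page that were displayed as Latin-1.

    Returns the re-decoded text, or None when the text is plain ASCII or does
    not round-trip cleanly. The GBK assumption is this example's own.
    """
    if all(ord(c) < 0x80 for c in text):
        return None
    try:
        return text.encode("latin-1").decode(source_codepage)
    except UnicodeError:
        return None


def item_name(section: str, detail: str) -> str:
    """O4 lines carry the name in [brackets]; other sections put it first."""
    if section == "O4":
        m = re.match(r"\[([^\]]*)\]", detail)
        return m.group(1) if m else detail
    return detail.split(" - ")[0]


def parse_line(line: str) -> Optional[Entry]:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, label, detail = m.groups()
    e = Entry(section, label, detail, item_name(section, detail))
    e.decoded_name = decode_mojibake(e.name)
    if "(file missing)" in detail:
        e.flags.append("file missing")
        if re.search(r'\.exe"\s+/', detail):
            # A stray quote before the switch means the service ImagePath was
            # quoted and got cut at the quote; the same log lists this binary
            # among the running processes, so verify the path before acting.
            e.flags.append("quoted ImagePath, likely display artefact")
    low = detail.lower()
    if "\\temp\\" in low or "\\my documents\\" in low:
        e.flags.append("target in user-writable folder")
    return e


def triage(log_text: str) -> List[Entry]:
    return [e for e in (parse_line(ln) for ln in log_text.splitlines()) if e]


def report(entries: List[Entry]) -> List[str]:
    """One human-readable line per entry, with decoded name and flags."""
    out = []
    for e in entries:
        shown = e.name + (f"  [decodes as: {e.decoded_name}]" if e.decoded_name else "")
        out.append(f"{e.section:<4} {shown}" + (f"  <- {', '.join(e.flags)}" if e.flags else ""))
    return out


if __name__ == "__main__":
    for line in report(triage(SAMPLE_LOG)):
        print(line)
```

Run as-is it prints one line per sample entry; the O8 line decodes to "添加到QQ表情" (Add to QQ emoticons), which identifies the item as a Tencent QQ context-menu entry rather than an unnamed unknown, and the avast! O23 line is flagged as a likely display artefact because the same log shows ashMaiSv.exe running.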
     
  14. lida07

    lida07 Member

    Joined:
    Apr 15, 2007
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    11
    Hi muuli123,
    thanks for your help.
    Here is the ComboFix log:

    "Lida" - 07-04-27 18:48:48 Service Pack 1
    ComboFix 07-04-19.2V - Running from: C:\Documents and Settings\Lida\Desktop\
    Command switches used :: /v geeefc

    /wow section - STAGE #3

    ((((((((((((((((((((((((((((((( Files Created from 2007-03-27 to 2007-04-27 ))))))))))))))))))))))))))))))))))


    2007-04-20 02:36 899,952 --a------ C:\blbeta.exe
    2007-04-18 02:57 106,767 --a------ C:\WINDOWS\geeefc.dll
    2007-04-18 02:33 <DIR> d-------- C:\!KillBox
    2007-04-17 02:55 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\Lavasoft
    2007-04-17 02:12 <DIR> d-------- C:\VundoFix Backups
    2007-04-16 20:05 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\Comodo
    2007-04-16 20:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-16 16:58 <DIR> d-------- C:\Program Files\Comodo
    2007-04-16 16:35 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-16 16:23 <DIR> d-------- C:\DOCUME~1\Lida\.housecall6.6
    2007-04-14 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GameHouse
    2007-04-14 22:21 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\PlayFirst
    2007-04-14 22:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
    2007-04-14 22:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
    2007-04-13 01:46 <DIR> d-------- C:\Program Files\Easy GIF Animator


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-18 22:23 -------- d-------- C:\Program Files\msn messenger
    2007-04-16 20:02 -------- d-------- C:\Program Files\messenger
    2007-04-16 16:21 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-16 02:17 -------- d-------- C:\Program Files\vvsn
    2007-04-15 22:14 -------- d-------- C:\Program Files\popcap games
    2007-04-15 20:18 66 --a------ C:\WINDOWS\popcinfo.dat
    2007-03-26 13:49 -------- d-------- C:\Program Files\itunes
    2007-03-26 13:47 -------- d-------- C:\Program Files\ipod
    2007-03-18 00:24 -------- d-------- C:\DOCUME~1\Lida\APPLIC~1\msn6
    2007-03-12 12:09 -------- d-------- C:\Program Files\quicktime
    2007-03-11 20:04 37296 --a------ C:\WINDOWS\system32\khooker.exe
    2007-03-03 01:52 -------- d-------- C:\Program Files\divx


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    {9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-04-27 18:51:55
    C:\ComboFix-quarantined-files.txt ... 07-04-27 18:51
    C:\ComboFix2.txt ... 07-04-20 02:41
     
  15. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Please post a fresh HijackThis log too :)
     
  16. lida07

    lida07 Member

    Joined:
    Apr 15, 2007
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    11
    Logfile of HijackThis v1.99.1
    Scan saved at 2:14:41 AM, on 4/28/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\MSN Messenger\msnmsgr.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\WINDOWS\System32\WISPTIS.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

     
  17. muuli123

    muuli123 Regular member

    Joined:
    Jan 13, 2007
    Messages:
    154
    Likes Received:
    0
    Trophy Points:
    26
    Hello again...

    1. Open HijackThis.
    2. Press "Open the Misc Tools section".
    3. Press "Delete a file on reboot".
    4. Find this file:
    C:\WINDOWS\geeefc.dll
    5. Press Open.
    6. The computer will ask whether you want to restart it.
    7. Press Yes.

    Please post a fresh HijackThis log and ComboFix log :D
     
  18. lida07

    lida07 Member

    Joined:
    Apr 15, 2007
    Messages:
    11
    Likes Received:
    0
    Trophy Points:
    11
    Thanks again muuli123.
    Here are the HijackThis and ComboFix logs.

    Logfile of HijackThis v1.99.1
    Scan saved at 12:05:20 PM, on 4/28/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\khooker.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    c:\program files\internet explorer\iexplore.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SiS KHooker] C:\WINDOWS\System32\khooker.exe
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_10\bin\jusched.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe

    .....

    "Lida" - 07-04-28 12:06:24 Service Pack 1
    ComboFix 07-04-19.2V - Running from: C:\Documents and Settings\Lida\Desktop\

    /wow section - STAGE #3

    ((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))


    2007-04-20 02:36 899,952 --a------ C:\blbeta.exe
    2007-04-18 02:33 <DIR> d-------- C:\!KillBox
    2007-04-17 02:55 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\Lavasoft
    2007-04-17 02:12 <DIR> d-------- C:\VundoFix Backups
    2007-04-16 20:05 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\Comodo
    2007-04-16 20:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-16 16:58 <DIR> d-------- C:\Program Files\Comodo
    2007-04-16 16:35 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-16 16:23 <DIR> d-------- C:\DOCUME~1\Lida\.housecall6.6
    2007-04-14 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GameHouse
    2007-04-14 22:21 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\PlayFirst
    2007-04-14 22:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
    2007-04-14 22:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
    2007-04-13 01:46 <DIR> d-------- C:\Program Files\Easy GIF Animator


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-18 22:23 -------- d-------- C:\Program Files\msn messenger
    2007-04-16 20:02 -------- d-------- C:\Program Files\messenger
    2007-04-16 16:21 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-16 02:17 -------- d-------- C:\Program Files\vvsn
    2007-04-15 22:14 -------- d-------- C:\Program Files\popcap games
    2007-04-15 20:18 66 --a------ C:\WINDOWS\popcinfo.dat
    2007-03-26 13:49 -------- d-------- C:\Program Files\itunes
    2007-03-26 13:47 -------- d-------- C:\Program Files\ipod
    2007-03-18 00:24 -------- d-------- C:\DOCUME~1\Lida\APPLIC~1\msn6
    2007-03-12 12:09 -------- d-------- C:\Program Files\quicktime
    2007-03-11 20:04 37296 --a------ C:\WINDOWS\system32\khooker.exe
    2007-03-03 01:52 -------- d-------- C:\Program Files\divx


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    {9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SiS KHooker"="C:\\WINDOWS\\System32\\khooker.exe"
    "SoundMan"="SOUNDMAN.EXE"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-04-28 12:10:24
    C:\ComboFix-quarantined-files.txt ... 07-04-28 12:10
    C:\ComboFix2.txt ... 07-04-27 18:51
    C:\ComboFix3.txt ... 07-04-20 02:41
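    A small triage script for log lines of the kind posted above, added here as an example; it is not part of the original thread, of HijackThis or of ComboFix. It takes a handful of constructed lines modelled on the log (an O4 Run entry with a bare executable name, the kele8 O9 button, an O16 ActiveX download, and the avast! O23 service line with the stray quote) and flags what a helper looks at first: entries marked "(file missing)", O9 buttons that point at a URL instead of a local file, O4 entries whose program has no directory (Windows resolves those through its search path, so which file actually runs depends on what sits in earlier directories), O16 downloads from domains outside an allow-list, and O23 service paths with an odd number of quote characters. The allow-list of O16 domains is an assumption for the example.

```python
"""Triage helper for HijackThis-style log lines (added example, not HijackThis code)."""
import re
from urllib.parse import urlparse

# Constructed sample, modelled on the log posted above (not the full log).
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

LINE_RE = re.compile(r"^(O\d+) - (.*)$")
URL_RE = re.compile(r"https?://\S+")

# Assumption: O16 (Downloaded Program Files) hosts we do not need to review by hand.
EXPECTED_DPF_DOMAINS = {"messenger.zone.msn.com", "download.games.yahoo.com"}


def _path_is_bare(command: str) -> bool:
    """True when a Run value names its executable without a directory.

    A bare name such as SOUNDMAN.EXE is resolved through the search path at
    logon, so the file that runs is whichever matching name is found first.
    """
    command = command.strip()
    if not command or command.startswith('"'):
        return False
    first = command.split()[0]
    return "\\" not in first and ":" not in first


def triage(log_text: str) -> list:
    """Return (section, reason, line) tuples for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.groups()

        # Dead entry: the target no longer exists, or the path did not parse.
        if "(file missing)" in body:
            findings.append((section, "file missing", line))

        if section == "O4":
            command = body.split("] ", 1)[1] if "] " in body else body
            if _path_is_bare(command):
                findings.append((section, "bare executable name", line))

        # An IE button or Tools entry should launch a local file, not a URL.
        if section == "O9" and URL_RE.search(body):
            findings.append((section, "button points at URL", line))

        if section == "O16":
            url = URL_RE.search(body)
            if url:
                host = urlparse(url.group(0)).hostname or ""
                if host not in EXPECTED_DPF_DOMAINS:
                    findings.append((section, f"ActiveX from {host}", line))

        # An odd number of quotes means the service ImagePath is malformed;
        # HijackThis then reports the file as missing even when it is running.
        if section == "O23" and body.count('"') % 2 == 1:
            findings.append((section, "unbalanced quote in service path", line))
    return findings


if __name__ == "__main__":
    for section, reason, line in triage(SAMPLE_LOG):
        print(f"{section:4} {reason:34} {line}")
```

    Two of the hits illustrate the limits of reading such a log at face value: ashWebSv.exe is reported as "(file missing)" yet appears under Running processes in the same log, so the report comes from the unmatched quote in the service path rather than from an absent file; and SOUNDMAN.EXE is listed without a path, so the process list (which shows C:\WINDOWS\SOUNDMAN.EXE) is what confirms which file actually ran.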
     
  19. muuli123

    Hello :D

    What firewall do you use? If you don't use any firewall, please download one.
    I recommend one of these:
    Link
    Link
    Link

    Please download AVG anti-spyware to your Desktop or to your usual Download Folder, from HERE
    [*]Install AVG Anti-Spyware by double clicking the installer.
    [*]Follow the prompts. Make sure that Launch AVG Anti-Spyware is checked.
    [*]On the main screen under Your Computer's security.
    [*]Click on Change state next to Resident shield. It should now change to inactive.
    [*]Click on Change state next to Automatic updates. It should now change to inactive.
    [*]Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    [*]Wait until you see the Update successful message.
    [*]Right-click the AVG Anti-Spyware Tray Icon and uncheck Start with Windows.
    [*]Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.
    If you are having problems with the updater, you can use this link to manually update AVG.
    AVG Anti-Spyware manual updates.
    Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that AVG Anti-Spyware is closed before installing the update.
    Don't run a scan yet.

    Remove via Add/Remove application:
    WhenUSave, WhenU, SaveNow(or something similar name)

    Reboot your computer in Safe mode.

    Once in Safe mode:
    Delete these files/folders:
    C:\Program Files\vvsn
    C:\Program Files\popcap games
    C:\WINDOWS\popcinfo.dat

    RUN AVG ANTI-SPYWARE
    Close ALL open Windows / Programs / Folders. Please start AVG Anti-Spyware and run a full scan.
    [*]Click on Scanner on the toolbar.
    [*]Click on the Settings tab.
    [*]Under How to act?
    [*]Click on Recommended Action and choose Quarantine from the popup menu.
    [*]Under How to scan?
    [*]All checkboxes should be ticked.
    [*]Under Possibly unwanted software:
    [*]All checkboxes should be ticked.
    [*]Under Reports:
    [*]Select Automatically generate report after every scan and uncheck Only if threats were found.
    [*]Under What to scan?
    [*]Select Scan every file.
    [*]Click on the Scan tab.
    [*]Click on Complete System Scan to start the scan process.
    [*]Let the program scan the machine.
    [*]When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click the "Save Scan Report" button before you have clicked the "Apply all Actions" button.
    [*]Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    [*]At the bottom of the window click on the Apply all Actions button. (3)
    [*]When done, click the Save Scan Report button. (4)
    [*]Click the Save Report as button.
    [*]Save the report to your Desktop.
    [*]Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

    Reboot in Normal mode.

    Please Update your Java and Remove old Java Versions

    [*] Download the latest version of Java Runtime Environment (JRE) 6u1 <== scroll down the list to find THIS entry
    [*] Click the "Download" button to the right.
    [*] Check the box that says: "Accept License Agreement".
    [*] The page will refresh.
    [*] Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.

    Remove older Java Versions:

    [*] Close any programs you may have running - especially your web browser.
    [*] Go to Start >> Control Panel double-click on Add/Remove Programs and remove all older versions of Java.
    [*] Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    [*] Click the Remove or Change/Remove button.
    [*] Repeat as many times as necessary to remove each Java version.
    [*] Reboot your computer once all Java components are removed.

    Install latest Java Version:

    [*] From your desktop, double-click on jre-6-windows-i586.exe to install the newest version.

    Please post a fresh HijackThis log, ComboFix log and AVG Anti-Spyware report.
     
    Last edited: Apr 28, 2007
  20. lida07

    Hi again :)
    I downloaded the AVG Anti-Spyware program.
    However, I couldn't change the 'Change state' next to 'Resident Shield' and 'Automatic updates' to 'inactive' because it said N/A.
    I also couldn't update it, because when I clicked the 'Update Now' button an error appeared.
    Anyway, I was able to perform the rest of what was asked, so here are the logs you requested.


    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 1:55:31 AM 4/29/2007

    + Scan result:



    HKLM\SOFTWARE\AntivirusGold -> Adware.AntiVirusGolden : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0090691.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0090692.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0090693.exe -> Adware.SaveNow : Cleaned with backup (quarantined).
    C:\SDFix\backups\backups.zip/backups/tmp1C.tmp.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\SDFix\backups\backups.zip/backups/tmpDD.tmp.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094176.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094179.exe -> Adware.Virtumonde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068214.dll -> Adware.Yatool : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068470.dll -> Adware.Yatool : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068485.dll -> Adware.Yatool : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069665.dll -> Adware.Yatool : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091710.dll -> Adware.Yatool : Cleaned with backup (quarantined).
    C:\SDFix\backups\backups.zip/backups/taskmang.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068213.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068484.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094164.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094174.exe -> Downloader.Agent.beh : Cleaned with backup (quarantined).
    C:\SDFix\backups\backups.zip/backups/tmp4.tmp.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094178.exe -> Downloader.Agent.bjk : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP227\A0093889.exe -> Downloader.Agent.es : Cleaned with backup (quarantined).
    C:\QooBox\Quarantine\C\WINDOWS\system32\cryiqv.dll.vir -> Downloader.ConHook : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0095254.dll -> Downloader.ConHook : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068215.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068217.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068218.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068471.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068473.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068474.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068486.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068488.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068489.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069667.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069669.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069670.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091703.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091705.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091711.dll -> Downloader.Small.ehe : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP204\A0074474.rbf -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP205\A0074616.rbf -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP220\A0088535.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091695.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091697.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091698.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091699.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091702.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\WINDOWS\system32\khooker.exe -> Hijacker.Agent.jh : Cleaned with backup (quarantined).
    C:\Program Files\HijackThis\backups\backup-20070427-184535-350.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
    C:\WINDOWS\Downloaded Program Files\popcaploader.dll -> Not-A-Virus.Downloader.Win32.PopCap.b : Cleaned with backup (quarantined).
    :mozilla.116:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.117:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.118:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.119:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.120:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.121:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.139:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.167:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
    :mozilla.49:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.50:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.51:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.53:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.71:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.72:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    :mozilla.73:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@ads.addynamix[1].txt -> TrackingCookie.Addynamix : Cleaned.
    :mozilla.144:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.145:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.146:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.147:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.148:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
    :mozilla.57:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
    :mozilla.54:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.55:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.56:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@www.burstnet[2].txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.19:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.20:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.21:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.22:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.23:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.24:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.25:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@as.casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@casalemedia[1].txt -> TrackingCookie.Casalemedia : Cleaned.
    :mozilla.176:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Clickbank : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    :mozilla.52:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@doubleclick[2].txt -> TrackingCookie.Doubleclick : Cleaned.
    :mozilla.170:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.171:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.172:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@fastclick[2].txt -> TrackingCookie.Fastclick : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@media.fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
    :mozilla.122:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
    :mozilla.125:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Imrworldwide : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@search.msn[1].txt -> TrackingCookie.Msn : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@www.paypal[1].txt -> TrackingCookie.Paypal : Cleaned.
    :mozilla.185:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.186:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.187:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    :mozilla.188:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
    :mozilla.90:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
    :mozilla.27:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.28:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.29:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.30:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
    :mozilla.68:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@tradedoubler[1].txt -> TrackingCookie.Tradedoubler : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
    :mozilla.174:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.160:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Webtrendslive : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@statse.webtrendslive[2].txt -> TrackingCookie.Webtrendslive : Cleaned.
    :mozilla.61:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.62:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.63:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.64:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.65:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.66:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.67:C:\Documents and Settings\Lida\Application Data\Mozilla\Firefox\Profiles\gxmmsdrg.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Documents and Settings\Lida\Cookies\lida@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP177\A0068216.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP178\A0068472.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP179\A0068487.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP184\A0069668.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091704.dll -> Trojan.Agent.aet : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP220\A0089536.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0089578.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP221\A0091662.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP222\A0091681.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091712.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP227\A0092817.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094106.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP234\A0095506.dll -> Trojan.Agent.agv : Cleaned with backup (quarantined).
    C:\QooBox\Quarantine\C\WINDOWS\system32\tmp39.tmp.dll.vir -> Trojan.BHO.g : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0095249.dll -> Trojan.BHO.g : Cleaned with backup (quarantined).
    C:\QooBox\Quarantine\C\WINDOWS\system32\tmp1.tmp.dll.vir -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\SDFix\backups\backups.zip/backups/tmp1.tmp.exe -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\SDFix\backups\backups.zip/backups/tmp2.tmp.exe -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091706.dll -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091707.dll -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091708.dll -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091709.dll -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP227\A0092814.dll -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP227\A0092825.dll -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094175.exe -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0094177.exe -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP231\A0095248.dll -> Trojan.BHo_O : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091696.exe -> Trojan.Dialer.cj : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091700.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{C7931D03-347C-4C29-AF15-7571CDB95FC9}\RP224\A0091701.exe -> Trojan.Small.fb : Cleaned with backup (quarantined).


    ::Report end


    . . . . .


    Logfile of HijackThis v1.99.1
    Scan saved at 02:40, on 07-04-29
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Comodo\Firewall\cmdagent.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\system32\slserv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Comodo\Firewall\CPF.exe
    C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
    C:\WINDOWS\System32\ctfmon.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\HijackThis\HijackThis.exe

    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
    O4 - HKCU\..\Run: [BitTorrent] "C:\Program Files\BitTorrent\bittorrent.exe" --force_start_minimized
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PcSync] C:\Program Files\Nokia\Nokia PC Suite 6\PcSync2.exe /NoDialog
    O4 - Startup: Cyber-shot Viewer Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\npjpi160_01.dll
    O9 - Extra button: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra 'Tools' menuitem: kele8 - {84920E5F-3788-49cd-A274-E365578DF174} - http://www.kele8.com/ (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
    O16 - DPF: {55027008-315F-4F45-BBC3-8BE119764741} (Slide Image Uploader Control) - http://www.slide.com/uploader/SlideImageUploader.cab
    O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
    O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www3.ca.com/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
    O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
    O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
    O16 - DPF: {D54160C3-DB7B-4534-9B65-190EE4A9C7F7} (SproutLauncherCtrl Class) - http://download.games.yahoo.com/games/web_games/gamehouse/frenzy/SproutLauncher.cab
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: SmartLinkService (SLService) - - C:\WINDOWS\SYSTEM32\slserv.exe



    . . . . .



    "Lida" - 07-04-29 2:37:55 Service Pack 1
    ComboFix 07-04-19.2V - Running from: C:\Documents and Settings\Lida\Desktop\

    /wow section - STAGE #3

    ((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))


    2007-04-29 02:26 <DIR> d-------- C:\Program Files\Common Files\Java
    2007-04-28 23:49 51,328 --a------ C:\WINDOWS\system32\drivers\inspect.sys
    2007-04-28 23:31 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-20 02:36 899,952 --a------ C:\blbeta.exe
    2007-04-18 02:33 <DIR> d-------- C:\!KillBox
    2007-04-17 02:55 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\Lavasoft
    2007-04-17 02:12 <DIR> d-------- C:\VundoFix Backups
    2007-04-16 20:05 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\Comodo
    2007-04-16 20:04 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-16 16:58 <DIR> d-------- C:\Program Files\Comodo
    2007-04-16 16:35 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-16 16:23 <DIR> d-------- C:\DOCUME~1\Lida\.housecall6.6
    2007-04-14 23:51 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\GameHouse
    2007-04-14 22:21 <DIR> d-------- C:\DOCUME~1\Lida\APPLIC~1\PlayFirst
    2007-04-14 22:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst
    2007-04-14 22:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
    2007-04-13 01:46 <DIR> d-------- C:\Program Files\Easy GIF Animator


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-29 02:28 -------- d-------- C:\Program Files\java
    2007-04-18 22:23 -------- d-------- C:\Program Files\msn messenger
    2007-04-16 20:02 -------- d-------- C:\Program Files\messenger
    2007-04-16 16:21 -------- d--h----- C:\Program Files\installshield installation information
    2007-03-26 13:49 -------- d-------- C:\Program Files\itunes
    2007-03-26 13:47 -------- d-------- C:\Program Files\ipod
    2007-03-18 00:24 -------- d-------- C:\DOCUME~1\Lida\APPLIC~1\msn6
    2007-03-12 12:09 -------- d-------- C:\Program Files\quicktime
    2007-03-03 01:52 -------- d-------- C:\Program Files\divx


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    {9030D464-4C02-4ABF-8ECC-5164760863C6} C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "SoundMan"="SOUNDMAN.EXE"
    "avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "COMODO Firewall Pro"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe"="C:\\WINDOWS\\System32\\ctfmon.exe"
    "BitTorrent"="\"C:\\Program Files\\BitTorrent\\bittorrent.exe\" --force_start_minimized"
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "PcSync"="C:\\Program Files\\Nokia\\Nokia PC Suite 6\\PcSync2.exe /NoDialog"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\AppleSoftwareUpdate.job

    ********************************************************************

    catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
    http://www.gmer.net

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0

    ********************************************************************

    Completion time: 07-04-29 2:43:20
    C:\ComboFix-quarantined-files.txt ... 07-04-29 02:43
    C:\ComboFix2.txt ... 07-04-28 12:10
    C:\ComboFix3.txt ... 07-04-27 18:51

     
