
Hijackthis log - help!

Discussion in 'Malware and Virus Removal Archive' started by Begley, 2006/08/19.

  1. 2006/08/19
    Begley

    Begley Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    12
    Likes Received:
    0
    Help! I have a lot of spyware and adware on my computer. The main problems are the sheer amount of popups, which interrupt other programs as well. Popups seem to be coming from something called "oinadserver". My homepage has been changed without my permission to "www.syssecuritypage.com" and every time I open Internet Explorer I get an alert saying: "W32.Myzor.FK@yf is a virus that infects files with .exe extensions. It attempts to steal passwords and private information from the infected computer." However, I do not trust what it says and have just closed the alert every time. I also have the program ZoneAlarm Pro running but I am still getting popups.

    Here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 1:15:50 PM, on 20/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\issearch.exe
    C:\WINDOWS\system32\isnotify.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\ismon.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\{A04597B6-0AE7-1033-0518-05032520003d}\Update.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\SEMBLY~1\rundll32.exe
    C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\services.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ishost.exe
    C:\Documents and Settings\Administrator\Desktop\Vicious ware removers\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [efd61a02.exe] C:\WINDOWS\system32\efd61a02.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Snte] "C:\WINDOWS\system32\SEMBLY~1\rundll32.exe" -vt yazr
    O4 - HKCU\..\Run: [Nzfzvq] C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\services.exe
    O4 - HKCU\..\Run: [efd61a02.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\efd61a02.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: hxxp://www.amaena.com
    O15 - Trusted Zone: hxxp://locator.cdn.imageservr.com
    O15 - Trusted Zone: hxxp://scanner.sysprotect.com
    O15 - Trusted Zone: hxxp://*.systemdoctor.com
    O15 - Trusted Zone: hxxp://www.winantivirus.com
    O15 - Trusted Zone: hxxp://www.winantiviruspro.com
    O15 - Trusted Zone: hxxp://download.cdn.winsoftware.com
    O15 - Trusted IP range: hxxp://202.67.220.225
    O15 - Trusted IP range: hxxp://59.148.220.121
    O15 - Trusted IP range: hxxp://62.4.84.53
    O15 - Trusted IP range: hxxp://82.98.235.58
    O15 - Trusted IP range: hxxp://85.12.25.90
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - hxxp://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: winspool.dll
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    Please Help - It is a new computer and it is already weighed down by adware!
    Thanks

    **Edit by moderator to disable live links to malware sites.
     
  2. 2006/08/20
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Welcome to WindowsBBS Forums.

    Looks like you have a couple of things going on here. I see SmitFraud and perhaps Vundo along with PurityScan. So, let's first rid you of SmitFraud; its first step will be below, but first there are a couple of things we need to do.

    Please follow these instructions, exactly, for proper HJT installation. Please place HJT into ITS OWN PERMANENT FOLDER. It also needs to be removed from the desktop.
    You can do this by going to My Computer (Windows key+e), then double click on C:, then right click and select New, then Folder, and name it HJT. (C:\HJT\HijackThis.exe) Move HijackThis.exe into this folder. When you run HijackThis.exe from the C:\HJT folder and have it "Fix checked", it will create a backup file of the modifications to use if a restore is necessary, which is easily accessible.

    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, General Settings.
    • Scroll down and uncheck Turn on real-time protection (recommended).
    • After you uncheck this, click on the Save button and close Windows Defender.

    After all of the fixes are complete it is very important that you re-enable Real-time Protection again.

    Please download SmitfraudFix (by S!Ri)
    Extract the content (a folder named SmitfraudFix) to your Desktop.

    Open the SmitfraudFix folder and double-click smitfraudfix.cmd
    Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
    Please copy/paste the content of that report into your next reply.

    Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore you may get an alert.
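The triage TeMerc does by eye on the log above (autorun entries pointing into the user profile, copies of services.exe and rundll32.exe outside the Windows directories, a long list of O15 Trusted Zone additions, an O16 ActiveX download and a populated AppInit_DLLs) can be written down as checks. The following is an added example written for this page, not code from the thread or from the HijackThis project; the heuristics are the editor's, and the sample lines are copied from the log posted in the first message.

```python
"""Triage a HijackThis 1.99 log.

Added example for this thread (editor's heuristics, not HijackThis code).
The sample lines are copied from the log posted above.
"""
import re
from dataclasses import dataclass
from typing import Iterator, List
from urllib.parse import urlparse

# Sample input: lines taken from the HJT log in the first post.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [efd61a02.exe] C:\WINDOWS\system32\efd61a02.exe
O4 - HKCU\..\Run: [Snte] "C:\WINDOWS\system32\SEMBLY~1\rundll32.exe" -vt yazr
O4 - HKCU\..\Run: [Nzfzvq] C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\services.exe
O4 - HKCU\..\Run: [efd61a02.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\efd61a02.exe
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: winspool.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Path fragments that mean "user-writable profile or temp location".
USER_PROFILE_MARKERS = ("documents and settings", "docume~1", "application data",
                        "applic~1", "local settings", "\\temp\\")
# Names of core Windows binaries that malware likes to borrow.
SYSTEM_BINARY_NAMES = {"services.exe", "rundll32.exe", "svchost.exe", "lsass.exe",
                       "winlogon.exe", "smss.exe", "csrss.exe", "explorer.exe"}
# The only directories where those names belong on a default XP install.
SYSTEM_DIRS = {"c:\\windows", "c:\\windows\\system32"}

_O4_RE = re.compile(r"^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
_O15_RE = re.compile(r"^O15 - Trusted (?:Zone|IP range): (?P<target>.+)$")
_O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[^}]*\}) - (?P<url>\S+)$")
_O20_RE = re.compile(r"^O20 - AppInit_DLLs: (?P<dlls>.+)$")
_EXE_RE = re.compile(r'^"?(?P<path>[^"]*?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    kind: str    # HJT section prefix, e.g. "O4"
    reason: str  # why an analyst should look at this entry
    line: str    # the original log line


def _exe_path(cmd: str) -> str:
    """Strip quotes and arguments from an O4 command line, keeping the .exe path."""
    m = _EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def _check_o4(name: str, cmd: str, line: str) -> Iterator[Finding]:
    path = _exe_path(cmd)
    low = path.lower()
    parent, _, base = low.rpartition("\\")
    if re.fullmatch(r"[0-9a-f]{8}\.exe", name.lower()):
        yield Finding("O4", f"autorun entry is named after a random-looking file ({name})", line)
    if any(marker in low for marker in USER_PROFILE_MARKERS):
        yield Finding("O4", f"autorun target lives in a user-writable profile path: {path}", line)
    if base in SYSTEM_BINARY_NAMES and parent not in SYSTEM_DIRS:
        yield Finding("O4", f"{base} is a Windows system binary name, but this copy is in "
                            f"{parent or '(no directory)'}", line)


def triage(log_text: str) -> List[Finding]:
    """Return the entries an analyst should review first, with a reason for each."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("(no file)"):
            findings.append(Finding(line.split(" - ", 1)[0],
                                    "orphaned entry: the referenced file no longer exists", line))
        elif (m := _O4_RE.match(line)):
            findings.extend(_check_o4(m["name"], m["cmd"], line))
        elif (m := _O15_RE.match(line)):
            findings.append(Finding("O15", f"{m['target']} is in the IE Trusted Zone, so it gets "
                                           "relaxed ActiveX and download settings", line))
        elif (m := _O16_RE.match(line)):
            host = urlparse(m["url"]).netloc
            findings.append(Finding("O16", f"ActiveX control {m['clsid']} was installed from {host}", line))
        elif (m := _O20_RE.match(line)):
            findings.append(Finding("O20", f"AppInit_DLLs={m['dlls']}: these DLLs are loaded into "
                                           "every process that loads user32.dll", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.reason}\n      {f.line}")
```

Run on the sample, the O4 lines for IgfxTray and the O23 ZoneAlarm service produce nothing, while each of the three HKCU autoruns is flagged at least once and every O15, O16 and O20 line is listed for review. The checks only rank entries; deciding what to fix still needs the analyst, which is exactly the role TeMerc plays in this thread.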
     


  4. 2006/08/21
    Begley

    Begley Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    12
    Likes Received:
    0
    reply1

    Here is the SmitfraudFix report:

    SmitFraudFix v2.81

    Scan done at 18:28:04.06, Mon 21/08/2006
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in normal mode

    »»»»»»»»»»»»»»»»»»»»»»»» C:\

    C:\dfndr?_?.exe FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


    »»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32

    C:\WINDOWS\system32\ishost.exe FOUND !
    C:\WINDOWS\system32\ismon.exe FOUND !
    C:\WINDOWS\system32\isnotify.exe FOUND !
    C:\WINDOWS\system32\issearch.exe FOUND !
    C:\WINDOWS\system32\ixt?.dll FOUND !
    C:\WINDOWS\system32\ixt??.dll FOUND !
    C:\WINDOWS\system32\ot.ico FOUND !
    C:\WINDOWS\system32\ts.ico FOUND !
    C:\WINDOWS\system32\components\flx?.dll FOUND !
    C:\WINDOWS\system32\components\flx??.dll FOUND !
    C:\WINDOWS\system32\components\flx???.dll FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Administrator\Application Data


    »»»»»»»»»»»»»»»»»»»»»»»» Start Menu

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url FOUND !
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url FOUND !

    »»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\ADMINI~1\FAVORI~1


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop


    »»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


    »»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


    »»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source "= "About:Home "
    "SubscribedURL "= "About:Home "
    "FriendlyName "= "My Current Home Page "


    »»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


    »»»»»»»»»»»»»»»»»»»»»»»» End



    Also, I did what you said about HijackThis, but I don't think that I was supposed to check any of the boxes yet. Here is the new HijackThis log just in case:

    Logfile of HijackThis v1.99.1
    Scan saved at 6:36:41 PM, on 21/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\issearch.exe
    C:\WINDOWS\system32\ismon.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\{A04597B6-0AE7-1033-0518-05032520003d}\Update.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\SEMBLY~1\rundll32.exe
    C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\services.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\ishost.exe
    C:\HJT\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ninemsn.com.au/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [efd61a02.exe] C:\WINDOWS\system32\efd61a02.exe
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Snte] "C:\WINDOWS\system32\SEMBLY~1\rundll32.exe" -vt yazr
    O4 - HKCU\..\Run: [Nzfzvq] C:\DOCUME~1\ADMINI~1\APPLIC~1\FNTS~1\services.exe
    O4 - HKCU\..\Run: [efd61a02.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\efd61a02.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.amaena.com
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://scanner.sysprotect.com
    O15 - Trusted Zone: http://*.systemdoctor.com
    O15 - Trusted Zone: http://www.winantivirus.com
    O15 - Trusted Zone: http://www.winantiviruspro.com
    O15 - Trusted Zone: http://download.cdn.winsoftware.com
    O15 - Trusted IP range: http://202.67.220.225
    O15 - Trusted IP range: http://59.148.220.121
    O15 - Trusted IP range: http://62.4.84.53
    O15 - Trusted IP range: http://82.98.235.58
    O15 - Trusted IP range: http://85.12.25.90
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: winspool.dll
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Thank you!
     
  5. 2006/08/21
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    And now the second half of the fix:

    You should print out these instructions, or copy them to a Notepad file for reading while in Safe Mode, because you will not be able to connect to the Internet to read from this site. Please follow the instructions exactly in the order listed; this is very important!

    Please download, install, and update the free version of Ewido Anti-Malware:
    1. When installing, under "Additional Options" uncheck "Install background guard" and "Install scan via context menu".
    2. When you run Ewido for the first time, you will get a warning "Database could not be found!". Click OK. We will fix this in a moment.
    3. From the main Ewido screen, click on update in the left menu, then click the Start update button.
    4. After the update finishes, the status bar at the bottom will display "Update successful".
    5. Exit Ewido. DO NOT run a scan yet.

    Reboot into Safe Mode this way:
    Turn on the computer
    Immediately begin tapping the F8 key.
    Use the arrow keys to highlight Safe Mode and press the Enter key.

    Once in Safe Mode, open the SmitfraudFix folder again and double-click smitfraudfix.cmd
    Select option #2 - Clean by typing 2 and press "Enter" to delete infected files.

    You will be prompted: "Registry cleaning - Do you want to clean the registry?"; answer "Yes" by typing Y and press "Enter" in order to remove the Desktop background and clean registry keys associated with the infection.

    The tool will now check if wininet.dll is infected. You may be prompted to replace the infected file (if found); answer "Yes" by typing Y and press "Enter".

    The tool may need to restart your computer to finish the cleaning process. A text file will appear onscreen, with results from the cleaning process; please copy/paste the content of that report into your next reply.

    AFTER SmitfraudFix finishes (and after a reboot if required), please open Ewido. (If a reboot is required, please boot BACK into Safe Mode.)
    • Click on Scanner
    • Click on Complete System Scan and the scan will begin.
    • If ewido finds anything, it will pop up a notification. You can select "Remove" and check the boxes "Perform action with all infections" and "Create encrypted backup" before clicking on OK.
    • When the scan is finished, click the Save report button at the bottom of the screen.
    • Save the report to your desktop
    • Close Ewido
    Then please restart it into Normal Windows. Please post the contents of the SmitfraudFix log located at C:\rapport.txt into this thread, along with the Ewido report and a new HijackThis log.
     
  6. 2006/08/22
    Begley

    Begley Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    12
    Likes Received:
    0
    Reply 2

    Hi,
    After I completed the last step my internet homepage was returned to normal! Thank you.

    Here is the SmitfraudFix log

    SmitFraudFix v2.81

    Scan done at 16:50:50.53, Tue 22/08/2006
    Run from C:\Documents and Settings\Administrator\Desktop\SmitfraudFix
    OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
    Fix ran in safe mode

    »»»»»»»»»»»»»»»»»»»»»»»» Before SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll

    »»»»»»»»»»»»»»»»»»»»»»»» Killing process


    »»»»»»»»»»»»»»»»»»»»»»»» Generic Renos Fix

    GenericRenosFix by S!Ri


    »»»»»»»»»»»»»»»»»»»»»»»» Deleting infected files

    C:\dfndr?_?.exe Deleted
    C:\WINDOWS\system32\ishost.exe Deleted
    C:\WINDOWS\system32\ismon.exe Deleted
    C:\WINDOWS\system32\isnotify.exe Deleted
    C:\WINDOWS\system32\issearch.exe Deleted
    C:\WINDOWS\system32\ixt?.dll Deleted
    C:\WINDOWS\system32\ot.ico Deleted
    C:\WINDOWS\system32\ts.ico Deleted
    C:\WINDOWS\system32\components\flx?.dll Deleted
    C:\WINDOWS\system32\components\flx??.dll Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Online Security Guide.url Deleted
    C:\DOCUME~1\ALLUSE~1\STARTM~1\Security Troubleshooting.url Deleted

    »»»»»»»»»»»»»»»»»»»»»»»» Deleting Temp Files


    »»»»»»»»»»»»»»»»»»»»»»»» Registry Cleaning

    Registry Cleaning done.

    »»»»»»»»»»»»»»»»»»»»»»»» After SmitFraudFix
    !!!Attention, following keys are not inevitably infected!!!

    SrchSTS.exe by S!Ri
    Search SharedTaskScheduler's .dll


    »»»»»»»»»»»»»»»»»»»»»»»» End

    Here is the Ewido report:

    ---------------------------------------------------------
    ewido anti-spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 5:31:04 PM 22/08/2006

    + Scan result:



    HKU\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned.
    HKU\S-1-5-18\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned.
    HKU\S-1-5-21-1623046410-950976766-3220615424-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{052B12F7-86FA-4921-8482-26C42316B522} -> Adware.Generic : Cleaned.
    HKU\S-1-5-21-1623046410-950976766-3220615424-500\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{873EB32D-AE1A-4183-89BD-45A77F761BE4} -> Adware.Generic : Cleaned.
    C:\Documents and Settings\Administrator\Application Data\Fοnts\services.exe -> Adware.PurityScan : Cleaned.
    C:\Program Files\Таsks\netdde.exe -> Adware.PurityScan : Cleaned.
    C:\RECYCLER\NPROTECT\00002160.dll -> Adware.PurityScan : Cleaned.
    C:\Program Files\Common Files\Sandlot Shared\slghex.dll -> Adware.SpywareStorm : Cleaned.
    C:\WINDOWS\system32\iifgffe.dll -> Adware.Virtumonde : Cleaned.
    C:\t.rar/Setup.exe -> Backdoor.IRCBot.dd : Error during cleaning.
    C:\Documents and Settings\Administrator\dr.exe -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003159.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003162.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003165.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003168.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003171.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003174.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003177.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003180.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003183.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003186.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003189.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003192.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003195.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003198.EXE -> Downloader.Adload.cw : Cleaned.
    C:\RECYCLER\NPROTECT\00003201.EXE -> Downloader.Adload.cy : Cleaned.
    C:\Documents and Settings\Administrator\Local Settings\Application Data\efd61a02.exe -> Downloader.Obfuscated.a : Cleaned.
    C:\WINDOWS\system32\efd61a02.exe -> Downloader.Obfuscated.a : Cleaned.
    C:\WINDOWS\temp\win56.tmp.exe -> Downloader.Obfuscated.a : Cleaned.
    C:\RECYCLER\NPROTECT\00001940.exe -> Downloader.PurityScan.bv : Cleaned.
    C:\RECYCLER\S-1-5-21-1623046410-950976766-3220615424-500\Dc25\OINSetup.exe -> Downloader.PurityScan.bv : Cleaned.
    C:\RECYCLER\NPROTECT\00001946.exe -> Downloader.PurityScan.cr : Cleaned.
    C:\WINDOWS\system32\аѕsembly\rundll32.exe -> Downloader.PurityScan.cu : Cleaned.
    C:\WINDOWS\temp\!update.exe -> Downloader.PurityScan.cy : Cleaned.
    C:\WINDOWS\Αdobe\mshta.exe -> Downloader.PurityScan.cy : Cleaned.
    C:\Documents and Settings\Administrator\setup.exe -> Downloader.VB.aik : Cleaned.
    C:\RECYCLER\NPROTECT\00001961.dll -> Downloader.Zlob.aab : Cleaned.
    C:\RECYCLER\NPROTECT\00003346.dll -> Downloader.Zlob.aae : Cleaned.
    C:\RECYCLER\NPROTECT\00003656.dll -> Downloader.Zlob.aae : Cleaned.
    C:\RECYCLER\NPROTECT\00003805.exe -> Downloader.Zlob.aae : Cleaned.
    C:\RECYCLER\NPROTECT\00003806.dll -> Downloader.Zlob.aae : Cleaned.
    C:\RECYCLER\NPROTECT\00003899.dll -> Downloader.Zlob.aak : Cleaned.
    C:\RECYCLER\NPROTECT\00004146.dll -> Downloader.Zlob.aak : Cleaned.
    C:\RECYCLER\NPROTECT\00004149.dll -> Downloader.Zlob.aas : Cleaned.
    C:\RECYCLER\NPROTECT\00004462.exe -> Downloader.Zlob.aas : Cleaned.
    C:\RECYCLER\NPROTECT\00004463.dll -> Downloader.Zlob.aas : Cleaned.
    C:\RECYCLER\NPROTECT\00004465.dll -> Downloader.Zlob.aas : Cleaned.
    C:\RECYCLER\NPROTECT\00004150.dll -> Downloader.Zlob.aat : Cleaned.
    C:\RECYCLER\NPROTECT\00001965.dll -> Downloader.Zlob.ue : Cleaned.
    C:\RECYCLER\NPROTECT\00001967.exe -> Downloader.Zlob.ue : Cleaned.
    C:\RECYCLER\NPROTECT\00002373.exe -> Downloader.Zlob.zy : Cleaned.
    C:\RECYCLER\NPROTECT\00002374.exe -> Downloader.Zlob.zy : Cleaned.
    C:\RECYCLER\NPROTECT\00002375.dll -> Downloader.Zlob.zy : Cleaned.
    C:\RECYCLER\NPROTECT\00001960.dll -> Downloader.Zlob.zz : Cleaned.
    C:\WINDOWS\system32\mayoiqnu.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned.
    C:\WINDOWS\system32\mjuscyfv.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned.
    C:\WINDOWS\system32\mypcngui.exe -> Not-A-Virus.Downloader.Win32.WinFixer.i : Cleaned.
    C:\Documents and Settings\Administrator\Application Data\sysprotectscannerinstall2[1].exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
    C:\WINDOWS\Downloaded Program Files\UWA6P_0001_N91M1807NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
    C:\RECYCLER\NPROTECT\00002772.dll -> Not-A-Virus.Hoax.Win32.Renos.dw : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@install.bestoffersnetworks[2].txt -> TrackingCookie.Bestoffersnetworks : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
    C:\RECYCLER\NPROTECT\00003045.TXT -> TrackingCookie.Findwhat : Cleaned.
    C:\Documents and Settings\LocalService\Cookies\system@c.goclick[2].txt -> TrackingCookie.Goclick : Cleaned.
    C:\RECYCLER\NPROTECT\00001919.TXT -> TrackingCookie.Goclick : Cleaned.
    C:\RECYCLER\NPROTECT\00002939.TXT -> TrackingCookie.Goclick : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@stats1.reliablestats[2].txt -> TrackingCookie.Reliablestats : Cleaned.
    C:\Documents and Settings\Administrator\Cookies\administrator@ad.yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
    C:\Program Files\winupdates\a.zip/Setup.exe -> Worm.VB.an : Error during cleaning.


    ::Report end

    Here is the HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:37:50 PM, on 22/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\Common Files\{A04597B6-0AE7-1033-0518-05032520003d}\Update.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
    O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [efd61a02.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\efd61a02.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: http://www.amaena.com
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://scanner.sysprotect.com
    O15 - Trusted Zone: http://*.systemdoctor.com
    O15 - Trusted Zone: http://www.winantivirus.com
    O15 - Trusted Zone: http://www.winantiviruspro.com
    O15 - Trusted Zone: http://download.cdn.winsoftware.com
    O15 - Trusted IP range: http://202.67.220.225
    O15 - Trusted IP range: http://59.148.220.121
    O15 - Trusted IP range: http://62.4.84.53
    O15 - Trusted IP range: http://82.98.235.58
    O15 - Trusted IP range: http://85.12.25.90
    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - AppInit_DLLs: winspool.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Thank you again!
     
  7. 2006/08/22
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Well, we got a good amount of cleaning done with Ewido; let's finish up.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, General Settings.
    • Scroll down and uncheck Turn on real-time protection (recommended).
    • After you uncheck this, click on the Save button and close Windows Defender.

    After all of the fixes are complete it is very important that you re-enable Real-time Protection again.


    Please go to Add/Remove, and if found, uninstall the following:
    winupdates

    Please hit 'Ctrl' + 'Alt' + 'Delete' to bring up running processes and 'End Task' on the following process(es) if present:
    C:\Program Files\Common Files\{A04597B6-0AE7-1033-0518-05032520003d}\Update.exe

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows, or other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)

    O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)


    O4 - HKCU\..\Run: [efd61a02.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\efd61a02.exe


    O15 - Trusted Zone: http://www.amaena.com
    O15 - Trusted Zone: http://locator.cdn.imageservr.com
    O15 - Trusted Zone: http://scanner.sysprotect.com
    O15 - Trusted Zone: http://*.systemdoctor.com
    O15 - Trusted Zone: http://www.winantivirus.com
    O15 - Trusted Zone: http://www.winantiviruspro.com
    O15 - Trusted Zone: http://download.cdn.winsoftware.com
    O15 - Trusted IP range: http://202.67.220.225
    O15 - Trusted IP range: http://59.148.220.121
    O15 - Trusted IP range: http://62.4.84.53
    O15 - Trusted IP range: http://82.98.235.58
    O15 - Trusted IP range: http://85.12.25.90


    O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/Yazzl...cab?refid=1123


    O20 - AppInit_DLLs: winspool.dll


    Reboot into Safe Mode this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Then search for and delete, if found (some may not be present after the previous steps), the following files/folders:
    C:\Program Files\winupdates<<<<---this folder
    C:\Program Files\Common Files\{A04597B6-0AE7-1033-0518-05032520003d}<<<<---this folder
    C:\Documents and Settings\Administrator\Local Settings\Application Data\efd61a02.exe<<<--this file
    winspool.dll<<<--this file

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.

    Upon rebooting, it may be the O15 entries will still be present, if so, please do the following:

    Download DelDomains.zip and unzip it to your desktop.

    Right-click on the deldomains.inf file and select 'Install'

    Once it is finished your Zones should be reset.

    Note, if you use SpywareBlaster and/or IE/SPYAD, it will be necessary to re-install the protection both afford. For SpywareBlaster, run the program and re-protect all items. For IE/SPYAD, run the batch file and reinstall the protection.
     
  8. 2006/08/27
    Begley

    Begley Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    12
    Likes Received:
    0
    reply 3

    Here is the new Hijackthis Log

    Logfile of HijackThis v1.99.1
    Scan saved at 4:26:42 PM, on 27/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\HJT\HijackThis.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7404F83A-37CF-490F-B1A8-D92B653B07DB} - C:\WINDOWS\system32\vtsqo.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winopn32 - C:\WINDOWS\SYSTEM32\winopn32.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    thanks
     
  9. 2006/08/27
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Looks like we have a vundo infection here now.

    Let's run the fix.

    Please download VundoFix.exe to your desktop.
    • Double-click *VundoFix.exe* to run it.
    • Click the *Scan for Vundo* button.
    • Once it's done scanning, click the *Remove Vundo* button.
    • You will receive a prompt asking if you want to remove the files, click *YES*
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click *OK*.
    • Please post the contents of C:\*vundofix.txt* and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above
    instructions starting from "Click the *Scan for Vundo* button." when
    VundoFix appears at reboot.
     
  10. 2006/08/27
    Begley

    Begley Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    12
    Likes Received:
    0
    reply 4

    Here is the VundoFix log


    VundoFix V6.1.2

    Checking Java version...

    Scan started at 7:51:28 PM 27/08/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\oqstv.ini
    C:\WINDOWS\system32\oqstv.bak1
    C:\WINDOWS\system32\oqstv.bak2

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\vtsqo.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\oqstv.ini
    C:\WINDOWS\system32\oqstv.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\oqstv.bak1
    C:\WINDOWS\system32\oqstv.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\oqstv.bak2
    C:\WINDOWS\system32\oqstv.bak2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.1.2

    Checking Java version...

    Scan started at 7:55:52 PM 27/08/2006

    Listing files found while scanning....

    C:\WINDOWS\system32\vtsqo.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\vtsqo.dll
    C:\WINDOWS\system32\vtsqo.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Here is a HijackThis log just in case

    Logfile of HijackThis v1.99.1
    Scan saved at 8:17:04 PM, on 27/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: (no name) - {7404F83A-37CF-490F-B1A8-D92B653B07DB} - C:\WINDOWS\system32\vtsqo.dll (file missing)
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winopn32 - C:\WINDOWS\SYSTEM32\winopn32.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    thanks
     
  11. 2006/08/27
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, looks like VundoFix removed everything. Let's fix what remains.

    Below you will find my results and recommendations. Please read ALL instructions carefully BEFORE proceeding.

    We need to disable your Windows Defender Real-time Protection as it may interfere with the fixes that we need to make.
    • Open Windows Defender.
    • Click on Tools, General Settings.
    • Scroll down and uncheck Turn on real-time protection (recommended).
    • After you uncheck this, click on the Save button and close Windows Defender.

    After all of the fixes are complete it is very important that you re-enable Real-time Protection again.

    Run HijackThis and look over the following entries I have listed, check the boxes next to them and press the "Fix Checked" button in HijackThis. When you are doing this, make sure you have no IE windows, or other browsers, open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.


    O2 - BHO: (no name) - {7404F83A-37CF-490F-B1A8-D92B653B07DB} - C:\WINDOWS\system32\vtsqo.dll (file missing)


    O20 - Winlogon Notify: winopn32 - C:\WINDOWS\SYSTEM32\winopn32.dll


    Reboot into Safe Mode this way:
    Turn on the computer
    Immediately begin tapping the <F8> key.
    Use the arrow keys to highlight Safe Mode and press the <Enter> key.

    Also, enable the 'Show Hidden Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Then search for and delete, if found (some may not be present after the previous steps), the following files/folders:
    C:\WINDOWS\SYSTEM32\winopn32.dll<<<--this file
    C:\WINDOWS\system32\vtsqo.dll <<<--this file <<<--double checking

    To exit Safe Mode, click the Start button, click Turn Off Computer, click Restart.

    Post a new HJT log back into this thread please.
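As an added example (not code from this thread, from HijackThis, or from any of the tools mentioned), the triage TeMerc applied in post #7 and in this post expressed as a small Python script: it parses HJT log lines and flags the entry types handled above. The sample log is constructed from entries posted in this thread; the user-profile path and random-filename heuristics, and the BHO/Winlogon Notify cross-check, are my assumptions, not HijackThis rules.

```python
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis entries posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {7404F83A-37CF-490F-B1A8-D92B653B07DB} - C:\WINDOWS\system32\vtsqo.dll (file missing)
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [efd61a02.exe] C:\Documents and Settings\Administrator\Local Settings\Application Data\efd61a02.exe
O15 - Trusted Zone: http://www.winantivirus.com
O15 - Trusted IP range: http://85.12.25.90
O16 - DPF: {74CD40EA-EF77-4BAD-808A-B5982DA73F20} - http://yax-download.yazzle.net/YazzleActiveX.cab?refid=1123
O20 - AppInit_DLLs: winspool.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: vtsqo - C:\WINDOWS\system32\vtsqo.dll
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# One HJT line: section tag ("O2", "O15", ...), then " - ", then the entry body.
LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
# Assumed heuristics: autostart binaries living under the user profile, or with
# an 8-hex-digit name like efd61a02.exe, are worth a second look.
USER_WRITABLE = ("\\local settings\\", "\\application data\\", "\\temp\\")
RANDOM_NAME_RE = re.compile(r"^[0-9a-f]{8}\.exe$", re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def parse(log_text):
    """Return (section, body, original line) for every recognised HJT entry."""
    entries = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append((m.group("sec"), m.group("body"), raw.strip()))
    return entries


def basename(path):
    return path.strip().split("\\")[-1].lower()


def o4_target_path(body):
    """Extract the executable path from an O4 body: [name] "path" args  or  [name] path."""
    target = body.split("] ", 1)[1].strip()
    if target.startswith('"'):
        return target[1:].split('"', 1)[0]
    return target  # unquoted paths with spaces appear in the thread's log, keep whole


def triage(log_text):
    entries = parse(log_text)
    findings = []
    # Pass 1: DLLs registered as BHOs, so Winlogon Notify entries can be cross-checked.
    bho_dlls = set()
    for sec, body, _ in entries:
        if sec == "O2":
            path = body.rsplit(" - ", 1)[-1].replace("(file missing)", "")
            bho_dlls.add(basename(path))
    # Pass 2: apply the per-section rules used by the helper in this thread.
    for sec, body, line in entries:
        if sec == "O2" and "(file missing)" in body:
            findings.append(Finding(sec, "BHO registration points at a DLL that no longer exists (orphaned)", line))
        elif sec == "O4":
            path = o4_target_path(body)
            if any(p in path.lower() for p in USER_WRITABLE) or RANDOM_NAME_RE.match(basename(path)):
                findings.append(Finding(sec, "autostart from user-profile location or with random-looking name", line))
        elif sec == "O15":
            findings.append(Finding(sec, "site/IP added to IE Trusted zone (relaxed security settings)", line))
        elif sec == "O16":
            findings.append(Finding(sec, "ActiveX control downloaded from a URL; verify the publisher", line))
        elif sec == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(Finding(sec, "DLL loaded into every user32-linked process via AppInit_DLLs", line))
        elif sec == "O20" and body.startswith("Winlogon Notify:"):
            dll = basename(body.split(" - ", 1)[1])
            if dll in bho_dlls:
                findings.append(Finding(sec, "Winlogon Notify DLL is also a BHO (the Vundo pattern in this thread)", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

Entries the rules consider benign here (the Acrobat BHO, Windows Defender, the Intel igfxcui notify handler, the ZoneAlarm service) produce no finding; the seven flagged lines are exactly the ones TeMerc had removed.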
     
  12. 2006/08/30
    Begley

    Begley Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    12
    Likes Received:
    0
    reply 4

    Hi, unfortunately, the winopn32.dll file would not delete when I was in safe mode.

    Here is the HijackThis log:
    Logfile of HijackThis v1.99.1
    Scan saved at 7:03:27 PM, on 30/08/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\MICROS~3\OFFICE11\OUTLOOK.EXE
    C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe "
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe "
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: winopn32 - C:\WINDOWS\SYSTEM32\winopn32.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    Thank you
     
  13. 2006/08/30
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's try a more forceful method.

    1) Please download the Killbox.
    Save it to the desktop and run it.

    2) Select "Delete on Reboot", and then select "All files".

    3) Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\SYSTEM32\winopn32.dll

    4) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

    5) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

    Reboot and run HJT to see if it's still there. If it is, let's look a little bit deeper. (No need to post the log from HJT.)

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  14. 2006/08/31
    Begley

    Begley Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    12
    Likes Received:
    0
    reply 5

    Administrator - 06-08-31 18:54:57.37
    ComboFix 06.08.30BT - Running from: C:\Documents and Settings\Administrator\Desktop

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\mc-110-12-0000137.exe
    C:\Mendoza1.exe
    C:\WINDOWS\system32\ishost.exe
    C:\WINDOWS\system32\ismon.exe
    C:\Program Files\Inetget2
    C:\WINDOWS\system32\components

    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\FNTS~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\RACLE~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\SCURIT~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\SMBOLS~1
    C:\QooBox\Purity\Program Files\SKS~1
    C:\QooBox\Purity\Program Files\Common Files\APPATC~1
    C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\SEMBLY~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-07-31 to 2006-08-31 ))))))))))))))))))))))))))))))))))


    2006-08-22 19:53 13,844 --a------ C:\WINDOWS\system32\gskottge.exe
    2006-08-21 18:27 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-08-21 18:27 42,496 --a------ C:\WINDOWS\system32\swreg.exe
    2006-08-21 18:27 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-08-21 18:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-08-14 17:59 292 --a------ C:\WINDOWS\regfix.reg
    2006-08-12 22:08 73,216 --a------ C:\WINDOWS\system32\lffax13n.dll
    2006-08-12 22:08 446,464 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2006-08-12 22:08 443,392 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2006-08-12 22:08 393,216 --a------ C:\WINDOWS\system32\LFCMP13n.DLL
    2006-08-12 22:08 30,208 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2006-08-12 22:08 279,552 --a------ C:\WINDOWS\system32\LFJ2K13n.dll
    2006-08-12 22:08 265,728 --a------ C:\WINDOWS\system32\LTDIS13n.dll
    2006-08-12 22:08 26,112 --a------ C:\WINDOWS\system32\lfpcx13n.dll
    2006-08-12 22:08 24,576 --a------ C:\WINDOWS\system32\lftga13n.dll
    2006-08-12 22:08 205,824 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2006-08-12 22:08 181,248 --a------ C:\WINDOWS\system32\Lfpng13n.dll
    2006-08-12 22:08 18,944 --a------ C:\WINDOWS\system32\lfmsp13n.dll
    2006-08-12 22:08 17,920 --a------ C:\WINDOWS\system32\lfRaw13n.dll
    2006-08-12 22:08 139,776 --a------ C:\WINDOWS\system32\ltfil13n.DLL
    2006-08-12 22:08 126,464 --a------ C:\WINDOWS\system32\lftif13n.dll
    2006-08-12 22:08 1,013,760 --a------ C:\WINDOWS\system32\Ltwvc13n.dll
    2006-08-04 18:04 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_2984.exe
    2006-08-04 17:48 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_500.exe
    2006-08-03 21:19 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_2125.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))
     
  15. 2006/08/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Looks like the ComboFix log got cut off; can you please run it again and post the whole thing. These forums have a very small size limit for these types of tools, so you may have to post more than one reply to get all the info. Sorry about that.
     
  16. 2006/09/01
    Begley

    Begley Inactive Thread Starter

    Joined:
    2006/08/14
    Messages:
    12
    Likes Received:
    0
    reply 6

    Yes, it worked now.

    Administrator - 06-09-01 18:21:05.15
    ComboFix 06.08.30BT - Running from: C:\Vundo Fix

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\FNTS~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\RACLE~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\SCURIT~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\SMBOLS~1
    C:\QooBox\Purity\Program Files\SKS~1
    C:\QooBox\Purity\Program Files\Common Files\APPATC~1
    C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\SEMBLY~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-01 to 2006-09-01 ))))))))))))))))))))))))))))))))))


    2006-08-22 19:53 13,844 --a------ C:\WINDOWS\system32\gskottge.exe
    2006-08-21 18:27 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-08-21 18:27 42,496 --a------ C:\WINDOWS\system32\swreg.exe
    2006-08-21 18:27 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-08-21 18:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-08-14 17:59 292 --a------ C:\WINDOWS\regfix.reg
    2006-08-12 22:08 73,216 --a------ C:\WINDOWS\system32\lffax13n.dll
    2006-08-12 22:08 446,464 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2006-08-12 22:08 443,392 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2006-08-12 22:08 393,216 --a------ C:\WINDOWS\system32\LFCMP13n.DLL
    2006-08-12 22:08 30,208 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2006-08-12 22:08 279,552 --a------ C:\WINDOWS\system32\LFJ2K13n.dll
    2006-08-12 22:08 265,728 --a------ C:\WINDOWS\system32\LTDIS13n.dll
    2006-08-12 22:08 26,112 --a------ C:\WINDOWS\system32\lfpcx13n.dll
    2006-08-12 22:08 24,576 --a------ C:\WINDOWS\system32\lftga13n.dll
    2006-08-12 22:08 205,824 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2006-08-12 22:08 181,248 --a------ C:\WINDOWS\system32\Lfpng13n.dll
    2006-08-12 22:08 18,944 --a------ C:\WINDOWS\system32\lfmsp13n.dll
    2006-08-12 22:08 17,920 --a------ C:\WINDOWS\system32\lfRaw13n.dll
    2006-08-12 22:08 139,776 --a------ C:\WINDOWS\system32\ltfil13n.DLL
    2006-08-12 22:08 126,464 --a------ C:\WINDOWS\system32\lftif13n.dll
    2006-08-12 22:08 1,013,760 --a------ C:\WINDOWS\system32\Ltwvc13n.dll
    2006-08-04 18:04 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_2984.exe
    2006-08-04 17:48 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_500.exe
    2006-08-03 21:19 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_2125.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-08-31 18:55 -------- d-------- C:\Program Files\Common Files
    2006-08-22 17:30 -------- d-------- C:\Program Files\Common Files\Sandlot Shared
    2006-08-22 16:49 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-20 20:15 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-13 20:33 -------- d-------- C:\Program Files\Zone Labs
    2006-08-13 10:31 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-12 17:31 2 --a------ C:\WINDOWS\system32\wnsapisu.exe
    2006-08-11 18:45 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
    2006-08-11 18:44 -------- d-------- C:\Program Files\IrfanView
    2006-08-09 17:10 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2006-08-06 15:50 -------- d-------- C:\Program Files\Messenger
    2006-08-05 18:54 -------- d-------- C:\Program Files\Three Rings Design
    2006-08-05 18:51 -------- d-------- C:\Documents and Settings\Administrator\Application Data\yoclient
    2006-08-03 21:19 -------- d-------- C:\Program Files\LittleFighter2
    2006-08-03 21:19 -------- d-------- C:\Program Files\Little Fighter 2 Toolbar
    2006-08-03 20:22 -------- d-------- C:\Program Files\ReflexiveArcade
    2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-26 21:51 -------- d-------- C:\Program Files\MacroVirus
    2006-07-26 19:22 -------- d-------- C:\Program Files\Windows Defender
    2006-07-26 18:25 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-07-26 18:10 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-07-23 12:34 -------- d-------- C:\Program Files\Common Files\kozr
    2006-07-23 12:25 -------- d-------- C:\Program Files\Lavasoft
    2006-07-23 12:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2006-07-23 11:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
    2006-07-23 11:24 -------- d-------- C:\Program Files\Compaq
    2006-07-23 10:18 -------- d-------- C:\Program Files\Roguescanfix
    2006-07-23 10:11 -------- d-------- C:\Program Files\MSN Messenger
    2006-07-22 13:30 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
    2006-07-21 18:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-19 06:44 -------- d-------- C:\Program Files\SpywareDetector
    2006-07-18 21:22 -------- d-------- C:\Program Files\MYOB
    2006-07-17 21:42 -------- d-------- C:\Program Files\Common Files\Smith Micro Shared
    2006-07-17 21:40 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2006-07-14 18:37 -------- d-------- C:\Program Files\EA GAMES
    2006-07-14 18:04 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
    2006-07-14 18:03 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-07-14 18:03 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
    2006-07-14 18:02 -------- d-------- C:\Program Files\Adobe
    2006-07-12 18:33 -------- d-------- C:\Program Files\iPod
    2006-07-12 18:17 -------- d-------- C:\Program Files\QuickTime
    2006-07-12 18:17 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2006-07-12 18:16 -------- d-------- C:\Program Files\iTunes
    2006-07-12 18:16 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-07-12 10:33 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Registry Booster
    2006-07-10 15:49 -------- d-------- C:\Program Files\MSN
    2006-07-10 15:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Sun
    2006-07-10 14:05 90624 --a------ C:\WINDOWS\VSUNINST.EXE
    2006-07-10 14:05 -------- d-------- C:\Program Files\FOX
    2006-07-09 13:44 248 --a------ C:\WINDOWS\system32\n.bat
    2006-07-09 13:44 20480 --a------ C:\WINDOWS\system32\dr.exe
    2006-07-09 13:44 147456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2006-07-09 12:49 -------- d-------- C:\Program Files\WinAce
    2006-07-09 12:35 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-07-09 12:35 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-07-09 12:34 -------- d-------- C:\Program Files\Microsoft.NET
    2006-07-09 12:34 -------- d-------- C:\Program Files\Microsoft Office
    2006-07-09 12:34 -------- d-------- C:\Program Files\Common Files\System
    2006-07-09 12:34 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-07-07 22:44 -------- d-------- C:\Program Files\Outlook Express
    2006-07-07 10:05 -------- d-------- C:\Program Files\Windows Media Player
    2006-07-06 17:56 -------- d-------- C:\Program Files\Activision
    2006-07-06 16:44 -------- d-------- C:\Program Files\TryMedia
    2006-07-06 15:34 -------- d-------- C:\Program Files\Core Design
    2006-07-06 15:09 -------- d-------- C:\Program Files\Program Shortcuts
    2006-07-06 11:05 -------- d-------- C:\Program Files\Microsoft Sports
    2006-07-06 11:02 0 -rahs---- C:\MSDOS.SYS
    2006-07-06 11:02 0 -rahs---- C:\IO.SYS
    2006-07-05 22:26 -------- d-------- C:\Program Files\Thomson
    2006-07-04 18:28 921600 --a------ C:\WINDOWS\system32\VchReg.dll
    2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe"
    "PTHOSTTR"="C:\\Program Files\\HPQ\\HP ProtectTools Security Manager\\PTHOSTTR.EXE /Start"
    "SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
    "SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001
    "DisableTaskMgr"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Snte"="\"C:\\WINDOWS\\DOBE~1\\mshta.exe\" -vt ndrv"
    @="C:\\DOCUME~1\\ADMINI~1\\APPLIC~1\\FNTS~1\\services.exe"
    "Biazxz"="C:\\Program Files\\??sks\\netdde.exe"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Snte"="\"C:\\WINDOWS\\DOBE~1\\mshta.exe\" -vt ndrv"
    @="C:\\DOCUME~1\\ADMINI~1\\APPLIC~1\\FNTS~1\\services.exe"
    "Biazxz"="C:\\Program Files\\??sks\\netdde.exe"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: Fri 01/09/2006 18:22:25.45
    ComboFix.txt
    ComboFix2.txt

    thank you
     
  17. 2006/09/01
    TeMerc
    Ok, let's get to cleaning what has remained.

    Let's run Killbox again, inserting the following files for deletion; please use the same instructions as I previously stated.
    C:\WINDOWS\system32\gskottge.exe
    C:\Documents and Settings\Administrator\Application Data\yoclient
    C:\Program Files\Common Files\kozr
    C:\WINDOWS\system32\dr.exe
    Narrator.exe


    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
  18. 2006/09/01
    Begley (thread starter)
    Combofix log:

    Administrator - 06-09-02 12:33:56.46
    ComboFix 06.08.30BT - Running from: C:\Vundo Fix

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\FNTS~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\RACLE~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\SCURIT~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\SMBOLS~1
    C:\QooBox\Purity\Program Files\SKS~1
    C:\QooBox\Purity\Program Files\Common Files\APPATC~1
    C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\SEMBLY~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-02 to 2006-09-02 ))))))))))))))))))))))))))))))))))


    2006-08-21 18:27 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-08-21 18:27 42,496 --a------ C:\WINDOWS\system32\swreg.exe
    2006-08-21 18:27 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-08-21 18:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-08-14 17:59 292 --a------ C:\WINDOWS\regfix.reg
    2006-08-12 22:08 73,216 --a------ C:\WINDOWS\system32\lffax13n.dll
    2006-08-12 22:08 446,464 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2006-08-12 22:08 443,392 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2006-08-12 22:08 393,216 --a------ C:\WINDOWS\system32\LFCMP13n.DLL
    2006-08-12 22:08 30,208 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2006-08-12 22:08 279,552 --a------ C:\WINDOWS\system32\LFJ2K13n.dll
    2006-08-12 22:08 265,728 --a------ C:\WINDOWS\system32\LTDIS13n.dll
    2006-08-12 22:08 26,112 --a------ C:\WINDOWS\system32\lfpcx13n.dll
    2006-08-12 22:08 24,576 --a------ C:\WINDOWS\system32\lftga13n.dll
    2006-08-12 22:08 205,824 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2006-08-12 22:08 181,248 --a------ C:\WINDOWS\system32\Lfpng13n.dll
    2006-08-12 22:08 18,944 --a------ C:\WINDOWS\system32\lfmsp13n.dll
    2006-08-12 22:08 17,920 --a------ C:\WINDOWS\system32\lfRaw13n.dll
    2006-08-12 22:08 139,776 --a------ C:\WINDOWS\system32\ltfil13n.DLL
    2006-08-12 22:08 126,464 --a------ C:\WINDOWS\system32\lftif13n.dll
    2006-08-12 22:08 1,013,760 --a------ C:\WINDOWS\system32\Ltwvc13n.dll
    2006-08-04 18:04 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_2984.exe
    2006-08-04 17:48 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_500.exe
    2006-08-03 21:19 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_2125.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-01 19:46 -------- d-------- C:\Documents and Settings\Administrator\Application Data\IMVU
    2006-09-01 19:45 -------- d-------- C:\Program Files\IMVU
    2006-08-31 18:55 -------- d-------- C:\Program Files\Common Files
    2006-08-22 17:30 -------- d-------- C:\Program Files\Common Files\Sandlot Shared
    2006-08-22 16:49 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-20 20:15 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-13 20:33 -------- d-------- C:\Program Files\Zone Labs
    2006-08-13 10:31 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-12 17:31 2 --a------ C:\WINDOWS\system32\wnsapisu.exe
    2006-08-11 18:45 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
    2006-08-11 18:44 -------- d-------- C:\Program Files\IrfanView
    2006-08-09 17:10 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2006-08-06 15:50 -------- d-------- C:\Program Files\Messenger
    2006-08-05 18:54 -------- d-------- C:\Program Files\Three Rings Design
    2006-08-05 18:51 -------- d-------- C:\Documents and Settings\Administrator\Application Data\yoclient
    2006-08-03 21:19 -------- d-------- C:\Program Files\LittleFighter2
    2006-08-03 21:19 -------- d-------- C:\Program Files\Little Fighter 2 Toolbar
    2006-08-03 20:22 -------- d-------- C:\Program Files\ReflexiveArcade
    2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-26 21:51 -------- d-------- C:\Program Files\MacroVirus
    2006-07-26 19:22 -------- d-------- C:\Program Files\Windows Defender
    2006-07-26 18:25 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-07-26 18:10 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-07-23 12:34 -------- d-------- C:\Program Files\Common Files\kozr
    2006-07-23 12:25 -------- d-------- C:\Program Files\Lavasoft
    2006-07-23 12:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2006-07-23 11:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
    2006-07-23 11:24 -------- d-------- C:\Program Files\Compaq
    2006-07-23 10:18 -------- d-------- C:\Program Files\Roguescanfix
    2006-07-23 10:11 -------- d-------- C:\Program Files\MSN Messenger
    2006-07-22 13:30 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
    2006-07-21 18:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-19 06:44 -------- d-------- C:\Program Files\SpywareDetector
    2006-07-18 21:22 -------- d-------- C:\Program Files\MYOB
    2006-07-17 21:42 -------- d-------- C:\Program Files\Common Files\Smith Micro Shared
    2006-07-17 21:40 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2006-07-14 18:37 -------- d-------- C:\Program Files\EA GAMES
    2006-07-14 18:04 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
    2006-07-14 18:03 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-07-14 18:03 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
    2006-07-14 18:02 -------- d-------- C:\Program Files\Adobe
    2006-07-12 18:33 -------- d-------- C:\Program Files\iPod
    2006-07-12 18:17 -------- d-------- C:\Program Files\QuickTime
    2006-07-12 18:17 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2006-07-12 18:16 -------- d-------- C:\Program Files\iTunes
    2006-07-12 18:16 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-07-12 10:33 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Registry Booster
    2006-07-10 15:49 -------- d-------- C:\Program Files\MSN
    2006-07-10 15:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Sun
    2006-07-10 14:05 90624 --a------ C:\WINDOWS\VSUNINST.EXE
    2006-07-10 14:05 -------- d-------- C:\Program Files\FOX
    2006-07-09 13:44 248 --a------ C:\WINDOWS\system32\n.bat
    2006-07-09 13:44 147456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2006-07-09 12:49 -------- d-------- C:\Program Files\WinAce
    2006-07-09 12:35 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-07-09 12:35 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-07-09 12:34 -------- d-------- C:\Program Files\Microsoft.NET
    2006-07-09 12:34 -------- d-------- C:\Program Files\Microsoft Office
    2006-07-09 12:34 -------- d-------- C:\Program Files\Common Files\System
    2006-07-09 12:34 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-07-07 22:44 -------- d-------- C:\Program Files\Outlook Express
    2006-07-07 10:05 -------- d-------- C:\Program Files\Windows Media Player
    2006-07-06 17:56 -------- d-------- C:\Program Files\Activision
    2006-07-06 16:44 -------- d-------- C:\Program Files\TryMedia
    2006-07-06 15:34 -------- d-------- C:\Program Files\Core Design
    2006-07-06 15:09 -------- d-------- C:\Program Files\Program Shortcuts
    2006-07-06 11:05 -------- d-------- C:\Program Files\Microsoft Sports
    2006-07-06 11:02 0 -rahs---- C:\MSDOS.SYS
    2006-07-06 11:02 0 -rahs---- C:\IO.SYS
    2006-07-05 22:26 -------- d-------- C:\Program Files\Thomson
    2006-07-04 18:28 921600 --a------ C:\WINDOWS\system32\VchReg.dll
    2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe"
    "PTHOSTTR"="C:\\Program Files\\HPQ\\HP ProtectTools Security Manager\\PTHOSTTR.EXE /Start"
    "SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
    "SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001
    "DisableTaskMgr"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Snte"="\"C:\\WINDOWS\\DOBE~1\\mshta.exe\" -vt ndrv"
    @="C:\\DOCUME~1\\ADMINI~1\\APPLIC~1\\FNTS~1\\services.exe"
    "Biazxz"="C:\\Program Files\\??sks\\netdde.exe"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Snte"="\"C:\\WINDOWS\\DOBE~1\\mshta.exe\" -vt ndrv"
    @="C:\\DOCUME~1\\ADMINI~1\\APPLIC~1\\FNTS~1\\services.exe"
    "Biazxz"="C:\\Program Files\\??sks\\netdde.exe"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]
    "RunNarrator"="Narrator.exe"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: Sat 02/09/2006 12:36:26.92
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt


    Hijackthis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 12:39:14 PM, on 2/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\svchost.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

    thanks
     
  19. 2006/09/02
    TeMerc
    Okie dokie, looks like all we have is some registry hacking to do.

    But let's first back up your registry.

    Click the 'Start' button, select 'Run', hit 'Enter'.

    When box appears, type 'regedit', hit 'Enter'.

    Navigate to the following key, by unticking the '+' next to each subkey:
    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    In the left hand side of the window, look for:
    Snte
    Biazxz


    Right-click each, and select 'Delete'

    Perform the same process with the following registry keys:

    HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce

    Delete RunNarrator

    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Look for:
    Snte
    Biazxz


    Right-click each, and select 'Delete'

    Then this key:
    HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce
    Look for:
    RunNarrator

    Right-click, and select 'Delete'

    Close out the registry editor and reboot and run ComboFix first, then HJT and post both logs back into this thread.
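A scripted version of the registry steps in the post above, added here as an editor's example; it is not something posted in the thread. It does the backup the post mentions but does not walk through (each key is exported to a .reg file with reg.exe before anything is touched), then removes only the named values and re-checks that they are gone. Run it from an Administrator PowerShell window. The backup folder C:\RegBackup is an assumption chosen for the example, not a location named on the page.

```powershell
# Added example (not from the original thread). Back up, then delete, the
# autorun values listed in the post: Snte and Biazxz under ...\Run and
# RunNarrator under ...\Runonce, for both HKU\.DEFAULT and HKU\S-1-5-18.
# Assumptions: run elevated; $BackupDir is a hypothetical path for this example.
$BackupDir = 'C:\RegBackup'
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

# Value names per key, exactly as they appear in the ComboFix "Reg Loading
# Points" section. HKU\.DEFAULT and HKU\S-1-5-18 are the same hive (the
# LocalSystem profile), so the second pair of keys is normally already clean
# by the time the loop reaches it; that case is reported, not treated as an error.
$targets = @(
  @{ Key = 'HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';      Names = @('Snte', 'Biazxz') },
  @{ Key = 'HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce';  Names = @('RunNarrator') },
  @{ Key = 'HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run';     Names = @('Snte', 'Biazxz') },
  @{ Key = 'HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce'; Names = @('RunNarrator') }
)

foreach ($t in $targets) {
    $psPath = "Registry::$($t.Key)"
    if (-not (Test-Path $psPath)) { Write-Host "skip (key missing): $($t.Key)"; continue }

    # 1. Back up the whole key first; the .reg file can be re-imported with
    #    regedit or "reg import" if anything needs to be undone.
    $file = Join-Path $BackupDir ("{0}-{1}.reg" -f $stamp, ($t.Key -replace '[\\:]', '_'))
    & reg.exe export $t.Key $file | Out-Null

    # 2. Delete only the named values; leave every other value in the key alone.
    $props = Get-ItemProperty -Path $psPath
    foreach ($name in $t.Names) {
        if ($props.PSObject.Properties[$name]) {
            Write-Host ("delete {0}\{1} = {2}" -f $t.Key, $name, $props.$name)
            Remove-ItemProperty -Path $psPath -Name $name
        } else {
            Write-Host "not present: $($t.Key)\$name"
        }
    }
}

# 3. Verify: none of the listed values may remain in any of the four keys.
$left = foreach ($t in $targets) {
    $p = Get-ItemProperty -Path "Registry::$($t.Key)" -ErrorAction SilentlyContinue
    foreach ($n in $t.Names) { if ($p -and $p.PSObject.Properties[$n]) { "$($t.Key)\$n" } }
}
if ($left) { Write-Warning "still present: $($left -join ', ')" } else { Write-Host 'all listed values removed' }
```

Two things worth knowing when reading the log against this. First, the ComboFix output lists the same three entries under HKEY_USERS\.DEFAULT and HKEY_USERS\S-1-5-18 because those are one hive, so after the first two keys are cleaned the script reports "not present" for the S-1-5-18 copies; that is expected, not a failure. Second, the same Run keys in the log also carry an unnamed default value (the line beginning with @) pointing at ...\APPLIC~1\FNTS~1\services.exe, a folder the earlier ComboFix run already quarantined; that value is not in the post's list, and if it is to go as well it is removed with reg.exe as `reg delete "HKU\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /ve` after the same export.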
     
  20. 2006/09/02
    Begley (thread starter)
    Combofix:

    Administrator - 06-09-02 22:30:28.71
    ComboFix 06.08.30BT - Running from: C:\Vundo Fix

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))



    ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ Purity ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

    Folders Quarantined:

    C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\FNTS~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\RACLE~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\SCURIT~1
    C:\QooBox\Purity\Documents and Settings\Administrator\My Documents\SMBOLS~1
    C:\QooBox\Purity\Program Files\SKS~1
    C:\QooBox\Purity\Program Files\Common Files\APPATC~1
    C:\QooBox\Purity\WINDOWS\system32\ASEMBL~1
    C:\QooBox\Purity\WINDOWS\system32\CROSOF~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1
    C:\QooBox\Purity\WINDOWS\system32\SEMBLY~1\SEMBLY~1


    ((((((((((((((((((((((((((((((( Files Created from 2006-08-02 to 2006-09-02 ))))))))))))))))))))))))))))))))))


    2006-08-21 18:27 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2006-08-21 18:27 42,496 --a------ C:\WINDOWS\system32\swreg.exe
    2006-08-21 18:27 40,960 --a------ C:\WINDOWS\system32\swsc.exe
    2006-08-21 18:27 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2006-08-14 17:59 292 --a------ C:\WINDOWS\regfix.reg
    2006-08-12 22:08 73,216 --a------ C:\WINDOWS\system32\lffax13n.dll
    2006-08-12 22:08 446,464 --a------ C:\WINDOWS\system32\ltimg13n.dll
    2006-08-12 22:08 443,392 --a------ C:\WINDOWS\system32\ltkrn13n.dll
    2006-08-12 22:08 393,216 --a------ C:\WINDOWS\system32\LFCMP13n.DLL
    2006-08-12 22:08 30,208 --a------ C:\WINDOWS\system32\lfbmp13n.dll
    2006-08-12 22:08 279,552 --a------ C:\WINDOWS\system32\LFJ2K13n.dll
    2006-08-12 22:08 265,728 --a------ C:\WINDOWS\system32\LTDIS13n.dll
    2006-08-12 22:08 26,112 --a------ C:\WINDOWS\system32\lfpcx13n.dll
    2006-08-12 22:08 24,576 --a------ C:\WINDOWS\system32\lftga13n.dll
    2006-08-12 22:08 205,824 --a------ C:\WINDOWS\system32\ltefx13n.dll
    2006-08-12 22:08 181,248 --a------ C:\WINDOWS\system32\Lfpng13n.dll
    2006-08-12 22:08 18,944 --a------ C:\WINDOWS\system32\lfmsp13n.dll
    2006-08-12 22:08 17,920 --a------ C:\WINDOWS\system32\lfRaw13n.dll
    2006-08-12 22:08 139,776 --a------ C:\WINDOWS\system32\ltfil13n.DLL
    2006-08-12 22:08 126,464 --a------ C:\WINDOWS\system32\lftif13n.dll
    2006-08-12 22:08 1,013,760 --a------ C:\WINDOWS\system32\Ltwvc13n.dll
    2006-08-04 18:04 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_2984.exe
    2006-08-04 17:48 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_500.exe
    2006-08-03 21:19 223,601 --a------ C:\WINDOWS\Little_Fighter_2_Toolbar_Uninstaller_2125.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-09-02 14:08 -------- d-------- C:\Documents and Settings\Administrator\Application Data\IMVU
    2006-09-02 13:34 -------- d-------- C:\Program Files\IMVU
    2006-08-31 18:55 -------- d-------- C:\Program Files\Common Files
    2006-08-22 17:30 -------- d-------- C:\Program Files\Common Files\Sandlot Shared
    2006-08-22 16:49 -------- d-------- C:\Program Files\ewido anti-spyware 4.0
    2006-08-20 20:15 -------- d--h----- C:\Program Files\InstallShield Installation Information
    2006-08-13 20:33 -------- d-------- C:\Program Files\Zone Labs
    2006-08-13 10:31 -------- d-------- C:\Program Files\Internet Explorer
    2006-08-12 17:31 2 --a------ C:\WINDOWS\system32\wnsapisu.exe
    2006-08-11 18:45 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
    2006-08-11 18:44 -------- d-------- C:\Program Files\IrfanView
    2006-08-09 17:10 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
    2006-08-06 15:50 -------- d-------- C:\Program Files\Messenger
    2006-08-05 18:54 -------- d-------- C:\Program Files\Three Rings Design
    2006-08-05 18:51 -------- d-------- C:\Documents and Settings\Administrator\Application Data\yoclient
    2006-08-03 21:19 -------- d-------- C:\Program Files\LittleFighter2
    2006-08-03 21:19 -------- d-------- C:\Program Files\Little Fighter 2 Toolbar
    2006-08-03 20:22 -------- d-------- C:\Program Files\ReflexiveArcade
    2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
    2006-07-26 21:51 -------- d-------- C:\Program Files\MacroVirus
    2006-07-26 19:22 -------- d-------- C:\Program Files\Windows Defender
    2006-07-26 18:25 -------- d-------- C:\Program Files\Common Files\Symantec Shared
    2006-07-26 18:10 -------- d-------- C:\Program Files\Norton SystemWorks
    2006-07-23 12:34 -------- d-------- C:\Program Files\Common Files\kozr
    2006-07-23 12:25 -------- d-------- C:\Program Files\Lavasoft
    2006-07-23 12:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
    2006-07-23 11:41 -------- d-------- C:\Documents and Settings\Administrator\Application Data\MSNInstaller
    2006-07-23 11:24 -------- d-------- C:\Program Files\Compaq
    2006-07-23 10:18 -------- d-------- C:\Program Files\Roguescanfix
    2006-07-23 10:11 -------- d-------- C:\Program Files\MSN Messenger
    2006-07-22 13:30 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
    2006-07-21 18:24 72704 --a------ C:\WINDOWS\system32\hlink.dll
    2006-07-19 06:44 -------- d-------- C:\Program Files\SpywareDetector
    2006-07-18 21:22 -------- d-------- C:\Program Files\MYOB
    2006-07-17 21:42 -------- d-------- C:\Program Files\Common Files\Smith Micro Shared
    2006-07-17 21:40 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Symantec
    2006-07-14 18:37 -------- d-------- C:\Program Files\EA GAMES
    2006-07-14 18:04 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AdobeUM
    2006-07-14 18:03 -------- d-------- C:\Program Files\Common Files\Adobe
    2006-07-14 18:03 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Adobe
    2006-07-14 18:02 -------- d-------- C:\Program Files\Adobe
    2006-07-12 18:33 -------- d-------- C:\Program Files\iPod
    2006-07-12 18:17 -------- d-------- C:\Program Files\QuickTime
    2006-07-12 18:17 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Apple Computer
    2006-07-12 18:16 -------- d-------- C:\Program Files\iTunes
    2006-07-12 18:16 -------- d-------- C:\Program Files\Common Files\InstallShield
    2006-07-12 10:33 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Registry Booster
    2006-07-10 15:49 -------- d-------- C:\Program Files\MSN
    2006-07-10 15:25 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Sun
    2006-07-10 14:05 90624 --a------ C:\WINDOWS\VSUNINST.EXE
    2006-07-10 14:05 -------- d-------- C:\Program Files\FOX
    2006-07-09 13:44 248 --a------ C:\WINDOWS\system32\n.bat
    2006-07-09 13:44 147456 --a------ C:\WINDOWS\system32\vbzip10.dll
    2006-07-09 12:49 -------- d-------- C:\Program Files\WinAce
    2006-07-09 12:35 -------- d-------- C:\Program Files\Microsoft ActiveSync
    2006-07-09 12:35 -------- d-------- C:\Program Files\Common Files\Microsoft Shared
    2006-07-09 12:34 -------- d-------- C:\Program Files\Microsoft.NET
    2006-07-09 12:34 -------- d-------- C:\Program Files\Microsoft Office
    2006-07-09 12:34 -------- d-------- C:\Program Files\Common Files\System
    2006-07-09 12:34 -------- d-------- C:\Program Files\Common Files\DESIGNER
    2006-07-07 22:44 -------- d-------- C:\Program Files\Outlook Express
    2006-07-07 10:05 -------- d-------- C:\Program Files\Windows Media Player
    2006-07-06 17:56 -------- d-------- C:\Program Files\Activision
    2006-07-06 16:44 -------- d-------- C:\Program Files\TryMedia
    2006-07-06 15:34 -------- d-------- C:\Program Files\Core Design
    2006-07-06 15:09 -------- d-------- C:\Program Files\Program Shortcuts
    2006-07-06 11:05 -------- d-------- C:\Program Files\Microsoft Sports
    2006-07-06 11:02 0 -rahs---- C:\MSDOS.SYS
    2006-07-06 11:02 0 -rahs---- C:\IO.SYS
    2006-07-05 22:26 -------- d-------- C:\Program Files\Thomson
    2006-07-04 18:28 921600 --a------ C:\WINDOWS\system32\VchReg.dll
    2006-06-16 14:34 48936 --a------ C:\WINDOWS\system32\sirenacm.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
    "HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
    "Persistence"="C:\\WINDOWS\\system32\\igfxpers.exe"
    "High Definition Audio Property Page Shortcut"="HDAShCut.exe"
    "PTHOSTTR"="C:\\Program Files\\HPQ\\HP ProtectTools Security Manager\\PTHOSTTR.EXE /Start"
    "SetRefresh"="C:\\Program Files\\Compaq\\SetRefresh\\SetRefresh.exe"
    "SpeedTouch USB Diagnostics"="\"C:\\Program Files\\Thomson\\SpeedTouch USB\\Dragdiag.exe\" /icon"
    "iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
    "QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001
    "DisableTaskMgr"=dword:00000000

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000004

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    @="C:\\DOCUME~1\\ADMINI~1\\APPLIC~1\\FNTS~1\\services.exe"

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    @="C:\\DOCUME~1\\ADMINI~1\\APPLIC~1\\FNTS~1\\services.exe"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000091

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"



    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: Sat 02/09/2006 22:32:05.31
    ComboFix.txt
    ComboFix2.txt
    ComboFix3.txt

    Hijack this:

    Logfile of HijackThis v1.99.1
    Scan saved at 10:33:55 PM, on 2/09/2006
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\igfxtray.exe
    C:\WINDOWS\system32\hkcmd.exe
    C:\WINDOWS\system32\igfxpers.exe
    C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE
    C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
    C:\Program Files\MSN Messenger\MsnMsgr.Exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\HJT\HijackThis.exe
    C:\HJT\HijackThis.exe

    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [High Definition Audio Property Page Shortcut] HDAShCut.exe
    O4 - HKLM\..\Run: [PTHOSTTR] C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE /Start
    O4 - HKLM\..\Run: [SetRefresh] C:\Program Files\Compaq\SetRefresh\SetRefresh.exe
    O4 - HKLM\..\Run: [SpeedTouch USB Diagnostics] "C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe" /icon
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\Administrator\Start Menu\Programs\IMVU\Run IMVU.lnk
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: HP WMI Interface (hpqwmi) - Hewlett-Packard Development Company, L.P. - C:\Program Files\HPQ\Shared\hpqwmi.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe


    Thanks!
     
  21. 2006/09/02
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Oops... looks like I missed one file. Sorry. :(

    Search for, and delete, if found, the following files/folders:
    C:\WINDOWS\system32\wnsapisu.exe<<<--this file

    Run ComboFix again, and look for that file in the 'Find3M Report' section, if it's not there, then no need to post that log.

    Aside from that file (and it isn't one that would create anything new), your machine appears to be clean. How is it running at this point?

    Let us know please.
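As an added example (not from this thread, and not ComboFix's own code), here is a small Python parser for the Find3M report layout shown above. It does the two things the reply asks the poster to do by eye: look a named path up in a re-run report to see whether the file is still listed, and pick out executables under system32 that are too small to be real programs, which is what a 2-byte wnsapisu.exe is. The line layout (date, time, size or dashes for a directory, nine attribute flags, path) is inferred from the log lines on this page; the sample report, the 64-byte size threshold and the function names are constructed for illustration.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# Constructed sample: a handful of lines in the layout ComboFix's Find3M
# report uses (date, time, size or eight dashes for a directory, nine
# attribute flags, full path). The two-byte wnsapisu.exe is the file the
# reply asks to be re-checked; the other lines are copied from the same log.
SAMPLE_REPORT = r"""
(((((((((((((((((((( Find3M Report ))))))))))))))))))))

2006-08-13 10:31 -------- d-------- C:\Program Files\Internet Explorer
2006-08-12 17:31 2 --a------ C:\WINDOWS\system32\wnsapisu.exe
2006-07-27 23:24 679424 --a------ C:\WINDOWS\system32\inetcomm.dll
2006-07-09 13:44 248 --a------ C:\WINDOWS\system32\n.bat
2006-07-06 11:02 0 -rahs---- C:\MSDOS.SYS
2006-08-12 22:08 1,013,760 --a------ C:\WINDOWS\system32\Ltwvc13n.dll
"""

# One report line. The size is digits (possibly with thousands separators,
# as in the earlier section of the log) or eight dashes for a directory.
LINE_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-{8}) (?P<attrs>[-a-z]{9}) (?P<path>.+?)\s*$",
    re.IGNORECASE,
)


@dataclass
class Entry:
    when: datetime
    size: Optional[int]  # None for directory entries
    attrs: str
    path: str

    @property
    def is_dir(self) -> bool:
        return self.attrs[0].lower() == "d"


def parse_report(text: str) -> List[Entry]:
    """Return the file/directory entries of a Find3M-style report; banners and blanks are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        size = None if m["size"].startswith("-") else int(m["size"].replace(",", ""))
        when = datetime.strptime(f"{m['date']} {m['time']}", "%Y-%m-%d %H:%M")
        entries.append(Entry(when, size, m["attrs"], m["path"]))
    return entries


def find_path(entries: List[Entry], path: str) -> Optional[Entry]:
    """Case-insensitive lookup, since NTFS paths compare case-insensitively."""
    target = path.lower()
    return next((e for e in entries if e.path.lower() == target), None)


RUNNABLE_EXT = (".exe", ".dll", ".bat", ".cmd", ".com", ".scr", ".pif")
SYSTEM32 = "c:\\windows\\system32\\"


def tiny_system32_executables(entries: List[Entry], max_size: int = 64) -> List[Entry]:
    """Executables under system32 that are too small to be real programs.

    The threshold is an assumption: a DOS/PE header alone is 64 bytes, so
    anything at or below it cannot be a loadable executable and is most
    likely a leftover or placeholder from a removal.
    """
    hits = []
    for e in entries:
        if e.is_dir or e.size is None:
            continue
        p = e.path.lower()
        if p.startswith(SYSTEM32) and p.endswith(RUNNABLE_EXT) and e.size <= max_size:
            hits.append(e)
    return hits


if __name__ == "__main__":
    report = parse_report(SAMPLE_REPORT)
    leftover = find_path(report, r"C:\WINDOWS\system32\wnsapisu.exe")
    print("wnsapisu.exe still listed:", leftover is not None)
    for e in tiny_system32_executables(report):
        print(f"tiny executable: {e.path} ({e.size} bytes, {e.when:%Y-%m-%d %H:%M})")
```

To use it on a real re-run, read ComboFix's output file and pass its text to parse_report; if find_path returns None for the file you deleted, it is gone, which is exactly the check the reply describes.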
     
