
Trojan and Vundu big problem!

Discussion in 'Malware and Virus Removal Archive' started by fball, 2007/04/27.

  1. 2007/04/29
    fball (Inactive, Thread Starter) - Joined: 2007/04/27, Messages: 51, Likes Received: 0
    But there is a problem. When I uncheck the "Hide protected operating system files (recommended)" option, reboot the computer and go to safe mode, I can't start it. It's just a black background and nothing else.

    What should I do?
     
  2. 2007/04/29
    fball (Thread Starter)
    I can't log into safe mode, but I have done some scans in normal mode and I haven't found any viruses. But I tried to delete these 3 files in system32:

    C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\xyadd.bak2
    C:\WINDOWS\system32\xyadd.ini2

    but I couldn't, because access is denied. So I obviously need to get to safe mode, but I can't. I don't understand how. I tried to delete them with KillBox too, but it doesn't want to delete them.


    Here are some logs.


    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 21:56:19 29.4.2007

    + Scan result:



    :mozilla.17:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.18:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.29:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Burstnet : Cleaned.
    :mozilla.91:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
    :mozilla.13:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.16:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.6:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.7:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.9:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : Cleaned.
    :mozilla.44:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
    :mozilla.19:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.20:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.21:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.22:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.23:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
    :mozilla.24:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.


    ::Report end
     


  4. 2007/04/29
    fball (Thread Starter)
    "Dean" - 07-04-29 22:56:14 Service Pack 2
    ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Dean\Desktop\ "


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))


    2007-04-29 21:26 493,631 ---hs---- C:\WINDOWS\system32\xyadd.ini2
    2007-04-29 20:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-29 10:12 <DIR> d-------- C:\!KillBox
    2007-04-28 20:53 <DIR> d-------- C:\DOCUME~1\Dean\New Folder
    2007-04-28 19:04 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-04-28 12:34 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
    2007-04-28 11:14 <DIR> d--h----- C:\Program Files\WindowsUpdate
    2007-04-28 11:14 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-04-28 10:11 <DIR> d-------- C:\VundoFix Backups
    2007-04-27 23:18 491,136 ---hs---- C:\WINDOWS\system32\xyadd.bak2
    2007-04-27 23:18 284,244 --------- C:\WINDOWS\system32\ddayx.dll
    2007-04-27 14:39 <DIR> d---s---- C:\DOCUME~1\Dean\UserData
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Scorpio Software
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Common Files\scosoft.com
    2007-04-27 14:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-26 15:43 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\SuperAdBlocker.com
    2007-04-24 00:49 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-04-23 21:38 <DIR> d-------- C:\Program Files\Trustix
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Comodo
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-23 18:12 28 --a------ C:\WINDOWS\system32\substpntx8.dll
    2007-04-23 18:11 <DIR> d-------- C:\Program Files\WinTools
    2007-04-23 17:42 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Sereniti
    2007-04-21 12:21 <DIR> d-------- C:\Program Files\CatchTheSperm2
    2007-04-21 12:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Phenomedia
    2007-04-21 12:20 <DIR> d-------- C:\Program Files\KraiSoft
    2007-04-21 12:05 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Oxford
    2007-04-21 12:04 99,092 --a------ C:\WINDOWS\system32\bass.dll
    2007-04-21 12:04 88,064 --a------ C:\WINDOWS\system32\idiom010227.dll
    2007-04-21 12:04 34,304 --a------ C:\WINDOWS\system32\lfbmp10N.dll
    2007-04-21 12:04 297,472 --a------ C:\WINDOWS\system32\ltkrn10N.dll
    2007-04-21 12:04 266,752 --a------ C:\WINDOWS\system32\LFCMP10N.DLL
    2007-04-21 12:04 231,424 --a------ C:\WINDOWS\system32\LTDIS10N.dll
    2007-04-21 12:04 199,168 --a------ C:\WINDOWS\system32\Illprs.dll
    2007-04-21 12:04 160,768 --a------ C:\WINDOWS\system32\ILLKRN.DLL
    2007-04-21 12:04 147,456 --a------ C:\WINDOWS\system32\Twavbx32.dll
    2007-04-21 12:04 143,360 --a------ C:\WINDOWS\system32\ILXTBS.DLL
    2007-04-21 12:04 134,144 --a------ C:\WINDOWS\system32\lfpng10N.dll
    2007-04-21 12:04 115,200 --a------ C:\WINDOWS\system32\UnzDll.dll
    2007-04-21 12:04 114,176 --a------ C:\WINDOWS\system32\ltimg10N.dll
    2007-04-21 12:04 103,424 --a------ C:\WINDOWS\system32\ltfil10N.DLL
    2007-04-21 12:04 <DIR> d-------- C:\Program Files\TEXTware
    2007-04-21 12:01 <DIR> d-------- C:\Program Files\Oxford
    2007-04-14 20:13 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2007-04-14 15:55 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2007-04-14 15:55 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2007-04-14 15:55 <DIR> d-------- C:\Program Files\OpenAL
    2007-04-12 13:07 <DIR> d-------- C:\Program Files\LittleFighter2
    2007-04-10 08:56 <DIR> d-------- C:\games
    2007-04-09 15:46 <DIR> d-------- C:\DOCUME~1\Dean\dwhelper
    2007-04-09 15:35 <DIR> d-------- C:\WINDOWS\FLV Player
    2007-04-09 15:35 <DIR> d-------- C:\Program Files\FLV Player
    2007-04-09 10:18 845,312 --a------ C:\WINDOWS\system32\Smab.dll
    2007-04-09 10:18 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
    2007-04-09 10:18 66,560 --a------ C:\WINDOWS\MOTA113.exe
    2007-04-09 10:18 502,784 --a------ C:\WINDOWS\x2.64.exe
    2007-04-09 10:18 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
    2007-04-09 10:18 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
    2007-04-09 10:18 240,128 --a------ C:\WINDOWS\system32\x.264.exe
    2007-04-09 10:18 217,073 --a------ C:\WINDOWS\meta4.exe
    2007-04-09 10:18 <DIR> d--hs---- C:\WINDOWS\system32\ShellDHCP
    2007-04-09 10:08 <DIR> d-------- C:\Program Files\eRightSoft
    2007-04-07 13:15 <DIR> d-------- C:\Program Files\Network Stumbler
    2007-04-07 13:02 <DIR> d-------- C:\Program Files\WorldUnlock Codes Calculator
    2007-04-05 14:55 <DIR> d-------- C:\Bug
    2007-04-02 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-04-02 14:41 <DIR> d-------- C:\Program Files\Yahoo!
    2007-03-31 18:23 <DIR> d-------- C:\Program Files\uTorrent
    2007-03-31 18:23 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\uTorrent
    2007-03-28 15:34 <DIR> d-------- C:\Program Files\BitTorrent


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-29 21:57 -------- d-------- C:\Program Files\superantispyware
    2007-04-29 21:25 1393 --ahs---- C:\WINDOWS\system32\mmf.sys
    2007-04-29 12:44 -------- d-------- C:\Program Files\messengerskinner
    2007-04-27 19:44 -------- d-------- C:\Program Files\system control manager
    2007-04-27 19:43 -------- d-------- C:\Program Files\messenger
    2007-04-27 19:42 -------- d-------- C:\Program Files\msn messenger
    2007-04-27 19:41 -------- d-------- C:\Program Files\google
    2007-04-26 20:56 810 --a------ C:\WINDOWS\mozver.dat
    2007-04-26 20:36 248988 --a------ C:\WINDOWS\system32\hogupelx_nav.dat
    2007-04-26 16:25 -------- d-------- C:\Program Files\Common Files\wise installation wizard
    2007-04-22 18:10 -------- d-------- C:\Program Files\speedfan
    2007-04-14 15:55 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
    2007-04-12 12:58 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-05 10:17 -------- d-------- C:\Program Files\konami
    2007-03-31 18:15 1386496 --a------ C:\WINDOWS\system32\msvbvm60.dll
    2007-03-28 15:10 737280 --a------ C:\WINDOWS\iun6002.exe
    2007-03-26 22:27 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\talkback
    2007-03-19 19:52 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
    2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
    2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
    2007-03-13 16:42 -------- d-------- C:\Program Files\ea sports
    2007-03-13 16:39 -------- d-------- C:\Program Files\codec pack - all in 1
    2007-03-10 09:10 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\desksoft
    2007-03-08 18:40 -------- d-------- C:\Program Files\codemasters
    2007-03-08 16:23 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-03-08 16:23 298104 --a------ C:\WINDOWS\system32\imon.dll
    2007-03-08 16:23 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-03-04 17:34 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\hamachi
    2007-03-04 13:21 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
    2007-03-04 13:21 165376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
    2007-02-21 20:08 967 --a------ C:\WINDOWS\scunin.pif
    2007-02-21 20:08 94208 --a------ C:\WINDOWS\scunin.exe
    2007-02-21 20:08 35382 --a------ C:\WINDOWS\scunin.dat
    2007-02-06 15:31 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
    2007-02-06 15:05 855 --a------ C:\WINDOWS\ereg.dat
    2007-02-01 16:28 5501 --a------ C:\WINDOWS\system32\rtclcmg32.dll
    2007-01-05 21:19 62 --ahs---- C:\DOCUME~1\Dean\APPLIC~1\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {20F39C35-1B87-40B4-9C63-FA8B637D13C8} C:\WINDOWS\system32\ddayx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATICCC "= "\ "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay "
    "nod32kui "= "\ "C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE "
    "RemoteControl "= "\ "C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\" "
    "MGSysCtrl "= "C:\\Program Files\\System Control Manager\\MGSysCtrl.exe "
    "NeroFilterCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "vcdplayx "= "\ "C:\\WINDOWS\\vcdplayx.exe\" "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\" "
    "Comodo Firewall "= "\ "C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background "
    "tsnp2std "= "C:\\WINDOWS\\tsnp2std.exe "
    "snp2std "= "C:\\WINDOWS\\vsnp2std.exe "
    "RTHDCPL "= "RTHDCPL.EXE "
    "Alcmtr "= "ALCMTR.EXE "
    "AGRSMMSG "= "AGRSMMSG.exe "
    "VirtualDrive "= "\ "C:\\Program Files\\FarStone\\VirtualDrive\\VDTask.exe\" /AutoRestore "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "\ "C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Power2GoExpress "= "\ "C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\" /Startup "
    "messengerskinner "= "C:\\Program Files\\MessengerSkinner\\MessengerSkinner.exe "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "HideClock "=dword:00000000
    "NoManageMyComputerVerb "=dword:00000000
    "NoLowDiskSpaceChecks "=dword:00000000
    "NoCDBurning "=dword:00000000
    "NoStartMenuPinnedList "=dword:00000000
    "NoStartMenuMFUprogramsList "=dword:00000000
    "NoUserNameInStartMenu "=dword:00000000
    "StartmenuLogoff "=dword:00000000
    "NoStartMenuSubFolders "=dword:00000000
    "NoCommonGroups "=dword:00000000
    "NoRecentDocsMenu "=dword:00000000
    "ClearRecentDocsOnExit "=dword:00000000
    "NoPrinterTabs "=dword:00000000
    "NoDeletePrinter "=dword:00000000
    "NoAddPrinter "=dword:00000000
    "NoPrinters "=dword:00000000
    "NoNetworkConnections "=dword:00000000
    "NoFavoritesMenu "=dword:00000000
    "NoSMHelp "=dword:00000000
    "NoChangeStartMenu "=dword:00000000
    "NoFileMenu "=dword:00000000
    "NoShellSearchButton "=dword:00000000
    "NoToolbarCustomize "=dword:00000000
    "NoRecentDocsNetHood "=dword:00000000
    "NoChangeAnimation "=dword:00000000
    "NoChangeKeyboardNavigationIndicators "=dword:00000000
    "NoThemesTab "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source REG_SZ http://www.moljac.hr/skripte/phpAdsNew/adview.php?what=zone:22&amp;n=a871ad19

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source REG_SZ file:///C:/DOCUME~1/Dean/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=" "
    "{058DB58B-1A37-44F6-8910-04332FECADCB} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayx

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
    "backup "= "C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE "
    "item "= "BlueSoleil "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SUPERAntiSpyware "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "GoogleToolbarNotifier "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba35f815-a715-11db-b499-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7089da8-9d05-11db-b438-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-29 22:59:26
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 07-04-29 22:59:29
    C:\ComboFix-quarantined-files.txt ... 07-04-29 22:59


    Logfile of HijackThis v1.99.1
    Scan saved at 23:00:38, on 29.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\System Control Manager\edd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\HijackThis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
    O2 - BHO: (no name) - {20F39C35-1B87-40B4-9C63-FA8B637D13C8} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

    Thanks!
     
  5. 2007/04/29
    Geri (Lifetime Subscription, Inactive Alumni) - Joined: 2003/03/02, Messages: 4,580, Likes Received: 7
    OK, let's try this one.

    Unlocker
    Download Unlocker.
    Once installed:
    Locate the files.
    Click Start > My Computer > double-click the C: drive > double-click the Windows folder > double-click the System32 folder.
    Then, for each of these files:
    ddayx.dll
    xyadd.bak2
    xyadd.ini2

    Right-click and select 'Unlocker'.
    In the window that appears, select 'Unlock All'.
    In the drop-down menu, select 'Delete'.

    Please also run this.

    Download SafeBoot Key Repair from here.
    Save it to your desktop and run it, and post the log when it is done.


    Reboot your computer. Post a new ComboFix log.

    Geri
     
    Last edited: 2007/04/29
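The following is a small triage script added here as an example; it is not part of the thread and not a tool anyone in it used. It reads the kind of lines fball posted (the sample lines below are copied from the HijackThis and ComboFix logs above) and flags the pattern Geri's Unlocker advice is reacting to: ddayx.dll is registered both as a Browser Helper Object (O2) and as a Winlogon Notify handler (O20), which means it is loaded into winlogon.exe and the file is locked for as long as the session is up, so an ordinary delete is denied; and xyadd.ini2 / xyadd.bak2 sit beside it with hidden and system attributes and a base name that is the reverse of ddayx. The regular expressions and the `triage` function are assumptions written against these excerpts only, not a general parser for either tool's output.

```python
"""Triage of HijackThis / ComboFix excerpts: correlate a DLL that persists via
BHO and Winlogon Notify with hidden+system companion files whose base name is
the reverse of the DLL's base name. Added example, not from the thread."""
import re
from collections import defaultdict

# Constructed sample: lines copied from the HijackThis log posted in the thread.
HIJACKTHIS_LINES = """\
O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
O2 - BHO: (no name) - {20F39C35-1B87-40B4-9C63-FA8B637D13C8} - C:\\WINDOWS\\system32\\ddayx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: ddayx - C:\\WINDOWS\\system32\\ddayx.dll
"""

# Constructed sample: lines copied from the ComboFix "Files Created" section.
COMBOFIX_LINES = """\
2007-04-29 21:26 493,631 ---hs---- C:\\WINDOWS\\system32\\xyadd.ini2
2007-04-29 20:00 3,968 --a------ C:\\WINDOWS\\system32\\drivers\\AvgAsCln.sys
2007-04-27 23:18 491,136 ---hs---- C:\\WINDOWS\\system32\\xyadd.bak2
2007-04-27 23:18 284,244 --------- C:\\WINDOWS\\system32\\ddayx.dll
"""

# Assumed line shapes, fitted to the excerpts above only.
# HijackThis: "<section> - <kind>: <label> - <guid> - <path>"; "(no file)" lines do not match.
HJT_RE = re.compile(r"^(O\d+) - ([^:]+): .* - (?P<path>[A-Za-z]:\\.+)$")
# ComboFix: "<date> <time> <size|<DIR>> <9-char attribute string> <path>"
CF_RE = re.compile(
    r"^(\S+ \S+)\s+([\d,]+|<DIR>)\s+(?P<attrs>[-a-z]{9})\s+(?P<path>[A-Za-z]:\\.+)$"
)


def base_name(path):
    """'C:\\WINDOWS\\system32\\ddayx.dll' -> 'ddayx' (lower-case, no extension)."""
    name = path.rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def parse_hijackthis(text):
    """Map lower-cased file path -> set of HijackThis kinds it is loaded as."""
    loads = defaultdict(set)
    for line in text.splitlines():
        m = HJT_RE.match(line.strip())
        if m:
            loads[m.group("path").lower()].add(m.group(2))
    return loads


def parse_combofix(text):
    """Map lower-cased file path -> 9-character attribute string."""
    files = {}
    for line in text.splitlines():
        m = CF_RE.match(line.strip())
        if m:
            files[m.group("path").lower()] = m.group("attrs")
    return files


def triage(hjt_text, cf_text):
    """Return (path, reason) findings in the order they were established."""
    findings = []
    loads = parse_hijackthis(hjt_text)
    files = parse_combofix(cf_text)
    # A DLL that is both a BHO and a Winlogon Notify handler is loaded into
    # winlogon.exe, so the file is locked while the session is up.
    suspects = [p for p, kinds in loads.items() if {"BHO", "Winlogon Notify"} <= kinds]
    for path in suspects:
        findings.append((path, "BHO and Winlogon Notify handler; locked in-session"))
        reversed_base = base_name(path)[::-1]
        for fpath, attrs in files.items():
            hidden_system = "h" in attrs and "s" in attrs
            if hidden_system and base_name(fpath) == reversed_base:
                findings.append(
                    (fpath, f"hidden+system companion named as the reverse of {base_name(path)}")
                )
    return findings


if __name__ == "__main__":
    for path, reason in triage(HIJACKTHIS_LINES, COMBOFIX_LINES):
        print(f"{path}: {reason}")
```

The same logic applies to any pair of logs in this format: the check is not the name ddayx but the combination of an O2 plus O20 registration of one DLL and hidden+system neighbours with the mirrored name, so it would also surface a differently named drop of the same family.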
  6. 2007/04/30
    fball (Thread Starter)
    "Dean" - 07-04-30 10:19:20 Service Pack 2
    ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Dean\Desktop\ "


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-30 ))))))))))))))))))))))))))))))))))


    2007-04-29 23:21 524,288 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
    2007-04-29 20:00 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-28 20:53 <DIR> d-------- C:\DOCUME~1\Dean\New Folder
    2007-04-28 19:04 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-04-28 12:34 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
    2007-04-28 11:14 <DIR> d--h----- C:\Program Files\WindowsUpdate
    2007-04-28 11:14 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-04-28 10:11 <DIR> d-------- C:\VundoFix Backups
    2007-04-27 14:39 <DIR> d---s---- C:\DOCUME~1\Dean\UserData
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Scorpio Software
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Common Files\scosoft.com
    2007-04-27 14:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-26 15:43 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\SuperAdBlocker.com
    2007-04-24 00:49 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-04-23 21:38 <DIR> d-------- C:\Program Files\Trustix
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Comodo
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-23 18:12 28 --a------ C:\WINDOWS\system32\substpntx8.dll
    2007-04-23 18:11 <DIR> d-------- C:\Program Files\WinTools
    2007-04-23 17:42 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Sereniti
    2007-04-21 12:21 <DIR> d-------- C:\Program Files\CatchTheSperm2
    2007-04-21 12:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Phenomedia
    2007-04-21 12:20 <DIR> d-------- C:\Program Files\KraiSoft
    2007-04-21 12:05 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Oxford
    2007-04-21 12:04 99,092 --a------ C:\WINDOWS\system32\bass.dll
    2007-04-21 12:04 88,064 --a------ C:\WINDOWS\system32\idiom010227.dll
    2007-04-21 12:04 34,304 --a------ C:\WINDOWS\system32\lfbmp10N.dll
    2007-04-21 12:04 297,472 --a------ C:\WINDOWS\system32\ltkrn10N.dll
    2007-04-21 12:04 266,752 --a------ C:\WINDOWS\system32\LFCMP10N.DLL
    2007-04-21 12:04 231,424 --a------ C:\WINDOWS\system32\LTDIS10N.dll
    2007-04-21 12:04 199,168 --a------ C:\WINDOWS\system32\Illprs.dll
    2007-04-21 12:04 160,768 --a------ C:\WINDOWS\system32\ILLKRN.DLL
    2007-04-21 12:04 147,456 --a------ C:\WINDOWS\system32\Twavbx32.dll
    2007-04-21 12:04 143,360 --a------ C:\WINDOWS\system32\ILXTBS.DLL
    2007-04-21 12:04 134,144 --a------ C:\WINDOWS\system32\lfpng10N.dll
    2007-04-21 12:04 115,200 --a------ C:\WINDOWS\system32\UnzDll.dll
    2007-04-21 12:04 114,176 --a------ C:\WINDOWS\system32\ltimg10N.dll
    2007-04-21 12:04 103,424 --a------ C:\WINDOWS\system32\ltfil10N.DLL
    2007-04-21 12:04 <DIR> d-------- C:\Program Files\TEXTware
    2007-04-21 12:01 <DIR> d-------- C:\Program Files\Oxford
    2007-04-14 20:13 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2007-04-14 15:55 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2007-04-14 15:55 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2007-04-14 15:55 <DIR> d-------- C:\Program Files\OpenAL
    2007-04-12 13:07 <DIR> d-------- C:\Program Files\LittleFighter2
    2007-04-10 08:56 <DIR> d-------- C:\games
    2007-04-09 15:46 <DIR> d-------- C:\DOCUME~1\Dean\dwhelper
    2007-04-09 15:35 <DIR> d-------- C:\WINDOWS\FLV Player
    2007-04-09 15:35 <DIR> d-------- C:\Program Files\FLV Player
    2007-04-09 10:18 845,312 --a------ C:\WINDOWS\system32\Smab.dll
    2007-04-09 10:18 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
    2007-04-09 10:18 66,560 --a------ C:\WINDOWS\MOTA113.exe
    2007-04-09 10:18 502,784 --a------ C:\WINDOWS\x2.64.exe
    2007-04-09 10:18 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
    2007-04-09 10:18 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
    2007-04-09 10:18 240,128 --a------ C:\WINDOWS\system32\x.264.exe
    2007-04-09 10:18 217,073 --a------ C:\WINDOWS\meta4.exe
    2007-04-09 10:18 <DIR> d--hs---- C:\WINDOWS\system32\ShellDHCP
    2007-04-09 10:08 <DIR> d-------- C:\Program Files\eRightSoft
    2007-04-07 13:15 <DIR> d-------- C:\Program Files\Network Stumbler
    2007-04-07 13:02 <DIR> d-------- C:\Program Files\WorldUnlock Codes Calculator
    2007-04-05 14:55 <DIR> d-------- C:\Bug
    2007-04-02 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-04-02 14:41 <DIR> d-------- C:\Program Files\Yahoo!
    2007-03-31 18:23 <DIR> d-------- C:\Program Files\uTorrent
    2007-03-31 18:23 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\uTorrent
    2007-03-28 15:34 <DIR> d-------- C:\Program Files\BitTorrent


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-30 10:09 1393 --ahs---- C:\WINDOWS\system32\mmf.sys
    2007-04-29 21:57 -------- d-------- C:\Program Files\superantispyware
    2007-04-29 12:44 -------- d-------- C:\Program Files\messengerskinner
    2007-04-27 19:44 -------- d-------- C:\Program Files\system control manager
    2007-04-27 19:43 -------- d-------- C:\Program Files\messenger
    2007-04-27 19:42 -------- d-------- C:\Program Files\msn messenger
    2007-04-27 19:41 -------- d-------- C:\Program Files\google
    2007-04-26 20:56 810 --a------ C:\WINDOWS\mozver.dat
    2007-04-26 20:36 248988 --a------ C:\WINDOWS\system32\hogupelx_nav.dat
    2007-04-26 16:25 -------- d-------- C:\Program Files\Common Files\wise installation wizard
    2007-04-22 18:10 -------- d-------- C:\Program Files\speedfan
    2007-04-14 15:55 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
    2007-04-12 12:58 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-05 10:17 -------- d-------- C:\Program Files\konami
    2007-03-31 18:15 1386496 --a------ C:\WINDOWS\system32\msvbvm60.dll
    2007-03-28 15:10 737280 --a------ C:\WINDOWS\iun6002.exe
    2007-03-26 22:27 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\talkback
    2007-03-19 19:52 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
    2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
    2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
    2007-03-13 16:42 -------- d-------- C:\Program Files\ea sports
    2007-03-13 16:39 -------- d-------- C:\Program Files\codec pack - all in 1
    2007-03-10 09:10 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\desksoft
    2007-03-08 18:40 -------- d-------- C:\Program Files\codemasters
    2007-03-08 16:23 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-03-08 16:23 298104 --a------ C:\WINDOWS\system32\imon.dll
    2007-03-08 16:23 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-03-04 17:34 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\hamachi
    2007-03-04 13:21 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
    2007-03-04 13:21 165376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
    2007-02-21 20:08 967 --a------ C:\WINDOWS\scunin.pif
    2007-02-21 20:08 94208 --a------ C:\WINDOWS\scunin.exe
    2007-02-21 20:08 35382 --a------ C:\WINDOWS\scunin.dat
    2007-02-06 15:31 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
    2007-02-06 15:05 855 --a------ C:\WINDOWS\ereg.dat
    2007-02-01 16:28 5501 --a------ C:\WINDOWS\system32\rtclcmg32.dll
    2007-01-05 21:19 62 --ahs---- C:\DOCUME~1\Dean\APPLIC~1\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {30FE0AE4-1087-4219-A85D-2AC522BE8E56} C:\WINDOWS\system32\ddayx.dll [x]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATICCC "= "\ "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay "
    "nod32kui "= "\ "C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE "
    "RemoteControl "= "\ "C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\" "
    "MGSysCtrl "= "C:\\Program Files\\System Control Manager\\MGSysCtrl.exe "
    "NeroFilterCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "vcdplayx "= "\ "C:\\WINDOWS\\vcdplayx.exe\" "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\" "
    "Comodo Firewall "= "\ "C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background "
    "tsnp2std "= "C:\\WINDOWS\\tsnp2std.exe "
    "snp2std "= "C:\\WINDOWS\\vsnp2std.exe "
    "RTHDCPL "= "RTHDCPL.EXE "
    "Alcmtr "= "ALCMTR.EXE "
    "AGRSMMSG "= "AGRSMMSG.exe "
    "VirtualDrive "= "\ "C:\\Program Files\\FarStone\\VirtualDrive\\VDTask.exe\" /AutoRestore "
    "UnlockerAssistant "= "\ "C:\\Program Files\\Unlocker\\UnlockerAssistant.exe\" "
    "UserFaultCheck "=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,65,\

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "\ "C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Power2GoExpress "= "\ "C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\" /Startup "
    "messengerskinner "= "C:\\Program Files\\MessengerSkinner\\MessengerSkinner.exe "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "HideClock "=dword:00000000
    "NoManageMyComputerVerb "=dword:00000000
    "NoLowDiskSpaceChecks "=dword:00000000
    "NoCDBurning "=dword:00000000
    "NoStartMenuPinnedList "=dword:00000000
    "NoStartMenuMFUprogramsList "=dword:00000000
    "NoUserNameInStartMenu "=dword:00000000
    "StartmenuLogoff "=dword:00000000
    "NoStartMenuSubFolders "=dword:00000000
    "NoCommonGroups "=dword:00000000
    "NoRecentDocsMenu "=dword:00000000
    "ClearRecentDocsOnExit "=dword:00000000
    "NoPrinterTabs "=dword:00000000
    "NoDeletePrinter "=dword:00000000
    "NoAddPrinter "=dword:00000000
    "NoPrinters "=dword:00000000
    "NoNetworkConnections "=dword:00000000
    "NoFavoritesMenu "=dword:00000000
    "NoSMHelp "=dword:00000000
    "NoChangeStartMenu "=dword:00000000
    "NoFileMenu "=dword:00000000
    "NoShellSearchButton "=dword:00000000
    "NoToolbarCustomize "=dword:00000000
    "NoRecentDocsNetHood "=dword:00000000
    "NoChangeAnimation "=dword:00000000
    "NoChangeKeyboardNavigationIndicators "=dword:00000000
    "NoThemesTab "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source REG_SZ http://www.moljac.hr/skripte/phpAdsNew/adview.php?what=zone:22&amp;n=a871ad19

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source REG_SZ file:///C:/DOCUME~1/Dean/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=" "
    "{058DB58B-1A37-44F6-8910-04332FECADCB} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayx

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
    "backup "= "C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE "
    "item "= "BlueSoleil "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SUPERAntiSpyware "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "GoogleToolbarNotifier "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba35f815-a715-11db-b499-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7089da8-9d05-11db-b438-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-30 10:19:54
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 07-04-30 10:19:56
    C:\ComboFix-quarantined-files.txt ... 07-04-30 10:19
    C:\ComboFix2.txt ... 07-04-30 10:16
    C:\ComboFix3.txt ... 07-04-30 10:13

    Logfile of HijackThis v1.99.1
    Scan saved at 10:21:00, on 30.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\Program Files\Unlocker\UnlockerAssistant.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\System Control Manager\edd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\HijackThis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
    O2 - BHO: (no name) - {30FE0AE4-1087-4219-A85D-2AC522BE8E56} - C:\WINDOWS\system32\ddayx.dll (file missing)
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe "
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe

    Well, it looks like the problems are solved. I will contact you if something is still not doing good, cos I see that you really know how to deal with any situation!

    Thank you very much!!

    Now my computer is running fast again on the startup. :D

    I hope it will stay that way.

    One more time, thank you very much!!!
     
  7. 2007/04/30
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi fball
    That's great.

    OK Just a little clean up left.

    You can delete any tools you were asked to download (Vundofix, combofix, Killbox...). There will be newer versions if ever needed again anyway.
    AVG you can keep or not, your choice.

    Please re-open HiJackThis and scan only. Check the boxes next to all the entries listed below.

    O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
    O2 - BHO: (no name) - {30FE0AE4-1087-4219-A85D-2AC522BE8E56} - C:\WINDOWS\system32\ddayx.dll (file missing)
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)


    Now close all windows other than HiJackThis, then click Fix Checked.

    Close HJT.

    We have just a few more things to do, mostly maintenance and then our recommendations:

    Delete all your cookies, and empty your recycle bin. But remember, by deleting your cookies, you will have to re-enter any passwords and log-in info for any sites you are usually required to do so with.

    This would also be a good time to set a new system restore point for your machine.
    Set New System Restore Point. Do not do this unless there are no other user accounts to be diagnosed.

    Also, as you are an XP user, if there are any other accounts on this machine, they, too, must be cleaned with AdAware, Spybot S&D, then HJT. Not all infections are global, nor are all the HJT fixes global. You can post each user account here into this thread, but please, do only one at a time to avoid confusion. It is very rare that anything significant is ever found.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - A powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.

    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.

    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.

    4. SpywareGuard - Works as a Spyware "Shield" to protect your computer from getting malware in the first place.

    5. IE-SpyAd - puts over 23,000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all, and MVPS Hosts File will accomplish a similar tactic and provide another layer of protection.

    6. Install WinPatrol to prevent unknown applications from being inserted to start up on your machine.

    Now just because you have security apps installed, they are useless unless updated regularly.

    7. Another thing I would suggest is to install SiteAdvisor. It gives sites a few different 'ratings' and, while not foolproof, is a good additional layer of information about many sites.

    8. ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only. It cleans out temporary files, all the garbage you collect while surfing the web.

    9. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.

    10. Google Toolbar - Free Google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop-up windows.

    11. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)

    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections, you can read this article by Tony Klein.

    Surf Safely
    Geri
     
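    The four entries Geri asks to have fixed above are all loading points (two BHO registrations and a Winlogon Notify slot) whose target file HijackThis reports as gone: the ddayx.dll that was deleted earlier is still referenced from the registry. The script below is an added example, not part of Geri's post or of the HijackThis tool; it parses a constructed sample in HijackThis v1.99 log format (the sample lines copy CLSIDs and paths from the log posted in this thread) and picks out every entry marked "(no file)" or "(file missing)", then groups the missing files that are referenced from more than one loading point, which is the pattern ddayx.dll shows here. The parsing rules (section tag, " - " separators, the two missing-file markers) are read off the log lines posted above, not from any HijackThis documentation.

```python
import re
from collections import defaultdict

# Constructed sample in HijackThis v1.99 log format. The entries mirror the ones
# posted in this thread (same CLSIDs and paths); it is not a log captured here.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
O2 - BHO: (no name) - {30FE0AE4-1087-4219-A85D-2AC522BE8E56} - C:\WINDOWS\system32\ddayx.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# An entry line is a section tag ("O2", "O20", "R0", ...), " - ", then the body.
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.+)$")
CLSID = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# The two ways the posted log marks a loading point whose target is gone.
MISSING_MARKERS = ("(no file)", "(file missing)")


def parse_hjt_line(line):
    """Return (section, body) for an entry line, or None for headers and blank lines."""
    m = HJT_LINE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def entry_target(body):
    """The last ' - ' separated field: the file the entry loads, or a missing marker."""
    return body.rsplit(" - ", 1)[-1].strip()


def is_orphaned(body):
    """True when HJT reports the entry's target file as absent from disk."""
    return entry_target(body).endswith(MISSING_MARKERS)


def target_path(body):
    """Path printed before a missing marker, or None when only '(no file)' was shown."""
    target = entry_target(body)
    for marker in MISSING_MARKERS:
        if target.endswith(marker):
            target = target[: -len(marker)].strip()
    return target or None


def orphaned_entries(log_text):
    """Every entry whose target file is missing, with its section, CLSID and path."""
    found = []
    for line in log_text.splitlines():
        parsed = parse_hjt_line(line)
        if parsed is None:
            continue
        section, body = parsed
        if not is_orphaned(body):
            continue
        clsid = CLSID.search(body)
        found.append({
            "section": section,
            "clsid": clsid.group(0) if clsid else None,
            "path": target_path(body),
            "body": body,
        })
    return found


def shared_missing_targets(entries):
    """Missing files referenced from more than one loading point, keyed by the
    lower-cased path (Windows paths are case-insensitive). One DLL wired into
    both a BHO slot and a Winlogon Notify slot is what this thread's ddayx.dll shows."""
    by_path = defaultdict(list)
    for e in entries:
        if e["path"]:
            by_path[e["path"].lower()].append(e["section"])
    return {p: sorted(s) for p, s in by_path.items() if len(s) > 1}


if __name__ == "__main__":
    found = orphaned_entries(SAMPLE_LOG)
    for e in found:
        print(f"{e['section']:<4} {e['body']}")
    for path, sections in shared_missing_targets(found).items():
        print(f"{path} is still referenced from {', '.join(sections)}")
```

    Run against the sample it reports the three orphaned entries (the two BHOs and the ddayx Winlogon Notify slot) and notes that the one missing DLL is referenced from both O2 and O20. The !SASWinLogon notify entry and the toolbar, Run and service lines pass through untouched because HJT found their files on disk; an orphaned entry is only a leftover reference, so removing it with Fix Checked cleans the registry without touching any running program.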
  8. 2007/04/30
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    OK, thanks. I've done it all. I hope it's OK now.

    Thank you very, very much!

    I must say that you are a very smart and good man.

    Thank you!
     
