
Help remove virus drivecleaner and more...

Discussion in 'Malware and Virus Removal Archive' started by prophete, 2007/05/31.

Thread Status:
Not open for further replies.
  1. 2007/05/31
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    Hi,

    Please see if you can help me.
    I ran VundoFix, but it seems I still have some problems.

    Please see if you can help,

    Thanks a lot !!!
    llan

    I ran HijackThis and this is the log:
    Logfile of HijackThis v1.99.1
    Scan saved at 09:00:06, on 01,06,2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\netsrv.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\Program Files\Citrix\ICA Client\ssonsvr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\QuickTime\qttask.exe
    C:\WINDOWS\smanager.7.exe
    C:\WINDOWS\avp.exe
    C:\Documents and Settings\All Users\Application Data\zyngtczm.exe
    C:\WINDOWS\smgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Documents and Settings\i026024\Desktop\VundoFix.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {b2340d3f-9e05-4eba-8151-b872b2d52ef0} - C:\WINDOWS\system32\d3draf.dll
    O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
    O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: AbsoluteToolbar - {7092FE0A-9993-4a48-8949-619A3C4C76B9} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\i026024\LOCALS~1\Temp\svchost.exe 1
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\system32\clcl7.exe
    O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe "
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [{87-73-3F-FC-ZN}] c:\windows\system32\mjdsregp.exe CHD001
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinkndt.exe CHD001
    O4 - HKLM\..\Run: [SManager] smanager.7.exe
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\avp.exe
    O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
    O4 - HKLM\..\Run: [zyngtczm.exe] C:\Documents and Settings\All Users\Application Data\zyngtczm.exe
    O4 - HKLM\..\Run: [smgr] smgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\RunOnce: [z_Oudescription] C:\Program Files\SAP\EUS\_OUdescription.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp20.tmp.exe "
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\i026024\Desktop\TICHD001.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinkndt.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O20 - AppInit_DLLs:
    O20 - Winlogon Notify: d3draf - C:\WINDOWS\SYSTEM32\d3draf.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: winkye32 - C:\WINDOWS\SYSTEM32\winkye32.dll
    O21 - SSODL: msvcrt64.dll - {09D8F992-8FAC-4826-AC73-DB1F1BFCCCB2} - msvcrt64.dll (file missing)
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)
     
    Last edited: 2007/05/31
  2. 2007/05/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Hello and welcome to WindowsBBS Forums.

    Vundo does not appear present in the log; did the tool find anything? Post that log later, after I have you run the tool below.

    It looks like you may have a new bot; we'll run SDFix to see if it picks it up.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
    • Finally, copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log, along with the Vundo report if anything was found and/or removed.
     


  4. 2007/05/31
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    Virus - logs

    Thanks a lot.

    I did what you said and you can find the logs below.
    Please let me know if I still need to do something.
    (I still get some pop-ups.)

    thanks again for your help!
    IIan


    SDFix: Version 1.85

    Run by i026024 - Fri 06/01/2007 - 11:21:59.20

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\DOCUME~1\i026024\Desktop\w\SDFix

    Safe Mode:
    Checking Services:






    Restoring Windows Registry Values
    Restoring Windows Default Hosts File

    Rebooting...


    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\TEMP\win228.tmp.exe - Deleted
    C:\WINDOWS\TEMP\win22A.tmp.exe - Deleted
    C:\WINDOWS\TEMP\win22E.tmp.exe - Deleted
    C:\WINDOWS\TEMP\win23C.tmp.exe - Deleted
    C:\WINDOWS\TEMP\winD.tmp.exe - Deleted
    C:\WINDOWS\Temp\win228.tmp.exe - Deleted
    C:\WINDOWS\Temp\win22A.tmp.exe - Deleted
    C:\WINDOWS\Temp\win22E.tmp.exe - Deleted
    C:\WINDOWS\Temp\win23C.tmp.exe - Deleted
    C:\WINDOWS\Temp\winD.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp125.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp1C.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp1D3.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp2.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp21B.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp21C.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp223.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp244.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp245.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp246.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp250.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp253.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp2F.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp4E.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp50.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp51.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp6D0.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp6D1.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp6F.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp8.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp9.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmpA.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\tmpE.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\win229.tmp.exe - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\win22D.tmp.exe - Deleted
    C:\Documents and Settings\i026024\Application Data\Install.dat - Deleted
    C:\svchost.exe - Deleted
    C:\WINDOWS\smanager.7.exe - Deleted
    C:\WINDOWS\svchost.exe - Deleted
    C:\WINDOWS\system32\msnav32.ax - Deleted
    C:\WINDOWS\system32\netsrv.exe - Deleted
    C:\WINDOWS\Temp\win*.tmp - Deleted
    C:\DOCUME~1\i026024\LOCALS~1\Temp\win*.tmp - Deleted



    Removing Temp Files...

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\eMule\\Incoming\\divers\\EMULE MORPHXT (configurazione perfetta)\\emule.exe "= "C:\\Program Files\\eMule\\Incoming\\divers\\EMULE MORPHXT (configurazione perfetta)\\emule.exe:*:Enabled:eMule"
    "C:\\Program Files\\Messenger\\Msmsgs.exe "= "C:\\Program Files\\Messenger\\Msmsgs.exe:*:Enabled:Windows Messenger "
    "C:\\Program Files\\iTunes\\iTunes.exe "= "C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
    "C:\\WINDOWS\\system32\\jview.exe "= "C:\\WINDOWS\\system32\\jview.exe:*:Enabled:Microsoftr VM Command Line Interpreter "
    "C:\\Program Files\\SmartFTP\\SmartFTP.exe "= "C:\\Program Files\\SmartFTP\\SmartFTP.exe:*:Enabled:SmartFTP Client"
    "C:\\Program Files\\Internet Explorer\\iexplore.exe "= "C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Disabled:Internet Explorer "
    "C:\\Documents and Settings\\i026024\\Desktop\\RISK2\\RISKII.EXE "= "C:\\Documents and Settings\\i026024\\Desktop\\RISK2\\RISKII.EXE:*:Enabled:Risk II"
    "C:\\Program Files\\eMule\\Incoming\\divers\\EMULE! perfect configuration ready to work ownload very fast [v.0.45b]\\EMULE MORPHXT (configurazione perfetta)\\emule.exe "= "C:\\Program Files\\eMule\\Incoming\\divers\\EMULE! perfect configuration ready to work ownload very fast [ v.0.45b]\\EMULE MORPHXT (configurazione perfetta)\\emule.exe:*:Enabled:eMule "
    "C:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe "= "C:\\Program Files\\Common Files\\Synacast\\SynaLive\\PE.exe:*:Enabled:pE"
    "C:\\Documents and Settings\\All Users\\Application Data\\Spontania4IM\\spontaniavideo.exe "= "C:\\Documents and Settings\\All Users\\Application Data\\Spontania4IM\\spontaniavideo.exe:*:Enabled:Dialcom Spontania video4IM"
    "C:\\Program Files\\eMule1\\emule.exe "= "C:\\Program Files\\eMule1\\emule.exe:*:Enabled:eMule "
    "C:\\emuleextreme\\emule.exe "= "C:\\emuleextreme\\emule.exe:*:Enabled:eMule "
    "C:\\Documents and Settings\\i026024\\Desktop\\emule\\emule.exe "= "C:\\Documents and Settings\\i026024\\Desktop\\emule\\emule.exe:*:Enabled:eMule"
    "C:\\emuleextreme\\Copy of emule.exe "= "C:\\emuleextreme\\Copy of emule.exe:*:Enabled:eMule "
    "C:\\Program Files\\Skype\\Phone\\Skype.exe "= "C:\\Program Files\\Skype\\Phone\\Skype.exe:*:Enabled:Skype"
    "C:\\svchost.exe "= "C:\\svchost.exe:*:Enabled:svchost "
    "C:\\WINDOWS\\Explorer.EXE "= "C:\\WINDOWS\\Explorer.EXE:*:Enabled:Explorer "

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"

    Remaining Files:
    ---------------

    Backups Folder: - C:\DOCUME~1\i026024\Desktop\w\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Program Files\DominateGame\Setup.exe
    C:\Program Files\Picasa2\setup.exe
    C:\Documents and Settings\i026024\Desktop\~WRL0384.tmp

    Finished


    Logfile of HijackThis v1.99.1
    Scan saved at 13:15:51, on 01,06,2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3} - C:\WINDOWS\system32\ssqqool.dll
    O2 - BHO: (no name) - {4B646AFB-9341-4330-8FD1-C32485AEE619} - C:\WINDOWS\system32\tmp21C.tmp.dll
    O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: (no name) - {b2340d3f-9e05-4eba-8151-b872b2d52ef0} - C:\WINDOWS\system32\d3draf.dll
    O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll
    O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: AbsoluteToolbar - {7092FE0A-9993-4a48-8949-619A3C4C76B9} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraService(E)] C:\WINDOWS\System32\ElkCtrl.exe /automation
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\System32\LVCOMSX.EXE
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs "
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
    O4 - HKLM\..\Run: [WindowsServicesStartup] C:\DOCUME~1\i026024\LOCALS~1\Temp\svchost.exe 1
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [clcl7] C:\WINDOWS\system32\clcl7.exe
    O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe"
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [{87-73-3F-FC-ZN}] c:\windows\system32\mjdsregp.exe CHD001
    O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinkndt.exe CHD001
    O4 - HKLM\..\Run: [avp] C:\WINDOWS\btn5026v7.exe
    O4 - HKLM\..\Run: [WMDM PMSP Service] C:\WINDOWS\system32\cssrss.exe
    O4 - HKLM\..\Run: [zyngtczm.exe] C:\Documents and Settings\All Users\Application Data\zyngtczm.exe
    O4 - HKLM\..\Run: [smgr] smgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [iut75] c:\windows\system32\drivers\uzcx.exe
    O4 - HKLM\..\Run: [System] C:\WINDOWS\system32\kernels32.exe
    O4 - HKLM\..\RunOnce: [z_Oudescription] C:\Program Files\SAP\EUS\_OUdescription.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - HKCU\..\Run: [SysRestore] "C:\DOCUME~1\i026024\LOCALS~1\Temp\tmp21D.tmp.exe "
    O4 - HKCU\..\Run: [Windows update loader] C:\Windows\xpupdate.exe
    O4 - Startup: TA_Start.lnk = C:\Documents and Settings\i026024\Desktop\TICHD001.exe
    O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinkndt.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
    O20 - Winlogon Notify: d3draf - C:\WINDOWS\SYSTEM32\d3draf.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O20 - Winlogon Notify: ssqqool - C:\WINDOWS\SYSTEM32\ssqqool.dll
    O20 - Winlogon Notify: winkye32 - C:\WINDOWS\SYSTEM32\winkye32.dll
    O21 - SSODL: msvcrt64.dll - {09D8F992-8FAC-4826-AC73-DB1F1BFCCCB2} - msvcrt64.dll (file missing)
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)
    O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
     
  5. 2007/05/31
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, let's break out the other big gun and see what remains.

    Download combofix.exe
    • Double click combofix.exe & follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply with a new HJT log please.

    Note:
    Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.
     
  6. 2007/06/01
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    still have popup virus ... scanner.malwarealarm.com

    Hi,

    I still have problems. The virus now seems to be scanner.malwarealarm.com.

    Thanks again & again.
    llan

    both logs (hijackthis and combofix)

    Logfile of HijackThis v1.99.1
    Scan saved at 01:22, on 2007-06-02
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\mcshield.exe
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\smgr.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Documents and Settings\All Users\Application Data\nojehsjs.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\Video\ManifestEngine.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.co.il/
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.tlv.sap.corp;*.dhcp.tlv.sap.corp;*.wdf.sap.corp;*.sap.corp;*.wdf.sap-ag.de;*.pal.sap.corp;*.perflab.com;10.*.*.*;<local>
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Plugin Class - {56CD20F0-7C09-11D5-A768-0050042307CE} - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
    O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)
    O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
    O3 - Toolbar: AbsoluteToolbar - {7092FE0A-9993-4a48-8949-619A3C4C76B9} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O3 - Toolbar: febooti ie&Zoom - {605F5EB4-E40B-4000-BD60-70CF5494ED9F} - C:\Program Files\febooti ieZoom\ieZoom.dll
    O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    O4 - HKLM\..\Run: [LogitechCameraAssistant] C:\Program Files\Logitech\Video\CameraAssistant.exe
    O4 - HKLM\..\Run: [CfgDownload] C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    O4 - HKLM\..\Run: [AdminCheck] wscript "C:\Program Files\sap\eus\_admincheck.vbs "
    O4 - HKLM\..\Run: [LogitechVideo[inspector]] C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe "
    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup
    O4 - HKLM\..\Run: [zyngtczm.exe] C:\Documents and Settings\All Users\Application Data\zyngtczm.exe
    O4 - HKLM\..\Run: [smgr] smgr.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe "
    O4 - HKLM\..\Run: [nojehsjs.exe] C:\Documents and Settings\All Users\Application Data\nojehsjs.exe
    O4 - HKLM\..\RunOnce: [z_Oudescription] C:\Program Files\SAP\EUS\_OUdescription.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [LogitechSoftwareUpdate] "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: BGinfo.lnk = ?
    O4 - Global Startup: Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
    O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
    O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
    O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O9 - Extra button: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra 'Tools' menuitem: AbsoluteToolbar - {5614CCAE-1E8F-49a4-B64B-BD846A2DCAF6} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra button: NeoTrace It! - {9885224C-1217-4c5f-83C2-00002E6CEF2B} - C:\WINDOWS\System32\shdocvw.dll (HKCU)
    O14 - IERESET.INF: START_PAGE_URL=http://intranet.sap.com
    O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://downloads.ewido.net/ewidoOnlineScan.cab
    O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    O16 - DPF: {A18962F6-E6ED-40B1-97C9-1FB36F38BFA8} (Aurigma Image Uploader 3.5 Control) - http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\Software\..\Telephony: DomainName = tlv.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\..\{74FFBCB7-469F-41E8-8936-B7147E05AD73}: NameServer = 192.168.1.1,192.168.1.2
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = tlv.sap.corp
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: SearchList = tlv.sap.corp,dhcp.tlv.sap.corp,wdf.sap.corp
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
    O20 - Winlogon Notify: PCANotify - C:\WINDOWS\SYSTEM32\PCANotify.dll
    O21 - SSODL: msvcrt64.dll - {09D8F992-8FAC-4826-AC73-DB1F1BFCCCB2} - msvcrt64.dll (file missing)
    O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
    O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    O23 - Service: DameWare NT Utilities 2.6 (DNTUS26) - DameWare Development - C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development - C:\WINDOWS\SYSTEM32\DWRCS.EXE
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Logitech Process Monitor (LVPrcSrv) - Logitech Inc. - c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    O23 - Service: McAfee Framework Service (McAfeeFramework) - Unknown owner - C:\Program Files\Network Associates\Common Framework\FrameworkService.exe" /ServiceStart (file missing)
    O23 - Service: Network Associates McShield (McShield) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\mcshield.exe
    O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)
    O23 - Service: RapApp - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\RapApp.exe
    O23 - Service: Rescue_Account - Unknown owner - C:\WINDOWS\srvany.exe (file missing)
    O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)


    "i026024" - 2007-06-01 20:41:22 Service Pack 2 [SAFE MODE]
    ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\i026024\Desktop\ "


    (((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\iifff.dll
    C:\WINDOWS\system32\levrhtne.dll
    C:\WINDOWS\system32\odjegaxr.dll
    C:\WINDOWS\system32\wwqwfcgh.dll
    C:\WINDOWS\system32\winkye32.dll
    C:\WINDOWS\system32\cccdd.bak1
    C:\WINDOWS\system32\cccdd.ini
    C:\WINDOWS\system32\fffii.ini
    C:\WINDOWS\system32\hgcfwqww.ini
    C:\WINDOWS\system32\cccdd.bak1
    C:\WINDOWS\system32\cccdd.ini
    C:\WINDOWS\system32\d3draf.dll
    C:\WINDOWS\system32\ddccc.dll
    C:\WINDOWS\system32\ssqqool.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    "C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat "
    "C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat "
    "C:\WINDOWS\system32\tmp1D3.tmp.dll "
    "C:\WINDOWS\system32\tmp21C.tmp.dll "
    "C:\WINDOWS\system32\tmp244.tmp.dll "
    "C:\WINDOWS\system32\tmp6F.tmp.dll "
    "C:\WINDOWS\system32\tmp9.tmp.dll "
    "C:\WINDOWS\system32\tmpA.tmp.dll "
    "C:\WINDOWS\system32\advvpi32.dll "
    "C:\WINDOWS\system32\ldcore.dll "
    "C:\WINDOWS\system32\ldinfo.ldr "
    "C:\WINDOWS\system32\test.exe "
    "C:\WINDOWS\install.exe "
    "C:\WINDOWS\system32\msvcrt64.dll "
    "C:\WINDOWS\system32\dnsersnd.dll "
    "C:\WINDOWS\avp.exe "
    "C:\WINDOWS\system32\boa.dat "
    "C:\WINDOWS\system32\drivers\uzcx.exe "
    "C:\WINDOWS\system32\comi.dll "


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DRIVER
    -------\Driver


    ((((((((((((((((((((((((((((((( Files Created from 2007-05-01 to 2007-06-01 ))))))))))))))))))))))))))))))))))


    2007-06-01 18:53 57,344 --a------ C:\DOCUME~1\ALLUSE~1\APPLIC~1\nojehsjs.exe
    2007-06-01 12:42 6,144 --a------ C:\njynakp.exe
    2007-06-01 12:42 11,776 --a------ C:\WINDOWS\smgr.exe
    2007-06-01 12:41 6,689 --a------ C:\WINDOWS\system32\ldcore.dll
    2007-06-01 12:41 26,112 --a------ C:\syszuit.exe
    2007-06-01 12:41 18,944 --a------ C:\WINDOWS\btn5026v7.exe
    2007-06-01 12:41 <DIR> d-------- C:\WINDOWS\system32\T8QaSQ
    2007-06-01 12:41 <DIR> d-------- C:\Temp\0b9
    2007-06-01 12:41 <DIR> d-------- C:\Temp
    2007-06-01 06:38 <DIR> d-------- C:\VundoFix Backups
    2007-05-31 12:05 28,160 --a------ C:\WINDOWS\system32\sysmon32.exe
    2007-05-31 06:03 146,432 --a------ C:\WINDOWS\system32\swinkndt.exe
    2007-05-31 05:01 106,658 --a------ C:\WINDOWS\cbywwt.dll
    2007-05-31 04:51 1 --a------ C:\WINDOWS\system32\ps.dat
    2007-05-31 04:49 0 --a------ C:\WINDOWS\system32\nso12k.sys
    2007-05-31 03:59 28,160 --a------ C:\WINDOWS\system32\winsys64.exe
    2007-05-31 03:58 933 --a------ C:\WINDOWS\system32\winpfz32.sys
    2007-05-31 03:58 14,390 --a------ C:\syslhlo.exe
    2007-05-04 06:59 <DIR> d-------- C:\Documents and Settings\i026024\.housecall6.6
    2007-05-04 06:59 <DIR> d-------- C:\DOCUME~1\i026024\.housecall6.6
    2007-05-04 06:29 1,152 --a------ C:\WINDOWS\system32\windrv.sys
    2007-05-04 06:28 <DIR> d-------- C:\Program Files\Common Files\Download Manager


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-01 16:16:40 -------- d-----w C:\DOCUME~1\i026024\APPLIC~1\Skype
    2007-04-23 02:30:26 106,767 ------w C:\WINDOWS\sstroo.dll


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {56CD20F0-7C09-11D5-A768-0050042307CE}=C:\Program Files\SAP\SAP Tutor\PlayerIE.dll [2004-10-15 18:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []
    {C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI "= "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant "= "C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload "= "C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck "= "wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector] "= "C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task "= "C:\Program Files\QuickTime\qttask.exe" []
    "mav_startupmon "= "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe" []
    "SNM "= "C:\Program Files\SpyNoMore\SNM.exe" []
    "zyngtczm.exe "= "C:\Documents and Settings\All Users\Application Data\zyngtczm.exe" []
    "smgr "= "smgr.exe" []
    "SunJavaUpdateSched "= "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "nojehsjs.exe "= "C:\Documents and Settings\All Users\Application Data\nojehsjs.exe" [2007-06-01 20:45]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe "= "C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
    "LogitechSoftwareUpdate "= "C:\Program Files\Logitech\Video\ManifestEngine.exe" [2007-03-07 23:06]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "z_Oudescription "=C:\Program Files\SAP\EUS\_OUdescription.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents "=1 (0x1)
    "NoMSAppLogo5ChannelNotify "=0 (0x0)
    "NoToolbarCustomize "=0 (0x0)
    "NoBandCustomize "=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu "=0 (0x0)
    "NoSetActiveDesktop "=0 (0x0)
    "NoWindowsUpdate "=0 (0x0)
    "NoChangeStartMenu "=0 (0x0)
    "NoRecentDocsMenu "=0 (0x0)
    "NoRecentDocsHistory "=0 (0x0)
    "ClearRecentDocsOnExit "=0 (0x0)
    "NoLogoff "=0 (0x0)
    "NoSetTaskbar "=0 (0x0)
    "NoTrayContextMenu "=0 (0x0)
    "NoFileMenu "=0 (0x0)
    "EnforceShellExtensionSecurity "=0 (0x0)
    "LinkResolveIgnoreLinkInfo "=0 (0x0)
    "NoNetConnectDisconnect "=0 (0x0)
    "NoDeletePrinter "=0 (0x0)
    "NoAddPrinter "=0 (0x0)
    "NoPrinterTabs "=0 (0x0)
    "Btn_Back "=0 (0x0)
    "Btn_Forward "=0 (0x0)
    "Btn_Stop "=0 (0x0)
    "Btn_Refresh "=0 (0x0)
    "Btn_Home "=0 (0x0)
    "Btn_Search "=0 (0x0)
    "Btn_History "=0 (0x0)
    "Btn_Favorites "=0 (0x0)
    "Btn_Media "=0 (0x0)
    "Btn_Folders "=0 (0x0)
    "Btn_Fullscreen "=0 (0x0)
    "Btn_Tools "=0 (0x0)
    "Btn_MailNews "=0 (0x0)
    "Btn_Size "=0 (0x0)
    "Btn_Print "=0 (0x0)
    "Btn_Edit "=0 (0x0)
    "Btn_Discussions "=0 (0x0)
    "Btn_Cut "=0 (0x0)
    "Btn_Copy "=0 (0x0)
    "Btn_Paste "=0 (0x0)
    "Btn_Encoding "=0 (0x0)
    "Btn_PrintPreview "=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429} "= "C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "{09D8F992-8FAC-4826-AC73-DB1F1BFCCCB2} "= "msvcrt64.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE "= "C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    ********************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-02 01:16:14
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    ********************************************************************

    Completion time: 2007-06-02 1:20:09 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-02 01:19

    --- E O F ---
     
    Last edited: 2007/06/01
  7. 2007/06/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Oh my....:eek:

    I seem to have overlooked this one. I'm looking at it now and will reply shortly, in between checking the grill as we cook dinner.

    My apologies.


    Be back soon.
     
  8. 2007/06/04
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Ok, we still have quite a bit left over.

    Please do as instructed below in the order presented.

    I asked for the Vundo log earlier; are you still able to retrieve it? If so, please post it here. I'd also like you to DL a fresh copy and run it again, as it's been updated since the end of May. Use this link, please.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\DOCUME~1\ALLUSE~1\APPLIC~1\nojehsjs.exe
    C:\njynakp.exe
    C:\WINDOWS\system32\ldcore.dll
    C:\syszuit.exe
    C:\WINDOWS\btn5026v7.exe
    C:\WINDOWS\system32\T8QaSQ
    C:\WINDOWS\system32\sysmon32.exe
    C:\WINDOWS\system32\swinkndt.exe
    C:\WINDOWS\cbywwt.dll
    C:\WINDOWS\system32\ps.dat
    C:\WINDOWS\system32\nso12k.sys
    C:\WINDOWS\system32\winsys64.exe
    C:\WINDOWS\system32\winpfz32.sys
    C:\syslhlo.exe
    C:\WINDOWS\sstroo.dll
    C:\Documents and Settings\All Users\Application Data\zyngtczm.exe
    C:\Documents and Settings\All Users\Application Data\nojehsjs.exe


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.

    Do not allow a reboot if possible.

    Open HijackThis, select the [Do a system scan only] button and look over the following entries I have listed, check the boxes [] next to them and press the [Fix Checked] button. When you are doing this, make sure you have no IE windows, nor any other browsers open, including this one. Reboot if I have specified below, and post a fresh HijackThis log.

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =


    O2 - BHO: (no name) - AutorunsDisabled - (no file)

    O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)

    O2 - BHO: H - {C9905EF0-610F-4404-9030-A3F345D069F5} - C:\WINDOWS\system32\comi.dll (file missing)

    O3 - Toolbar: AbsoluteToolbar - {7092FE0A-9993-4a48-8949-619A3C4C76B9} - C:\Program Files\AbsoluteToolbar\AbsoluteToolbar152.dll


    O4 - HKLM\..\Run: [mav_startupmon] "C:\Program Files\Common Files\WinAntiVirus Pro 2007\mav_startupmon.exe "

    O4 - HKLM\..\Run: [SNM] C:\Program Files\SpyNoMore\SNM.exe /startup

    O4 - HKLM\..\Run: [zyngtczm.exe] C:\Documents and Settings\All Users\Application Data\zyngtczm.exe


    O4 - HKLM\..\Run: [nojehsjs.exe] C:\Documents and Settings\All Users\Application Data\nojehsjs.exe

    O4 - HKLM\..\RunOnce: [z_Oudescription] C:\Program Files\SAP\EUS\_OUdescription.exe


    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present


    O21 - SSODL: msvcrt64.dll - {09D8F992-8FAC-4826-AC73-DB1F1BFCCCB2} - msvcrt64.dll (file missing)


    O23 - Service: Application Event (msitsk) - Unknown owner - C:\WINDOWS\svchost.exe (file missing)

    O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)



    Reboot and run ComboFix first, then HJT and post both logs back into this thread along with the old Vundo log, if you have it and the new one as well.
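As an added example (not a tool from this thread, and not anything either poster ran), a small Python triage script that applies the same kind of judgement TeMerc is making above to HijackThis log lines: it flags "(file missing)" loading points, O4 autoruns launched from Application Data or carrying machine-generated names, Winlogon Notify DLLs that are not on a small allow-list (the allow-list itself is an assumption), a populated AppInit_DLLs value, and services with no recorded vendor. The sample lines are copied from the logs posted in this thread; the name heuristic is a rough rule of thumb, not a verdict.

```python
import re

# Constructed sample: lines copied from the HijackThis logs posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: IE Redirector - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53} - C:\WINDOWS\system32\dnsersnd.dll (file missing)
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [zyngtczm.exe] C:\Documents and Settings\All Users\Application Data\zyngtczm.exe
O4 - HKLM\..\Run: [smgr] smgr.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: c:\windows\system32\ldcore.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: ssqqool - C:\WINDOWS\SYSTEM32\ssqqool.dll
O21 - SSODL: msvcrt64.dll - {09D8F992-8FAC-4826-AC73-DB1F1BFCCCB2} - msvcrt64.dll (file missing)
O23 - Service: BlackICE - Internet Security Systems, Inc. - C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
O23 - Service: Windows Scheduler (WinShr) - Unknown owner - C:\WINDOWS\system32\netsrv.exe (file missing)
"""

# Assumption: a short analyst-maintained allow-list of Winlogon Notify DLLs that are
# expected on an XP box like this one (stock XP handlers plus the two legitimate
# vendor DLLs seen in the thread). Anything else gets a second look.
KNOWN_NOTIFY_DLLS = {
    "crypt32.dll", "cryptnet.dll", "cscdll.dll", "scecli.dll", "sclgntfy.dll",
    "senslogn.dll", "termsrv.dll", "wlballoon.dll", "wgalogon.dll",
    "igfxsrvc.dll", "pcanotify.dll",
}

# Directories a Run-key autorun rarely has a good reason to launch from.
USER_DATA_DIRS = ("\\application data\\", "\\local settings\\", "\\temp\\")

CONSONANT_RUN = re.compile(r"[b-df-hj-np-tv-xz]+")
HJT_LINE = re.compile(r"(O\d+|R\d)\s+-\s+(.*)")
FILE_REF = re.compile(r"([\w\-]+\.(?:exe|dll|sys))")


def looks_random(filename):
    """Heuristic for machine-generated names such as zyngtczm.exe or nojehsjs.exe:
    an all-letter stem of 7+ characters containing a run of 4+ consonants."""
    stem = filename.lower().rsplit(".", 1)[0]
    if len(stem) < 7 or not stem.isalpha():
        return False
    longest = max((len(run) for run in CONSONANT_RUN.findall(stem)), default=0)
    return longest >= 4


def triage_line(line):
    """Return the reasons one HijackThis line deserves a look (empty list = nothing flagged)."""
    reasons = []
    m = HJT_LINE.match(line.strip())
    if not m:
        return reasons
    section, body = m.groups()
    low = body.lower()
    refs = FILE_REF.findall(low)
    target = refs[-1] if refs else ""   # last file reference is the thing being loaded

    if "(file missing)" in low:
        reasons.append("loading point references a file that no longer exists")
    if section == "O4":
        if any(d in low for d in USER_DATA_DIRS):
            reasons.append("autorun launches from a user data directory")
        if looks_random(target):
            reasons.append(f"autorun file name looks machine-generated ({target})")
    elif section == "O20":
        if "appinit_dlls" in low:
            reasons.append("AppInit_DLLs is populated (normally empty on XP)")
        elif target and target not in KNOWN_NOTIFY_DLLS:
            reasons.append(f"Winlogon Notify DLL not on the allow-list ({target})")
    elif section == "O23" and "unknown owner" in low:
        reasons.append("service has no recorded vendor")
    return reasons


def triage_log(text):
    """Return [(line, reasons), ...] for every flagged line, in log order."""
    return [(line, r) for line in text.splitlines() if (r := triage_line(line))]


if __name__ == "__main__":
    for line, reasons in triage_log(SAMPLE_LOG):
        print(line)
        for reason in reasons:
            print("    ->", reason)
```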
     
  9. 2007/06/05
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    Virus - These are the logs

    Hi,

    I did what you mentioned.
    I ran VundoFix (newest version) and it failed to delete these files:
    c:\windows\system32\efcaw.dll
    c:\windows\system32\mljkhef.dll
    c:\windows\system32\wacfeee.dll
    They disappeared in the second VundoFix run (which didn't find any infected files).

    Then I ran Killbox and HijackThis (for the automatic fix), ComboFix, and VundoFix again (for the log).

    Thanks again for your time and help,
    llan

    Please find all the logs:
    first VundoFix log, second VundoFix log, ComboFix log, HJT log (after all of the above):

    first VundoFix Log:

    VundoFix V6.4.2

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 05:30:12 2007-06-06

    Listing files found while scanning....

    C:\WINDOWS\system32\efcaw.dll
    C:\WINDOWS\system32\mljkhef.dll
    C:\WINDOWS\system32\ufwygfmc.dll
    C:\WINDOWS\system32\wacfe.ini

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\efcaw.dll
    C:\WINDOWS\system32\efcaw.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\mljkhef.dll
    C:\WINDOWS\system32\mljkhef.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\ufwygfmc.dll
    C:\WINDOWS\system32\ufwygfmc.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\wacfe.ini
    C:\WINDOWS\system32\wacfe.ini Has been deleted!

    Performing Repairs to the registry.
    Done!


    second VundoFix log:


    VundoFix V6.4.2

    Checking Java version...

    Java version is 1.4.2.3
    Old versions of java are exploitable and should be removed.

    Scan started at 07:10:23 2007-06-06

    Listing files found while scanning....

    No infected files were found.






    ComboFix:



    "i026024" - 2007-06-06 6:27:53 Service Pack 2 [SAFE MODE]
    ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\i026024\Desktop\ "


    (((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\jiqqowol.dll
    C:\WINDOWS\system32\wacfe.bak1
    C:\WINDOWS\system32\wacfe.ini
    C:\WINDOWS\system32\wacfe.bak1
    C:\WINDOWS\system32\wacfe.ini
    C:\WINDOWS\system32\efcaw.dll
    C:\WINDOWS\system32\mljkhef.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    "C:\DOCUME~1\i026024\APPLIC~1\Install.dat "
    "C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat "
    "C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat "
    "C:\WINDOWS\alerter_snow.exe "
    "C:\WINDOWS\system32\advvpi32.dll "
    "C:\WINDOWS\system32\ldinfo.ldr "
    "C:\WINDOWS\avp.exe "
    "C:\WINDOWS\system32\drivers\uzcx.exe "


    ((((((((((((((((((((((((((((((( Files Created from 2007-05-06 to 2007-06-06 ))))))))))))))))))))))))))))))))))


    2007-06-06 06:29 14,868 --a------ C:\WINDOWS\system32\ywpjujsq.exe
    2007-06-06 06:29 10,752 --a------ C:\WINDOWS\system32\j7241330.dll
    2007-06-06 04:50 <DIR> d-------- C:\!KillBox
    2007-06-05 08:47 2,580 --a------ C:\WINDOWS\system32\ohaoohef.exe
    2007-06-04 08:47 2,580 --a------ C:\WINDOWS\system32\riphfleb.exe
    2007-06-03 10:44 26,112 --a------ C:\syskhhk.exe
    2007-06-03 08:51 2,580 --a------ C:\WINDOWS\system32\loquvtmp.exe
    2007-06-03 08:44 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-06-03 08:41 57,344 --a------ C:\lfyo.exe
    2007-06-03 08:41 53,760 --a------ C:\WINDOWS\system32\wuauclt3.exe
    2007-06-02 03:46 30,720 --a------ C:\WINDOWS\system32\ipmon.exe
    2007-06-02 03:46 26,112 --a------ C:\syscfny.exe
    2007-06-02 01:20 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-01 12:42 11,776 --a------ C:\WINDOWS\smgr.exe
    2007-06-01 12:41 26,112 --------- C:\syszuit.exe
    2007-06-01 12:41 18,944 --------- C:\WINDOWS\btn5026v7.exe
    2007-06-01 12:41 <DIR> d-------- C:\WINDOWS\system32\T8QaSQ
    2007-06-01 12:41 <DIR> d-------- C:\Temp\0b9
    2007-06-01 12:41 <DIR> d-------- C:\Temp
    2007-06-01 06:38 <DIR> d-------- C:\VundoFix Backups
    2007-05-31 12:05 28,160 --------- C:\WINDOWS\system32\sysmon32.exe
    2007-05-31 06:03 146,432 --------- C:\WINDOWS\system32\swinkndt.exe
    2007-05-31 05:01 106,658 --------- C:\WINDOWS\cbywwt.dll
    2007-05-31 04:51 1 --------- C:\WINDOWS\system32\ps.dat
    2007-05-31 04:49 0 --------- C:\WINDOWS\system32\nso12k.sys
    2007-05-31 03:59 28,160 --------- C:\WINDOWS\system32\winsys64.exe
    2007-05-31 03:58 933 --------- C:\WINDOWS\system32\winpfz32.sys
    2007-05-31 03:58 14,390 --------- C:\syslhlo.exe


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-03 05:44:58 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-01 16:16:40 -------- d-----w C:\DOCUME~1\i026024\APPLIC~1\Skype
    2007-05-04 03:29:06 1,152 ----a-w C:\WINDOWS\system32\windrv.sys
    2007-05-04 03:28:53 -------- d-----w C:\Program Files\Common Files\Download Manager
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {56CD20F0-7C09-11D5-A768-0050042307CE}=C:\Program Files\SAP\SAP Tutor\PlayerIE.dll [2004-10-15 18:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []
    {C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck"="wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "smgr"="smgr.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "wuauclt3"="wuauclt3.exe" [2007-06-03 08:41 C:\WINDOWS\system32\wuauclt3.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "VundoFix"="C:\Documents and Settings\i026024\Desktop\vundofix.exe"
    "combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents"=1 (0x1)
    "NoMSAppLogo5ChannelNotify"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)
    "NoBandCustomize"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoLogoff"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "EnforceShellExtensionSecurity"=0 (0x0)
    "LinkResolveIgnoreLinkInfo"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoPrinterTabs"=0 (0x0)
    "Btn_Back"=0 (0x0)
    "Btn_Forward"=0 (0x0)
    "Btn_Stop"=0 (0x0)
    "Btn_Refresh"=0 (0x0)
    "Btn_Home"=0 (0x0)
    "Btn_Search"=0 (0x0)
    "Btn_History"=0 (0x0)
    "Btn_Favorites"=0 (0x0)
    "Btn_Media"=0 (0x0)
    "Btn_Folders"=0 (0x0)
    "Btn_Fullscreen"=0 (0x0)
    "Btn_Tools"=0 (0x0)
    "Btn_MailNews"=0 (0x0)
    "Btn_Size"=0 (0x0)
    "Btn_Print"=0 (0x0)
    "Btn_Edit"=0 (0x0)
    "Btn_Discussions"=0 (0x0)
    "Btn_Cut"=0 (0x0)
    "Btn_Copy"=0 (0x0)
    "Btn_Paste"=0 (0x0)
    "Btn_Encoding"=0 (0x0)
    "Btn_PrintPreview"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    ********************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-06 07:06:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...


    ********************************************************************

    Completion time: 2007-06-06 7:08:56 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-06 07:08
    C:\ComboFix2.txt ... 2007-06-02 01:20

    --- E O F ---





    HJT logs


    StartupList report, 2007-06-06, 07:20:12
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\i026024\Desktop\m\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================
    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe
    --------------------------------------------------
    Listing of startup folders:
    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    BGinfo.lnk = ?
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    --------------------------------------------------
    Checking Windows NT UserInit:
    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,
    --------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    LogitechCameraAssistant = C:\Program Files\Logitech\Video\CameraAssistant.exe
    CfgDownload = C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    AdminCheck = wscript "C:\Program Files\sap\eus\_admincheck.vbs"
    LogitechVideo[inspector] = C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    smgr = smgr.exe
    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    wuauclt3 = wuauclt3.exe
    --------------------------------------------------
    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
    VundoFix = "C:\Documents and Settings\i026024\Desktop\vundofix.exe"
    combofix = C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat
    --------------------------------------------------
    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot
    --------------------------------------------------
    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:
    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*
    Shell & screensaver key from Registry:
    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*
    Policies Shell key:
    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*
    --------------------------------------------------

    Enumerating Browser Helper Objects:
    (no name) - (no file) - AutorunsDisabled
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll - {56CD20F0-7C09-11D5-A768-0050042307CE}
    (no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    IE Redirector - C:\WINDOWS\system32\dnsersnd.dll (file missing) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
    (no name) - C:\WINDOWS\system32\comi.dll (file missing) - {C9905EF0-610F-4404-9030-A3F345D069F5}
    --------------------------------------------------
    Enumerating Download Program Files:
    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab
    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab
    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB
    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\System32\wuweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785
    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\System32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612
    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab
    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab
    --------------------------------------------------
    Enumerating ShellServiceObjectDelayLoad items:
    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: *Registry key not found*
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll
    --------------------------------------------------
    End of report, 6,452 bytes
    Report generated in 0.060 seconds
     
  10. 2007/06/06
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Not quite sure how some of these revived themselves, so let's try KB again, then run a rootkit scan to see if anything is being stealthy.

    Also, please physically disconnect the network cable from that machine before proceeding. It's possible something is calling out for more nasties.


    Open up KillBox again and insert the following files for deletion, using the same instructions:
    C:\WINDOWS\system32\ywpjujsq.exe
    C:\WINDOWS\system32\j7241330.dll
    C:\WINDOWS\system32\ohaoohef.exe
    C:\WINDOWS\system32\riphfleb.exe
    C:\syskhhk.exe
    C:\WINDOWS\system32\loquvtmp.exe
    C:\lfyo.exe
    C:\syscfny.exe
    C:\syszuit.exe
    C:\WINDOWS\btn5026v7.exe
    C:\Temp
    C:\WINDOWS\system32\sysmon32.exe
    C:\WINDOWS\system32\swinkndt.exe
    C:\WINDOWS\cbywwt.dll
    C:\WINDOWS\system32\ps.dat
    C:\WINDOWS\system32\winsys64.exe
    C:\WINDOWS\system32\nso12k.sys
    C:\WINDOWS\system32\winpfz32.sys
    C:\syslhlo.exe


    Allow a reboot, then download GMER from one of the following sites listed on this Google page.
    • Right-click the Zip and select "Extract All".
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit tab and, on the right side, untick the Registry [] box, then click Scan.
    Once the scan is done, hit the [Copy] button, then open Notepad and paste the results here for me to see.

    After running GMER, run CF again and then finally post a fresh HJT log as well. Thanks for your patience.
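    The KillBox list above was built by reading the ComboFix "Files Created" section by eye: random-looking names dropped into system32 or the root of C:, a name one character away from a real system binary (wuauclt3.exe against wuauclt.exe), 0-byte or stub .sys drivers, and the same file size showing up under a fresh name day after day, which is what you would expect if something is still phoning home for re-drops. The script below is an added example, not a tool from this thread or from ComboFix, that writes those heuristics down and runs them over an excerpt of the 2007-06-06 log posted earlier. The SYSTEM_BINARIES and ALLOWLIST sets are my assumptions (mucltui.dll is the Microsoft Update client UI, nircmd.exe is ComboFix's own helper); the heuristics are a pre-filter for a human, not a replacement: they do not catch everything on the list above (j7241330.dll, lfyo.exe and cbywwt.dll slip through), and they say nothing about directories such as C:\Temp.

```python
import re
from collections import defaultdict

# Excerpt of the 2007-06-06 ComboFix "Files Created" section posted above.
COMBOFIX_CREATED = r"""
2007-06-06 06:29 14,868 --a------ C:\WINDOWS\system32\ywpjujsq.exe
2007-06-06 06:29 10,752 --a------ C:\WINDOWS\system32\j7241330.dll
2007-06-06 04:50 <DIR> d-------- C:\!KillBox
2007-06-05 08:47 2,580 --a------ C:\WINDOWS\system32\ohaoohef.exe
2007-06-04 08:47 2,580 --a------ C:\WINDOWS\system32\riphfleb.exe
2007-06-03 10:44 26,112 --a------ C:\syskhhk.exe
2007-06-03 08:51 2,580 --a------ C:\WINDOWS\system32\loquvtmp.exe
2007-06-03 08:44 127,208 --a------ C:\WINDOWS\system32\mucltui.dll
2007-06-03 08:41 57,344 --a------ C:\lfyo.exe
2007-06-03 08:41 53,760 --a------ C:\WINDOWS\system32\wuauclt3.exe
2007-06-02 03:46 30,720 --a------ C:\WINDOWS\system32\ipmon.exe
2007-06-02 03:46 26,112 --a------ C:\syscfny.exe
2007-06-02 01:20 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-01 12:42 11,776 --a------ C:\WINDOWS\smgr.exe
2007-06-01 12:41 26,112 --------- C:\syszuit.exe
2007-05-31 12:05 28,160 --------- C:\WINDOWS\system32\sysmon32.exe
2007-05-31 04:49 0 --------- C:\WINDOWS\system32\nso12k.sys
2007-05-31 03:59 28,160 --------- C:\WINDOWS\system32\winsys64.exe
2007-05-31 03:58 933 --------- C:\WINDOWS\system32\winpfz32.sys
2007-05-31 03:58 14,390 --------- C:\syslhlo.exe
"""

LINE_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d)\s+(<DIR>|[\d,]+)\s+(\S+)\s+(.+?)\s*$")
# Assumed lists: XP binaries that droppers imitate by name, and known-good names
# (mucltui.dll is Microsoft Update's client UI, nircmd.exe is ComboFix's helper).
SYSTEM_BINARIES = {"csrss.exe", "smss.exe", "lsass.exe", "svchost.exe", "winlogon.exe",
                   "services.exe", "wuauclt.exe", "explorer.exe", "ctfmon.exe", "spoolsv.exe"}
ALLOWLIST = {"mucltui.dll", "nircmd.exe"}


def parse_created(text):
    """One dict per log line: date, attrs, path, size (None for <DIR>), lowercase name."""
    entries = []
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            date, size, attrs, path = m.groups()
            entries.append({"date": date, "attrs": attrs, "path": path,
                            "size": None if size == "<DIR>" else int(size.replace(",", "")),
                            "name": path.rsplit("\\", 1)[-1].lower()})
    return entries


def edit_distance(a, b):
    """Levenshtein distance, to spot one-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalikes(entries):
    """Names one edit away from a real system binary (wuauclt3.exe vs wuauclt.exe)."""
    return sorted({e["name"] for e in entries if e["name"] not in SYSTEM_BINARIES
                   and any(edit_distance(e["name"], s) == 1 for s in SYSTEM_BINARIES)})


def random_names(entries):
    """Stems of 6-8 lowercase letters dropped straight into system32 or the root of C:."""
    out = set()
    for e in entries:
        stem, folder = e["name"].rsplit(".", 1)[0], e["path"].lower().rsplit("\\", 1)[0]
        if (e["size"] is not None and e["name"] not in ALLOWLIST
                and re.fullmatch(r"[a-z]{6,8}", stem) and folder in ("c:", r"c:\windows\system32")):
            out.add(e["name"])
    return sorted(out)


def small_drivers(entries, limit=4096):
    """Kernel drivers too small to be real: 0-byte or stub .sys files."""
    return sorted(e["name"] for e in entries
                  if e["name"].endswith(".sys") and e["size"] is not None and e["size"] < limit)


def size_clusters(entries):
    """Different names, identical size: one binary re-dropped under fresh names."""
    by_size = defaultdict(set)
    for e in entries:
        if e["size"]:
            by_size[e["size"]].add(e["name"])
    return {size: sorted(names) for size, names in by_size.items() if len(names) > 1}


def triage(text):
    """Run every heuristic and collect the full paths of everything flagged."""
    entries = parse_created(text)
    findings = {"lookalike": lookalikes(entries), "random_name": random_names(entries),
                "small_driver": small_drivers(entries), "size_cluster": size_clusters(entries)}
    flagged = set(findings["lookalike"] + findings["random_name"] + findings["small_driver"])
    for names in findings["size_cluster"].values():
        flagged.update(names)
    findings["candidates"] = sorted(e["path"] for e in entries if e["name"] in flagged)
    return findings


if __name__ == "__main__":
    for key, value in triage(COMBOFIX_CREATED).items():
        print(f"{key}: {value}")
```

    The size clusters are the part worth looking at first: three 2,580-byte files on three consecutive mornings and three 26,112-byte files in the root of C: are the same two payloads being re-dropped, which is exactly why the network cable has to come out before any more deleting is done.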
     
  11. 2007/06/08
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    Virus - logs

    Hi,

    Please find the logs as asked.

    (I unplugged the computer from the net - this is done from another PC).

    Thanks,
    llan

    GMER Log:
    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-06-09 00:51:35
    Windows 5.1.2600 Service Pack 2


    ---- System - GMER 1.0.12 ----

    SSDT \??\C:\WINDOWS\system32\nso12k.sys ZwQueryDirectoryFile
    SSDT \??\C:\WINDOWS\system32\nso12k.sys ZwQuerySystemInformation
    SSDT \??\C:\WINDOWS\system32\nso12k.sys ZwTerminateProcess

    ---- Devices - GMER 1.0.12 ----

    Device \FileSystem\Ntfs \Ntfs IRP_MJ_CREATE [F8858D32] xpdx.sys

    ---- Processes - GMER 1.0.12 ----

    Process C:\WINDOWS\system32\cssrss.exe (*** hidden *** ) 2264

    ---- Files - GMER 1.0.12 ----

    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\phpMyAdmin\css
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\phpMyAdmin\css\phpmyadmin.css.php
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin\css
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin\css\phpmyadmin.css.php
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\css
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\css\phpmyadmin.css.php
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\css\print.css
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\themes\darkblue_orange\css
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\themes\darkblue_orange\css\theme_left.css.php
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\themes\darkblue_orange\css\theme_print.css.php
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\themes\darkblue_orange\css\theme_right.css.php
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\themes\original\css
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\themes\original\css\theme_left.css.php
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\themes\original\css\theme_print.css.php
    File C:\Documents and Settings\i026024\Desktop\FOLDERS\ilan\bestlife.co.il\www\shop\phpMyAdmin270\themes\original\css\theme_right.css.php
    File C:\WINDOWS\PCHealth\HelpCtr\System\css
    File C:\WINDOWS\PCHealth\HelpCtr\System\css\Behaviors.css
    File C:\WINDOWS\PCHealth\HelpCtr\System\css\Layout.css
    File C:\WINDOWS\system32\cssrss.exe

    ---- EOF - GMER 1.0.12 ----





    Combo Fix Log:
    "i026024" - 2007-06-09 0:53:40 Service Pack 2
    ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\i026024\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    "C:\U.exe"
    "C:\DOCUME~1\i026024\APPLIC~1\Install.dat"
    "C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat"
    "C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat"
    "C:\WINDOWS\system32\drivers\ip6fw.sys"
    "C:\WINDOWS\system32\advvpi32.dll"
    "C:\WINDOWS\system32\ldinfo.ldr"
    "C:\WINDOWS\avp.exe"
    "C:\WINDOWS\system32\drivers\uzcx.exe"


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DRIVER
    -------\Driver


    ((((((((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 ))))))))))))))))))))))))))))))))))


    2007-06-08 23:14 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
    2007-06-08 18:47 58,420 --a------ C:\WINDOWS\system32\xkoobwyg.dll
    2007-06-07 09:42 22,016 --a------ C:\WINDOWS\system32\cssrss.exe
    2007-06-07 09:42 22,016 --a------ C:\squix.exe
    2007-06-06 16:53 67,860 --a------ C:\WINDOWS\system32\xpdx.sys
    2007-06-06 11:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-06 10:55 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-06 04:50 <DIR> d-------- C:\!KillBox
    2007-06-03 08:44 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-06-03 08:41 53,760 --a------ C:\WINDOWS\system32\wuauclt3.exe
    2007-06-02 03:46 30,720 --a------ C:\WINDOWS\system32\ipmon.exe
    2007-06-02 01:20 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-01 12:42 11,776 --a------ C:\WINDOWS\smgr.exe
    2007-06-01 12:41 <DIR> d-------- C:\WINDOWS\system32\T8QaSQ
    2007-06-01 06:38 <DIR> d-------- C:\VundoFix Backups


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-03 05:44:58 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-01 16:16:40 -------- d-----w C:\DOCUME~1\i026024\APPLIC~1\Skype
    2007-05-04 03:29:06 1,152 ----a-w C:\WINDOWS\system32\windrv.sys
    2007-05-04 03:28:53 -------- d-----w C:\Program Files\Common Files\Download Manager
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 19:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 19:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 19:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}=C:\WINDOWS\system32\urqpomn.dll []
    {1C39007B-60D0-45F5-AD06-FED06D92A249}=C:\WINDOWS\system32\mllkj.dll []
    {56CD20F0-7C09-11D5-A768-0050042307CE}=C:\Program Files\SAP\SAP Tutor\PlayerIE.dll [2004-10-15 18:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []
    {C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []
    {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\xkoobwyg.dll [2007-06-08 18:47]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck"="wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "smgr"="smgr.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "wuauclt3"="wuauclt3.exe" [2007-06-03 08:41 C:\WINDOWS\system32\wuauclt3.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents"=1 (0x1)
    "NoMSAppLogo5ChannelNotify"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)
    "NoBandCustomize"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoLogoff"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "EnforceShellExtensionSecurity"=0 (0x0)
    "LinkResolveIgnoreLinkInfo"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoPrinterTabs"=0 (0x0)
    "Btn_Back"=0 (0x0)
    "Btn_Forward"=0 (0x0)
    "Btn_Stop"=0 (0x0)
    "Btn_Refresh"=0 (0x0)
    "Btn_Home"=0 (0x0)
    "Btn_Search"=0 (0x0)
    "Btn_History"=0 (0x0)
    "Btn_Favorites"=0 (0x0)
    "Btn_Media"=0 (0x0)
    "Btn_Folders"=0 (0x0)
    "Btn_Fullscreen"=0 (0x0)
    "Btn_Tools"=0 (0x0)
    "Btn_MailNews"=0 (0x0)
    "Btn_Size"=0 (0x0)
    "Btn_Print"=0 (0x0)
    "Btn_Edit"=0 (0x0)
    "Btn_Discussions"=0 (0x0)
    "Btn_Cut"=0 (0x0)
    "Btn_Copy"=0 (0x0)
    "Btn_Paste"=0 (0x0)
    "Btn_Encoding"=0 (0x0)
    "Btn_PrintPreview"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]
    "{0868E7A4-82FD-48ED-942F-AC7CEC0280C3}"="C:\WINDOWS\system32\urqpomn.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    ********************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-09 06:08:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    ********************************************************************

    Completion time: 2007-06-09 6:10:52 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-09 06:10
    C:\ComboFix2.txt ... 2007-06-06 07:08
    C:\ComboFix3.txt ... 2007-06-02 01:20

    --- E O F ---





    Hijackthis

    StartupList report, 2007-06-09, 06:11:27
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\i026024\Desktop\m\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\smgr.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe
    C:\WINDOWS\system32\cmd.exe
    C:\ComboFix\vfind.cfexe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    BGinfo.lnk = ?
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    LogitechCameraAssistant = C:\Program Files\Logitech\Video\CameraAssistant.exe
    CfgDownload = C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    AdminCheck = wscript "C:\Program Files\sap\eus\_admincheck.vbs"
    LogitechVideo[inspector] = C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    smgr = smgr.exe
    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    wuauclt3 = wuauclt3.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - AutorunsDisabled
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
    (no name) - C:\WINDOWS\system32\mllkj.dll (file missing) - {1C39007B-60D0-45F5-AD06-FED06D92A249}
    (no name) - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll - {56CD20F0-7C09-11D5-A768-0050042307CE}
    (no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    IE Redirector - C:\WINDOWS\system32\dnsersnd.dll (file missing) - {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}
    (no name) - C:\WINDOWS\system32\comi.dll (file missing) - {C9905EF0-610F-4404-9030-A3F345D069F5}
    (no name) - C:\WINDOWS\system32\xkoobwyg.dll - {E12BFF69-38A7-406e-A8EF-2738107A7831}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: *Registry key not found*
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7,125 bytes
    Report generated in 0.070 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  12. 2007/06/08
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, there is a nasty rootkit there, as I suspected. I just noticed your version of ComboFix is fairly old; it was just updated to include this rootkit's removal.

    Can you please download a fresh copy from the same link and run it again? Sorry for the double run; I should have paid more attention to the updates and asked you to download a fresh copy right off. Apologies for that.
     
  13. 2007/06/09
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    new logs of CF (new version) and HJT

    Hi,

    Please find the new logs.
    Thanks for your patience,

    llan

    ComboFix:
    "i026024" - 2007-06-09 0:53:40 Service Pack 2
    ComboFix 07-05.27.BV - Running from: "C:\Documents and Settings\i026024\Desktop\"


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    "C:\U.exe"
    "C:\DOCUME~1\i026024\APPLIC~1\Install.dat"
    "C:\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat"
    "C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat"
    "C:\WINDOWS\system32\drivers\ip6fw.sys"
    "C:\WINDOWS\system32\advvpi32.dll"
    "C:\WINDOWS\system32\ldinfo.ldr"
    "C:\WINDOWS\avp.exe"
    "C:\WINDOWS\system32\drivers\uzcx.exe"


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DRIVER
    -------\Driver


    ((((((((((((((((((((((((((((((( Files Created from 2007-05-08 to 2007-06-08 ))))))))))))))))))))))))))))))))))


    2007-06-08 23:14 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
    2007-06-08 18:47 58,420 --a------ C:\WINDOWS\system32\xkoobwyg.dll
    2007-06-07 09:42 22,016 --a------ C:\WINDOWS\system32\cssrss.exe
    2007-06-07 09:42 22,016 --a------ C:\squix.exe
    2007-06-06 16:53 67,860 --a------ C:\WINDOWS\system32\xpdx.sys
    2007-06-06 11:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-06 10:55 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-06 04:50 <DIR> d-------- C:\!KillBox
    2007-06-03 08:44 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-06-03 08:41 53,760 --a------ C:\WINDOWS\system32\wuauclt3.exe
    2007-06-02 03:46 30,720 --a------ C:\WINDOWS\system32\ipmon.exe
    2007-06-02 01:20 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-01 12:42 11,776 --a------ C:\WINDOWS\smgr.exe
    2007-06-01 12:41 <DIR> d-------- C:\WINDOWS\system32\T8QaSQ
    2007-06-01 06:38 <DIR> d-------- C:\VundoFix Backups


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-03 05:44:58 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-01 16:16:40 -------- d-----w C:\DOCUME~1\i026024\APPLIC~1\Skype
    2007-05-04 03:29:06 1,152 ----a-w C:\WINDOWS\system32\windrv.sys
    2007-05-04 03:28:53 -------- d-----w C:\Program Files\Common Files\Download Manager
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 19:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 19:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 19:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll
    2007-03-08 15:36:28 577,536 ----a-w C:\WINDOWS\system32\user32.dll
    2007-03-08 15:36:28 40,960 ----a-w C:\WINDOWS\system32\mf3216.dll
    2007-03-08 15:36:28 281,600 ----a-w C:\WINDOWS\system32\gdi32.dll
    2007-03-08 13:47:48 1,843,584 ----a-w C:\WINDOWS\system32\win32k.sys


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}=C:\WINDOWS\system32\urqpomn.dll []
    {1C39007B-60D0-45F5-AD06-FED06D92A249}=C:\WINDOWS\system32\mllkj.dll []
    {56CD20F0-7C09-11D5-A768-0050042307CE}=C:\Program Files\SAP\SAP Tutor\PlayerIE.dll [2004-10-15 18:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {C68AE9C0-0909-4DDC-B661-C1AFB9F5AE53}=C:\WINDOWS\system32\dnsersnd.dll []
    {C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []
    {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\xkoobwyg.dll [2007-06-08 18:47]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck"="wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "smgr"="smgr.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "wuauclt3"="wuauclt3.exe" [2007-06-03 08:41 C:\WINDOWS\system32\wuauclt3.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents"=1 (0x1)
    "NoMSAppLogo5ChannelNotify"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)
    "NoBandCustomize"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoLogoff"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "EnforceShellExtensionSecurity"=0 (0x0)
    "LinkResolveIgnoreLinkInfo"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoPrinterTabs"=0 (0x0)
    "Btn_Back"=0 (0x0)
    "Btn_Forward"=0 (0x0)
    "Btn_Stop"=0 (0x0)
    "Btn_Refresh"=0 (0x0)
    "Btn_Home"=0 (0x0)
    "Btn_Search"=0 (0x0)
    "Btn_History"=0 (0x0)
    "Btn_Favorites"=0 (0x0)
    "Btn_Media"=0 (0x0)
    "Btn_Folders"=0 (0x0)
    "Btn_Fullscreen"=0 (0x0)
    "Btn_Tools"=0 (0x0)
    "Btn_MailNews"=0 (0x0)
    "Btn_Size"=0 (0x0)
    "Btn_Print"=0 (0x0)
    "Btn_Edit"=0 (0x0)
    "Btn_Discussions"=0 (0x0)
    "Btn_Cut"=0 (0x0)
    "Btn_Copy"=0 (0x0)
    "Btn_Paste"=0 (0x0)
    "Btn_Encoding"=0 (0x0)
    "Btn_PrintPreview"=0 (0x0)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]
    "{0868E7A4-82FD-48ED-942F-AC7CEC0280C3}"="C:\WINDOWS\system32\urqpomn.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    ********************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-09 06:08:11
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0


    ********************************************************************

    Completion time: 2007-06-09 6:10:52 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-06-09 06:10
    C:\ComboFix2.txt ... 2007-06-06 07:08
    C:\ComboFix3.txt ... 2007-06-02 01:20

    --- E O F ---


    ComboFix - quarantined files:

    2001-08-23 17:00 375808 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\test.exe.vir
    2004-08-04 09:00 29056 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\ip6fw.sys.vir
    2004-08-04 10:56 20480 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\msvcrt64.dll.vir
    2007-04-23 04:55 19625 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\d3draf.dll.vir
    2007-04-23 05:51 37938 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp9.tmp.dll.vir
    2007-05-19 07:59 38200 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp6F.tmp.dll.vir
    2007-05-30 09:53 39221 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp1D3.tmp.dll.vir
    2007-05-31 03:58 19968 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\winkye32.dll.vir
    2007-05-31 03:58 94208 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\dnsersnd.dll.vir
    2007-05-31 04:49 42737 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\comi.dll.vir
    2007-05-31 04:52 1 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\boa.dat.vir
    2007-05-31 04:56 39132 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp244.tmp.dll.vir
    2007-05-31 12:10 39160 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmpA.tmp.dll.vir
    2007-06-01 09:24 39278 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\tmp21C.tmp.dll.vir
    2007-06-01 12:41 26171 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ssqqool.dll.vir
    2007-06-01 12:41 30720 --a------ C:\Qoobox\Quarantine\C\WINDOWS\Install.exe.vir
    2007-06-01 13:21 285273 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ddccc.dll.vir
    2007-06-01 13:21 285273 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\iifff.dll.vir
    2007-06-01 13:21 353 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\fffii.ini.vir
    2007-06-01 13:21 50740 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\levrhtne.dll.vir
    2007-06-01 13:21 608395 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cccdd.bak1.vir
    2007-06-01 13:24 132660 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wwqwfcgh.dll.vir
    2007-06-01 13:24 76412 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\odjegaxr.dll.vir
    2007-06-01 19:12 1101477 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\hgcfwqww.ini.vir
    2007-06-01 21:21 613042 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\cccdd.ini.vir
    2007-06-02 03:46 26171 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mljkhef.dll.vir
    2007-06-02 03:52 285273 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\efcaw.dll.vir
    2007-06-03 08:41 15801 --a------ C:\Qoobox\Quarantine\C\WINDOWS\alerter_snow.exe.vir
    2007-06-06 06:26 652043 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wacfe.bak1.vir
    2007-06-06 06:32 50740 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jiqqowol.dll.vir
    2007-06-06 07:01 652603 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wacfe.ini.vir
    2007-06-06 12:28 19456 --a------ C:\Qoobox\Quarantine\C\WINDOWS\avp.exe.vir
    2007-06-06 16:52 26112 --a------ C:\Qoobox\Quarantine\C\U.exe.vir
    2007-06-06 16:52 26112 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\uzcx.exe.vir
    2007-06-06 16:52 61440 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\advvpi32.dll.vir
    2007-06-06 16:53 1174416 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\LOCALS~1\APPLIC~1\Install.dat.vir
    2007-06-06 16:53 334 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ldinfo.ldr.vir
    2007-06-06 16:54 1174416 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat.vir
    2007-06-07 07:37 0 --a------ C:\Qoobox\Quarantine\C\DOCUME~1\i026024\APPLIC~1\Install.dat.vir
    2007-06-09 01:26 1248 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DRIVER.reg.cf
    2007-06-09 01:26 6689 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ldcore.dll.vir
    2007-06-09 01:26 676 --a------ C:\Qoobox\Quarantine\Registry_backups\services_Driver.reg.cf
    2007-06-09 01:26 762 --a------ C:\Qoobox\Quarantine\Registry_backups\hklm_windowsNT_windows.reg.cf


    Folder PATH listing for volume Local
    Volume serial number is F0A8-73FC
    C:\QOOBOX
    \---Quarantine
        +---C
        |   |   U.exe.vir
        |   |
        |   +---DOCUME~1
        |   |   +---i026024
        |   |   |   \---APPLIC~1
        |   |   |           Install.dat.vir
        |   |   |
        |   |   +---LOCALS~1
        |   |   |   \---APPLIC~1
        |   |   |           Install.dat.vir
        |   |   |
        |   |   \---NETWOR~1
        |   |       \---APPLIC~1
        |   |               Install.dat.vir
        |   |
        |   \---WINDOWS
        |       |   alerter_snow.exe.vir
        |       |   avp.exe.vir
        |       |   Install.exe.vir
        |       |
        |       \---system32
        |           |   advvpi32.dll.vir
        |           |   boa.dat.vir
        |           |   cccdd.bak1.vir
        |           |   cccdd.ini.vir
        |           |   comi.dll.vir
        |           |   d3draf.dll.vir
        |           |   ddccc.dll.vir
        |           |   dnsersnd.dll.vir
        |           |   efcaw.dll.vir
        |           |   fffii.ini.vir
        |           |   hgcfwqww.ini.vir
        |           |   iifff.dll.vir
        |           |   jiqqowol.dll.vir
        |           |   ldcore.dll.vir
        |           |   ldinfo.ldr.vir
        |           |   levrhtne.dll.vir
        |           |   mljkhef.dll.vir
        |           |   msvcrt64.dll.vir
        |           |   odjegaxr.dll.vir
        |           |   ssqqool.dll.vir
        |           |   test.exe.vir
        |           |   tmp1D3.tmp.dll.vir
        |           |   tmp21C.tmp.dll.vir
        |           |   tmp244.tmp.dll.vir
        |           |   tmp6F.tmp.dll.vir
        |           |   tmp9.tmp.dll.vir
        |           |   tmpA.tmp.dll.vir
        |           |   wacfe.bak1.vir
        |           |   wacfe.ini.vir
        |           |   winkye32.dll.vir
        |           |   wwqwfcgh.dll.vir
        |           |
        |           \---drivers
        |                   ip6fw.sys.vir
        |                   uzcx.exe.vir
        |
        \---Registry_backups
                hklm_windowsNT_windows.reg.cf
                LEGACY_DRIVER.reg.cf
                services_Driver.reg.cf





    HJT at the end:
    StartupList report, 2007-06-10, 19:56:09
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\i026024\Desktop\m\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\WINDOWS\System32\msiexec.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\cmd.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\cmd.exe
    C:\ComboFix\vfind.cfexe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    BGinfo.lnk = ?
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    LogitechCameraAssistant = C:\Program Files\Logitech\Video\CameraAssistant.exe
    CfgDownload = C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    AdminCheck = wscript "C:\Program Files\sap\eus\_admincheck.vbs"
    LogitechVideo[inspector] = C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    wuauclt3 = wuauclt3.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - AutorunsDisabled
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
    (no name) - C:\WINDOWS\system32\mllkj.dll (file missing) - {1C39007B-60D0-45F5-AD06-FED06D92A249}
    (no name) - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll - {56CD20F0-7C09-11D5-A768-0050042307CE}
    (no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\WINDOWS\system32\comi.dll (file missing) - {C9905EF0-610F-4404-9030-A3F345D069F5}
    (no name) - C:\WINDOWS\system32\xkoobwyg.dll - {E12BFF69-38A7-406e-A8EF-2738107A7831}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: *Registry key not found*
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 7,014 bytes
    Report generated in 0.070 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
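    A way to triage a StartupList report like the one above automatically, added here as an example; it is not part of the original thread, of HijackThis or of ComboFix. It parses the Run-key and Browser Helper Object sections and applies the checks a removal helper makes by eye: Run entries that are bare filenames, executable names one character away from a genuine Windows binary, system binary names running from outside system32, BHO registrations whose DLL is already gone, and BHOs loading from system32. The sample report embedded in the script is constructed from lines of the post; the SYSTEM_BINARIES list and the heuristics are this example's own assumptions, not rules from either tool.

```python
"""Triage autorun entries from a HijackThis StartupList report (added example).
Sample input is constructed from the post; allowlist and heuristics are assumptions."""
import re

# Genuine Windows binaries the dropped files imitated (wuauclt3.exe vs
# wuauclt.exe, cssrss.exe vs csrss.exe). Assumed list, extend as needed.
SYSTEM_BINARIES = sorted({
    "wuauclt.exe", "csrss.exe", "svchost.exe", "lsass.exe", "smss.exe",
    "winlogon.exe", "services.exe", "ctfmon.exe", "spoolsv.exe", "explorer.exe",
})
SYSTEM32 = "c:\\windows\\system32\\"

# Constructed sample: a subset of the StartupList sections shown above.
SAMPLE_REPORT = r"""
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
smgr = smgr.exe
SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
wuauclt3 = wuauclt3.exe

--------------------------------------------------

Enumerating Browser Helper Objects:

(no name) - (no file) - AutorunsDisabled
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
(no name) - C:\WINDOWS\system32\xkoobwyg.dll - {E12BFF69-38A7-406e-A8EF-2738107A7831}
"""

RUN_LINE = re.compile(r"^(?P<name>[^=]+?)\s*=\s*(?P<cmd>.+)$")
BHO_LINE = re.compile(r"^(?P<label>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?"
                      r" - (?P<clsid>\{[0-9A-Fa-f-]{36}\})$")
EXE_TOKEN = re.compile(r"^(?P<exe>.+?\.(?:exe|com|scr|pif|bat|cmd))(?:\s|$)", re.I)


def executable_of(cmd):
    """Program a Run-key command line launches, with its arguments stripped."""
    cmd = cmd.strip()
    if cmd.startswith('"'):                 # quoted path, arguments follow
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_TOKEN.match(cmd)                # unquoted path that may contain spaces
    return m.group("exe") if m else cmd.split()[0]


def edit_distance(a, b):
    """Levenshtein distance, used to spot one-character lookalike names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_report(text):
    """Return ([(name, command)], [(dll_path, file_missing, clsid)])."""
    run, bhos, section = [], [], None
    for line in (raw.strip() for raw in text.splitlines()):
        if not line or line.startswith("HK"):
            continue
        if line.startswith("Autorun entries from Registry"):
            section = "run"
        elif line.startswith("Enumerating Browser Helper Objects"):
            section = "bho"
        elif line.startswith("---"):
            section = None
        elif section == "run" and (m := RUN_LINE.match(line)):
            run.append((m.group("name").strip(), m.group("cmd")))
        elif section == "bho" and (m := BHO_LINE.match(line)):
            bhos.append((m.group("path"), bool(m.group("missing")), m.group("clsid")))
    return run, bhos


def triage(text):
    """Return (entry, path, reason) findings for the suspicious autoruns."""
    findings = []
    run, bhos = parse_report(text)
    for name, cmd in run:
        exe = executable_of(cmd)
        base = exe.rsplit("\\", 1)[-1].lower()
        if "\\" not in exe:
            # No directory given: CreateProcess resolves the name through its
            # search order, starting in the launching process's own directory
            # (Explorer's C:\WINDOWS), then system32, then PATH.
            findings.append((name, exe, "bare filename, resolved by search order"))
        for legit in SYSTEM_BINARIES:
            if base != legit and edit_distance(base, legit) == 1:
                findings.append((name, exe, f"name imitates {legit}"))
        if base in SYSTEM_BINARIES and "\\" in exe and not exe.lower().startswith(SYSTEM32):
            findings.append((name, exe, "system binary name outside system32"))
    for path, missing, clsid in bhos:
        if missing:
            findings.append((clsid, path, "orphaned BHO: DLL gone, CLSID still registered"))
        elif path.lower().startswith(SYSTEM32):
            # Heuristic: legitimate BHOs install under Program Files, not system32.
            findings.append((clsid, path, "BHO loading from system32 (heuristic)"))
    return findings


if __name__ == "__main__":
    for entry, path, reason in triage(SAMPLE_REPORT):
        print(f"{entry:40} {path:55} {reason}")
```

    Run against the sample it flags exactly the entries the helper went after: `smgr.exe` and `wuauclt3.exe` as bare filenames (both resolve through the CreateProcess search order, which is why the ComboFix log shows them sitting in C:\WINDOWS and system32 respectively), `wuauclt3.exe` again as a lookalike of the real Windows Update client `wuauclt.exe`, the `urqpomn.dll` CLSID as a leftover registration with no file behind it, and `xkoobwyg.dll` as a BHO loading from system32. The two legitimate Program Files entries and the Adobe BHO pass.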
  14. 2007/06/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, let's get what remains.

    Download the Killbox from here and save it to the desktop.
    • Double-click the KillBox icon on your desktop to open it
    • Select "Delete on Reboot"
    • Then select "All files".
    Copy the file names below to the clipboard by highlighting them and pressing Control-C:
    C:\WINDOWS\system32\xkoobwyg.dll
    C:\WINDOWS\system32\cssrss.exe
    C:\squix.exe
    C:\WINDOWS\system32\xpdx.sys
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\system32\ipmon.exe
    C:\WINDOWS\smgr.exe
    C:\WINDOWS\system32\T8QaSQ


    Return to Killbox
    • Go to the File menu, and choose "Paste from Clipboard".
    • Click the red-and-white [Delete File] button.
    • Click "Yes" at the Delete on Reboot prompt. Click "No" at the 'Pending Operations' prompt.


    Reboot and run ComboFix first, then HJT and post both logs back into this thread.
     
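    What the "Delete on Reboot" step above does underneath, as an added example that is not from the thread or from Killbox itself. Delete-on-reboot tools of this kind typically call the Win32 function MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records a source/destination pair in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager; an empty destination means "delete", and smss.exe carries the list out early in the next boot, before Explorer or Internet Explorer can load the files again. The script builds that value for two of the paths listed above, encodes it the way regedit's hex(7) notation does, and decodes it back; that Killbox uses exactly this call is an assumption, and the target list is constructed from the post.

```python
"""Registry content behind a delete-on-reboot request (added example).
Assumes the MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT) layout: source/destination
pairs in PendingFileRenameOperations, empty destination meaning delete."""

KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
VALUE = "PendingFileRenameOperations"

# Constructed input: two of the paths the helper asked to have deleted above.
TARGETS = [r"C:\WINDOWS\system32\xkoobwyg.dll", r"C:\squix.exe"]


def pending_delete_entries(paths):
    """Source/destination pairs: NT-style \\??\\ path of the file, then "" for delete."""
    entries = []
    for p in paths:
        entries += ["\\??\\" + p, ""]
    return entries


def encode_multi_sz(strings):
    """REG_MULTI_SZ bytes: each string as UTF-16LE plus NUL, then one more NUL."""
    return b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings) + b"\x00\x00"


def decode_multi_sz(data):
    """Inverse of encode_multi_sz; keeps empty strings, which this value relies on."""
    text = data.decode("utf-16-le")
    if text in ("", "\x00"):
        return []
    if not text.endswith("\x00\x00"):
        raise ValueError("REG_MULTI_SZ is not double-NUL terminated")
    return text[:-2].split("\x00")  # drop list terminator and last string's NUL


def scheduled_deletions(strings):
    """Files smss.exe will delete at boot: the pairs whose destination is empty."""
    pairs = zip(strings[0::2], strings[1::2])
    return [src[4:] if src.startswith("\\??\\") else src for src, dst in pairs if dst == ""]


def reg_export(strings):
    """.reg text for the value in regedit's hex(7) (REG_MULTI_SZ) notation."""
    hexed = ",".join(f"{b:02x}" for b in encode_multi_sz(strings))
    return f'Windows Registry Editor Version 5.00\n\n[{KEY}]\n"{VALUE}"=hex(7):{hexed}\n'


def reg_parse_multi_sz(reg_text):
    """Read the value back from .reg text; tolerates regedit's backslash line wrapping."""
    joined = reg_text.replace("\\\r\n", "").replace("\\\n", "")
    for line in joined.splitlines():
        if line.startswith(f'"{VALUE}"=hex(7):'):
            hexpart = line.split("hex(7):", 1)[1]
            return decode_multi_sz(bytes(int(h, 16) for h in hexpart.split(",") if h.strip()))
    raise ValueError(f"{VALUE} not found")


if __name__ == "__main__":
    entries = pending_delete_entries(TARGETS)
    print(reg_export(entries))
    print("deleted at next boot:", scheduled_deletions(entries))
```

    Two caveats a practitioner would want: merging a .reg like this replaces whatever the value already holds (Windows Installer queues its own renames there), so a real tool appends to the existing list rather than overwriting it, and writing the key needs administrative rights. The list is processed after the kernel and its boot-start and system-start drivers are already loaded, so a rootkit driver of the kind ComboFix removed earlier in this thread can still interfere; re-scanning after the reboot, as the instructions above ask, is how you confirm the deletions actually happened.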
  15. 2007/06/10
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    logs

    Hi,

    Please find the logs below,

    llan

    ComboFix
    "i026024" - 2007-06-11 7:48:46 Service Pack 2 NTFS
    ComboFix 07-06-3B - Running from: "C:\Documents and Settings\i026024\Desktop\"


    ((((((((((((((((((((((((( Files Created from 2007-05-11 to 2007-06-11 )))))))))))))))))))))))))))))))


    2007-06-10 13:00 <DIR> d-------- C:\Avenger
    2007-06-08 23:14 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
    2007-06-08 18:47 58,420 --------- C:\WINDOWS\system32\xkoobwyg.dll
    2007-06-07 09:42 22,016 --------- C:\WINDOWS\system32\cssrss.exe
    2007-06-07 09:42 22,016 --------- C:\squix.exe
    2007-06-06 11:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-06 10:55 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-06 04:50 <DIR> d-------- C:\!KillBox
    2007-06-03 08:44 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-06-03 08:41 53,760 --------- C:\WINDOWS\system32\wuauclt3.exe
    2007-06-02 03:46 30,720 --------- C:\WINDOWS\system32\ipmon.exe
    2007-06-02 01:20 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-01 06:38 <DIR> d-------- C:\VundoFix Backups


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-03 05:44:58 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-01 16:16:40 -------- d-----w C:\DOCUME~1\i026024\APPLIC~1\Skype
    2007-05-04 03:29:06 1,152 ----a-w C:\WINDOWS\system32\windrv.sys
    2007-05-04 03:28:53 -------- d-----w C:\Program Files\Common Files\Download Manager
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 19:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 19:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 19:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}=C:\WINDOWS\system32\urqpomn.dll []
    {1C39007B-60D0-45F5-AD06-FED06D92A249}=C:\WINDOWS\system32\mllkj.dll []
    {56CD20F0-7C09-11D5-A768-0050042307CE}=C:\Program Files\SAP\SAP Tutor\PlayerIE.dll [2004-10-15 18:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []
    {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\xkoobwyg.dll [2007-06-08 18:47]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck"="wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "wuauclt3"="wuauclt3.exe" [2007-06-03 08:41 C:\WINDOWS\system32\wuauclt3.exe]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents"=1 (0x1)
    "NoMSAppLogo5ChannelNotify"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)
    "NoBandCustomize"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoLogoff"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "EnforceShellExtensionSecurity"=0 (0x0)
    "LinkResolveIgnoreLinkInfo"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoPrinterTabs"=0 (0x0)
    "Btn_Back"=0 (0x0)
    "Btn_Forward"=0 (0x0)
    "Btn_Stop"=0 (0x0)
    "Btn_Refresh"=0 (0x0)
    "Btn_Home"=0 (0x0)
    "Btn_Search"=0 (0x0)
    "Btn_History"=0 (0x0)
    "Btn_Favorites"=0 (0x0)
    "Btn_Media"=0 (0x0)
    "Btn_Folders"=0 (0x0)
    "Btn_Fullscreen"=0 (0x0)
    "Btn_Tools"=0 (0x0)
    "Btn_MailNews"=0 (0x0)
    "Btn_Size"=0 (0x0)
    "Btn_Print"=0 (0x0)
    "Btn_Edit"=0 (0x0)
    "Btn_Discussions"=0 (0x0)
    "Btn_Cut"=0 (0x0)
    "Btn_Copy"=0 (0x0)
    "Btn_Paste"=0 (0x0)
    "Btn_Encoding"=0 (0x0)
    "Btn_PrintPreview"=0 (0x0)
    "NoActiveDesktopChanges"=0
    "NoClose"=0
    "NoSetFolders"=0
    "NoViewContextMenu"=0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]
    "{0868E7A4-82FD-48ED-942F-AC7CEC0280C3}"="C:\WINDOWS\system32\urqpomn.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-11 08:20:56
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-11 8:22:37
    C:\ComboFix-quarantined-files.txt ... 2007-06-11 08:22
    C:\ComboFix3.txt ... 2007-06-06 07:08

    --- E O F ---


    HJT
    StartupList report, 2007-06-11, 08:28:07
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\i026024\Desktop\m\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    BGinfo.lnk = ?
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    LogitechCameraAssistant = C:\Program Files\Logitech\Video\CameraAssistant.exe
    CfgDownload = C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    AdminCheck = wscript "C:\Program Files\sap\eus\_admincheck.vbs"
    LogitechVideo[inspector] = C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    wuauclt3 = wuauclt3.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - AutorunsDisabled
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
    (no name) - C:\WINDOWS\system32\mllkj.dll (file missing) - {1C39007B-60D0-45F5-AD06-FED06D92A249}
    (no name) - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll - {56CD20F0-7C09-11D5-A768-0050042307CE}
    (no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\WINDOWS\system32\comi.dll (file missing) - {C9905EF0-610F-4404-9030-A3F345D069F5}
    (no name) - C:\WINDOWS\system32\xkoobwyg.dll - {E12BFF69-38A7-406e-A8EF-2738107A7831}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: *Registry key not found*
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 6,809 bytes
    Report generated in 0.090 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  16. 2007/06/10
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    Grrr.... something's not allowing those to be removed. Let's run an RK scan.

    Download GMER from one of the following sites listed on this Google page.
    • Right-click the Zip and select "Extract All"
    • Double-click gmer.exe to launch the program.
    • Click on the Rootkit tab and on the right side, untick the Registry [] box, then click Scan.
    Once the scan is done, hit the [copy] button, then open Notepad and paste the results here for me to see.
     
  17. 2007/06/10
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    logs for virus

    Hi, please find the logs, llan

    gmer
    GMER 1.0.12.12011 - http://www.gmer.net
    Rootkit scan 2007-06-11 19:35:48
    Windows 5.1.2600 Service Pack 2


    ---- Kernel code sections - GMER 1.0.12 ----

    .text tcpip.sys!IPRcvPacket + 27 F48915C7 8 Bytes JMP F848C221 BlackDrv.sys
    .text tcpip.sys!IPTransmit + 5 F4892C43 6 Bytes JMP F848BFCD BlackDrv.sys
    .text tcpip.sys!SetIPSecPtr + 10 F48A7180 6 Bytes CALL F848BDFE BlackDrv.sys
    .text tcpip.sys!tcpxsum + 6F55 F48B403D 1 Byte [ EB ]
    .text ipfltdrv.sys F7F6A037 4 Bytes [ 48, 21, 52, 00 ]

    ---- Devices - GMER 1.0.12 ----

    Device \Driver\IpFilterDriver \Device\IPFILTERDRIVER IRP_MJ_DEVICE_CONTROL [F849955A] BlackDrv.sys

    ---- EOF - GMER 1.0.12 ----

    HJT
    StartupList report, 2007-06-11, 19:37:10
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\i026024\Desktop\m\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\explorer.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    BGinfo.lnk = ?
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    LogitechCameraAssistant = C:\Program Files\Logitech\Video\CameraAssistant.exe
    CfgDownload = C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    AdminCheck = wscript "C:\Program Files\sap\eus\_admincheck.vbs"
    LogitechVideo[inspector] = C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    wuauclt3 = wuauclt3.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - AutorunsDisabled
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
    (no name) - C:\WINDOWS\system32\mllkj.dll (file missing) - {1C39007B-60D0-45F5-AD06-FED06D92A249}
    (no name) - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll - {56CD20F0-7C09-11D5-A768-0050042307CE}
    (no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\WINDOWS\system32\comi.dll (file missing) - {C9905EF0-610F-4404-9030-A3F345D069F5}
    (no name) - C:\WINDOWS\system32\xkoobwyg.dll - {E12BFF69-38A7-406e-A8EF-2738107A7831}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: *Registry key not found*
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 6,809 bytes
    Report generated in 0.311 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  18. 2007/06/11
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    OK, I think I see the problem here. We have rogue files running, so KillBox can't get them.

    OK, download a different version of KillBox from here; look for the 'Download KillBox' link on the upper-left hand side.

    Run it again. Once it is running, tick the 'Processes' >>> tab. Once that expands, kill the following process:
    C:\WINDOWS\system32\wuauclt3.exe
    (all instances)

    Then, using the same instructions as previously, insert the following files for deletion:
    C:\WINDOWS\system32\xkoobwyg.dll
    C:\WINDOWS\system32\cssrss.exe
    C:\squix.exe
    C:\WINDOWS\system32\wuauclt3.exe
    C:\WINDOWS\system32\ipmon.exe


    Reboot and run ComboFix first, then HJT, and post both logs back into this thread.
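Added example, not part of this thread or of any of the tools named in it: a small Python triage script that parses the StartupList sections posted above (process list, Run keys, BHOs) and flags the three signals being acted on here: a Run value that is a bare file name with no directory (wuauclt3.exe, which only resembles the genuine wuauclt.exe), a BHO whose DLL is reported "(file missing)", and an image that is running more than once. The sample report is a constructed, trimmed copy of the log above; the heuristics and the svchost allowlist are my own assumptions, not HijackThis or ComboFix logic.

```python
"""Triage heuristics for a HijackThis StartupList report (added example, not from the thread)."""
import re
from collections import Counter

# Constructed sample: a trimmed copy of the StartupList sections posted in the thread.
SAMPLE_REPORT = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt3.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt3.exe
C:\WINDOWS\explorer.exe
--------------------------------------------------
Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
AdminCheck = wscript "C:\Program Files\sap\eus\_admincheck.vbs"
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
wuauclt3 = wuauclt3.exe
--------------------------------------------------
Enumerating Browser Helper Objects:
(no name) - (no file) - AutorunsDisabled
(no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
(no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
(no name) - C:\WINDOWS\system32\xkoobwyg.dll - {E12BFF69-38A7-406e-A8EF-2738107A7831}
--------------------------------------------------
"""

SEPARATOR = re.compile(r"^-{10,}$")
# A Run value that is just "name.exe" (no drive or directory) is resolved through the
# search path, which is how wuauclt3.exe sits beside the genuine wuauclt.exe.
BARE_NAME = re.compile(r'^"?([^\\/":]+\.(?:exe|dll|scr|com|bat|cmd|vbs))"?(\s|$)', re.I)
# Assumption: images that legitimately run several copies on Windows XP.
KNOWN_MULTI_INSTANCE = {"svchost.exe"}


def split_sections(report):
    """Map each heading to its non-blank body lines; autorun sections get the hive key appended."""
    sections, heading, body = {}, None, []
    for raw in report.splitlines():
        line = raw.strip()
        if SEPARATOR.match(line):
            if heading is not None:
                sections[heading] = body
            heading, body = None, []
            continue
        if not line:
            continue
        if heading is None:
            heading = line.rstrip(":")
        elif not body and heading.startswith("Autorun entries") and line.startswith("HK"):
            heading = f"{heading} {line}"  # the report prints the registry key under the heading
        else:
            body.append(line)
    if heading is not None:
        sections[heading] = body
    return sections


def flag_bare_autoruns(sections):
    """Return (hive, value name, command) for Run entries whose command has no directory."""
    findings = []
    for heading, body in sections.items():
        if not heading.startswith("Autorun entries"):
            continue
        hive = heading.split()[-1].split("\\")[0]
        for entry in body:
            name, _, command = entry.partition(" = ")
            if BARE_NAME.match(command.strip()):
                findings.append((hive, name.strip(), command.strip()))
    return findings


def flag_missing_bhos(sections):
    """Return (DLL path, CLSID) for BHO registrations whose DLL is gone from disk."""
    missing = []
    for entry in sections.get("Enumerating Browser Helper Objects", []):
        parts = [p.strip() for p in entry.split(" - ")]
        if len(parts) == 3 and parts[1].endswith("(file missing)"):
            missing.append((parts[1][:-len(" (file missing)")], parts[2]))
    return missing


def flag_duplicate_processes(sections):
    """Return {lower-cased image path: count} for images running more than once."""
    counts = Counter(p.lower() for p in sections.get("Running processes", []))
    return {path: n for path, n in counts.items()
            if n > 1 and path.rsplit("\\", 1)[-1] not in KNOWN_MULTI_INSTANCE}


def triage(report):
    """Run all three heuristics over one StartupList report."""
    sections = split_sections(report)
    return {"bare_autoruns": flag_bare_autoruns(sections),
            "missing_bhos": flag_missing_bhos(sections),
            "duplicate_processes": flag_duplicate_processes(sections)}
```

Running `triage(SAMPLE_REPORT)` reports the bare `wuauclt3.exe` Run value, the `urqpomn.dll` BHO with no file behind it, and the two running copies of `wuauclt3.exe`, which is exactly the set the posts above single out.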
     
  19. 2007/06/12
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    new logs for virus

    Please find the logs,
    thanks,
    llan

    combofix

    av "i026024" - 2007-06-13 7:54:20 Service Pack 2 NTFS
    ComboFix 07-06-3B - Running from: "C:\Documents and Settings\i026024\Desktop\"


    ((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


    2007-06-10 13:00 <DIR> d-------- C:\Avenger
    2007-06-08 23:14 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
    2007-06-06 11:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-06 10:55 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-06 04:50 <DIR> d-------- C:\!KillBox
    2007-06-03 08:44 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-06-02 01:20 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-01 06:38 <DIR> d-------- C:\VundoFix Backups


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-03 05:44:58 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-01 16:16:40 -------- d-----w C:\DOCUME~1\i026024\APPLIC~1\Skype
    2007-05-04 03:29:06 1,152 ----a-w C:\WINDOWS\system32\windrv.sys
    2007-05-04 03:28:53 -------- d-----w C:\Program Files\Common Files\Download Manager
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 19:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 19:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 19:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}=C:\WINDOWS\system32\urqpomn.dll []
    {1C39007B-60D0-45F5-AD06-FED06D92A249}=C:\WINDOWS\system32\mllkj.dll []
    {56CD20F0-7C09-11D5-A768-0050042307CE}=C:\Program Files\SAP\SAP Tutor\PlayerIE.dll [2004-10-15 18:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []
    {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\xkoobwyg.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck"="wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "wuauclt3"="wuauclt3.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents"=1 (0x1)
    "NoMSAppLogo5ChannelNotify"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)
    "NoBandCustomize"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoLogoff"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "EnforceShellExtensionSecurity"=0 (0x0)
    "LinkResolveIgnoreLinkInfo"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoPrinterTabs"=0 (0x0)
    "Btn_Back"=0 (0x0)
    "Btn_Forward"=0 (0x0)
    "Btn_Stop"=0 (0x0)
    "Btn_Refresh"=0 (0x0)
    "Btn_Home"=0 (0x0)
    "Btn_Search"=0 (0x0)
    "Btn_History"=0 (0x0)
    "Btn_Favorites"=0 (0x0)
    "Btn_Media"=0 (0x0)
    "Btn_Folders"=0 (0x0)
    "Btn_Fullscreen"=0 (0x0)
    "Btn_Tools"=0 (0x0)
    "Btn_MailNews"=0 (0x0)
    "Btn_Size"=0 (0x0)
    "Btn_Print"=0 (0x0)
    "Btn_Edit"=0 (0x0)
    "Btn_Discussions"=0 (0x0)
    "Btn_Cut"=0 (0x0)
    "Btn_Copy"=0 (0x0)
    "Btn_Paste"=0 (0x0)
    "Btn_Encoding"=0 (0x0)
    "Btn_PrintPreview"=0 (0x0)
    "NoActiveDesktopChanges"=0
    "NoClose"=0
    "NoSetFolders"=0
    "NoViewContextMenu"=0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]
    "{0868E7A4-82FD-48ED-942F-AC7CEC0280C3}"="C:\WINDOWS\system32\urqpomn.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-13 08:25:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-13 8:26:48
    C:\ComboFix-quarantined-files.txt ... 2007-06-13 08:26
    C:\ComboFix2.txt ... 2007-06-11 08:22
    C:\ComboFix3.txt ... 2007-06-06 07:08

    --- E O F ---



    HJT

    StartupList report, 2007-06-13, 09:27:04
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\i026024\Desktop\m\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    BGinfo.lnk = ?
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    LogitechCameraAssistant = C:\Program Files\Logitech\Video\CameraAssistant.exe
    CfgDownload = C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    AdminCheck = wscript "C:\Program Files\sap\eus\_admincheck.vbs"
    LogitechVideo[inspector] = C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    wuauclt3 = wuauclt3.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - AutorunsDisabled
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
    (no name) - C:\WINDOWS\system32\mllkj.dll (file missing) - {1C39007B-60D0-45F5-AD06-FED06D92A249}
    (no name) - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll - {56CD20F0-7C09-11D5-A768-0050042307CE}
    (no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\WINDOWS\system32\comi.dll (file missing) - {C9905EF0-610F-4404-9030-A3F345D069F5}
    (no name) - C:\WINDOWS\system32\xkoobwyg.dll (file missing) - {E12BFF69-38A7-406e-A8EF-2738107A7831}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: *Registry key not found*
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 6,789 bytes
    Report generated in 0.140 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
     
  20. 2007/06/12
    prophete

    prophete Inactive Thread Starter

    Joined:
    2007/05/31
    Messages:
    29
    Likes Received:
    0
    new logs for virus

    Please find the logs,
    thanks,
    llan

    combofix

    av "i026024" - 2007-06-13 7:54:20 Service Pack 2 NTFS
    ComboFix 07-06-3B - Running from: "C:\Documents and Settings\i026024\Desktop\"


    ((((((((((((((((((((((((( Files Created from 2007-05-13 to 2007-06-13 )))))))))))))))))))))))))))))))


    2007-06-10 13:00 <DIR> d-------- C:\Avenger
    2007-06-08 23:14 3,888 --a------ C:\WINDOWS\system32\drivers\NTHANDLE.SYS
    2007-06-06 11:01 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-06-06 10:55 <DIR> d-------- C:\Program Files\MSXML 4.0
    2007-06-06 04:50 <DIR> d-------- C:\!KillBox
    2007-06-03 08:44 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-06-02 01:20 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-06-01 06:38 <DIR> d-------- C:\VundoFix Backups


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-06-03 05:44:58 -------- d--h--w C:\Program Files\WindowsUpdate
    2007-06-01 16:16:40 -------- d-----w C:\DOCUME~1\i026024\APPLIC~1\Skype
    2007-05-04 03:29:06 1,152 ----a-w C:\WINDOWS\system32\windrv.sys
    2007-05-04 03:28:53 -------- d-----w C:\Program Files\Common Files\Download Manager
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-16 19:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-16 19:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-16 19:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-16 19:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-16 19:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-16 19:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-16 19:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-16 19:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-16 19:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-03-17 13:43:01 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}=C:\WINDOWS\system32\urqpomn.dll []
    {1C39007B-60D0-45F5-AD06-FED06D92A249}=C:\WINDOWS\system32\mllkj.dll []
    {56CD20F0-7C09-11D5-A768-0050042307CE}=C:\Program Files\SAP\SAP Tutor\PlayerIE.dll [2004-10-15 18:20]
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]
    {C9905EF0-610F-4404-9030-A3F345D069F5}=C:\WINDOWS\system32\comi.dll []
    {E12BFF69-38A7-406e-A8EF-2738107A7831}=C:\WINDOWS\system32\xkoobwyg.dll []

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "McAfeeUpdaterUI"="C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" []
    "LogitechCameraAssistant"="C:\Program Files\Logitech\Video\CameraAssistant.exe" []
    "CfgDownload"="C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe" []
    "AdminCheck"="wscript C:\Program Files\sap\eus\_admincheck.vbs" []
    "LogitechVideo[inspector]"="C:\Program Files\Logitech\Video\InstallHelper.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]
    "wuauclt3"="wuauclt3.exe" []

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 10:56]
    "LogitechSoftwareUpdate"="C:\Program Files\Logitech\Video\ManifestEngine.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "NoRemoteRecursiveEvents"=1 (0x1)
    "NoMSAppLogo5ChannelNotify"=0 (0x0)
    "NoToolbarCustomize"=0 (0x0)
    "NoBandCustomize"=0 (0x0)

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoFavoritesMenu"=0 (0x0)
    "NoSetActiveDesktop"=0 (0x0)
    "NoWindowsUpdate"=0 (0x0)
    "NoChangeStartMenu"=0 (0x0)
    "NoRecentDocsMenu"=0 (0x0)
    "NoRecentDocsHistory"=0 (0x0)
    "ClearRecentDocsOnExit"=0 (0x0)
    "NoLogoff"=0 (0x0)
    "NoSetTaskbar"=0 (0x0)
    "NoTrayContextMenu"=0 (0x0)
    "NoFileMenu"=0 (0x0)
    "EnforceShellExtensionSecurity"=0 (0x0)
    "LinkResolveIgnoreLinkInfo"=0 (0x0)
    "NoNetConnectDisconnect"=0 (0x0)
    "NoDeletePrinter"=0 (0x0)
    "NoAddPrinter"=0 (0x0)
    "NoPrinterTabs"=0 (0x0)
    "Btn_Back"=0 (0x0)
    "Btn_Forward"=0 (0x0)
    "Btn_Stop"=0 (0x0)
    "Btn_Refresh"=0 (0x0)
    "Btn_Home"=0 (0x0)
    "Btn_Search"=0 (0x0)
    "Btn_History"=0 (0x0)
    "Btn_Favorites"=0 (0x0)
    "Btn_Media"=0 (0x0)
    "Btn_Folders"=0 (0x0)
    "Btn_Fullscreen"=0 (0x0)
    "Btn_Tools"=0 (0x0)
    "Btn_MailNews"=0 (0x0)
    "Btn_Size"=0 (0x0)
    "Btn_Print"=0 (0x0)
    "Btn_Edit"=0 (0x0)
    "Btn_Discussions"=0 (0x0)
    "Btn_Cut"=0 (0x0)
    "Btn_Copy"=0 (0x0)
    "Btn_Paste"=0 (0x0)
    "Btn_Encoding"=0 (0x0)
    "Btn_PrintPreview"=0 (0x0)
    "NoActiveDesktopChanges"=0
    "NoClose"=0
    "NoSetFolders"=0
    "NoViewContextMenu"=0

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]
    "{0868E7A4-82FD-48ED-942F-AC7CEC0280C3}"="C:\WINDOWS\system32\urqpomn.dll" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\PCANotify]
    PCANotify.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
    backup=C:\WINDOWS\pss\HotSync Manager.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^i026024^Start Menu^Programs^Startup^PartMetBackup.lnk]
    backup=C:\WINDOWS\pss\PartMetBackup.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Babylon Client]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Easy-PrintToolBox]
    C:\Program Files\Canon\Easy-PrintToolBox\BJPSMAIN.EXE /logon

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    "C:\Program Files\iTunes\iTunesHelper.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    "C:\Program Files\Messenger\msmsgs.exe" /background

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
    C:\WINDOWS\system32\NeroCheck.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
    C:\Program Files\Picasa2\PicasaMediaDetector.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
    C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "ShStatEXE"="C:\Program Files\Network Associates\VirusScan\SHSTAT.EXE" /STANDALONE

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*


    **************************************************************************

    catchme 0.3.692 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-06-13 08:25:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-06-13 8:26:48
    C:\ComboFix-quarantined-files.txt ... 2007-06-13 08:26
    C:\ComboFix2.txt ... 2007-06-11 08:22
    C:\ComboFix3.txt ... 2007-06-06 07:08

    --- E O F ---



    HJT

    StartupList report, 2007-06-13, 09:27:04
    StartupList version: 1.52.2
    Started from : C:\Documents and Settings\i026024\Desktop\m\HijackThis.EXE
    Detected: Windows XP SP2 (WinNT 5.01.2600)
    Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    * Using default options
    ==================================================

    Running processes:

    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    c:\program files\common files\logitech\lvmvfm\LVPrcSrv.exe
    C:\Program Files\ISS\issSensors\DesktopProtection\blackd.exe
    C:\WINDOWS\SYSTEM32\DNTUS26.EXE
    C:\WINDOWS\SYSTEM32\DWRCS.EXE
    C:\Program Files\Network Associates\VirusScan\vstskmgr.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\CCM\CcmExec.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\i026024\Desktop\m\HijackThis.exe

    --------------------------------------------------

    Listing of startup folders:

    Shell folders Common Startup:
    [C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
    Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    BGinfo.lnk = ?
    Logitech Desktop Messenger.lnk = C:\Program Files\Logitech\Desktop Messenger\8876480\Program\LDMConf.exe
    Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe

    --------------------------------------------------

    Checking Windows NT UserInit:

    [HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    UserInit = C:\WINDOWS\system32\userinit.exe,

    --------------------------------------------------

    Autorun entries from Registry:
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run

    McAfeeUpdaterUI = "C:\Program Files\Network Associates\Common Framework\UpdaterUI.exe" /StartedFromRunKey
    LogitechCameraAssistant = C:\Program Files\Logitech\Video\CameraAssistant.exe
    CfgDownload = C:\Program Files\IXOS\IXOS-eCONtext\bin\CfgDownload.exe
    AdminCheck = wscript "C:\Program Files\sap\eus\_admincheck.vbs"
    LogitechVideo[inspector] = C:\Program Files\Logitech\Video\InstallHelper.exe /inspect
    QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
    SunJavaUpdateSched = "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    wuauclt3 = wuauclt3.exe

    --------------------------------------------------

    Autorun entries from Registry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
    LogitechSoftwareUpdate = "C:\Program Files\Logitech\Video\ManifestEngine.exe" boot

    --------------------------------------------------

    Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

    Shell=*INI section not found*
    SCRNSAVE.EXE=*INI section not found*
    drivers=*INI section not found*

    Shell & screensaver key from Registry:

    Shell=Explorer.exe
    SCRNSAVE.EXE=*Registry value not found*
    drivers=*Registry value not found*

    Policies Shell key:

    HKCU\..\Policies: Shell=*Registry value not found*
    HKLM\..\Policies: Shell=*Registry value not found*

    --------------------------------------------------


    Enumerating Browser Helper Objects:

    (no name) - (no file) - AutorunsDisabled
    (no name) - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
    (no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
    (no name) - C:\WINDOWS\system32\mllkj.dll (file missing) - {1C39007B-60D0-45F5-AD06-FED06D92A249}
    (no name) - C:\Program Files\SAP\SAP Tutor\PlayerIE.dll - {56CD20F0-7C09-11D5-A768-0050042307CE}
    (no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
    (no name) - C:\WINDOWS\system32\comi.dll (file missing) - {C9905EF0-610F-4404-9030-A3F345D069F5}
    (no name) - C:\WINDOWS\system32\xkoobwyg.dll (file missing) - {E12BFF69-38A7-406e-A8EF-2738107A7831}

    --------------------------------------------------

    Enumerating Download Program Files:

    [Shockwave ActiveX Control]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Director\SwDir.dll
    CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/director/sw.cab

    [ewidoOnlineScan Control]
    InProcServer32 = C:\WINDOWS\DOWNLO~1\EWIDOO~1.DLL
    CODEBASE = http://downloads.ewido.net/ewidoOnlineScan.cab

    [Trend Micro ActiveX Scan Agent 6.6]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\Housecall_ActiveX.dll
    CODEBASE = http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab

    [{33564D57-0000-0010-8000-00AA00389B71}]
    CODEBASE = http://download.microsoft.com/download/F/6/E/F6E491A6-77E1-4E20-9F5F-94901338C922/wmv9VCM.CAB

    [WUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\wuweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1142456071785

    [MUWebControl Class]
    InProcServer32 = C:\WINDOWS\system32\muweb.dll
    CODEBASE = http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1142456055612

    [Aurigma Image Uploader 3.5 Control]
    InProcServer32 = C:\WINDOWS\Downloaded Program Files\ImageUploader3.ocx
    CODEBASE = http://www.zoom2foto.co.il/Modules/Main/ImageUploader3.cab

    [Shockwave Flash Object]
    InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
    CODEBASE = http://fpdownload.macromedia.com/get/shockwave/cabs/flash/swflash.cab

    --------------------------------------------------

    Enumerating ShellServiceObjectDelayLoad items:

    PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
    CDBurn: *Registry key not found*
    WebCheck: C:\WINDOWS\System32\webcheck.dll
    SysTray: C:\WINDOWS\System32\stobject.dll

    --------------------------------------------------
    End of report, 6,789 bytes
    Report generated in 0.140 seconds

    Command line options:
    /verbose - to add additional info on each section
    /complete - to include empty sections and unsuspicious data
    /full - to include several rarely-important sections
    /force9x - to include Win9x-only startups even if running on WinNT
    /forcent - to include WinNT-only startups even if running on Win9x
    /forceall - to include all Win9x and WinNT startups, regardless of platform
    /history - to list version history only
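The StartupList and ComboFix reports above are read by hand by the helpers in this thread. As an added example (not from the thread, and not code from HijackThis/StartupList or ComboFix), the Python script below parses the BHO, Run-key and ShellExecuteHooks sections of both report formats and flags the entries that stand out in the posted logs: BHO CLSIDs whose DLL is reported missing, a ShellExecuteHooks entry that still points at one of those DLLs, and Run entries that give only a bare file name or imitate a Windows binary name (wuauclt3.exe beside the real wuauclt.exe). The sample text is a constructed excerpt modelled on the posted logs; the heuristics, the allowlist of Windows binary names and the reading of an empty ComboFix "[]" timestamp as "file absent" are assumptions of this example, not documented behaviour of either tool.

```python
"""Triage helper for StartupList / ComboFix autostart listings (added example, not
from the thread or either tool).  The heuristics, the Windows-binary allowlist and
the reading of an empty ComboFix "[]" timestamp as "file absent" are assumptions."""
import re

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
BHO_HEADER = re.compile(r"Browser Helper Objects[:\]]$", re.I)
RUN_HEADER = re.compile(r"^\[?HK(?:LM|CU|EY_LOCAL_MACHINE|EY_CURRENT_USER)\\.*\\Run\]?$", re.I)
HOOK_HEADER = re.compile(r"\\ShellExecuteHooks\]$", re.I)
HEADERS = ((BHO_HEADER, "bho"), (RUN_HEADER, "run"), (HOOK_HEADER, "hook"))
BHO_SL = re.compile(rf"^(?P<name>.+?) - (?P<path>.+?) - (?P<clsid>{CLSID})$")        # StartupList
BHO_CF = re.compile(rf"^(?P<clsid>{CLSID})=(?P<path>.+?)\s*\[(?P<stamp>[^\]]*)\]$")  # ComboFix
RUN_SL = re.compile(r'^(?P<name>[^"=]+?) = (?P<cmd>.+)$')
RUN_CF = re.compile(r'^"(?P<name>[^"]+?)\s*"\s*=\s*"(?P<cmd>[^"]*)"')  # tolerates stray spaces
HOOK_CF = re.compile(rf'^"(?P<clsid>{CLSID})\s*"\s*=\s*"(?P<path>[^"]+)"')
SECTION_BREAKS = ("Enumerating", "Autorun entries", "[", "---", "Checking", "Shell", "Policies", "*Note*")
WINDOWS_BINARIES = ("wuauclt", "ctfmon", "userinit", "explorer", "svchost", "lsass",
                    "winlogon", "services", "spoolsv", "smss", "csrss")  # assumed allowlist

# Constructed sample: a cut-down mix of the StartupList and ComboFix sections posted above.
SAMPLE_REPORT = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
wuauclt3 = wuauclt3.exe

Enumerating Browser Helper Objects:
(no name) - (no file) - AutorunsDisabled
(no name) - C:\WINDOWS\system32\urqpomn.dll (file missing) - {0868E7A4-82FD-48ED-942F-AC7CEC0280C3}
(no name) - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - C:\WINDOWS\system32\xkoobwyg.dll (file missing) - {E12BFF69-38A7-406e-A8EF-2738107A7831}

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{93994DE8-8239-4655-B1D1-5F4E91300429}"="C:\PROGRA~1\DVDIDL~1\DVDShell.dll" [2003-01-29 15:58]
"{0868E7A4-82FD-48ED-942F-AC7CEC0280C3} "= "C:\WINDOWS\system32\urqpomn.dll" []
"""

def _bho(line):
    """One BHO line in either format; missing = '(file missing)' tag or an empty ComboFix '[]'."""
    if m := BHO_SL.match(line):
        path, tag = m["path"], "(file missing)"
        return {"clsid": m["clsid"], "path": path.replace(tag, "").strip(), "file_missing": path.endswith(tag)}
    if m := BHO_CF.match(line):
        return {"clsid": m["clsid"], "path": m["path"], "file_missing": not m["stamp"].strip()}
    return None

def _run(line):
    m = RUN_CF.match(line) or RUN_SL.match(line)
    return {"name": m["name"], "cmd": m["cmd"]} if m else None

def _hook(line):
    m = HOOK_CF.match(line)
    return {"clsid": m["clsid"], "path": m["path"]} if m else None

def parse_report(text):
    """Return (bhos, runs, hooks) as lists of dicts, walking the report section by section."""
    bhos, runs, hooks, section = [], [], [], None
    sinks = {"bho": (bhos, _bho), "run": (runs, _run), "hook": (hooks, _hook)}
    for raw in text.splitlines():
        line = raw.strip()
        header = next((name for rx, name in HEADERS if rx.search(line)), None)
        if header:
            section = header
        elif line.startswith(SECTION_BREAKS):
            section = None
        elif line and section:
            entry = sinks[section][1](line)
            if entry:
                sinks[section][0].append(entry)
    return bhos, runs, hooks

def first_executable(cmd):  # the quoted path, or the first token, of a Run-key command
    cmd = cmd.strip()
    if cmd.startswith('"'):
        return cmd[1:cmd.find('"', 1)] if cmd.find('"', 1) > 0 else cmd[1:]
    return cmd.split()[0] if cmd else ""

def lookalike_of(exe):
    """Windows binary stem this file name imitates (wuauclt3 -> 'wuauclt'), or None."""
    stem = exe.replace("\\", "/").rsplit("/", 1)[-1].lower().rsplit(".", 1)[0]
    return next((k for k in WINDOWS_BINARIES if stem != k and stem.startswith(k)), None)

def triage(text):
    """Return (kind, identifier, detail) tuples for the entries an analyst should check first."""
    bhos, runs, hooks = parse_report(text)
    orphans = [b for b in bhos if b["file_missing"]]
    orphan_keys = {b["clsid"] for b in orphans} | {b["path"].lower() for b in orphans}
    findings = [("orphaned_bho", b["clsid"], b["path"]) for b in orphans]
    for h in hooks:  # a hook still pointing at a missing BHO DLL is a Vundo-style leftover
        if h["clsid"] in orphan_keys or h["path"].lower() in orphan_keys:
            findings.append(("hook_matches_orphaned_bho", h["clsid"], h["path"]))
    for r in runs:
        exe = first_executable(r["cmd"])
        if exe and not any(c in exe for c in "\\/:"):  # bare name: resolved via PATH at logon
            findings.append(("pathless_run_entry", r["name"], exe))
        if known := lookalike_of(exe):
            findings.append(("lookalike_run_entry", r["name"], f"{exe} resembles {known}.exe"))
    return findings

if __name__ == "__main__":
    print(*triage(SAMPLE_REPORT), sep="\n")
```

`triage(SAMPLE_REPORT)` yields five findings for the excerpt: the two orphaned BHO CLSIDs, the ShellExecuteHooks entry that still names urqpomn.dll, and wuauclt3 twice (bare name, and a name built on wuauclt). The parser deliberately accepts the stray space before the closing quote that the forum rendering inserted into the ComboFix lines. Bare names of legitimate tools (the wscript in the AdminCheck entry, for instance) are flagged as well and need a manual look, as does any stem that merely happens to begin with an allowlisted name.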
     
  21. 2007/06/12
    TeMerc

    TeMerc Inactive Alumni

    Joined:
    2006/05/13
    Messages:
    3,226
    Likes Received:
    4
    HJT log please.

    I also just noticed you have Avenger installed; please remove it.
     