
Trojan and Vundu big problem!

Discussion in 'Malware and Virus Removal Archive' started by fball, 2007/04/27.

  1. 2007/04/27
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    Hello guys!

    I hope you can help me because I am desperate already.
    This is the situation: I downloaded one torrent file and there was a virus. At that point I couldn't get rid of them.

    I use NOD32, AdAware and SuperAntiSpyware and I deleted everything they found. But when I go on the Internet (I use Mozilla Firefox) it shows some kind of error. In the red box it says "rundll error" and after that some weird letters.

    And all kinds of pop-ups show when I go on the Internet, like pages for "winantivirus, amaena, system doctor",
    and I won't download those files because I know they can be viruses.

    Here is the log from my HijackThis:

    Logfile of HijackThis v1.99.1
    Scan saved at 19:44:44, on 27.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\csrss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\System Control Manager\edd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\WINDOWS\System32\alg.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\MSN Messenger\usnsvc.exe
    C:\Utopia\Angel\Angel.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\WINDOWS\msngr.exe
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bqvucnbv.dll",realset
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/par...an_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/actives...ree/asinst.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
    O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe

    Guys, please help me because I don't know what to do now. Thank you!!
     
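The log above contains the two entries the helper acts on in the next post: the [InfoData] autostart, where rundll32 loads a DLL from system32 by full path plus an export name, and the WSMSPSVC service with no owner string whose image sits directly in C:\WINDOWS. The script below is an added example, not part of this thread and not HijackThis code; it pulls those two patterns, plus the O17 resolver line, out of a log automatically. The sample lines are copied from the log above; the three rules and the expected_resolvers allow-list are this example's own assumptions, and every hit is a candidate for a human to check rather than a verdict (LicCtrlService, which also runs from C:\WINDOWS with no owner string, trips the same rule).

```python
"""Triage a HijackThis 1.99 log for the autostart patterns seen in the post above.

Added example, not part of the thread or of HijackThis. The rules and the
expected_resolvers allow-list are this example's own assumptions; every hit is a
candidate for manual verification, not a verdict.
"""
import re

# Constructed sample: O4/O17/O23 lines copied from the first log in the thread.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
O4 - HKLM\..\Run: [InfoData] rundll32.exe "C:\WINDOWS\system32\bqvucnbv.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
O23 - Service: Windows Server Management Services (WSMSPSVC) - Unknown owner - C:\WINDOWS\msngr.exe
"""

# O4 Run entries: "O4 - <hive>\..\Run: [<name>] <command line>"
O4_RE = re.compile(r'^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
# rundll32 <dll>,<export>; the DLL path may be quoted
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S+)', re.I)
# O17 per-interface DNS servers
O17_RE = re.compile(r'^O17 - .*NameServer = (?P<servers>[\d., ]+)$')
# O23 services: "O23 - Service: <display name> - <owner> - <image path>"
O23_RE = re.compile(r'^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$')
# image sits directly in the Windows directory or in system32
WINDIR_RE = re.compile(r'^[A-Z]:\\WINDOWS\\(?:system32\\)?[^\\]+$', re.I)


def triage(log_text, expected_resolvers=()):
    """Return (section, subject, reason) tuples for entries worth a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := O4_RE.match(line):
            r = RUNDLL_RE.search(m['cmd'])
            if r:  # Vundo-style autostart: rundll32 loading a DLL by path plus export name
                findings.append(('O4', m['name'],
                                 f"rundll32 autostart loads {r['dll']} export {r['export']}; "
                                 "verify the DLL's publisher before trusting it"))
        elif m := O17_RE.match(line):
            servers = [s.strip() for s in m['servers'].split(',') if s.strip()]
            unknown = [s for s in servers if s not in expected_resolvers]
            if unknown:
                findings.append(('O17', ','.join(unknown),
                                 "DNS resolvers not on the expected list; confirm they belong to the ISP"))
        elif m := O23_RE.match(line):
            if m['owner'] == 'Unknown owner' and WINDIR_RE.match(m['path']):
                findings.append(('O23', m['name'],
                                 f"service with no owner string runs from the Windows directory: {m['path']}"))
    return findings


if __name__ == '__main__':
    for section, subject, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {subject}: {reason}")
```

Run it against a saved log with `triage(open('hijackthis.log').read(), expected_resolvers={...})`, filling the allow-list with the resolvers the ISP actually hands out; with the allow-list empty the O17 line is always reported, which is the safe default when the machine's DNS settings are in question.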
  2. 2007/04/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi fball
    Welcome to windowsbbs

    Please undo word wrap when posting logs. Thanks.

    Download SDFix and save it to your Desktop.

    Double click SDFix.exe and it will extract the files to %systemdrive%
    (Drive that contains the Windows Directory, typically C:\SDFix)

    Please then reboot your computer in Safe Mode by doing the following :
    • Restart your computer
    • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
    • Instead of Windows loading as normal, the Advanced Options Menu should appear;
    • Select the first option, to run Windows in Safe Mode, then press Enter.
    • Choose your usual account.
    • Open the extracted SDFix folder and double click RunThis.bat to start the script.
    • Type Y to begin the cleanup process.
    • It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
    • Press any Key and it will restart the PC.
    • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
    • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard ready for posting back on the forum).
    • Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

    Then please do this.

    Please download VundoFix.exe to your desktop
    • Double-click VundoFix.exe to run it.
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Now please rename HijackThis.exe to Killer.exe.

    Please post the SDFix log, the Vundo log and a new HJT log.

    Thanks
    Geri
     


  4. 2007/04/27
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    Here is my new HijackThis scan and that SDFix scan.

    Now I will do it with VundoFix.exe.

    But one question: should I use the modem, because I don't get those viruses when I am connected with the modem, just with ADSL? Because if I scan it now, by the time I come here to post it I will get new ones.

    SDFix: Version 1.80

    Run by Dean - pet 27.04.2007 - 23:29:00,92

    Microsoft Windows XP [Version 5.1.2600]

    Running From: C:\SDFix

    Safe Mode:
    Checking Services:

    Name:
    WSMSPSVC

    ImagePath:
    "C:\WINDOWS\msngr.exe"

    WSMSPSVC - Deleted



    Modified mswsock.dll Found!

    File Locations:

    C:\WINDOWS\system32\mswsock.dll
    C:\WINDOWS\system32\dllcache\mswsock.dll

    Infected files:



    Restoring Windows Registry Values
    Restoring Windows Default Hosts File


    Rebooting...

    Normal Mode:
    Checking Files:

    Below files will be copied to Backups folder then removed:

    C:\WINDOWS\SYSTEM32\CMMGR32.EXE - Deleted
    C:\WINDOWS\odbc.INI - Deleted
    C:\WINDOWS\Temp\removalfile.bat - Deleted



    Removing Temp Files

    ADS Check:

    Checking if ADS is attached to system32 Folder
    C:\WINDOWS\system32
    No streams found.

    Checking if ADS is attached to svchost.exe
    C:\WINDOWS\system32\svchost.exe
    No streams found.



    Final Check:

    Remaining Services:
    ------------------



    Authorized Application Key Export:

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\PES6.exe"="C:\\Program Files\\KONAMI\\Pro Evolution Soccer 6\\PES6.exe:*:Enabled:pes6.exe"
    "C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Disabled:Windows Explorer"
    "C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe"="C:\\Program Files\\Activision\\Call of Duty 2\\CoD2MP_s.exe:*:Enabled:CoD2MP_s"
    "C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"="C:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe:*:Enabled:RelicCOH"
    "C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe"="C:\\Program Files\\Sports Interactive\\Football Manager 2007\\fm.exe:*:Enabled:Football Manager 2007"
    "C:\\Program Files\\GameSpy Arcade\\Aphex.exe"="C:\\Program Files\\GameSpy Arcade\\Aphex.exe:*:Enabled:GameSpy Arcade"
    "C:\\Program Files\\FarStone\\VirtualDrive\\MGR.exe"="C:\\Program Files\\FarStone\\VirtualDrive\\MGR.exe:*:Enabled:VirtualDrive MGR"
    "C:\\Program Files\\Microsoft Games\\Halo\\halo.exe"="C:\\Program Files\\Microsoft Games\\Halo\\halo.exe:*:Enabled:Halo"
    "C:\\UT2004\\System\\UT2004.exe"="C:\\UT2004\\System\\UT2004.exe:*:Enabled:UT2004"
    "C:\\Program Files\\Anarchy\\AgeOfCastles\\Age-of-Castles.exe"="C:\\Program Files\\Anarchy\\AgeOfCastles\\Age-of-Castles.exe:*:Enabled:Age of Castles"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"
    "C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
    "C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
    "C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Disabled:BitTorrent"
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main_amdxp.exe:*:Disabled:Neverwinter Nights 2 AMD"
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2main.exe:*:Disabled:Neverwinter Nights 2 Main"
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwn2server.exe:*:Disabled:Neverwinter Nights 2 Server"
    "C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe"="C:\\Program Files\\Atari\\Neverwinter Nights 2\\nwupdate.exe:*:Disabled:Neverwinter Nights 2 Updater"
    "C:\\Program Files\\uTorrent\\utorrent.exe"="C:\\Program Files\\uTorrent\\utorrent.exe:*:Enabled:µTorrent"
    "C:\\Documents and Settings\\Dean\\Local Settings\\Temp\\vbalink.exe"="C:\\Documents and Settings\\Dean\\Local Settings\\Temp\\vbalink.exe:*:Enabled:vbalink"
    "C:\\Documents and Settings\\Dean\\Local Settings\\Temp\\vbaserver.exe"="C:\\Documents and Settings\\Dean\\Local Settings\\Temp\\vbaserver.exe:*:Enabled:vbaserver"
    "C:\\Program Files\\Bohemia Interactive\\ArmA Demo\\ArmADemo.exe"="C:\\Program Files\\Bohemia Interactive\\ArmA Demo\\ArmADemo.exe:*:Enabled:ArmA"


    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
    "C:\\Program Files\\MSN Messenger\\msncall.exe"="C:\\Program Files\\MSN Messenger\\msncall.exe:*:Enabled:Windows Live Messenger 8.0 (Phone)"
    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"="C:\\Program Files\\MSN Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger 8.1"
    "C:\\Program Files\\MSN Messenger\\livecall.exe"="C:\\Program Files\\MSN Messenger\\livecall.exe:*:Enabled:Windows Live Messenger 8.1 (Phone)"


    Remaining Files:
    ---------------

    Backups Folder: - C:\SDFix\backups\backups.zip

    Checking For Files with Hidden Attributes:

    C:\Documents and Settings\Dean\My Documents\My Received Files\homemade\bangbros.com_hj1355500k.wmv
    C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\mmf.sys

    Finished

    Logfile of HijackThis v1.99.1
    Scan saved at 23:44:42, on 27.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\System Control Manager\edd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
     
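The Authorized Application export in the SDFix report above is worth reading line by line, not just for the trojan service: two Enabled exceptions point at executables under C:\Documents and Settings\Dean\Local Settings\Temp, a folder anything running as that user can write to, so whatever is (or later gets) dropped there under that name already has a hole through the XP firewall. The parser below is an added example, not SDFix's code or anything posted in this thread. It reads the export in the "key"="value" form of a .reg file, splits each value into path, scope, state and name, and reports enabled exceptions whose path is in a user-writable location. The sample is a constructed subset of the export above; the location patterns in USER_WRITABLE_RE are this example's own assumption, and a hit means "look at this", not "this is malware".

```python
"""Flag Windows Firewall (XP SP2) application exceptions that point at executables
in user-writable locations.

Added example, not SDFix's code or anything from this thread. The location patterns
below are this example's own assumption; a hit means "look at this", not "malware".
"""
import re

# Constructed sample: a subset of the AuthorizedApplications export in the SDFix
# report above, written in the "key"="value" form of a .reg export.
SAMPLE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"="C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe:*:Enabled:BlueSoleil"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Disabled:Windows Explorer"
"C:\\Program Files\\BitComet\\BitComet.exe"="C:\\Program Files\\BitComet\\BitComet.exe:*:Disabled:BitComet - a BitTorrent Client"
"C:\\Program Files\\Hamachi\\hamachi.exe"="C:\\Program Files\\Hamachi\\hamachi.exe:*:Enabled:Hamachi Client"
"C:\\Documents and Settings\\Dean\\Local Settings\\Temp\\vbalink.exe"="C:\\Documents and Settings\\Dean\\Local Settings\\Temp\\vbalink.exe:*:Enabled:vbalink"
"C:\\Documents and Settings\\Dean\\Local Settings\\Temp\\vbaserver.exe"="C:\\Documents and Settings\\Dean\\Local Settings\\Temp\\vbaserver.exe:*:Enabled:vbaserver"
'''

ENTRY_RE = re.compile(r'^"(?P<key>[^"]+)"\s*=\s*"(?P<value>[^"]+)"$')
# per-user profile folders and temp directories: writable without admin rights
USER_WRITABLE_RE = re.compile(
    r'\\(?:Documents and Settings|Users)\\[^\\]+\\|\\Temp\\|\\Temporary Internet Files\\', re.I)


def parse_export(text):
    """Yield one dict per exception: profile, path, scope, state, name."""
    profile = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            # ...\FirewallPolicy\<profile>\AuthorizedApplications\List
            profile = line[1:-1].split('\\')[-3]
            continue
        m = ENTRY_RE.match(line)
        if not m:
            continue
        # .reg exports double every backslash; undo that before splitting
        value = m['value'].replace('\\\\', '\\')
        # value is "<path>:<scope>:<state>:<name>"; the path itself contains "C:",
        # so split from the right
        parts = value.rsplit(':', 3)
        if len(parts) != 4:
            continue
        path, scope, state, name = parts
        yield {'profile': profile, 'path': path, 'scope': scope,
               'state': state.lower(), 'name': name}


def suspicious_exceptions(text):
    """Enabled exceptions whose executable lives somewhere an unprivileged user can write."""
    return [e for e in parse_export(text)
            if e['state'] == 'enabled' and USER_WRITABLE_RE.search(e['path'])]


if __name__ == '__main__':
    for e in suspicious_exceptions(SAMPLE_EXPORT):
        print(f"[{e['profile']}] {e['name']}: {e['path']} (scope {e['scope']})")
```

On a live XP machine the same data comes from `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List" fw.reg` (the file is UTF-16; open it with `encoding='utf-16'` before passing it to `parse_export`). Disabled entries are skipped on purpose: they open nothing, though a later `Enabled` flip on one of them is itself worth noticing.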
  5. 2007/04/27
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    VundoFix V4.2.22
    Scan started at 23:53:06 27.4.2007

    Listing files found while scanning....


    C:\WINDOWS\system32\pqstv.bak1
    C:\WINDOWS\system32\pqstv.ini
    Attempting to delete C:\WINDOWS\system32\pqstv.bak1
    C:\WINDOWS\system32\pqstv.bak1 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\pqstv.ini
    C:\WINDOWS\system32\pqstv.ini Has been deleted!

    Performing Repairs to the registry.
    Done!
     
  6. 2007/04/27
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    Logfile of HijackThis v1.99.1
    Scan saved at 23:59:08, on 27.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\tsnp2std.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\System Control Manager\edd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
     
  7. 2007/04/27
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    Well, I don't know if it's ok, I just renamed HijackThis to Killer. I hope it's ok. I am a beginner so I am not really sure. But this is posted like that.


    Logfile of HijackThis v1.99.1
    Scan saved at 0:02:10, on 28.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\tsnp2std.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\System Control Manager\edd.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - C:\WINDOWS\system32\gebywtq.dll
    O2 - BHO: (no name) - {AA477097-5CCF-4580-A909-1D7F02C84269} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\bupuhrqf.dll
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
    O20 - Winlogon Notify: gebywtq - C:\WINDOWS\SYSTEM32\gebywtq.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
     
  8. 2007/04/27
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi fball

    A modem is not going to stop you from getting this stuff.

    You will not get viruses from coming here and posting.

    OK, please do this...

    • Double-click VundoFix.exe to run it.
      Right click in the white box
      Click on add more files
      * Copy&Paste the entries below into the top boxes

      C:\WINDOWS\system32\gebywtq.dll
      C:\WINDOWS\system32\ddayx.dll
      C:\WINDOWS\system32\bupuhrqf.dll


      * Click Add Files and Click Close Window
    • Click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will reboot your computer, click OK.
    • Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

    Please post the new vundo log and a new HJT log.

    Thanks
    Geri
     
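    The three DLL paths in the VundoFix list above come straight from the log: they are the O2 BHO entries with "(no name)" loading from system32, and two of them also appear as O20 Winlogon Notify handlers. The following script is an added illustration, not code from this thread or from VundoFix or HijackThis; it parses a constructed sample made of lines copied from fball's log and applies that cross-check so the indicators are visible at a glance. The function and rule names are mine.

```python
import re

# Constructed sample: a subset of the lines from the HijackThis log posted above
# (the O2, O3, O20 and O23 entries that matter for this check).
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - C:\WINDOWS\system32\gebywtq.dll
O2 - BHO: (no name) - {AA477097-5CCF-4580-A909-1D7F02C84269} - C:\WINDOWS\system32\ddayx.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\bupuhrqf.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
O20 - Winlogon Notify: gebywtq - C:\WINDOWS\SYSTEM32\gebywtq.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
"""

# Line shapes as HijackThis 1.99 prints them (hypothetical names for the patterns).
BHO_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.+)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.+)$")
SERVICE_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")


def parse_hjt(log_text):
    """Split a HijackThis log into the O2, O20 and O23 entries this check uses."""
    bhos, notifies, services = [], [], []
    for raw in log_text.strip().splitlines():
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            bhos.append(m.groupdict())
            continue
        m = NOTIFY_RE.match(line)
        if m:
            notifies.append(m.groupdict())
            continue
        m = SERVICE_RE.match(line)
        if m:
            services.append(m.groupdict())
    return bhos, notifies, services


def _norm(path):
    # Windows paths are case-insensitive; HijackThis prints whatever casing the
    # registry held (system32 vs SYSTEM32 above), so compare lower-cased.
    return path.strip().lower()


def _in_system32(path):
    return "\\windows\\system32\\" in _norm(path)


def find_vundo_indicators(log_text):
    bhos, notifies, services = parse_hjt(log_text)
    # Rule 1: a BHO with no product name loading from system32 is the pattern
    # the helper acted on above (the nameless O2 entries became the VundoFix list).
    nameless = [b for b in bhos if b["name"] == "(no name)" and _in_system32(b["path"])]
    suspect = {_norm(b["path"]): b["path"] for b in nameless}
    # Rule 2: the same DLL also registered as a Winlogon Notify handler is loaded
    # by winlogon.exe at logon, so the file stays in use for the whole session;
    # that is why a plain delete fails and removal is done across a reboot.
    notify_paths = {_norm(n["path"]) for n in notifies}
    persistent = sorted(p for key, p in suspect.items() if key in notify_paths)
    # Rule 3: services whose owner HijackThis could not identify deserve a manual
    # look; "Unknown owner" on its own does not make a service malicious.
    unknown_services = sorted(s["path"] for s in services if s["owner"] == "Unknown owner")
    return {
        "suspect_dlls": sorted(suspect.values()),
        "also_winlogon_notify": persistent,
        "services_to_verify": unknown_services,
    }


if __name__ == "__main__":
    for label, items in find_vundo_indicators(SAMPLE_LOG).items():
        print(label)
        for item in items:
            print("   ", item)
```

    Run against the sample, `suspect_dlls` is exactly the three paths in the VundoFix instructions, and `also_winlogon_notify` explains why two of them keep coming back after a user-mode delete. To use it on a fresh log, replace `SAMPLE_LOG` with the pasted log text.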
  9. 2007/04/28
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    OK, I have a problem. I added those files in and I started the scan.

    And it has found:


    in system32:
    efcdbay.dll
    gebywtg.dll
    gebywtg.dll
    nnnkklk.dll

    But when it comes to msa.dll it stops running and it's not responding.

    So I can't even delete those files or do anything. And I can't use Killbox to destroy that msa.dll because I don't see the full name, I see just: ....msa.dll
     
  10. 2007/04/28
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    OK, I have found out where that msa.dll is.

    It's in c:/program files/common files/ahead/audio plugins


    So is it ok if I delete it? Or is it something important for my comp?
     
  11. 2007/04/28
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    I have done a scan with SuperAntiSpyware and here is the log and the new HijackThis log.


    SUPERAntiSpyware Scan Log
    Generated 04/28/2007 at 01:04 PM

    Application Version : 3.5.1016

    Core Rules Database Version : 3227
    Trace Rules Database Version: 1238

    Scan type : Complete Scan
    Total Scan Time : 00:34:22

    Memory items scanned : 603
    Memory threats detected : 2
    Registry items scanned : 6429
    Registry threats detected : 10
    File items scanned : 31422
    File threats detected : 19

    Trojan.Downloader-UniBBB
    C:\WINDOWS\SYSTEM32\GEBYWTQ.DLL
    C:\WINDOWS\SYSTEM32\GEBYWTQ.DLL
    HKLM\Software\Classes\CLSID\{058DB58B-1A37-44F6-8910-04332FECADCB}
    HKCR\CLSID\{058DB58B-1A37-44F6-8910-04332FECADCB}
    HKCR\CLSID\{058DB58B-1A37-44F6-8910-04332FECADCB}\InprocServer32
    HKCR\CLSID\{058DB58B-1A37-44F6-8910-04332FECADCB}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{058DB58B-1A37-44F6-8910-04332FECADCB}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{058DB58B-1A37-44F6-8910-04332FECADCB}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\gebywtq
    C:\WINDOWS\SYSTEM32\EFCDBAY.DLL
    C:\WINDOWS\SYSTEM32\NNNKKLK.DLL

    Trojan.Downloader-Gen/LIB
    C:\WINDOWS\SYSTEM32\BUPUHRQF.DLL
    C:\WINDOWS\SYSTEM32\BUPUHRQF.DLL
    C:\WINDOWS\SYSTEM32\QPEYFNMY.DLL

    Adware.Tracking Cookie
    C:\Documents and Settings\Dean\Cookies\dean@drivecleaner[1].txt
    C:\Documents and Settings\Dean\Cookies\dean@mediaplex[1].txt
    C:\Documents and Settings\Dean\Cookies\dean@fastclick[1].txt
    C:\Documents and Settings\Dean\Cookies\dean@www.drivecleaner[1].txt
    C:\Documents and Settings\Dean\Cookies\dean@cpvfeed[2].txt
    C:\Documents and Settings\Dean\Cookies\dean@advertising[1].txt
    C:\Documents and Settings\Dean\Cookies\dean@winantivirus[1].txt
    C:\Documents and Settings\Dean\Cookies\dean@ad.iskon[1].txt
    C:\Documents and Settings\Dean\Cookies\dean@www.amaena[1].txt
    C:\Documents and Settings\Dean\Cookies\dean@doubleclick[1].txt

    Adware.Vundo Variant
    HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}
    HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32
    HKCR\CLSID\{D651AFF4-9590-424D-BD1E-8E33E090DFB3}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\AWVVS.DLL

    Trojan.Downloader-Gen/HardFall
    C:\SYSTEM VOLUME INFORMATION\_RESTORE{90CB711D-AE4D-4D49-BAFC-26F4FCB4E7F0}\RP2\A0000013.DLL

    Trojan.WinFixer
    C:\WINDOWS\SYSTEM32\GEEBY.DLL
    C:\WINDOWS\SYSTEM32\MLJJH.DLL

    Logfile of HijackThis v1.99.1
    Scan saved at 13:08:55, on 28.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\Program Files\System Control Manager\edd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wbem\wmiapsrv.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\HijackThis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
    O2 - BHO: (no name) - {718C0B57-C2F2-4EF1-8B4D-484DB1A77FC7} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
     
  12. 2007/04/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi fball
    No, do not delete it at this time. It seems to have something to do with Nero.

    OK Please do this.

    Download ComboFix from Here or Here to your Desktop.
    • Double-click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Please post the combo fix log.

    Thanks
    Geri
     
  13. 2007/04/28
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    "Dean" - 07-04-28 18:54:01 Service Pack 2
    ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Dean\Desktop\ "


    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\hogupelx_navps.dat
    C:\WINDOWS\system32\hogupelx.exe
    C:\WINDOWS\system32\hogupelx.dat


    ((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\nm


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-28 ))))))))))))))))))))))))))))))))))


    2007-04-28 12:59 559,307 ---hs---- C:\WINDOWS\system32\xyadd.ini2
    2007-04-28 12:34 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
    2007-04-28 11:14 <DIR> d--h----- C:\Program Files\WindowsUpdate
    2007-04-28 11:14 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-04-28 10:11 <DIR> d-------- C:\VundoFix Backups
    2007-04-27 23:18 517,837 ---hs---- C:\WINDOWS\system32\xyadd.bak2
    2007-04-27 23:18 284,244 ---hs---- C:\WINDOWS\system32\ddayx.dll
    2007-04-27 19:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-04-27 17:44 <DIR> d-------- C:\Program Files\ewido anti-spyware 4.0
    2007-04-27 14:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-04-27 14:39 <DIR> d---s---- C:\DOCUME~1\Dean\UserData
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Scorpio Software
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Common Files\scosoft.com
    2007-04-27 14:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-26 15:43 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\SuperAdBlocker.com
    2007-04-24 00:49 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-04-23 21:38 <DIR> d-------- C:\Program Files\Trustix
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Comodo
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-23 18:12 28 --a------ C:\WINDOWS\system32\substpntx8.dll
    2007-04-23 18:11 <DIR> d-------- C:\Program Files\WinTools
    2007-04-23 17:42 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Sereniti
    2007-04-21 12:21 <DIR> d-------- C:\Program Files\CatchTheSperm2
    2007-04-21 12:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Phenomedia
    2007-04-21 12:20 <DIR> d-------- C:\Program Files\KraiSoft
    2007-04-21 12:05 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Oxford
    2007-04-21 12:04 99,092 --a------ C:\WINDOWS\system32\bass.dll
    2007-04-21 12:04 88,064 --a------ C:\WINDOWS\system32\idiom010227.dll
    2007-04-21 12:04 34,304 --a------ C:\WINDOWS\system32\lfbmp10N.dll
    2007-04-21 12:04 297,472 --a------ C:\WINDOWS\system32\ltkrn10N.dll
    2007-04-21 12:04 266,752 --a------ C:\WINDOWS\system32\LFCMP10N.DLL
    2007-04-21 12:04 231,424 --a------ C:\WINDOWS\system32\LTDIS10N.dll
    2007-04-21 12:04 199,168 --a------ C:\WINDOWS\system32\Illprs.dll
    2007-04-21 12:04 160,768 --a------ C:\WINDOWS\system32\ILLKRN.DLL
    2007-04-21 12:04 147,456 --a------ C:\WINDOWS\system32\Twavbx32.dll
    2007-04-21 12:04 143,360 --a------ C:\WINDOWS\system32\ILXTBS.DLL
    2007-04-21 12:04 134,144 --a------ C:\WINDOWS\system32\lfpng10N.dll
    2007-04-21 12:04 115,200 --a------ C:\WINDOWS\system32\UnzDll.dll
    2007-04-21 12:04 114,176 --a------ C:\WINDOWS\system32\ltimg10N.dll
    2007-04-21 12:04 103,424 --a------ C:\WINDOWS\system32\ltfil10N.DLL
    2007-04-21 12:04 <DIR> d-------- C:\Program Files\TEXTware
    2007-04-21 12:01 <DIR> d-------- C:\Program Files\Oxford
    2007-04-14 20:13 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2007-04-14 15:55 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2007-04-14 15:55 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2007-04-14 15:55 <DIR> d-------- C:\Program Files\OpenAL
    2007-04-12 13:07 <DIR> d-------- C:\Program Files\LittleFighter2
    2007-04-10 08:56 <DIR> d-------- C:\games
    2007-04-09 15:46 <DIR> d-------- C:\DOCUME~1\Dean\dwhelper
    2007-04-09 15:35 <DIR> d-------- C:\WINDOWS\FLV Player
    2007-04-09 15:35 <DIR> d-------- C:\Program Files\FLV Player
    2007-04-09 10:18 845,312 --a------ C:\WINDOWS\system32\Smab.dll
    2007-04-09 10:18 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
    2007-04-09 10:18 66,560 --a------ C:\WINDOWS\MOTA113.exe
    2007-04-09 10:18 502,784 --a------ C:\WINDOWS\x2.64.exe
    2007-04-09 10:18 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
    2007-04-09 10:18 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
    2007-04-09 10:18 240,128 --a------ C:\WINDOWS\system32\x.264.exe
    2007-04-09 10:18 217,073 --a------ C:\WINDOWS\meta4.exe
    2007-04-09 10:18 <DIR> d--hs---- C:\WINDOWS\system32\ShellDHCP
    2007-04-09 10:08 <DIR> d-------- C:\Program Files\eRightSoft
    2007-04-07 13:15 <DIR> d-------- C:\Program Files\Network Stumbler
    2007-04-07 13:02 <DIR> d-------- C:\Program Files\WorldUnlock Codes Calculator
    2007-04-05 14:55 <DIR> d-------- C:\Bug
    2007-04-02 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-04-02 14:41 <DIR> d-------- C:\Program Files\Yahoo!
    2007-03-31 18:23 <DIR> d-------- C:\Program Files\uTorrent
    2007-03-31 18:23 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\uTorrent
    2007-03-28 15:34 <DIR> d-------- C:\Program Files\BitTorrent


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-28 18:59 1393 --ahs---- C:\WINDOWS\system32\mmf.sys
    2007-04-28 12:30 -------- d-------- C:\Program Files\superantispyware
    2007-04-27 19:44 -------- d-------- C:\Program Files\system control manager
    2007-04-27 19:44 -------- d-------- C:\Program Files\messengerskinner
    2007-04-27 19:43 -------- d-------- C:\Program Files\messenger
    2007-04-27 19:42 -------- d-------- C:\Program Files\msn messenger
    2007-04-27 19:41 -------- d-------- C:\Program Files\google
    2007-04-26 20:56 810 --a------ C:\WINDOWS\mozver.dat
    2007-04-26 20:36 248988 --a------ C:\WINDOWS\system32\hogupelx_nav.dat
    2007-04-26 16:25 -------- d-------- C:\Program Files\Common Files\wise installation wizard
    2007-04-22 18:10 -------- d-------- C:\Program Files\speedfan
    2007-04-14 15:55 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
    2007-04-12 12:58 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-05 10:17 -------- d-------- C:\Program Files\konami
    2007-03-31 18:15 1386496 --a------ C:\WINDOWS\system32\msvbvm60.dll
    2007-03-28 15:10 737280 --a------ C:\WINDOWS\iun6002.exe
    2007-03-26 22:27 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\talkback
    2007-03-19 19:52 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
    2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
    2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
    2007-03-13 16:42 -------- d-------- C:\Program Files\ea sports
    2007-03-13 16:39 -------- d-------- C:\Program Files\codec pack - all in 1
    2007-03-10 09:10 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\desksoft
    2007-03-08 18:40 -------- d-------- C:\Program Files\codemasters
    2007-03-08 16:23 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-03-08 16:23 298104 --a------ C:\WINDOWS\system32\imon.dll
    2007-03-08 16:23 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-03-04 17:34 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\hamachi
    2007-03-04 13:21 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
    2007-03-04 13:21 165376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
    2007-02-21 20:08 967 --a------ C:\WINDOWS\scunin.pif
    2007-02-21 20:08 94208 --a------ C:\WINDOWS\scunin.exe
    2007-02-21 20:08 35382 --a------ C:\WINDOWS\scunin.dat
    2007-02-06 15:31 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
    2007-02-06 15:05 855 --a------ C:\WINDOWS\ereg.dat
    2007-02-01 16:28 5501 --a------ C:\WINDOWS\system32\rtclcmg32.dll
    2007-01-05 21:19 62 --ahs---- C:\DOCUME~1\Dean\APPLIC~1\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {7BDC30BA-1D73-4323-B2E1-BA602C22E725} C:\WINDOWS\system32\ddayx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
    "RTHDCPL"="RTHDCPL.EXE"
    "Alcmtr"="ALCMTR.EXE"
    "AGRSMMSG"="AGRSMMSG.exe"
    "nod32kui"="\"C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE"
    "RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
    "MGSysCtrl"="C:\\Program Files\\System Control Manager\\MGSysCtrl.exe"
    "NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
    "tsnp2std"="C:\\WINDOWS\\tsnp2std.exe"
    "snp2std"="C:\\WINDOWS\\vsnp2std.exe"
    "VirtualDrive"="\"C:\\Program Files\\FarStone\\VirtualDrive\\VDTask.exe\" /AutoRestore"
    "vcdplayx"="\"C:\\WINDOWS\\vcdplayx.exe\""
    "SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\""
    "Comodo Firewall"="\"C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background"
    "!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="\"C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\""
    "MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"
    "Power2GoExpress"="\"C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\" /Startup"
    "messengerskinner"="C:\\Program Files\\MessengerSkinner\\MessengerSkinner.exe"

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
    "DisableRegistryTools"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "HideClock"=dword:00000000
    "NoManageMyComputerVerb"=dword:00000000
    "NoLowDiskSpaceChecks"=dword:00000000
    "NoCDBurning"=dword:00000000
    "NoStartMenuPinnedList"=dword:00000000
    "NoStartMenuMFUprogramsList"=dword:00000000
    "NoUserNameInStartMenu"=dword:00000000
    "StartmenuLogoff"=dword:00000000
    "NoStartMenuSubFolders"=dword:00000000
    "NoCommonGroups"=dword:00000000
    "NoRecentDocsMenu"=dword:00000000
    "ClearRecentDocsOnExit"=dword:00000000
    "NoPrinterTabs"=dword:00000000
    "NoDeletePrinter"=dword:00000000
    "NoAddPrinter"=dword:00000000
    "NoPrinters"=dword:00000000
    "NoNetworkConnections"=dword:00000000
    "NoFavoritesMenu"=dword:00000000
    "NoSMHelp"=dword:00000000
    "NoChangeStartMenu"=dword:00000000
    "NoFileMenu"=dword:00000000
    "NoShellSearchButton"=dword:00000000
    "NoToolbarCustomize"=dword:00000000
    "NoRecentDocsNetHood"=dword:00000000
    "NoChangeAnimation"=dword:00000000
    "NoChangeKeyboardNavigationIndicators"=dword:00000000
    "NoThemesTab"=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source REG_SZ http://www.moljac.hr/skripte/phpAdsNew/adview.php?what=zone:22&n=a871ad19

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source REG_SZ file:///C:/DOCUME~1/Dean/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"=""
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"
    "{058DB58B-1A37-44F6-8910-04332FECADCB}"=""

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayx

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
    "backup"="C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE"
    "item"="BlueSoleil"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="SUPERAntiSpyware"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="GoogleToolbarNotifier"
    "hkey"="HKCU"
    "command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba35f815-a715-11db-b499-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7089da8-9d05-11db-b438-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-28 19:04:05
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 07-04-28 19:04:31 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 07-04-28 19:04

    Logfile of HijackThis v1.99.1
    Scan saved at 19:06:28, on 28.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\ewido anti-spyware 4.0\guard.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\runservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\System Control Manager\edd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\Program Files\ewido anti-spyware 4.0\ewido.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\HijackThis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
    O2 - BHO: (no name) - {7BDC30BA-1D73-4323-B2E1-BA602C22E725} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
     
  14. 2007/04/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK Please do this.

    Click on Start> Run Copy and paste this line into the run box hit OK.
    "%userprofile%\desktop\combofix.exe" /v ddayx.dll gebywtq.dll bupuhrqf.dll

    Then please go to add/remove programs and delete this "ewido anti-spyware 4.0" (we will download the newer version in a moment)

    and delete any of these that you find in add/remove.
    WhenU.WeatherCast
    WhenUSearch Toolbar, WeatherCast, WhenUShop, WhenUSearch SideFinder, ClockSync, Save!/SaveNow, PriceBandit, and WhenUSearch BEST.

    Please download ATF Cleaner by Atribune.
    This program is for XP and Windows 2000 only

    • Double-click ATF-Cleaner.exe to run the program.
      Under Main choose: Select All
      Click the Empty Selected button.
    If you use Firefox browser
    • Click Firefox at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    If you use Opera browser
    • Click Opera at the top and choose: Select All
      Click the Empty Selected button.
      NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.
    For Technical Support, double-click the e-mail address located at the bottom of each menu.

    Now download the new version of AVG Anti-spyware, set it up as instructed.

    Now download AVG Anti-Spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded AVG Anti-Spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need to run AVG Anti-Spyware and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close AVG Anti-Spyware. Do Not run a scan just yet; we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning, it may interfere with the scanning process:
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode and post the results of the AVG Anti-Spyware report scan.

    Please post the AVG log, a new combofix log and a new HJT log.

    Geri
     
  15. 2007/04/28
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    ---------------------------------------------------------
    AVG Anti-Spyware - Scan Report
    ---------------------------------------------------------

    + Created at: 2:45:39 29.4.2007

    + Scan result:

    C:\Program Files\TEXTware\QUICKfind\PlugIns\IEHelp.dll -> Adware.BHO : No action taken.
    :mozilla.107:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.108:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.109:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Adbrite : No action taken.
    :mozilla.93:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
    :mozilla.94:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
    :mozilla.95:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Burstnet : No action taken.
    :mozilla.22:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.23:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.24:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.25:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Casalemedia : No action taken.
    :mozilla.117:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Doubleclick : No action taken.
    :mozilla.170:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
    :mozilla.171:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
    :mozilla.172:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Euroclick : No action taken.
    :mozilla.131:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.132:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Fastclick : No action taken.
    :mozilla.97:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Gemius : No action taken.
    :mozilla.98:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Gemius : No action taken.
    :mozilla.129:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Mediaplex : No action taken.
    :mozilla.10:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
    :mozilla.11:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
    :mozilla.12:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
    :mozilla.8:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
    :mozilla.9:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Realmedia : No action taken.
    :mozilla.163:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
    :mozilla.164:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
    :mozilla.165:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
    :mozilla.166:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
    :mozilla.167:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Tacoda : No action taken.
    :mozilla.31:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Tribalfusion : No action taken.
    :mozilla.118:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
    :mozilla.119:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
    :mozilla.120:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
    :mozilla.121:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
    :mozilla.122:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
    :mozilla.123:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
    :mozilla.124:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Valuead : No action taken.
    :mozilla.13:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.16:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.17:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.6:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.
    :mozilla.7:C:\Documents and Settings\Dean\Application Data\Mozilla\Firefox\Profiles\orctglbd.default\cookies.txt -> TrackingCookie.Yieldmanager : No action taken.


    ::Report end

    "Dean" - 07-04-29 2:52:17 Service Pack 2
    ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Dean\Desktop\"


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))


    2007-04-28 21:17 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-28 20:53 <DIR> d-------- C:\DOCUME~1\Dean\New Folder
    2007-04-28 19:31 559,237 ---hs---- C:\WINDOWS\system32\xyadd.ini2
    2007-04-28 19:04 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-04-28 12:34 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
    2007-04-28 11:14 <DIR> d--h----- C:\Program Files\WindowsUpdate
    2007-04-28 11:14 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-04-28 10:11 <DIR> d-------- C:\VundoFix Backups
    2007-04-27 23:18 517,837 ---hs---- C:\WINDOWS\system32\xyadd.bak2
    2007-04-27 23:18 284,244 ---hs---- C:\WINDOWS\system32\ddayx.dll
    2007-04-27 19:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-04-27 14:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-04-27 14:39 <DIR> d---s---- C:\DOCUME~1\Dean\UserData
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Scorpio Software
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Common Files\scosoft.com
    2007-04-27 14:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-26 15:43 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\SuperAdBlocker.com
    2007-04-24 00:49 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-04-23 21:38 <DIR> d-------- C:\Program Files\Trustix
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Comodo
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-23 18:12 28 --a------ C:\WINDOWS\system32\substpntx8.dll
    2007-04-23 18:11 <DIR> d-------- C:\Program Files\WinTools
    2007-04-23 17:42 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Sereniti
    2007-04-21 12:21 <DIR> d-------- C:\Program Files\CatchTheSperm2
    2007-04-21 12:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Phenomedia
    2007-04-21 12:20 <DIR> d-------- C:\Program Files\KraiSoft
    2007-04-21 12:05 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Oxford
    2007-04-21 12:04 99,092 --a------ C:\WINDOWS\system32\bass.dll
    2007-04-21 12:04 88,064 --a------ C:\WINDOWS\system32\idiom010227.dll
    2007-04-21 12:04 34,304 --a------ C:\WINDOWS\system32\lfbmp10N.dll
    2007-04-21 12:04 297,472 --a------ C:\WINDOWS\system32\ltkrn10N.dll
    2007-04-21 12:04 266,752 --a------ C:\WINDOWS\system32\LFCMP10N.DLL
    2007-04-21 12:04 231,424 --a------ C:\WINDOWS\system32\LTDIS10N.dll
    2007-04-21 12:04 199,168 --a------ C:\WINDOWS\system32\Illprs.dll
    2007-04-21 12:04 160,768 --a------ C:\WINDOWS\system32\ILLKRN.DLL
    2007-04-21 12:04 147,456 --a------ C:\WINDOWS\system32\Twavbx32.dll
    2007-04-21 12:04 143,360 --a------ C:\WINDOWS\system32\ILXTBS.DLL
    2007-04-21 12:04 134,144 --a------ C:\WINDOWS\system32\lfpng10N.dll
    2007-04-21 12:04 115,200 --a------ C:\WINDOWS\system32\UnzDll.dll
    2007-04-21 12:04 114,176 --a------ C:\WINDOWS\system32\ltimg10N.dll
    2007-04-21 12:04 103,424 --a------ C:\WINDOWS\system32\ltfil10N.DLL
    2007-04-21 12:04 <DIR> d-------- C:\Program Files\TEXTware
    2007-04-21 12:01 <DIR> d-------- C:\Program Files\Oxford
    2007-04-14 20:13 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2007-04-14 15:55 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2007-04-14 15:55 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2007-04-14 15:55 <DIR> d-------- C:\Program Files\OpenAL
    2007-04-12 13:07 <DIR> d-------- C:\Program Files\LittleFighter2
    2007-04-10 08:56 <DIR> d-------- C:\games
    2007-04-09 15:46 <DIR> d-------- C:\DOCUME~1\Dean\dwhelper
    2007-04-09 15:35 <DIR> d-------- C:\WINDOWS\FLV Player
    2007-04-09 15:35 <DIR> d-------- C:\Program Files\FLV Player
    2007-04-09 10:18 845,312 --a------ C:\WINDOWS\system32\Smab.dll
    2007-04-09 10:18 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
    2007-04-09 10:18 66,560 --a------ C:\WINDOWS\MOTA113.exe
    2007-04-09 10:18 502,784 --a------ C:\WINDOWS\x2.64.exe
    2007-04-09 10:18 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
    2007-04-09 10:18 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
    2007-04-09 10:18 240,128 --a------ C:\WINDOWS\system32\x.264.exe
    2007-04-09 10:18 217,073 --a------ C:\WINDOWS\meta4.exe
    2007-04-09 10:18 <DIR> d--hs---- C:\WINDOWS\system32\ShellDHCP
    2007-04-09 10:08 <DIR> d-------- C:\Program Files\eRightSoft
    2007-04-07 13:15 <DIR> d-------- C:\Program Files\Network Stumbler
    2007-04-07 13:02 <DIR> d-------- C:\Program Files\WorldUnlock Codes Calculator
    2007-04-05 14:55 <DIR> d-------- C:\Bug
    2007-04-02 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-04-02 14:41 <DIR> d-------- C:\Program Files\Yahoo!
    2007-03-31 18:23 <DIR> d-------- C:\Program Files\uTorrent
    2007-03-31 18:23 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\uTorrent
    2007-03-28 15:34 <DIR> d-------- C:\Program Files\BitTorrent


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-29 02:47 1393 --ahs---- C:\WINDOWS\system32\mmf.sys
    2007-04-28 21:18 -------- d-------- C:\Program Files\messengerskinner
    2007-04-28 19:37 -------- d-------- C:\Program Files\superantispyware
    2007-04-27 19:44 -------- d-------- C:\Program Files\system control manager
    2007-04-27 19:43 -------- d-------- C:\Program Files\messenger
    2007-04-27 19:42 -------- d-------- C:\Program Files\msn messenger
    2007-04-27 19:41 -------- d-------- C:\Program Files\google
    2007-04-26 20:56 810 --a------ C:\WINDOWS\mozver.dat
    2007-04-26 20:36 248988 --a------ C:\WINDOWS\system32\hogupelx_nav.dat
    2007-04-26 16:25 -------- d-------- C:\Program Files\Common Files\wise installation wizard
    2007-04-22 18:10 -------- d-------- C:\Program Files\speedfan
    2007-04-14 15:55 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
    2007-04-12 12:58 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-05 10:17 -------- d-------- C:\Program Files\konami
    2007-03-31 18:15 1386496 --a------ C:\WINDOWS\system32\msvbvm60.dll
    2007-03-28 15:10 737280 --a------ C:\WINDOWS\iun6002.exe
    2007-03-26 22:27 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\talkback
    2007-03-19 19:52 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
    2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
    2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
    2007-03-13 16:42 -------- d-------- C:\Program Files\ea sports
    2007-03-13 16:39 -------- d-------- C:\Program Files\codec pack - all in 1
    2007-03-10 09:10 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\desksoft
    2007-03-08 18:40 -------- d-------- C:\Program Files\codemasters
    2007-03-08 16:23 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-03-08 16:23 298104 --a------ C:\WINDOWS\system32\imon.dll
    2007-03-08 16:23 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-03-04 17:34 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\hamachi
    2007-03-04 13:21 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
    2007-03-04 13:21 165376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
    2007-02-21 20:08 967 --a------ C:\WINDOWS\scunin.pif
    2007-02-21 20:08 94208 --a------ C:\WINDOWS\scunin.exe
    2007-02-21 20:08 35382 --a------ C:\WINDOWS\scunin.dat
    2007-02-06 15:31 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
    2007-02-06 15:05 855 --a------ C:\WINDOWS\ereg.dat
    2007-02-01 16:28 5501 --a------ C:\WINDOWS\system32\rtclcmg32.dll
    2007-01-05 21:19 62 --ahs---- C:\DOCUME~1\Dean\APPLIC~1\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {07024E18-9052-49B6-B718-2F9C5E95EECC} C:\WINDOWS\system32\ddayx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATICCC "= "\ "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay "
    "nod32kui "= "\ "C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE "
    "RemoteControl "= "\ "C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\" "
    "MGSysCtrl "= "C:\\Program Files\\System Control Manager\\MGSysCtrl.exe "
    "NeroFilterCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "vcdplayx "= "\ "C:\\WINDOWS\\vcdplayx.exe\" "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\" "
    "Comodo Firewall "= "\ "C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background "
    "tsnp2std "= "C:\\WINDOWS\\tsnp2std.exe "
    "snp2std "= "C:\\WINDOWS\\vsnp2std.exe "
    "RTHDCPL "= "RTHDCPL.EXE "
    "Alcmtr "= "ALCMTR.EXE "
    "AGRSMMSG "= "AGRSMMSG.exe "
    "VirtualDrive "= "\ "C:\\Program Files\\FarStone\\VirtualDrive\\VDTask.exe\" /AutoRestore "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "\ "C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Power2GoExpress "= "\ "C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\" /Startup "
    "messengerskinner "= "C:\\Program Files\\MessengerSkinner\\MessengerSkinner.exe "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "HideClock "=dword:00000000
    "NoManageMyComputerVerb "=dword:00000000
    "NoLowDiskSpaceChecks "=dword:00000000
    "NoCDBurning "=dword:00000000
    "NoStartMenuPinnedList "=dword:00000000
    "NoStartMenuMFUprogramsList "=dword:00000000
    "NoUserNameInStartMenu "=dword:00000000
    "StartmenuLogoff "=dword:00000000
    "NoStartMenuSubFolders "=dword:00000000
    "NoCommonGroups "=dword:00000000
    "NoRecentDocsMenu "=dword:00000000
    "ClearRecentDocsOnExit "=dword:00000000
    "NoPrinterTabs "=dword:00000000
    "NoDeletePrinter "=dword:00000000
    "NoAddPrinter "=dword:00000000
    "NoPrinters "=dword:00000000
    "NoNetworkConnections "=dword:00000000
    "NoFavoritesMenu "=dword:00000000
    "NoSMHelp "=dword:00000000
    "NoChangeStartMenu "=dword:00000000
    "NoFileMenu "=dword:00000000
    "NoShellSearchButton "=dword:00000000
    "NoToolbarCustomize "=dword:00000000
    "NoRecentDocsNetHood "=dword:00000000
    "NoChangeAnimation "=dword:00000000
    "NoChangeKeyboardNavigationIndicators "=dword:00000000
    "NoThemesTab "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source REG_SZ http://www.moljac.hr/skripte/phpAdsNew/adview.php?what=zone:22&n=a871ad19

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source REG_SZ file:///C:/DOCUME~1/Dean/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=" "
    "{058DB58B-1A37-44F6-8910-04332FECADCB} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayx

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
    "backup "= "C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE "
    "item "= "BlueSoleil "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SUPERAntiSpyware "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "GoogleToolbarNotifier "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba35f815-a715-11db-b499-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7089da8-9d05-11db-b438-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-29 02:57:02
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 07-04-29 2:57:05
    C:\ComboFix-quarantined-files.txt ... 07-04-29 02:57
    C:\ComboFix2.txt ... 07-04-28 21:10


    Logfile of HijackThis v1.99.1
    Scan saved at 2:57:44, on 29.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\System Control Manager\edd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
    O2 - BHO: (no name) - {07024E18-9052-49B6-B718-2F9C5E95EECC} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe
     
  16. 2007/04/28
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi

    Please download the Killbox by Option^Explicit.

    Note: In the event you already have Killbox, this is a new version that I need you to download.
    • Save it to your desktop.
    • Please double-click Killbox.exe to run it.
    • Select:
      • Delete on Reboot
      • then Click on the All Files button.
    • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\Program Files\TEXTware\QUICKfind\PlugIns\IEHelp.dll
      C:\WINDOWS\system32\xyadd.ini2
      C:\WINDOWS\system32\xyadd.bak2
      C:\WINDOWS\system32\ddayx.dll

    • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
    • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

    If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

    Please post a new ComboFix log and a new HJT log.

    Thanks
    Geri
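    The Delete on Reboot step above works by queueing the paths in the registry value Killbox's prompt refers to, PendingFileRenameOperations, which Session Manager processes early in the next boot before the files can be locked again. As an added example (not Geri's instructions and not Killbox's own code), the Python below encodes the four paths into that value's REG_MULTI_SZ layout, decodes a value back, and reports which intended deletions are not queued; that is the check to make before rebooting, and an emptied value is what remains when another process clears the queue. Reading the live registry is omitted; every value byte is constructed inline.

```python
"""Encode, decode and verify Windows PendingFileRenameOperations entries.

Killbox's "Delete on Reboot" relies on the same mechanism as
MoveFileEx(..., MOVEFILE_DELAY_UNTIL_REBOOT): the request is queued in the
REG_MULTI_SZ value
  HKLM\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\PendingFileRenameOperations
and Session Manager performs it at the next boot. The value is a flat list of
NUL-terminated UTF-16LE strings in source/destination pairs; paths carry the NT
prefix "\\??\\", an empty destination means "delete the source", and the list
ends with one extra NUL.

Registry access is deliberately left out so this runs on any platform: the
value bytes below are constructed samples, not data taken from the thread.
"""
from __future__ import annotations

NT_PREFIX = "\\??\\"

# The paths Geri asked to be queued (as listed in the post above).
KILLBOX_PATHS = (
    r"C:\Program Files\TEXTware\QUICKfind\PlugIns\IEHelp.dll",
    r"C:\WINDOWS\system32\xyadd.ini2",
    r"C:\WINDOWS\system32\xyadd.bak2",
    r"C:\WINDOWS\system32\ddayx.dll",
)

# An emptied REG_MULTI_SZ: only the list terminator is left. This is what
# remains after another process wipes the queued operations.
EMPTY_VALUE = "\0".encode("utf-16-le")


def to_nt_path(path: str) -> str:
    """Give a Win32 path the \\??\\ prefix Session Manager expects (idempotent)."""
    return path if path.startswith(NT_PREFIX) else NT_PREFIX + path


def to_win32_path(nt_path: str) -> str:
    """Strip the \\??\\ prefix and the optional '!' (replace-existing) marker."""
    return nt_path.lstrip("!").removeprefix(NT_PREFIX)


def encode_pending_ops(ops: list[tuple[str, str]]) -> bytes:
    """Build the REG_MULTI_SZ bytes for a list of (source, destination) pairs.

    An empty destination queues a delete; a non-empty one queues a rename.
    """
    strings: list[str] = []
    for src, dst in ops:
        strings.append(to_nt_path(src))
        strings.append(to_nt_path(dst) if dst else "")
    # Each string is NUL-terminated and the list gets a final NUL of its own.
    return ("".join(s + "\0" for s in strings) + "\0").encode("utf-16-le")


def decode_pending_ops(raw: bytes) -> list[tuple[str, str]]:
    """Parse REG_MULTI_SZ bytes back into (source, destination) pairs."""
    text = raw.decode("utf-16-le")
    if text.endswith("\0"):
        text = text[:-1]                  # drop the list terminator
    items = text.split("\0")
    if items and items[-1] == "":
        items.pop()                       # left over from the last string's own NUL
    if len(items) % 2:
        raise ValueError("value is not made of source/destination pairs")
    return [(items[i], items[i + 1]) for i in range(0, len(items), 2)]


def queued_deletions(raw: bytes) -> set[str]:
    """Win32 paths (case-folded) that the current value will delete on reboot."""
    return {
        to_win32_path(src).casefold()
        for src, dst in decode_pending_ops(raw)
        if dst == ""
    }


def missing_deletions(raw: bytes, intended: tuple[str, ...] | list[str]) -> list[str]:
    """Intended deletions that are NOT queued in the value.

    Run before rebooting to confirm the queue; a non-empty result after the
    fact explains why the files are still on disk.
    """
    queued = queued_deletions(raw)
    return [p for p in intended if p.casefold() not in queued]


if __name__ == "__main__":
    queued = encode_pending_ops([(p, "") for p in KILLBOX_PATHS])
    print("queued as Killbox would:", missing_deletions(queued, KILLBOX_PATHS) or "all present")
    print("after the value was wiped:", missing_deletions(EMPTY_VALUE, KILLBOX_PATHS))
```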
     
  17. 2007/04/29
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    Well, I have a problem. I did that select all, copy and I tried to post it in that box, but I couldn't. Like they aren't there. Then I posted them one by one, inside, close to each other. But when I clicked delete it wrote "PendingFileRenameOperations prompt" and I don't know if it has been deleted. But it didn't reboot (I have set it on delete on reboot). Then I manually rebooted.

    When I opened Killbox again I went to File, Paste from Clipboard and then the delete button, but it writes that I don't have anything to delete.

    What should I do?
     
  18. 2007/04/29
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    Well, I have a problem. I did that select all, copy and I tried to post it in that box, but I couldn't. Like they aren't there. Then I posted them one by one, inside, close to each other. But when I clicked delete it wrote "PendingFileRenameOperations prompt" and I don't know if it has been deleted. But it didn't reboot (I have set it on delete on reboot). Then I manually rebooted.

    When I opened Killbox again I went to File, Paste from Clipboard and then the delete button, but it writes that I don't have anything to delete.

    What should I do?


    Sorry for bothering you, but I can't delete them like that. Should I do it one by one?
     
  19. 2007/04/29
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
    Oh, I understand it now. Sorry, I read it wrong. OK, I did that and this is the Killbox log, but I don't understand why it didn't delete that first one. It deleted the files in system32 but not that plugin.


    Pocket Killbox version 2.0.0.648
    Running on Windows XP as Dean(Administrator)
    was started @ nedjelja, travanj 29, 2007, 12:47 PM

    # 1 [Delete on Reboot]
    Path = C:\WINDOWS\system32\xyadd.ini2


    # 2 [Delete on Reboot]
    Path = C:\WINDOWS\system32\xyadd.bak2


    # 3 [Delete on Reboot]
    Path = C:\WINDOWS\system32\ddayx.dll


    PendingFileRenameOperations Registry Data has been Removed by External Process! @ 12:52:06 PM
    Killbox Closed(Exit) @ 12:52:19 PM


    Hm, I don't understand why ComboFix shows that I have those files on the computer that Killbox should delete.


    "Dean" - 07-04-29 13:00:28 Service Pack 2
    ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\Dean\Desktop\ "


    ((((((((((((((((((((((((((((((( Files Created from 2007-03-28 to 2007-04-29 ))))))))))))))))))))))))))))))))))


    2007-04-29 10:12 <DIR> d-------- C:\!KillBox
    2007-04-28 21:17 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-04-28 20:53 <DIR> d-------- C:\DOCUME~1\Dean\New Folder
    2007-04-28 19:31 490,307 ---hs---- C:\WINDOWS\system32\xyadd.ini2
    2007-04-28 19:04 49,152 --a------ C:\WINDOWS\nircmd.exe
    2007-04-28 12:34 0 --a------ C:\WINDOWS\system32\CMMGR32.EXE
    2007-04-28 11:14 <DIR> d--h----- C:\Program Files\WindowsUpdate
    2007-04-28 11:14 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-04-28 10:11 <DIR> d-------- C:\VundoFix Backups
    2007-04-27 23:18 491,104 ---hs---- C:\WINDOWS\system32\xyadd.bak2
    2007-04-27 23:18 284,244 --------- C:\WINDOWS\system32\ddayx.dll
    2007-04-27 19:33 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
    2007-04-27 14:40 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-04-27 14:39 <DIR> d---s---- C:\DOCUME~1\Dean\UserData
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Scorpio Software
    2007-04-27 14:24 <DIR> d-------- C:\Program Files\Common Files\scosoft.com
    2007-04-27 14:16 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-04-26 15:43 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\SuperAdBlocker.com
    2007-04-24 00:49 <DIR> d-------- C:\Program Files\Enigma Software Group
    2007-04-23 21:38 <DIR> d-------- C:\Program Files\Trustix
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Comodo
    2007-04-23 20:57 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo
    2007-04-23 18:12 28 --a------ C:\WINDOWS\system32\substpntx8.dll
    2007-04-23 18:11 <DIR> d-------- C:\Program Files\WinTools
    2007-04-23 17:42 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Sereniti
    2007-04-21 12:21 <DIR> d-------- C:\Program Files\CatchTheSperm2
    2007-04-21 12:21 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Phenomedia
    2007-04-21 12:20 <DIR> d-------- C:\Program Files\KraiSoft
    2007-04-21 12:05 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\Oxford
    2007-04-21 12:04 99,092 --a------ C:\WINDOWS\system32\bass.dll
    2007-04-21 12:04 88,064 --a------ C:\WINDOWS\system32\idiom010227.dll
    2007-04-21 12:04 34,304 --a------ C:\WINDOWS\system32\lfbmp10N.dll
    2007-04-21 12:04 297,472 --a------ C:\WINDOWS\system32\ltkrn10N.dll
    2007-04-21 12:04 266,752 --a------ C:\WINDOWS\system32\LFCMP10N.DLL
    2007-04-21 12:04 231,424 --a------ C:\WINDOWS\system32\LTDIS10N.dll
    2007-04-21 12:04 199,168 --a------ C:\WINDOWS\system32\Illprs.dll
    2007-04-21 12:04 160,768 --a------ C:\WINDOWS\system32\ILLKRN.DLL
    2007-04-21 12:04 147,456 --a------ C:\WINDOWS\system32\Twavbx32.dll
    2007-04-21 12:04 143,360 --a------ C:\WINDOWS\system32\ILXTBS.DLL
    2007-04-21 12:04 134,144 --a------ C:\WINDOWS\system32\lfpng10N.dll
    2007-04-21 12:04 115,200 --a------ C:\WINDOWS\system32\UnzDll.dll
    2007-04-21 12:04 114,176 --a------ C:\WINDOWS\system32\ltimg10N.dll
    2007-04-21 12:04 103,424 --a------ C:\WINDOWS\system32\ltfil10N.DLL
    2007-04-21 12:04 <DIR> d-------- C:\Program Files\TEXTware
    2007-04-21 12:01 <DIR> d-------- C:\Program Files\Oxford
    2007-04-14 20:13 <DIR> d-------- C:\Program Files\Common Files\Teleca Shared
    2007-04-14 15:55 409,600 --a------ C:\WINDOWS\system32\wrap_oal.dll
    2007-04-14 15:55 114,688 --a------ C:\WINDOWS\system32\OpenAL32.dll
    2007-04-14 15:55 <DIR> d-------- C:\Program Files\OpenAL
    2007-04-12 13:07 <DIR> d-------- C:\Program Files\LittleFighter2
    2007-04-10 08:56 <DIR> d-------- C:\games
    2007-04-09 15:46 <DIR> d-------- C:\DOCUME~1\Dean\dwhelper
    2007-04-09 15:35 <DIR> d-------- C:\WINDOWS\FLV Player
    2007-04-09 15:35 <DIR> d-------- C:\Program Files\FLV Player
    2007-04-09 10:18 845,312 --a------ C:\WINDOWS\system32\Smab.dll
    2007-04-09 10:18 719,872 --a------ C:\WINDOWS\system32\devil.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\yv12vfw.dll
    2007-04-09 10:18 70,656 --a------ C:\WINDOWS\system32\i420vfw.dll
    2007-04-09 10:18 66,560 --a------ C:\WINDOWS\MOTA113.exe
    2007-04-09 10:18 502,784 --a------ C:\WINDOWS\x2.64.exe
    2007-04-09 10:18 306,688 --a------ C:\WINDOWS\system32\avisynth.dll
    2007-04-09 10:18 27,648 --a------ C:\WINDOWS\system32\AVSredirect.dll
    2007-04-09 10:18 240,128 --a------ C:\WINDOWS\system32\x.264.exe
    2007-04-09 10:18 217,073 --a------ C:\WINDOWS\meta4.exe
    2007-04-09 10:18 <DIR> d--hs---- C:\WINDOWS\system32\ShellDHCP
    2007-04-09 10:08 <DIR> d-------- C:\Program Files\eRightSoft
    2007-04-07 13:15 <DIR> d-------- C:\Program Files\Network Stumbler
    2007-04-07 13:02 <DIR> d-------- C:\Program Files\WorldUnlock Codes Calculator
    2007-04-05 14:55 <DIR> d-------- C:\Bug
    2007-04-02 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Yahoo! Companion
    2007-04-02 14:41 <DIR> d-------- C:\Program Files\Yahoo!
    2007-03-31 18:23 <DIR> d-------- C:\Program Files\uTorrent
    2007-03-31 18:23 <DIR> d-------- C:\DOCUME~1\Dean\APPLIC~1\uTorrent
    2007-03-28 15:34 <DIR> d-------- C:\Program Files\BitTorrent


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2007-04-29 12:54 1393 --ahs---- C:\WINDOWS\system32\mmf.sys
    2007-04-29 12:44 -------- d-------- C:\Program Files\messengerskinner
    2007-04-29 12:42 -------- d-------- C:\Program Files\superantispyware
    2007-04-27 19:44 -------- d-------- C:\Program Files\system control manager
    2007-04-27 19:43 -------- d-------- C:\Program Files\messenger
    2007-04-27 19:42 -------- d-------- C:\Program Files\msn messenger
    2007-04-27 19:41 -------- d-------- C:\Program Files\google
    2007-04-26 20:56 810 --a------ C:\WINDOWS\mozver.dat
    2007-04-26 20:36 248988 --a------ C:\WINDOWS\system32\hogupelx_nav.dat
    2007-04-26 16:25 -------- d-------- C:\Program Files\Common Files\wise installation wizard
    2007-04-22 18:10 -------- d-------- C:\Program Files\speedfan
    2007-04-14 15:55 108144 --a------ C:\WINDOWS\system32\cmdlineext.dll
    2007-04-12 12:58 -------- d--h----- C:\Program Files\installshield installation information
    2007-04-05 10:17 -------- d-------- C:\Program Files\konami
    2007-03-31 18:15 1386496 --a------ C:\WINDOWS\system32\msvbvm60.dll
    2007-03-28 15:10 737280 --a------ C:\WINDOWS\iun6002.exe
    2007-03-26 22:27 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\talkback
    2007-03-19 19:52 -------- d-------- C:\Program Files\Common Files\systemrequirementslab
    2007-03-15 12:23 497496 --a------ C:\WINDOWS\system32\xceedzip.dll
    2007-03-15 12:19 526184 --a------ C:\WINDOWS\system32\xceedcry.dll
    2007-03-13 16:42 -------- d-------- C:\Program Files\ea sports
    2007-03-13 16:39 -------- d-------- C:\Program Files\codec pack - all in 1
    2007-03-10 09:10 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\desksoft
    2007-03-08 18:40 -------- d-------- C:\Program Files\codemasters
    2007-03-08 16:23 512096 --a------ C:\WINDOWS\system32\drivers\amon.sys
    2007-03-08 16:23 298104 --a------ C:\WINDOWS\system32\imon.dll
    2007-03-08 16:23 15424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys
    2007-03-04 17:34 -------- d-------- C:\DOCUME~1\Dean\APPLIC~1\hamachi
    2007-03-04 13:21 18048 --a------ C:\WINDOWS\system32\drivers\lirsgt.sys
    2007-03-04 13:21 165376 --a------ C:\WINDOWS\system32\drivers\atksgt.sys
    2007-02-21 20:08 967 --a------ C:\WINDOWS\scunin.pif
    2007-02-21 20:08 94208 --a------ C:\WINDOWS\scunin.exe
    2007-02-21 20:08 35382 --a------ C:\WINDOWS\scunin.dat
    2007-02-06 15:31 43520 --a------ C:\WINDOWS\system32\cmdlineext03.dll
    2007-02-06 15:05 855 --a------ C:\WINDOWS\ereg.dat
    2007-02-01 16:28 5501 --a------ C:\WINDOWS\system32\rtclcmg32.dll
    2007-01-05 21:19 62 --ahs---- C:\DOCUME~1\Dean\APPLIC~1\desktop.ini


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
    {558F73CD-4EF6-42D0-93BB-8B36E0BD781D} C:\WINDOWS\system32\ddayx.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "ATICCC "= "\ "C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay "
    "nod32kui "= "\ "C:\\Program Files\\Eset\\nod32kui.exe\" /WAITSERVICE "
    "RemoteControl "= "\ "C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\" "
    "MGSysCtrl "= "C:\\Program Files\\System Control Manager\\MGSysCtrl.exe "
    "NeroFilterCheck "= "C:\\WINDOWS\\system32\\NeroCheck.exe "
    "vcdplayx "= "\ "C:\\WINDOWS\\vcdplayx.exe\" "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.5.0_11\\bin\\jusched.exe\" "
    "Comodo Firewall "= "\ "C:\\Program Files\\Comodo\\Firewall\\CPF.exe\" /background "
    "tsnp2std "= "C:\\WINDOWS\\tsnp2std.exe "
    "snp2std "= "C:\\WINDOWS\\vsnp2std.exe "
    "RTHDCPL "= "RTHDCPL.EXE "
    "Alcmtr "= "ALCMTR.EXE "
    "AGRSMMSG "= "AGRSMMSG.exe "
    "VirtualDrive "= "\ "C:\\Program Files\\FarStone\\VirtualDrive\\VDTask.exe\" /AutoRestore "
    "!AVG Anti-Spyware "= "\ "C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "CTFMON.EXE "= "C:\\WINDOWS\\system32\\ctfmon.exe "
    "BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} "= "\ "C:\\Program Files\\Common Files\\Ahead\\lib\\NMBgMonitor.exe\" "
    "MSMSGS "= "\ "C:\\Program Files\\Messenger\\msmsgs.exe\" /background "
    "Power2GoExpress "= "\ "C:\\Program Files\\CyberLink\\Power2Go\\Power2GoExpress.exe\" /Startup "
    "messengerskinner "= "C:\\Program Files\\MessengerSkinner\\MessengerSkinner.exe "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "HideClock "=dword:00000000
    "NoManageMyComputerVerb "=dword:00000000
    "NoLowDiskSpaceChecks "=dword:00000000
    "NoCDBurning "=dword:00000000
    "NoStartMenuPinnedList "=dword:00000000
    "NoStartMenuMFUprogramsList "=dword:00000000
    "NoUserNameInStartMenu "=dword:00000000
    "StartmenuLogoff "=dword:00000000
    "NoStartMenuSubFolders "=dword:00000000
    "NoCommonGroups "=dword:00000000
    "NoRecentDocsMenu "=dword:00000000
    "ClearRecentDocsOnExit "=dword:00000000
    "NoPrinterTabs "=dword:00000000
    "NoDeletePrinter "=dword:00000000
    "NoAddPrinter "=dword:00000000
    "NoPrinters "=dword:00000000
    "NoNetworkConnections "=dword:00000000
    "NoFavoritesMenu "=dword:00000000
    "NoSMHelp "=dword:00000000
    "NoChangeStartMenu "=dword:00000000
    "NoFileMenu "=dword:00000000
    "NoShellSearchButton "=dword:00000000
    "NoToolbarCustomize "=dword:00000000
    "NoRecentDocsNetHood "=dword:00000000
    "NoChangeAnimation "=dword:00000000
    "NoChangeKeyboardNavigationIndicators "=dword:00000000
    "NoThemesTab "=dword:00000000

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
    Source REG_SZ http://www.moljac.hr/skripte/phpAdsNew/adview.php?what=zone:22&amp;n=a871ad19

    [HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
    Source REG_SZ file:///C:/DOCUME~1/Dean/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA} "=" "
    "{058DB58B-1A37-44F6-8910-04332FECADCB} "=" "
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8} "= "AVG Anti-Spyware 7.5 "

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddayx

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
    Authentication Packages REG_MULTI_SZ msv1_0\0\0
    Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
    Notification Packages REG_MULTI_SZ scecli\0\0


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^BlueSoleil.lnk]
    "backup "= "C:\\WINDOWS\\pss\\BlueSoleil.lnkCommon Startup "
    "location "= "Common Startup "
    "command "= "C:\\PROGRA~1\\IVTCOR~1\\BLUESO~1\\BLUESO~1.EXE "
    "item "= "BlueSoleil "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SUPERAntiSpyware]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "SUPERAntiSpyware "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    "key "= "SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run "
    "item "= "GoogleToolbarNotifier "
    "hkey "= "HKCU "
    "command "= "C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.908.8472\\GoogleToolbarNotifier.exe "
    "inimapping "= "0 "

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba35f815-a715-11db-b499-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d7089da8-9d05-11db-b438-0013d38082ec}]
    Shell\AutoRun\command E:\PStart.exe


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\Check Updates for Windows Live Toolbar.job

    ********************************************************************

    catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-04-29 13:04:31
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden services ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden processes: 0
    hidden services: 0
    hidden files: 0


    ********************************************************************

    Completion time: 07-04-29 13:04:34
    C:\ComboFix-quarantined-files.txt ... 07-04-29 13:04
    C:\ComboFix2.txt ... 07-04-29 11:53
    C:\ComboFix3.txt ... 07-04-29 02:57








    Logfile of HijackThis v1.99.1
    Scan saved at 13:06:40, on 29.4.2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Eset\nod32kui.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\Program Files\System Control Manager\MGSysCtrl.exe
    C:\WINDOWS\vcdplayx.exe
    C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
    C:\WINDOWS\tsnp2std.exe
    C:\WINDOWS\vsnp2std.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\WINDOWS\AGRSMMSG.exe
    C:\Program Files\FarStone\VirtualDrive\VDTask.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe
    C:\WINDOWS\runservice.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe
    C:\Program Files\System Control Manager\edd.exe
    C:\Program Files\Eset\nod32krn.exe
    C:\WINDOWS\system32\o2flash.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\RALINK\Common\RaUI.exe
    C:\Program Files\WinZip\WZQKPICK.EXE
    C:\WINDOWS\system32\wscntfy.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\HijackThis\Killer.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
    O2 - BHO: (no name) - {558F73CD-4EF6-42D0-93BB-8B36E0BD781D} - C:\WINDOWS\system32\ddayx.dll
    O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
    O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe "
    O4 - HKLM\..\Run: [MGSysCtrl] C:\Program Files\System Control Manager\MGSysCtrl.exe
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [vcdplayx] "C:\WINDOWS\vcdplayx.exe "
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe "
    O4 - HKLM\..\Run: [Comodo Firewall] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
    O4 - HKLM\..\Run: [tsnp2std] C:\WINDOWS\tsnp2std.exe
    O4 - HKLM\..\Run: [snp2std] C:\WINDOWS\vsnp2std.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
    O4 - HKLM\..\Run: [VirtualDrive] "C:\Program Files\FarStone\VirtualDrive\VDTask.exe" /AutoRestore
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\lib\NMBgMonitor.exe "
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Power2GoExpress] "C:\Program Files\CyberLink\Power2Go\Power2GoExpress.exe" /Startup
    O4 - HKCU\..\Run: [messengerskinner] C:\Program Files\MessengerSkinner\MessengerSkinner.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Ralink Wireless Utility.lnk = C:\Program Files\RALINK\Common\RaUI.exe
    O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
    O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
    O8 - Extra context menu item: Download all links using BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
    O8 - Extra context menu item: Download link using &BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {BE833F39-1E0C-468C-BA70-25AAEE55775E} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab.cab
    O17 - HKLM\System\CCS\Services\Tcpip\..\{18C3EE64-0931-4A86-9115-58A617B994F2}: NameServer = 195.29.150.3,195.29.150.4
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: ddayx - C:\WINDOWS\system32\ddayx.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: LicCtrl Service (LicCtrlService) - Unknown owner - C:\WINDOWS\runservice.exe
    O23 - Service: SCM Driver Daemon (NishService) - Unknown owner - C:\Program Files\System Control Manager\edd.exe
    O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
    O23 - Service: O2Micro Flash Memory (O2Flash) - Unknown owner - C:\WINDOWS\system32\o2flash.exe









    BTW, my computer is running very slow on startup. Later it's OK, but when loading Windows it's slow. Is that because of the virus, or because I have all those tools like NOD32, AdAware, SuperAntiSpyware, Killbox, ComboFix, AVG Anti-Spyware and VundoFix?
     
  20. 2007/04/29
    fball

    fball Inactive Thread Starter

    Joined:
    2007/04/27
    Messages:
    51
    Likes Received:
    0
  21. 2007/04/29
    Geri Lifetime Subscription

    Geri Inactive Alumni

    Joined:
    2003/03/02
    Messages:
    4,580
    Likes Received:
    7
    Hi
    OK, let's try it manually.

    Also, enable the 'Show Hidden Files/Folders' option, like this:
    Click Start.
    Open My Computer.
    Select the Tools menu and click Folder Options.
    Select the View Tab. Under the Hidden files and folders heading select Show hidden files and folders.
    Uncheck the Hide protected operating system files (recommended) option.
    Click Yes to confirm.
    Click OK.

    Reboot into safe mode.
    Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode

    Using Windows Explorer (to get there, right-click your Start button and go to "Explore"), please delete these files (if present):

    C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\xyadd.bak2
    C:\WINDOWS\system32\xyadd.ini2


    After that, Reboot.

    Please run AVG Anti-Spyware again.
    On the last run you have this... No action taken.
    When you do the setup you need to make sure you set it to Quarantine.
    Follow these instructions exactly.

    1. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    2. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    3. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    4. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-select "Only if threats were found"
    Close AVG Anti-Spyware. Do not run a scan just yet; we will shortly.
    1. Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode, then hit Enter.
      IMPORTANT: Do not open any other windows or programs while AVG Anti-Spyware is scanning; it may interfere with the scanning process.
    2. Launch AVG Anti-Spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab, then click on "Complete System Scan".
    4. AVG Anti-Spyware will now begin the scanning process; be patient, this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted; then select "Apply all actions".
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file; this is important).
    8. Close AVG Anti-Spyware and reboot your system back into Normal Mode, and post the results of the AVG Anti-Spyware report scan.

    Please post the new AVG log, a new ComboFix log and a new HJT log.
    Geri
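As an added example (not part of this thread, and not a feature of HijackThis or AVG Anti-Spyware), the following Python script shows how the kind of triage Geri did by eye on the HJT log above can be automated: it parses O2/O3/O4/O20/O23 lines, lists entries whose registered file is already gone ("(no file)"), finds any DLL that is hooked both as a BHO and as a Winlogon Notify handler (the pairing ddayx.dll shows in this log, which Vundo-family infections are known for), and cross-checks the log against a list of files a helper has asked to be deleted. The sample lines are a subset copied from the log posted in this thread; the removal list is the one from Geri's post; all function names are my own.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the HijackThis v1.99.1 lines posted in the thread.
SAMPLE_LOG = """\
O2 - BHO: (no name) - {058DB58B-1A37-44F6-8910-04332FECADCB} - (no file)
O2 - BHO: (no name) - {558F73CD-4EF6-42D0-93BB-8B36E0BD781D} - C:\\WINDOWS\\system32\\ddayx.dll
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\\program files\\google\\googletoolbar3.dll
O4 - HKLM\\..\\Run: [nod32kui] "C:\\Program Files\\Eset\\nod32kui.exe" /WAITSERVICE
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.dll
O20 - Winlogon Notify: ddayx - C:\\WINDOWS\\system32\\ddayx.dll
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\\Program Files\\Eset\\nod32krn.exe
"""

# The files the helper asked to be deleted in Safe Mode (from the post above).
REMOVAL_LIST = [
    r"C:\WINDOWS\system32\ddayx.dll",
    r"C:\WINDOWS\system32\xyadd.bak2",
    r"C:\WINDOWS\system32\xyadd.ini2",
]

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d+) - (?P<body>.*)$")


def _normalize(path):
    """Lower-case and strip quotes so paths compare the way Windows treats them."""
    return path.strip().strip('"').lower()


def parse_hjt(text):
    """Turn HijackThis lines into dicts: section, raw line, item name, file path."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if not m:
            continue  # header, process list, blank line
        sec, body = m.group("sec"), m.group("body")
        entry = {"section": sec, "raw": raw, "name": None, "path": None}
        if sec in ("O2", "O3", "O20", "O23"):
            # "Kind: name - {clsid} - path", "Winlogon Notify: name - path",
            # "Service: name - owner - path": the path is always the last field.
            parts = [p.strip() for p in body.split(" - ")]
            entry["name"] = parts[0].split(": ", 1)[-1]
            entry["path"] = _normalize(parts[-1]) if len(parts) > 1 else None
        elif sec == "O4":
            # "HKLM\..\Run: [name] "path" args" or "...: [name] path args"
            m4 = re.match(r".*?: \[(?P<name>[^\]]+)\]\s*(?P<cmd>.*)$", body)
            if m4:
                entry["name"] = m4.group("name")
                cmd = m4.group("cmd")
                quoted = re.match(r'"([^"]+)"', cmd)
                entry["path"] = _normalize(quoted.group(1) if quoted else cmd.split()[0])
        entries.append(entry)
    return entries


def orphaned_entries(entries):
    """Hooks whose file no longer exists: HijackThis prints '(no file)' for them."""
    return [e for e in entries if e["path"] == "(no file)"]


def dlls_in_multiple_hooks(entries, sections=("O2", "O20", "O21")):
    """Paths registered under more than one hook type, e.g. BHO and Winlogon Notify."""
    seen = defaultdict(set)
    for e in entries:
        if e["section"] in sections and e["path"] and e["path"] != "(no file)":
            seen[e["path"]].add(e["section"])
    return {p: s for p, s in seen.items() if len(s) > 1}


def entries_referencing(entries, file_list):
    """Log entries that point at a file on the removal list (case-insensitive)."""
    wanted = {_normalize(p) for p in file_list}
    return [e for e in entries if e["path"] in wanted]


def triage(text, removal_list):
    """Run all three checks and return a report dict."""
    entries = parse_hjt(text)
    return {
        "orphaned": [e["raw"] for e in orphaned_entries(entries)],
        "multi_hook": dlls_in_multiple_hooks(entries),
        "in_removal_list": [e["raw"] for e in entries_referencing(entries, removal_list)],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG, REMOVAL_LIST)
    for key, value in report.items():
        print(f"== {key} ==")
        print(value if isinstance(value, dict) else "\n".join(value))
```

Run against the sample, the script reports two orphaned BHO CLSIDs (leftover registry entries that scanners already removed the files for), ddayx.dll as the one DLL hooked both as O2 and O20, and the two log lines that will become dead once the Safe Mode deletion is done; after that deletion those O2/O20 entries should show "(no file)" in the next HJT log, which is what to look for before fixing them in HijackThis.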
     
