Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Got myself infected with some nasty stuff :(

Post by kevin strange » August 11th, 2006, 2:01 pm

Hey guys, my friend recommended your forum as the go-to place to deal with spyware nasties. Hope you can help! Here's my Hijackthis log...


Logfile of HijackThis v1.99.1
Scan saved at 12:59:22 PM, on 8/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\ms06391207727.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\{0C61AB1F-07D0-1033-0222-060509140001}\Update.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trillian\trillian.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\WINDOWS\wupdmgr.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Documents and Settings\Kevin\Desktop\HijackThis.exe

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wkfqa.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iflukit.exe
N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hackmovies.com/"); (C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\l1y26az2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\l1y26az2.slt\prefs.js)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\bvq.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [ms06391207727] C:\WINDOWS\ms06391207727.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -aim
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: (no name) - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra 'Tools' menuitem: Java - {4ABF810A-F11D-4169-9D5F-7D274F2270A1} - C:\WINDOWS\system32\dmonwv.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8231529321
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_j4f.dll
O21 - SSODL: SvcSys - {FEF44AB7-DE10-4B70-B20F-4C763B2B3030} - svcsys.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm

Post by agrarianmonk » August 11th, 2006, 2:25 pm

Welcome!! Please take note of the following while we are working together:
  • Your fix may take a couple of posts, so please be patient even if you don't see immediate results.
  • I will be working on your Malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine is clear. Absence of symptoms does not mean that everything is clear.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's definitely better to be sure and safe than sorry.

***************************************

Your log is a little difficult to read!
Open Notepad
At the top of notepad click on the Format tab and UNcheck wordwrap
Close Notepad
Now continue with the rest of the instructions.

***************************************

1. Download combofix.exe by sUBs and save it to your desktop.
2. <<Double click>> combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Warning: Please do not mouseclick combofix's window while it is running. This may cause it to stall.


Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.


Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Put a check next to Run VundoFix as a task.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: If Vundofix never reopens,
Using Windows Explorer navigate to C:\Windows\Tasks -folder
Locate the AT1.job
<<Right click>> that file and select Run

If AT1.job (or something similar) is not present, reboot and try running Vundofix again.
If you're still having the same issue, then just click the "Scan for Vundo" but without checking "Run Vundofix as a task." In 80% of the cases, that option works as well.


Because some malware may be hiding from Hijackthis, please rename Hijackthis to FindVundo and post a new hijackthis log.


In your next post, please include
  • new hijackthis log <--after renaming
  • combofix log
  • uninstall list


*use separate posts to ensure the logs don't get cut off!

*************************
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
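The helper above asks for the log re-posted with word-wrap off and points out that malware can hide from HijackThis. As an added example, not code from this forum or from the HijackThis authors, here is a small Python triage script that first re-joins entries that word-wrap has split over several lines and then flags the entries a first pass would read: F2 Shell/UserInit values carrying extra programs, O20 and O21 load points, and Run keys pointing at a file dropped straight under C:\WINDOWS. The sample log is constructed from a few entries in the first post (including one in its wrapped form); the stock system.ini values in F2_DEFAULTS and the regular expressions are the script's own assumptions.

```python
"""Triage helper for HijackThis 1.99.x logs.

Added example for this thread; not code from the forum or from HijackThis.
It does two things the thread runs into:
  * a log pasted with Notepad word-wrap on has single entries broken over
    several lines, so wrapped pieces are re-joined before parsing;
  * the entries worth a first look are the ones that hook process or
    logon startup (F2 Shell/UserInit, O20, O21) and Run keys pointing
    at files dropped straight under C:\\WINDOWS.
"""
import re

# Constructed sample: entries copied from the first post, including one
# (the O3 toolbar) in the word-wrapped form that post was pasted in.
SAMPLE_LOG = r"""F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\wkfqa.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,iflukit.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program

Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\bvq.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_j4f.dll
O21 - SSODL: SvcSys - {FEF44AB7-DE10-4B70-B20F-4C763B2B3030} - svcsys.dll (file missing)
"""

# Every HijackThis entry starts with a section tag such as O4, F2, N3, R1.
ENTRY_RE = re.compile(r"^(?:F\d|N\d|O\d{1,2}|R\d) - ")

# Run-key value whose target sits directly in C:\WINDOWS (no sub-folder).
WINDIR_RUN_RE = re.compile(
    r'^O4 - HK(?:LM|CU)\\\.\.\\Run: \[[^\]]*\] "?C:\\WINDOWS\\[^\\"\s]+\.exe',
    re.IGNORECASE,
)

# Assumed stock values of the two system.ini keys on Windows XP; any extra
# comma-separated item is the finding.
F2_DEFAULTS = {
    "shell": "explorer.exe",
    "userinit": r"c:\windows\system32\userinit.exe",
}


def unwrap(text):
    """Re-join entries that word-wrap split over several lines.

    Expects the entry section of the log (after the process list). A line
    that does not start with a section tag is the tail of the previous
    entry; blank lines left by wrapping are dropped, and a single space is
    restored at the join because Notepad wraps at a space.
    """
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if ENTRY_RE.match(line) or not entries:
            entries.append(line)
        else:
            entries[-1] += " " + line
    return entries


def check_f2(rest):
    """Return a reason string when Shell= or UserInit= carries extra programs."""
    m = re.match(r"REG:system\.ini: (\w+)=(.*)", rest)
    if not m:
        return None
    key, value = m.group(1).lower(), m.group(2)
    expected = F2_DEFAULTS.get(key)
    if expected is None:
        return f"unexpected system.ini key {key}"
    items = [t.strip() for t in value.split(",") if t.strip()]
    extras = [t for t in items if t.lower() != expected]
    if extras:
        return f"{key} also launches: {', '.join(extras)}"
    return None


def triage(text):
    """Return (tag, reason, entry) for the entries a first pass should read."""
    findings = []
    for entry in unwrap(text):
        tag, _, rest = entry.partition(" - ")
        reason = None
        if tag == "F2":
            reason = check_f2(rest)
        elif tag == "O20":
            reason = "DLL loaded at process or logon start (AppInit_DLLs / Winlogon Notify)"
        elif tag == "O21":
            reason = "ShellServiceObjectDelayLoad: DLL loaded by Explorer at logon"
        elif WINDIR_RUN_RE.match(entry):
            reason = "Run key points at a file directly under C:\\WINDOWS"
        if reason and "(file missing)" in entry:
            reason += "; file not on disk (stale entry, or hidden from the scanner)"
        if reason:
            findings.append((tag, reason, entry))
    return findings


if __name__ == "__main__":
    for tag, reason, entry in triage(SAMPLE_LOG):
        print(f"{tag:<4}{reason}\n    {entry}")
```

Run it as a script to see the five flagged entries from the sample; point `triage()` at the entry section of a real log to use it on one. The flags are a reading order for an analyst, not a verdict: O20 Winlogon Notify entries in this thread include legitimate Intel, Symantec and WGA DLLs, which is why the script labels the load point rather than calling the file bad.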

Post by kevin strange » August 11th, 2006, 3:17 pm

Thanks for the quick response, that was lightning fast! :)


First things first. Vundofix didn't re-open, it prompted me to install it again. I looked for it in c:\WINDOWS\Tasks but it was not present. I ran it without running as a task and it didn't find anything.

New Hijackthis Log:


Logfile of HijackThis v1.99.1
Scan saved at 2:16:23 PM, on 8/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\CCZoop05.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ms06391207727.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\{0C61AB1F-07D0-1033-0222-060509140001}\Update.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\Documents and Settings\Kevin\Desktop\findvundo.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hackmovies.com/"); (C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\l1y26az2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\l1y26az2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {A80D7DCB-BB7D-49FA-BEBA-E08154551ACE} - C:\Program Files\Windows NT\niwypahi.dll
O2 - BHO: (no name) - {C2BC7841-82DF-4890-AA87-22E26A7C5AEE} - C:\WINDOWS\system32\ddayw.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\bvq.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [ms06391207727] C:\WINDOWS\ms06391207727.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -aim
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8231529321
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_j4f.dll
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: SvcSys - {FEF44AB7-DE10-4B70-B20F-4C763B2B3030} - svcsys.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm

Post by kevin strange » August 11th, 2006, 3:17 pm

Combofix log:

Start Time= Fri 08/11/2006 13:42:55.09
Running from: C:\Documents and Settings\Kevin\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

13:44:26.14

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\hbnmad.exe
C:\WINDOWS\system32\hbnmad.exe
C:\WINDOWS\system32\wkfqa.exe
C:\WINDOWS\system32\iflukit.exe


* * * PRE-RUN - Filepaths extracted by Memory Dump * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\system32\wkfqa.exe
C:\WINDOWS\system32\ninnrlf.dll
C:\WINDOWS\system32\ninnrlf.dll
C:\WINDOWS\system32\mxdqm.dat
C:\WINDOWS\system32\iflukit.exe
C:\WINDOWS\system32\hbnmad.exe
C:\WINDOWS\system32\hbnmad.exe
C:\WINDOWS\system32\hbnmad.exe
C:\WINDOWS\fvutr.dll
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yiang.exe


* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-31 09:58:58 127,488 "C:\WINDOWS\system32\hbnmad.exe"
2006-07-30 12:46:20 10,261 "C:\WINDOWS\system32\tmp_0v.exe"
2006-07-31 09:58:58 28,672 "C:\WINDOWS\system32\wkfqa.exe"
2006-07-30 14:19:12 0 "C:\WINDOWS\system32\dllsys.dll"
2006-05-19 07:59:42 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 10:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-07-09 13:42:06 83,960 "C:\WINDOWS\system32\vsdata.dll"
2006-07-09 13:42:08 157,688 "C:\WINDOWS\system32\vsinit.dll"
2006-07-09 13:42:10 440,312 "C:\WINDOWS\system32\vsutil.dll"
2006-07-09 13:42:14 83,960 "C:\WINDOWS\system32\zlcomm.dll"
2006-07-31 09:58:58 23,552 "C:\WINDOWS\system32\iflukit.exe"
2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-06-01 13:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-18 00:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-07-31 09:58:58 51,712 "C:\WINDOWS\system32\ninnrlf.dll"
2006-06-22 05:47:18 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 10:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-07-30 12:44:18 4,096 "C:\WINDOWS\system32\win_j4f.dll"
2006-07-31 06:06:56 573,492 "C:\WINDOWS\system32\ddayw.dll"
2006-07-09 13:42:12 59,384 "C:\WINDOWS\system32\vswmi.dll"
2006-07-09 13:42:12 100,344 "C:\WINDOWS\system32\vsxml.dll"
2006-07-31 12:33:54 127,488 "C:\WINDOWS\system32\mxdqm.dat"
2006-08-11 12:57:46 434 "C:\WINDOWS\fvutr.dll"
2006-07-31 09:58:56 53 "C:\WINDOWS\bcqqbq.dat"
2006-07-31 09:58:58 127,488 "C:\Documents and Settings\All Users\Start Menu\Programs\Startup\yiang.exe"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


07/31/2006 12:33 PM 127,488 mxdqm.dat.vir
07/31/2006 09:58 AM 127,488 hbnmad.exe.vir
07/31/2006 09:58 AM 127,488 yiang.exe.vir
07/31/2006 09:58 AM 51,712 ninnrlf.dll.vir
07/31/2006 09:58 AM 28,672 wkfqa.exe.vir
07/31/2006 09:58 AM 23,552 iflukit.exe.vir
07/31/2006 09:58 AM 53 bcqqbq.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-06-19 16:19:26 304,944 "C:\WINDOWS\system32\WgaTray.exe"
2006-07-30 12:46:20 10,261 "C:\WINDOWS\system32\tmp_0v.exe"
2006-06-01 13:47:08 163,840 "C:\WINDOWS\system32\jgdw400.dll"
2006-06-01 13:47:08 27,648 "C:\WINDOWS\system32\jgpl400.dll"
2006-05-18 00:24:26 450,560 "C:\WINDOWS\system32\jscript.dll"
2006-06-22 05:47:18 181,248 "C:\WINDOWS\system32\rasmans.dll"
2006-05-29 10:30:34 1,494,016 "C:\WINDOWS\system32\shdocvw.dll"
2006-07-30 12:44:18 4,096 "C:\WINDOWS\system32\win_j4f.dll"
2006-07-30 14:19:12 0 "C:\WINDOWS\system32\dllsys.dll"
2006-05-19 07:59:42 148,480 "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 10:08:32 3,052,544 "C:\WINDOWS\system32\mshtml.dll"
2006-07-09 13:42:06 83,960 "C:\WINDOWS\system32\vsdata.dll"
2006-07-09 13:42:08 157,688 "C:\WINDOWS\system32\vsinit.dll"
2006-07-09 13:42:10 440,312 "C:\WINDOWS\system32\vsutil.dll"
2006-07-09 13:42:14 83,960 "C:\WINDOWS\system32\zlcomm.dll"
2006-07-31 06:06:56 573,492 "C:\WINDOWS\system32\ddayw.dll"
2006-07-09 13:42:12 59,384 "C:\WINDOWS\system32\vswmi.dll"
2006-07-09 13:42:12 100,344 "C:\WINDOWS\system32\vsxml.dll"
2006-08-11 12:57:46 434 "C:\WINDOWS\fvutr.dll"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Kevin\Local Settings\Temp\drsmartload482a.exe


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-11 12:57:46 434 ( A.... ) "C:\WINDOWS\fvutr.dll"
2006-08-11 11:59:26 72418 ( A.... ) "C:\WINDOWS\system32\VundoFix.exe"
2006-08-07 01:21:36 53248 ( A.... ) "C:\WINDOWS\bvq.exe"
2006-08-01 21:04:58 ( .D... ) "C:\Program Files\Media Box"
2006-08-01 21:04:50 245760 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-08-01 21:04:42 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-08-01 20:58:28 ( .D... ) "C:\Program Files\CD-DA X-Tractor"
2006-07-31 14:26:04 ( .D... ) "C:\Program Files\Symantec"
2006-07-31 14:25:58 ( .D... ) "C:\Program Files\NavNT"
2006-07-31 14:25:58 ( .D... ) "C:\Program Files\Common Files\Symantec Shared"
2006-07-31 10:50:08 143360 ( A.... ) "C:\WINDOWS\ms06391207727.exe"
2006-07-31 09:58:48 ( .D... ) "C:\Program Files\Common Files\{0C61AB1F-07D0-1033-0222-060509140001}"
2006-07-31 06:06:56 573492 ( ..SH. ) "C:\WINDOWS\system32\ddayw.dll"
2006-07-30 14:19:12 0 ( A.S.. ) "C:\WINDOWS\system32\dllsys.dll"
2006-07-30 12:46:20 10261 ( ...HR ) "C:\WINDOWS\system32\tmp_0v.exe"
2006-07-30 12:44:50 53248 ( A.... ) "C:\WINDOWS\aqr.exe"
2006-07-30 12:44:18 4096 ( A..HR ) "C:\WINDOWS\system32\win_j4f.dll"
2006-07-14 10:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-09 13:42:44 392824 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-07-09 13:42:44 392824 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-07-09 13:42:14 83960 ( A.... ) "C:\WINDOWS\system32\zlcomm.dll"
2006-07-09 13:42:14 71672 ( A.... ) "C:\WINDOWS\system32\zlcommdb.dll"
2006-07-09 13:42:12 100344 ( A.... ) "C:\WINDOWS\system32\vsxml.dll"
2006-07-09 13:42:12 59384 ( A.... ) "C:\WINDOWS\system32\vswmi.dll"
2006-07-09 13:42:10 440312 ( A.... ) "C:\WINDOWS\system32\vsutil.dll"
2006-07-09 13:42:10 71672 ( A.... ) "C:\WINDOWS\system32\vsregexp.dll"
2006-07-09 13:42:08 268280 ( A.... ) "C:\WINDOWS\system32\vspubapi.dll"
2006-07-09 13:42:08 157688 ( A.... ) "C:\WINDOWS\system32\vsinit.dll"
2006-07-09 13:42:08 104440 ( A.... ) "C:\WINDOWS\system32\vsmonapi.dll"
2006-07-09 13:42:06 83960 ( A.... ) "C:\WINDOWS\system32\vsdata.dll"
2006-06-19 16:20:42 702768 ( ..... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-18 17:54:08 796584 ( A.... ) "C:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-11 11:57 72,418 C:\WINDOWS\system32\VundoFix.exe
2006-08-07 01:21 53,248 C:\WINDOWS\bvq.exe
2006-08-01 21:14 765,952 C:\WINDOWS\system32\tvqenc.dll
2006-08-01 21:14 393,216 C:\WINDOWS\system32\VorbisEncX.dll
2006-08-01 21:14 360,448 C:\WINDOWS\system32\NCTWMAFile.dll
2006-08-01 21:14 339,968 C:\WINDOWS\system32\MP3EncX.dll
2006-08-01 21:14 303,104 C:\WINDOWS\system32\WMAEncX.dll
2006-08-01 21:14 1,703,936 C:\WINDOWS\system32\NCTAudioFile.dll
2006-08-01 21:04 73,216 C:\WINDOWS\ST6UNST.EXE
2006-08-01 21:04 245,760 C:\WINDOWS\Setup1.exe
2006-08-01 08:42 127,208 C:\WINDOWS\system32\mucltui.dll
2006-07-31 14:26 4,032 C:\WINDOWS\system32\SYMEVNT1.DLL
2006-07-31 14:26 36,864 C:\WINDOWS\system32\S32EVNT1.DLL
2006-07-31 10:49 143,360 C:\WINDOWS\ms06391207727.exe
2006-07-31 09:58 434 C:\WINDOWS\fvutr.dll
2006-07-31 06:06 573,492 C:\WINDOWS\system32\ddayw.dll
2006-07-30 14:19 0 C:\WINDOWS\system32\dllsys.dll
2006-07-30 12:44 7,680 C:\WINDOWS\vmmlog32.dll
2006-07-30 12:44 53,248 C:\WINDOWS\aqr.exe
2006-07-30 12:44 4,096 C:\WINDOWS\system32\win_j4f.dll
2006-07-30 12:44 10,261 C:\WINDOWS\system32\tmp_0v.exe
2006-07-04 00:26 796,584 C:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-07-04 00:26 59,384 C:\WINDOWS\system32\vswmi.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PROMon.exe"="PROMon.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"DrvLsnr"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"DXDllRegExe"="dxdllreg.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"loaddr"="C:\\WINDOWS\\bvq.exe"
"TheMonitor"="C:\\WINDOWS\\CCZoop05.exe"
"ms06391207727"="C:\\WINDOWS\\ms06391207727.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"Mozilla Quick Launch"="\"C:\\Program Files\\Netscape\\Netscape\\Netscp.exe\" -aim"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{0C61AB1F-07D0-1033-0222-060509140001}"="\"C:\\Program Files\\Common Files\\{0C61AB1F-07D0-1033-0222-060509140001}\\Update.exe\" mc-110-12-0000509"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\qufycu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\nicoziwi.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""




Contents of the 'Scheduled Tasks' folder

Completion time: Fri 08/11/2006 13:47:59.79
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm

Unread postby kevin strange » August 11th, 2006, 3:18 pm

Uninstall list:

AC-3 ACM Codec
Ad-Aware SE Personal
Adobe Download Manager 2.0 (Remove Only)
Adobe Encore DVD 1.5
Adobe PageMaker 7.0
Adobe Photoshop 5.5
Adobe Photoshop 7.0
Adobe Premiere Pro
Adobe Reader 7.0
AOL Instant Messenger
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI HYDRAVISION
Avant Browser (remove only)
Broadcom 570x Driver Installer
Charter Pipeline® Self-Installation
CoffeeCup HTML Editor Version 9.7
DiscWizard for Windows
DivX Player
DivX Web Player
Enigma Browser (remove only)
Extreme Thumbnail Generator 1.7
Focus Magic
Google Earth
GTK+ 2.6.7-1 runtime environment
HijackThis 1.99.1
HmmXP 3 Theme Pack
Huffyuv AVI lossless video codec (Remove Only)
ICatch (VI) PC Camera
Intel(R) Extreme Graphics Driver
Intel(R) PRO Ethernet Adapter and Software
Intel(R) PRO Intelligent Installer
iTunes
K-Lite Mega Codec Pack 1.53
LiveUpdate 1.6 (Symantec Corporation)
Macromedia Flash Player 8
Media Box MP3 Workstation
Memories Disc Creator 2.0
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB886903)
Mozilla (1.7.11)
Mozilla Firefox (1.4)
MP3 to WAV Converter
MP3 WAV Converter 3.12
mp3-2-wav converter 1.14
MSI Live Update 3
MSN Messenger 7.5
Nero Suite
Netscape (7.0)
Norton AntiVirus Corporate Edition
Opera
PC Alert 4
PerformanceTest v5.0
QuickTime
Realtek AC'97 Audio
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB921883)
SmartFTP Client
SoundMAX
Spybot - Search & Destroy 1.4
Starcraft
ToolBar888
Update for Windows XP (KB894391)
Update for Windows XP (KB900485)
Update for Windows XP (KB908531)
Update for Windows XP (KB910437)
Update for Windows XP (KB911280)
Update for Windows XP (KB916595)
USB Driver
VIA Platform Device Manager
VIA/S3G Display Driver
Viewpoint Media Player (Remove Only)
WebLog Expert Lite 3.5
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Media Format Runtime
Windows Media Player 10
Windows XP Creativity Fun Packs - Windows Movie Maker 2
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB886716
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB891781
WinRAR archiver
WinZip
Yahoo! Address AutoComplete
Yahoo! extras
Yahoo! Install Manager
Yahoo! Internet Mail
Yahoo! Messenger with BT Communicator
Yahoo! Toolbar
ZoneAlarm
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm

Unread postby agrarianmonk » August 11th, 2006, 3:46 pm

Go to Start > Control Panel > Add or Remove Programs and uninstall the following programs (if they exist):
**Take care when answering any questions posed by an uninstaller. Some questions may be worded to deceive you into keeping the program**

ToolBar888
Viewpoint Media Player (Remove Only)

Please note any other programs that you don't recognize in that list in your next response

**********************
  • Copy the contents of the Quote Box below to Notepad.
  • Name the file as fix.reg
  • Change the Save as Type to All Files
  • and Save it on the desktop

REGEDIT4

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{0C61AB1F-07D0-1033-0222-060509140001}"=-

[-HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0C61AB1F-07D0-1033-0222-060509140001}]



Make sure there are NO blank lines before REGEDIT4
Make sure there IS one blank line at the end of the file.

It should look like this: [image]
If you are having problems creating the file, a step by step visual tutorial by Nellie2 for making a reg file can be found here.


Then double-click on the fix.reg file, and when it prompts to merge say yes, and this will clear some registry entries left behind by the process.


***************************************

We need to run Vundofix again:
    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once the scan is complete, Right Click inside the listbox (white box) and click add more files
    * Copy&Paste the 2 entries below into the top 2 boxes

    o C:\WINDOWS\system32\ddayw.dll
    o C:\WINDOWS\system32\wyadd.*

    * Click Add Files and Click Close Window
    * Click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

Note: If Vundofix never reopens,
Using Windows Explorer navigate to C:\Windows\Tasks -folder
Locate the AT1.job
<<Right click>> that file and select Run

If AT1.job (or something similar) is not present, reboot and try running VundoFix again.
If you're still having the same issue, then just click the "Scan for Vundo" but without checking "Run Vundofix as a task." In 80% of the cases, that option works as well.


In your next post, please include
  • new hijackthis log
  • c:\vundofix.txt
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby kevin strange » August 11th, 2006, 4:24 pm

Hmmm. Here's the new HJT log, but VundoFix still won't run as a task and didn't find any files.


Logfile of HijackThis v1.99.1
Scan saved at 3:23:08 PM, on 8/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\ms06391207727.exe
C:\Program Files\NavNT\vptray.exe
C:\Program Files\Common Files\{0C61AB1F-07D0-1033-0222-060509140001}\Update.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\PROGRAM FILES\INTERNET EXPLORER\IEXPLORE.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Kevin\Desktop\findvundo.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hackmovies.com/"); (C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\l1y26az2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\l1y26az2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {A80D7DCB-BB7D-49FA-BEBA-E08154551ACE} - C:\Program Files\Windows NT\niwypahi.dll
O2 - BHO: (no name) - {C2BC7841-82DF-4890-AA87-22E26A7C5AEE} - C:\WINDOWS\system32\ddayw.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\bvq.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [ms06391207727] C:\WINDOWS\ms06391207727.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -aim
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8231529321
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_j4f.dll
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: SvcSys - {FEF44AB7-DE10-4B70-B20F-4C763B2B3030} - svcsys.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm

Unread postby agrarianmonk » August 11th, 2006, 4:28 pm

Did you run the reg fix and reboot? Let me know in your next post.


Make sure combofix.exe is on your desktop.

Go to Start --> Run and copy/paste in the following:

"%userprofile%\desktop\combofix.exe" /v ddayw

When finished, it shall produce a log for you. Post that log in your next reply.

Warning: Please do not mouseclick combofix's window while it is running. This may cause it to stall.

In your next post, please include
  • new hijackthis log
  • combofix log


*use separate posts to ensure the logs don't get cut off!
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby kevin strange » August 11th, 2006, 6:16 pm

Seem to have gotten myself into a bit of a bind! At the time of my last posting, I had run the reg fix but had not restarted the PC. I did so as instructed and was immediately prompted by Norton with a virus notification.

Scan type: Realtime Protection Scan
Event: Virus Found!
Virus name: Trojan.Awax
File: C:\WINDOWS\system32\gebyx.dll
Location: C:\WINDOWS\system32
Computer: ****
User: ****
Action taken: Clean failed : Quarantine failed : Access denied
Date found: Fri Aug 11 17:03:33 2006

This notification repeats over and over. I ran Norton in Safe Mode but it could not Clean or Quarantine it there either. Any ideas?
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm

Unread postby agrarianmonk » August 11th, 2006, 7:13 pm

Don't worry, I have instructions that will take care of it.

Can you run through my last instructions and post the requested logs?

thanks,
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am

Unread postby kevin strange » August 11th, 2006, 7:25 pm

VundoFix log:


VundoFix V5.1.7

Checking Java version...

Sun Java not detected
Scan started at 11:54:42 AM 8/11/2006

Listing files found while scanning....


VundoFix V5.1.7

Checking Java version...

Sun Java not detected
Scan started at 1:55:00 PM 8/11/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.7

Checking Java version...

Sun Java not detected
Scan started at 3:00:29 PM 8/11/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

VundoFix V5.1.7

Checking Java version...

Sun Java not detected
Scan started at 5:04:13 PM 8/11/2006

Listing files found while scanning....

No infected files were found.


Beginning removal...

The process smss.exe was successfully stopped

The process winlogon.exe was successfully stopped

The process explorer.exe was successfully stopped

The process iexplore.exe was successfully stopped

The process rundll32.exe was successfully stopped

Attempting to delete C:\WINDOWS\system32\gebyx.dll
C:\WINDOWS\system32\gebyx.dll Has been deleted!

Performing Repairs to the registry.
Done!
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm

Unread postby kevin strange » August 11th, 2006, 7:26 pm

ComboFix log:

(((((((((((((((((((((((((((((((((((((((((((((((( Vundo Log )))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\SYSTEM32\DDAYW.DLL
C:\WINDOWS\SYSTEM32\WYADD.INI


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


C:\WINDOWS\SYSTEM32\WYADD.INI

18:18:00.60
(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-08-11 15:35:12 65536 ( A.... ) "C:\drsmartload.exe"
2006-08-11 15:35:04 ( .D... ) "C:\Program Files\RegiFast"
2006-08-11 12:57:46 434 ( A.... ) "C:\WINDOWS\fvutr.dll"
2006-08-11 11:05:48 155648 ( A.... ) "C:\WINDOWS\win3208120772739.exe"
2006-08-07 01:21:36 53248 ( A.... ) "C:\WINDOWS\bvq.exe"
2006-08-01 21:04:58 ( .D... ) "C:\Program Files\Media Box"
2006-08-01 21:04:50 245760 ( ..... ) "C:\WINDOWS\Setup1.exe"
2006-08-01 21:04:42 73216 ( A.... ) "C:\WINDOWS\ST6UNST.EXE"
2006-08-01 20:58:28 ( .D... ) "C:\Program Files\CD-DA X-Tractor"
2006-07-31 14:26:04 ( .D... ) "C:\Program Files\Symantec"
2006-07-31 14:25:58 ( .D... ) "C:\Program Files\NavNT"
2006-07-31 14:25:58 ( .D... ) "C:\Program Files\Common Files\Symantec Shared"
2006-07-31 10:50:08 143360 ( A.... ) "C:\WINDOWS\ms06391207727.exe"
2006-07-31 09:58:48 ( .D... ) "C:\Program Files\Common Files\{0C61AB1F-07D0-1033-0222-060509140001}"
2006-07-30 14:19:12 0 ( A.S.. ) "C:\WINDOWS\system32\dllsys.dll"
2006-07-30 12:46:20 10261 ( A..HR ) "C:\WINDOWS\system32\tmp_0v.exe"
2006-07-30 12:44:50 53248 ( A.... ) "C:\WINDOWS\aqr.exe"
2006-07-30 12:44:18 4096 ( A..HR ) "C:\WINDOWS\system32\win_j4f.dll"
2006-07-14 10:31:40 332288 ( A.... ) "C:\WINDOWS\system32\netapi32.dll"
2006-07-09 13:42:44 392824 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-07-09 13:42:44 392824 ( A.... ) "C:\WINDOWS\system32\vsdatant.sys"
2006-07-09 13:42:14 83960 ( A.... ) "C:\WINDOWS\system32\zlcomm.dll"
2006-07-09 13:42:14 71672 ( A.... ) "C:\WINDOWS\system32\zlcommdb.dll"
2006-07-09 13:42:12 100344 ( A.... ) "C:\WINDOWS\system32\vsxml.dll"
2006-07-09 13:42:12 59384 ( A.... ) "C:\WINDOWS\system32\vswmi.dll"
2006-07-09 13:42:10 440312 ( A.... ) "C:\WINDOWS\system32\vsutil.dll"
2006-07-09 13:42:10 71672 ( A.... ) "C:\WINDOWS\system32\vsregexp.dll"
2006-07-09 13:42:08 268280 ( A.... ) "C:\WINDOWS\system32\vspubapi.dll"
2006-07-09 13:42:08 157688 ( A.... ) "C:\WINDOWS\system32\vsinit.dll"
2006-07-09 13:42:08 104440 ( A.... ) "C:\WINDOWS\system32\vsmonapi.dll"
2006-07-09 13:42:06 83960 ( A.... ) "C:\WINDOWS\system32\vsdata.dll"
2006-06-19 16:20:42 702768 ( A.... ) "C:\WINDOWS\system32\WgaLogon.dll"
2006-06-19 13:38:58 53248 ( A.... ) "C:\WINDOWS\uni_ehhhh.exe"
2006-06-19 13:38:08 49152 ( A.... ) "C:\WINDOWS\uninst104.exe"
2006-06-18 17:54:08 796584 ( A.... ) "C:\WINDOWS\system32\libeay32_0.9.6l.dll"
2006-05-19 07:59:42 148480 ( A.... ) "C:\WINDOWS\system32\dnsapi.dll"
2006-05-19 07:59:42 111616 ( A.... ) "C:\WINDOWS\system32\dhcpcsvc.dll"
2006-05-19 07:59:42 94720 ( A.... ) "C:\WINDOWS\system32\iphlpapi.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-08-11 15:35 65,536 C:\drsmartload.exe
2006-08-11 11:05 155,648 C:\WINDOWS\win3208120772739.exe
2006-08-07 01:21 53,248 C:\WINDOWS\bvq.exe
2006-08-01 21:14 765,952 C:\WINDOWS\system32\tvqenc.dll
2006-08-01 21:14 393,216 C:\WINDOWS\system32\VorbisEncX.dll
2006-08-01 21:14 360,448 C:\WINDOWS\system32\NCTWMAFile.dll
2006-08-01 21:14 339,968 C:\WINDOWS\system32\MP3EncX.dll
2006-08-01 21:14 303,104 C:\WINDOWS\system32\WMAEncX.dll
2006-08-01 21:14 1,703,936 C:\WINDOWS\system32\NCTAudioFile.dll
2006-08-01 21:04 73,216 C:\WINDOWS\ST6UNST.EXE
2006-08-01 21:04 245,760 C:\WINDOWS\Setup1.exe
2006-08-01 08:42 127,208 C:\WINDOWS\system32\mucltui.dll
2006-07-31 14:26 4,032 C:\WINDOWS\system32\SYMEVNT1.DLL
2006-07-31 14:26 36,864 C:\WINDOWS\system32\S32EVNT1.DLL
2006-07-31 10:49 143,360 C:\WINDOWS\ms06391207727.exe
2006-07-31 09:58 434 C:\WINDOWS\fvutr.dll
2006-07-30 14:19 0 C:\WINDOWS\system32\dllsys.dll
2006-07-30 12:44 7,680 C:\WINDOWS\vmmlog32.dll
2006-07-30 12:44 53,248 C:\WINDOWS\aqr.exe
2006-07-30 12:44 4,096 C:\WINDOWS\system32\win_j4f.dll
2006-07-30 12:44 10,261 C:\WINDOWS\system32\tmp_0v.exe
2006-07-04 00:26 796,584 C:\WINDOWS\system32\libeay32_0.9.6l.dll
2006-07-04 00:26 59,384 C:\WINDOWS\system32\vswmi.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"PROMon.exe"="PROMon.exe"
"IgfxTray"="C:\\WINDOWS\\system32\\igfxtray.exe"
"HotKeysCmds"="C:\\WINDOWS\\system32\\hkcmd.exe"
"DrvLsnr"="C:\\Program Files\\Analog Devices\\SoundMAX\\DrvLsnr.exe"
"Zone Labs Client"="\"C:\\Program Files\\Zone Labs\\ZoneAlarm\\zlclient.exe\""
"DXDllRegExe"="dxdllreg.exe"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"SoundMan"="SOUNDMAN.EXE"
"VTTimer"="VTTimer.exe"
"VTTrayp"="VTtrayp.exe"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"LiveMonitor"="C:\\Program Files\\MSI\\Live Update 3\\LMonitor.exe"
"loaddr"="C:\\WINDOWS\\bvq.exe"
"TheMonitor"="C:\\WINDOWS\\CCZoop05.exe"
"ms06391207727"="C:\\WINDOWS\\ms06391207727.exe"
"vptray"="C:\\Program Files\\NavNT\\vptray.exe"
"win3208120772739"="C:\\WINDOWS\\win3208120772739.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\MSMSGS.EXE\" /background"
"MoneyAgent"="\"C:\\Program Files\\Microsoft Money\\System\\mnyexpr.exe\""
"Mozilla Quick Launch"="\"C:\\Program Files\\Netscape\\Netscape\\Netscp.exe\" -aim"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\ComPlus Applications\\qufycu.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\nicoziwi.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,a0,00,00,00,00,00,00,00,80,02,00,00,3a,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"=""




Contents of the 'Scheduled Tasks' folder

Completion time: Fri 08/11/2006 18:18:14.59
ComboFix ver 06.07.15/30 - This logfile is located at C:\ComboFix.txt

ComboFix.2006-08-11.181601.txt
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm
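A small triage script, added here as an illustration and not part of the thread or of HijackThis, VundoFix or ComboFix: it parses the HijackThis autostart lines (O2, O4, O20, O21) and the ComboFix "Files Created - Last 30days" list, then flags entries whose file is missing, entries loaded through AppInit_DLLs, targets created inside the report window, and DLLs registered both as a BHO and as a Winlogon Notify handler (the pattern behind ddayw.dll in this thread). The sample lines are copied from the logs posted above; the heuristic names are my own.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample: autostart lines copied from the HijackThis logs in this thread.
SAMPLE_HJT = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {C2BC7841-82DF-4890-AA87-22E26A7C5AEE} - C:\WINDOWS\system32\ddayw.dll
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\bvq.exe
O4 - HKLM\..\Run: [ms06391207727] C:\WINDOWS\ms06391207727.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_j4f.dll
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: SvcSys - {FEF44AB7-DE10-4B70-B20F-4C763B2B3030} - svcsys.dll (file missing)
"""

# Constructed sample: entries copied from the ComboFix "Files Created - Last 30days" section.
SAMPLE_CREATED = r"""
2006-08-11 11:05 155,648 C:\WINDOWS\win3208120772739.exe
2006-08-07 01:21 53,248 C:\WINDOWS\bvq.exe
2006-07-31 10:49 143,360 C:\WINDOWS\ms06391207727.exe
2006-07-30 12:44 4,096 C:\WINDOWS\system32\win_j4f.dll
2006-07-04 00:26 59,384 C:\WINDOWS\system32\vswmi.dll
"""

HJT_LINE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")          # "O4 - HKLM\..\Run: ..."
CREATED_LINE = re.compile(r"^(\d{4}-\d{2}-\d{2}) \d{2}:\d{2} [\d,]+ (.+)$")
EXE_OR_DLL = re.compile(r"^(.*?\.(?:exe|dll))", re.IGNORECASE)   # path up to the first .exe/.dll


def basename(path: str) -> str:
    """Lower-cased file name, so SYSTEM32\\X.DLL and system32\\x.dll compare equal."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def parse_hjt(text: str) -> List[dict]:
    """Extract (section, kind, target path, file-missing flag) from O2/O4/O20/O21 lines."""
    entries = []
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if not m:
            continue
        section, kind, rest = m.groups()
        missing = rest.endswith("(file missing)")
        rest = rest.replace(" (file missing)", "")
        if section == "O4":
            body = rest.split("] ", 1)[-1]      # drop the "[value name]" prefix
            body = body.split(" = ", 1)[-1]     # Startup .lnk lines: keep the resolved target
            pm = EXE_OR_DLL.match(body.lstrip('"'))
            target = pm.group(1) if pm else body
        else:
            target = rest.rsplit(" - ", 1)[-1]  # last " - " field is the on-disk path
        entries.append({"section": section, "kind": kind, "target": target, "missing": missing})
    return entries


def parse_created(text: str) -> Dict[str, str]:
    """Map lower-cased basename -> creation date from the ComboFix 'Files Created' list."""
    created = {}
    for line in text.splitlines():
        m = CREATED_LINE.match(line.strip())
        if m:
            created[basename(m.group(2))] = m.group(1)
    return created


def triage(hjt_text: str, created_text: str) -> Dict[str, List[str]]:
    """Return {basename: sorted reasons} for every autostart target worth a second look.

    Heuristics (my own, not the forum's): orphaned entry, AppInit_DLLs loader,
    target created in the report window, same DLL as both BHO and Winlogon Notify.
    """
    entries = parse_hjt(hjt_text)
    created = parse_created(created_text)
    kinds = defaultdict(set)
    for e in entries:
        kinds[basename(e["target"])].add(e["kind"])
    findings = defaultdict(set)
    for e in entries:
        name = basename(e["target"])
        if e["missing"]:
            findings[name].add("file missing")
        if e["kind"] == "AppInit_DLLs":
            findings[name].add("AppInit_DLLs")
        if name in created:
            findings[name].add("created " + created[name])
        if {"BHO", "Winlogon Notify"} <= kinds[name]:
            findings[name].add("BHO + Winlogon Notify")
    return {k: sorted(v) for k, v in findings.items()}


if __name__ == "__main__":
    for name, reasons in sorted(triage(SAMPLE_HJT, SAMPLE_CREATED).items()):
        print(f"{name:24s} {', '.join(reasons)}")
```

Entries that clear every heuristic (zlclient.exe, WgaLogon.dll, the Adobe BHO) are not reported, which is what makes the remaining list short enough to review by hand.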

Unread postby kevin strange » August 11th, 2006, 7:26 pm

HJT log:

Logfile of HijackThis v1.99.1
Scan saved at 6:24:46 PM, on 8/11/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NavNT\defwatch.exe
C:\WINDOWS\System32\NMSSvc.exe
C:\Program Files\NavNT\rtvscan.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\WINDOWS\system32\VTTimer.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\Program Files\MSI\Live Update 3\LMonitor.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\ms06391207727.exe
C:\Program Files\NavNT\vptray.exe
C:\WINDOWS\win3208120772739.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\Trillian\trillian.exe
C:\WINDOWS\system32\MsgSys.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\OpenOffice.org1.1.4\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Kevin\Desktop\findvundo.exe

N3 - Netscape 7: user_pref("browser.startup.homepage", "http://www.hackmovies.com/"); (C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\l1y26az2.slt\prefs.js)
N3 - Netscape 7: user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5Cmozilla.org%5CMozilla%5Csearchplugins%5Cgoogle.src"); (C:\Documents and Settings\Kevin\Application Data\Mozilla\Profiles\default\l1y26az2.slt\prefs.js)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09C4285F-1BA7-4DDE-BE8F-1DC55A5C2549} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebyx.dll (file missing)
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {A80D7DCB-BB7D-49FA-BEBA-E08154551ACE} - C:\Program Files\Windows NT\niwypahi.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [PROMon.exe] PROMon.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [DrvLsnr] C:\Program Files\Analog Devices\SoundMAX\DrvLsnr.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [DXDllRegExe] dxdllreg.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [VTTrayp] VTtrayp.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\Run: [LiveMonitor] C:\Program Files\MSI\Live Update 3\LMonitor.exe
O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\bvq.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [ms06391207727] C:\WINDOWS\ms06391207727.exe
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [win3208120772739] C:\WINDOWS\win3208120772739.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [MoneyAgent] "C:\Program Files\Microsoft Money\System\mnyexpr.exe"
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\Netscape\Netscape\Netscp.exe" -aim
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: OpenOffice.org 1.1.4.lnk = C:\Program Files\OpenOffice.org1.1.4\program\quickstart.exe
O4 - Startup: Trillian.lnk = C:\Program Files\Trillian\trillian.exe
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: ATI CATALYST System Tray.lnk = C:\Program Files\ATI Technologies\ATI.ACE\CLI.exe
O4 - Global Startup: PC Alert 4.lnk = C:\Program Files\MSI\PC Alert 4\PCAlert4.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\PROGRA~1\Yahoo!\Common\yhexbmesuk.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftup ... 8231529321
O16 - DPF: {7F8C8173-AD80-4807-AA75-5672F22B4582} (ICSScanner Class) - http://download.zonelabs.com/bin/promot ... r37380.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_j4f.dll
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: SvcSys - {FEF44AB7-DE10-4B70-B20F-4C763B2B3030} - svcsys.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Intel(R) NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
kevin strange
Regular Member
 
Posts: 20
Joined: August 11th, 2006, 1:15 pm

Unread postby agrarianmonk » August 11th, 2006, 7:30 pm

Please print out or copy these instructions/tutorial to Notepad as the internet will not be (while in Safe Mode) available to you at certain points of the removal process. Make sure to work through all the Steps in the exact order in which they are listed below. If there's anything that you don't understand, ask your question(s) before moving on with the fixes.

Please download Ewido to your Desktop or to your usual Download Folder.
http://www.ewido.net/en/download/
  • Install Ewido by double clicking the installer.
  • Follow the prompts. Make sure that Launch Ewido is checked.
  • On the main screen under Your Computer's security.
    • Click on Change state next to Resident shield. It should now change to inactive.
    • Next to Last Update, click on Update now. (You will need an active internet connection to perform this)
    • Wait until you see the Update successful message.
      Note: If the Update now option is grayed out, follow the steps below.
      • Click on Update on the toolbar.
      • Under Manual update, click on the Start Update button.
      • Wait until you see the Update successful message.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.
If you are having problems with the updater, you can use this link to manually update ewido.
Ewido manual updates.
Download the Full database to your Desktop or to your usual Download Folder and install it by double clicking the file. Make sure that Ewido is closed before installing the update.


Please download Brute Force Uninstaller to your desktop.
  • Right click the BFU folder on your desktop, and choose Extract All
  • Click "Next"
  • In the box to choose where to extract the files to,
  • Click "Browse"
  • Click on the + sign next to "My Computer"
  • Click on "Local Disk (C:)" or whatever your primary drive is
  • Click "Make New Folder"
  • Type in BFU
  • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
Save it in the same folder you made earlier (c:\BFU).

Do not do anything with these yet!

***************************************

Open HijackThis and click on 'Do a System Scan Only'. Check the boxes next to all the entries listed below (if present).

O2 - BHO: (no name) - {09C4285F-1BA7-4DDE-BE8F-1DC55A5C2549} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\gebyx.dll (file missing)
O2 - BHO: (no name) - {73364D99-1240-4dff-B11A-67E448373048} - C:\WINDOWS\system32\ipv6mons.dll (file missing)
O2 - BHO: (no name) - {A80D7DCB-BB7D-49FA-BEBA-E08154551ACE} - C:\Program Files\Windows NT\niwypahi.dll
O4 - HKLM\..\Run: [loaddr] C:\WINDOWS\bvq.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [ms06391207727] C:\WINDOWS\ms06391207727.exe
O4 - HKLM\..\Run: [win3208120772739] C:\WINDOWS\win3208120772739.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_j4f.dll
O20 - Winlogon Notify: ddayw - C:\WINDOWS\system32\ddayw.dll (file missing)
O21 - SSODL: SvcSys - {FEF44AB7-DE10-4B70-B20F-4C763B2B3030} - svcsys.dll (file missing)

Now close all windows other than HiJackThis, then click Fix checked. Close HijackThis.

***************************************

Next, please reboot your computer in Safe Mode by doing the following:
  1. Restart your computer
  2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
  3. Instead of Windows loading as normal, a menu should appear
  4. Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see here

***************************************

Next, we need to Reveal Hidden Files
  1. Click Start.
  2. Open My Computer.
  3. Select Tools menu
  4. Click Folder Options.
  5. Select the View Tab.
  6. Select Show hidden files and folders in the Hidden files and folders section.
  7. Uncheck Hide protected operating system files (recommended) option.
  8. Uncheck the Hide file extensions for known file types option.
  9. Click Yes.
  10. Click OK.

***************************************

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these files (if present):

C:\WINDOWS\SYSTEM32\WYADD.INI
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\ms06391207727.exe
C:\WINDOWS\win3208120772739.exe
C:\WINDOWS\fvutr.dll
C:\WINDOWS\system32\dllsys.dll
C:\WINDOWS\system32\tmp_0v.exe
C:\WINDOWS\aqr.exe
C:\WINDOWS\system32\win_j4f.dll
C:\Program Files\ComPlus Applications\qufycu.html
C:\Program Files\Windows Media Player\nicoziwi.html

Using Windows Explorer (to get there right-click your Start button and go to "Explore"), please delete these folders (if present):

C:\Program Files\Common Files\{0C61AB1F-07D0-1033-0222-060509140001}

***************************************

Please go to Start > My Computer and navigate to the C:\BFU folder.
  • Start the Brute Force Uninstaller by double-clicking BFU.exe
  • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
  • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
  • Wait for the complete script execution box to pop up and press OK.
  • Press exit to terminate the BFU program.


* Clean your Cache and Cookies in IE:
  • Close all instances of Outlook Express and Internet Explorer
  • Go to Control Panel > Internet Options > General tab
  • Click the "Delete Cookies" button
  • Next to it, Click the "Delete Files" button
  • When prompted, place a check in: "Delete all offline content", click OK
* Clean your Cache and Cookies in Firefox (In case you also have Firefox installed):
  • Go to Tools > Options.
  • Click Privacy in the menu on the left side of the Options window.
  • Click the Clear button located to the right of each option (History, Cookies, Cache).
  • Click OK to close the Options window
    Alternatively, you can clear all information stored while browsing by clicking Clear All.
    A confirmation dialog box will be shown before clearing the information.
* Clean other Temporary files + Recycle bin
  • Go to start > run and type: cleanmgr and click ok.
  • Let it scan your system for files to remove.
  • Make sure Temporary Files, Temporary Internet Files, and Recycle Bin are the only things checked.
  • Press OK to remove them.


Then, Close ALL open Windows / Programs / Folders. Please start Ewido and run a full scan.
  • Click on Scanner on the toolbar.
  • Click on the Settings tab.
    • Under How to act?
      • Click on Recommended Action and choose Quarantine from the popup menu.
    • Under How to scan?
      • All checkboxes should be ticked.
    • Under Possibly unwanted software:
      • All checkboxes should be ticked.
    • Under Reports:
      • Select Automatically generate report after every scan and uncheck Only if threats were found.
    • Under What to scan?
      • Select Scan every file.
  • Click on the Scan tab.
  • Click on Complete System Scan to start the scan process.
  • Let the program scan the machine.
  • When the scan has finished, follow the instructions below.
    IMPORTANT : Don't click on the "Save Scan Report" button before you did hit the "Apply all Actions" button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
  • When done, click the Save Scan Report button.
    • Click the Save Report as button.
    • Save the report to your Desktop.
  • Right-click the Ewido Tray Icon and select Exit. Confirm by clicking Yes.

***************************************

Reboot your system back into Normal Mode.

Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report

***************************************

Go to start -> control panel -> Display properties -> Desktop -> Customize Desktop... -> Web tab, then uncheck and delete everything you find in there (except for "My current home page").

Also remove the checkmark from the Lock Desktop Items box if it is checked.
Apply.
Apply and Exit Display properties.

***************************************

Now, please run combofix for me again and post the log generated


in your next post, please include
  • new hijackthis log
  • ewido log
  • panda log
  • combofix log
  • a description of how your computer is running at the moment


You may need several replies to post the requested logs, otherwise they might get cut off.
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am
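The fix list in the post above is a manual triage of the HijackThis log posted earlier in the thread. As an added example (not the forum's or the helper's own tooling), the following Python script parses HijackThis entry lines and applies the same kinds of rules the helper applied; the rule set is an assumption for illustration, and the sample log is constructed from lines in the posted log.

```python
import re

# Constructed sample in HijackThis v1.99.1 log format; the paths are taken from
# the log posted in this thread, the selection of lines is assembled for the example.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {09C4285F-1BA7-4DDE-BE8F-1DC55A5C2549} - C:\WINDOWS\system32\ddayw.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [ms06391207727] C:\WINDOWS\ms06391207727.exe
O20 - AppInit_DLLs: C:\WINDOWS\system32\win_j4f.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\system32\NavLogon.dll
O21 - SSODL: SvcSys - {FEF44AB7-DE10-4B70-B20F-4C763B2B3030} - svcsys.dll (file missing)
"""

ENTRY_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
# Absolute path to an .exe sitting directly in the Windows directory, not a subfolder.
WINROOT_EXE_RE = re.compile(r"[A-Z]:\\WINDOWS\\[^\\\s]+\.exe", re.IGNORECASE)

def parse_entries(text):
    """Return (section, body) pairs for every HijackThis entry line in text."""
    out = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            out.append((m.group(1), m.group(2)))
    return out

def triage(text):
    """Apply the review heuristics the helper used in this thread; returns
    (section, reason, body) for each line a human should look at."""
    hits = []
    for section, body in parse_entries(text):
        if "(file missing)" in body and section in ("O2", "O20", "O21"):
            # A BHO, Winlogon Notify or SSODL hook pointing at a DLL that no longer
            # exists is a dangling load point: partial cleanup or something hiding.
            hits.append((section, "dangling reference to missing file", body))
        elif section == "O4" and WINROOT_EXE_RE.search(body):
            # Legitimate autoruns live under Program Files or system32; an .exe
            # dropped straight into C:\WINDOWS is a classic dropper location.
            hits.append((section, "autorun .exe in Windows root", body))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            # AppInit_DLLs is loaded into every process using user32.dll;
            # it is rarely set legitimately, so any value deserves review.
            hits.append((section, "AppInit_DLLs injection point set", body))
        elif section == "O2" and body.startswith("BHO: (no name)"):
            # Unnamed BHOs include legitimate ones (Spybot's SDHelper.dll),
            # so this is lower priority: confirm the vendor folder by hand.
            hits.append((section, "unnamed BHO, confirm vendor", body))
    return hits
```

Running triage(SAMPLE_LOG) flags the ddayw BHO, the SSODL entry, the C:\WINDOWS autorun and the AppInit_DLLs value, and lists the Spybot BHO as a lower-priority check, matching what the helper asked to be fixed.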

Unread postby agrarianmonk » August 13th, 2006, 12:08 am

Having any problems with the instructions?
agrarianmonk
MRU Teacher Emeritus
 
Posts: 5439
Joined: December 24th, 2005, 3:11 am