Welcome to MalwareRemoval.com,
What if we told you that you could get malware removal help from experts, and that it was 100% free? MalwareRemoval.com provides free support for people with infected computers. Our help, and the tools we use are always 100% free. No hidden catch. We simply enjoy helping others. You enjoy a clean, safe computer.

Malware Removal Instructions

My hijackthis log file - Help!

MalwareRemoval.com provides free support for people with infected computers. Using plain language that anyone can understand, our community of volunteer experts will walk you through each step.

My hijackthis log file - Help!

Unread postby sastoker » July 14th, 2007, 11:48 pm

I'm not sure what else to include. I went through the recommended online and stand alone tools which found a lot of junk on my pc. I still have reoccurring findings of the Adware.Virtumonde.SY virus. I don't know how to get rid of it. Here is a summary of the BitDfender log: (The Hijackthis log is below).

// Product BitDefender Antivirus v10
// Product 10.2
//
// Created on: 14/07/2007 15:47:58

C:\WINDOWS\SYSTEM32\hsxakdjt.exe Disinfection failed
C:\WINDOWS\SYSTEM32\hsxakdjt.exe Moved
C:\WINDOWS\SYSTEM32\wfoobfby.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\wfoobfby.exe Disinfection failed
C:\WINDOWS\SYSTEM32\wfoobfby.exe Moved
C:\WINDOWS\SYSTEM32\boljqtvc.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\boljqtvc.exe Disinfection failed
C:\WINDOWS\SYSTEM32\boljqtvc.exe Moved
C:\WINDOWS\SYSTEM32\lvjnqoah.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\lvjnqoah.exe Disinfection failed
C:\WINDOWS\SYSTEM32\lvjnqoah.exe Moved
C:\WINDOWS\SYSTEM32\vykxhepj.dll Infected: Trojan.JuanSearch.B
C:\WINDOWS\SYSTEM32\vykxhepj.dll Disinfection failed
C:\WINDOWS\SYSTEM32\vykxhepj.dll Moved
C:\WINDOWS\SYSTEM32\cisstksx.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\cisstksx.exe Disinfection failed
C:\WINDOWS\SYSTEM32\cisstksx.exe Moved
C:\WINDOWS\SYSTEM32\sebbjvij.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\sebbjvij.exe Disinfection failed
C:\WINDOWS\SYSTEM32\sebbjvij.exe Moved
C:\WINDOWS\SYSTEM32\qcmggdir.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\qcmggdir.exe Disinfection failed
C:\WINDOWS\SYSTEM32\qcmggdir.exe Moved
C:\WINDOWS\SYSTEM32\cglevadq.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\cglevadq.exe Disinfection failed
C:\WINDOWS\SYSTEM32\cglevadq.exe Moved
C:\WINDOWS\SYSTEM32\tugypqih.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\tugypqih.exe Disinfection failed
C:\WINDOWS\SYSTEM32\tugypqih.exe Moved
C:\WINDOWS\SYSTEM32\jnsmtiyk.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\jnsmtiyk.exe Disinfection failed
C:\WINDOWS\SYSTEM32\jnsmtiyk.exe Moved

C:\WINDOWS\SYSTEM32\hsxakdjt.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\hsxakdjt.exe Disinfection failed
C:\WINDOWS\SYSTEM32\hsxakdjt.exe Moved
C:\WINDOWS\SYSTEM32\wfoobfby.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\wfoobfby.exe Disinfection failed
C:\WINDOWS\SYSTEM32\wfoobfby.exe Moved
C:\WINDOWS\SYSTEM32\boljqtvc.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\boljqtvc.exe Disinfection failed
C:\WINDOWS\SYSTEM32\boljqtvc.exe Moved
C:\WINDOWS\SYSTEM32\lvjnqoah.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\lvjnqoah.exe Disinfection failed
C:\WINDOWS\SYSTEM32\lvjnqoah.exe Moved
C:\WINDOWS\SYSTEM32\vykxhepj.dll Infected: Trojan.JuanSearch.B
C:\WINDOWS\SYSTEM32\vykxhepj.dll Disinfection failed
C:\WINDOWS\SYSTEM32\vykxhepj.dll Moved
C:\WINDOWS\SYSTEM32\cisstksx.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\cisstksx.exe Disinfection failed
C:\WINDOWS\SYSTEM32\cisstksx.exe Moved
C:\WINDOWS\SYSTEM32\sebbjvij.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\sebbjvij.exe Disinfection failed
C:\WINDOWS\SYSTEM32\sebbjvij.exe Moved
C:\WINDOWS\SYSTEM32\qcmggdir.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\qcmggdir.exe Disinfection failed
C:\WINDOWS\SYSTEM32\qcmggdir.exe Moved
C:\WINDOWS\SYSTEM32\cglevadq.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\cglevadq.exe Disinfection failed
C:\WINDOWS\SYSTEM32\cglevadq.exe Moved
C:\WINDOWS\SYSTEM32\tugypqih.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\tugypqih.exe Disinfection failed
C:\WINDOWS\SYSTEM32\tugypqih.exe Moved
C:\WINDOWS\SYSTEM32\jnsmtiyk.exe Detected: Adware.Virtumonde.SY
C:\WINDOWS\SYSTEM32\jnsmtiyk.exe Disinfection failed
C:\WINDOWS\SYSTEM32\jnsmtiyk.exe Moved

Logfile of HijackThis v1.99.1
Scan saved at 10:27:40 PM, on 7/14/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1729222797f93afe75 ... xIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX
Advertisement
Register to Remove

Unread postby ndmmxiaomayi » July 15th, 2007, 12:10 am

Hi sastoker. :)

Welcome to Malware Removal Forum. My name is mayi and I will be helping you. As I am still an undergraduate, I will need my fixes checked before posting back to you. Thank you for your patience.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby ndmmxiaomayi » July 15th, 2007, 6:55 am

Hi sastoker,

Step 1

Please rename HijackThis.exe to dumb.exe by doing the following:

  1. Go to C:\Program Files\HijackThis
  2. Right click on HijackThis.exe and select Rename.
  3. Type in dumb and press Enter.
  4. Double click on dumb to run it. Select Do a system scan and save a logfile. Please post back this log in your next reply.
Once done, Notepad will open. Post back this log in your next reply.[/list]Do not close HijackThis yet.

Step 2

  1. Click on the Config... button at the bottom right hand corner.
  2. At the top, click on the Misc Tools button.
  3. Look under System tools.
  4. Click on the Open Uninstall Manager... button.
  5. Click on the Save list... button.
  6. It will prompt you to save. Save this log in a convenient location. By default it's named uninstall_list.txt.
  7. Notepad will open. Please post back this list in your next reply.

Step 3

  1. Open My Computer.
  2. Click on Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders radio button.
  6. Uncheck (untick) these two boxes:
    • Hide extensions for known file types
    • Hide protected operating system files (Recommended)
  7. Click Yes when prompted.
  8. Click OK.
  9. Close My Computer.

Step 4

  1. Please go to Start > Search.
  2. Select All files and folders when the dog asks you What do you want to search for?
  3. Copy and paste in SysTray.Exe to All or part of the file name box.
  4. Click on More advanced options.
  5. Check (tick) these boxes:
    • Search system folders
    • Search hidden files and folders
    • Search sub folders
  6. Click on Search.
  7. Please take note of where systray.exe is located and post the location of systray.exe in your next reply.

In your next reply, please post:

  1. A new HijackThis log
  2. The Uninstall list
  3. Location(s) of systray.exe
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby sastoker » July 15th, 2007, 9:01 am

First, thanks so much for your time with helping me! Here is the info:


The new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:41:33 AM, on 7/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe
C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Softwin\BitDefender10\bdmcon.exe
C:\Program Files\Softwin\BitDefender10\bdagent.exe
C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
C:\WINDOWS\system32\devldr32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\HijackThis\dumb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {15658D5C-05FA-41A1-82D0-F907AA17E521} - C:\WINDOWS\system32\jkkki.dll
O2 - BHO: (no name) - {281caaf3-e664-4f21-a2fe-e9725ac0643d} - C:\WINDOWS\system32\qdmpfti.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9134218D-6070-400F-B199-539184744F79} - (no file)
O2 - BHO: (no name) - {938A8A03-A938-4019-B764-03FF8D167D79} - C:\WINDOWS\system32\xjqeghaq.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - (no file)
O2 - BHO: (no name) - {FAF348AA-403F-4DE5-AD2D-1001B4352C21} - \
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [BDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg
O4 - HKLM\..\Run: [BDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1729222797f93afe75 ... xIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: ddcddcb - ddcddcb.dll (file missing)
O20 - Winlogon Notify: jkkki - C:\WINDOWS\system32\jkkki.dll
O20 - Winlogon Notify: oppmj - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

The Uninstall list
Ad-Aware 2007
Adobe Flash Player 9 ActiveX
Adobe Photoshop 6.0
Adobe Reader 7.0.9
Advanced Video FX Utility
AT&T Self Support Tool
AT&T Yahoo! Applications
AVG Anti-Spyware 7.5
Azureus
Backup Dell-Installed Programs
Backup995
BitDefender Antivirus v10
Brother MFL-Pro Suite
Business Plan Pro 4.0
Canon PhotoRecord
Canon PIXMA iP1500
Canon Utilities Easy-PhotoPrint
Canon Utilities PhotoStitch 3.1
Canon Utilities ZoomBrowser EX
Clifford Phonics
Creative Photo Manager
Creative WebCam Center
Creative WebCam Live! Driver (1.02.03.0606)
Creative WebCam Live! User's Guide (English)
DAEMON Tools
Data Lifeguard Tools
Debt Free On Any Income
Dell Documents
Dell Resolution Assistant
DVD Decrypter (Remove Only)
DVD Shrink 3.2
DVDFab Decrypter 2.9.7.3
Easy-WebPrint
Evoluent Mouse Manager
FontVision
Get Yahoo! Messenger
Hallmark Card Studio 2006
Hallmark Scrapbook Studio Deluxe
HighMAT Extension to Microsoft Windows XP CD Writing Wizard
HijackThis 1.99.1
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
HP RecordNow
IBM OnDemand AFP Web Viewer
i-LEARN My Dell PC
InCD
InCD EasyWrite Reader
InterActual Player
InterVideo WinDVD
Java 2 Runtime Environment, SE v1.4.2_01
LG Internetkit
LG PhoneManager
LG SyncManager
LG USB Modem driver
Logitech iTouch Software
Logitech MouseWare 9.79.3
LogViewer
LogWare
Lucent Win Modem
Macromedia Dreamweaver 4 and UltraDev 4
Macromedia Extension Manager
Macromedia Fireworks 4
Macromedia Flash 5
Macromedia Shockwave Player
MGI PhotoSuite 8.1 (Remove Only)
MGI VideoWave III (Remove Only)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft ActiveX Control Pad
Microsoft Command & Control Engine
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Data Access Components KB870669
Microsoft IntelliType Pro
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft Learning and Research Plus Support Files
Microsoft National Language Support Downlevel APIs
Microsoft Office XP Professional with FrontPage
Microsoft Picture It! Express 7.0
Microsoft Speech API 3.0
Microsoft Speech Lexicon
Microsoft User-Mode Driver Framework Feature Pack 1.0
Modem Test
Move Networks Player for Internet Explorer
MSN Messenger 7.5
MSXML 4.0 SP2 (KB927978)
NCLEX-RN 3500 - Institutional Version
Nero OEM
NeroVision Express 2
NVIDIA Windows 2000/XP Display Drivers
PaperPort 8.0 SE
Pdf995
Personalized Learning Center
PhoneTools
Picasa 2
PowerDVD
Quicken 2006
QuickTime
QuickTime for Windows (32-bit)
Reader Rabbit Personalized Kindergarten
Reader Rabbit Personalized Preschool
Real Deal UpGrade
RealPlayer
Sandlot Games Client Services
SBC Yahoo! DSL Home Networking Installer
Scholastic's I SPY Junior
Security Update for Step By Step Interactive Training (KB898458)
Security Update for Step By Step Interactive Training (KB923723)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB918899)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Shockwave
Sony USB Driver
Sound Blaster Live! Value
Spybot - Search & Destroy 1.4
SpywareBlaster v3.5.1
StatPro for Excel
The DecisionTools Suite
The Print Shop Multimedia Organizer 3.0
TONKA TOWN
TrojanHunter 4.7
True Sword 4
Ultra soft
Uniblue PowerSuite
Uniblue RegistryBooster 2
Uniblue SpeedUpMyPC 3
Uniblue SpyEraser
Uniblue System Tweaker
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB936357)
URGE
USBControl
VCE-Medical-Surgical
Veo Digital Studio
Veo Stingray
Weather Services
Windows Backup Utility
Windows Genuine Advantage v1.3.0254.0
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Installer Clean Up
Windows Internet Explorer 7
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
Windows XP Service Pack 2
WinZip

Locations of systay.exe:
C:\WINDOWS\SYSTEM32\systray.exe
C:\WINDOWS\SYSTEM32\dllcache\systray.exe
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby ndmmxiaomayi » July 16th, 2007, 8:02 am

Hi sastoker,

Step 1

  1. Go to Start > Control Panel. Double click on Add/Remove Programs.
  2. Locate DVD Decrypter (Remove Only) and click on Change/Remove to uninstall it.
  3. Repeat Steps 1 and 2 for DVDFab Decrypter 2.9.7.3.
  4. Once done, close Add/Remove Programs and Control Panel.

Step 2

  1. Please download VundoFix.exe by Atribune from Atribune and save it to your desktop.
  2. Double click VundoFix.exe to run it.
  3. Click the Scan for Vundo button.
  4. Once it's done scanning, click the Remove Vundo button.
  5. You will receive a prompt asking if you want to remove the files, click YES
  6. Once you click yes, your desktop will go blank as it starts removing Vundo.
  7. When completed, it will prompt that it will reboot your computer, click OK.
  8. Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

In your next reply, please post:

  1. VundoFix report (C:\VundoFix.txt)
  2. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby sastoker » July 16th, 2007, 8:16 pm

Hello,

Here is the VundoFix report (C:\VundoFix.txt)

One note, while I was running the VundoFix program my antivirus software (Computer Associates) detected a virus "win32/Darksma.BN" in the folder c:\windows\system32\ferkfotv.dll it found four instances and deleted them. So I re-ran the VundoFix until it came up clean (after 3 times).


VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 6:15:50 PM 7/16/2007

Listing files found while scanning....

C:\windows\system32\axnlwafw.dll
C:\windows\system32\bfdcowxi.dll
C:\windows\system32\fwnemots.dll
C:\windows\system32\gfaxcxpw.dll
C:\WINDOWS\system32\ikkkj.bak1
C:\WINDOWS\system32\ikkkj.bak2
C:\WINDOWS\system32\ikkkj.ini
C:\WINDOWS\system32\ikkkj.ini2
C:\WINDOWS\system32\ikkkj.tmp
C:\windows\system32\imgrsbvf.dll
C:\windows\system32\ipedwiik.dll
C:\WINDOWS\system32\jkkki.dll
C:\windows\system32\kpkoliiy.dll
C:\windows\system32\kveqlpom.dll
C:\WINDOWS\system32\levggbdc.dll
C:\windows\system32\rvsncvee.dll
C:\windows\system32\udlxmhrc.dll
C:\windows\system32\uxtmyvlp.dll

Beginning removal...

Attempting to delete C:\windows\system32\axnlwafw.dll
C:\windows\system32\axnlwafw.dll Has been deleted!

Attempting to delete C:\windows\system32\bfdcowxi.dll
C:\windows\system32\bfdcowxi.dll Has been deleted!

Attempting to delete C:\windows\system32\fwnemots.dll
C:\windows\system32\fwnemots.dll Has been deleted!

Attempting to delete C:\windows\system32\gfaxcxpw.dll
C:\windows\system32\gfaxcxpw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ikkkj.bak1
C:\WINDOWS\system32\ikkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ikkkj.bak2
C:\WINDOWS\system32\ikkkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ikkkj.ini
C:\WINDOWS\system32\ikkkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ikkkj.ini2
C:\WINDOWS\system32\ikkkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ikkkj.tmp
C:\WINDOWS\system32\ikkkj.tmp Has been deleted!

Attempting to delete C:\windows\system32\imgrsbvf.dll
C:\windows\system32\imgrsbvf.dll Has been deleted!

Attempting to delete C:\windows\system32\ipedwiik.dll
C:\windows\system32\ipedwiik.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkki.dll
C:\WINDOWS\system32\jkkki.dll Has been deleted!

Attempting to delete C:\windows\system32\kpkoliiy.dll
C:\windows\system32\kpkoliiy.dll Has been deleted!

Attempting to delete C:\windows\system32\kveqlpom.dll
C:\windows\system32\kveqlpom.dll Has been deleted!

Attempting to delete C:\windows\system32\rvsncvee.dll
C:\windows\system32\rvsncvee.dll Has been deleted!

Attempting to delete C:\windows\system32\udlxmhrc.dll
C:\windows\system32\udlxmhrc.dll Has been deleted!

Attempting to delete C:\windows\system32\uxtmyvlp.dll
C:\windows\system32\uxtmyvlp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 6:51:48 PM 7/16/2007

Listing files found while scanning....

C:\windows\system32\jykoanhp.dll
C:\windows\system32\levggbdc.dll
C:\windows\system32\nvkmvvrx.dll
C:\windows\system32\sbvdlwwr.dll
C:\windows\system32\ttmnusmm.dll
C:\windows\system32\xjqeghaq.dll

Beginning removal...

Attempting to delete C:\windows\system32\jykoanhp.dll
C:\windows\system32\jykoanhp.dll Has been deleted!

Attempting to delete C:\windows\system32\levggbdc.dll
C:\windows\system32\levggbdc.dll Has been deleted!

Attempting to delete C:\windows\system32\nvkmvvrx.dll
C:\windows\system32\nvkmvvrx.dll Has been deleted!

Attempting to delete C:\windows\system32\sbvdlwwr.dll
C:\windows\system32\sbvdlwwr.dll Has been deleted!

Attempting to delete C:\windows\system32\ttmnusmm.dll
C:\windows\system32\ttmnusmm.dll Has been deleted!

Attempting to delete C:\windows\system32\xjqeghaq.dll
C:\windows\system32\xjqeghaq.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 7:05:16 PM 7/16/2007

Listing files found while scanning....


VundoFix V6.5.6

Checking Java version...

Java version is 1.4.2.1
Old versions of java are exploitable and should be removed.

Scan started at 7:08:52 PM 7/16/2007

Listing files found while scanning....

No infected files were found.



Here is the new HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:14:31 PM, on 7/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Softwin\BitDefender10\vsserv.exe
C:\Documents and Settings\Amber\Desktop\dumb.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {281caaf3-e664-4f21-a2fe-e9725ac0643d} - C:\WINDOWS\system32\qdmpfti.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9134218D-6070-400F-B199-539184744F79} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF7E9427-7566-4E78-9FAA-0A20F0EB0E6E} - C:\WINDOWS\system32\jkkki.dll (file missing)
O2 - BHO: (no name) - {FAF348AA-403F-4DE5-AD2D-1001B4352C21} - \
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1729222797f93afe75 ... xIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: ddcddcb - ddcddcb.dll (file missing)
O20 - Winlogon Notify: oppmj - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe" /service (file missing)
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: BitDefender Desktop Update Service (LIVESRV) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe" /service (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe" /service (file missing)
O23 - Service: BitDefender Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe" /service (file missing)
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby ndmmxiaomayi » July 17th, 2007, 5:00 am

Hi sastoker,

Please uninstall either Bitdefender or eTrust antivirus. Having two antivirus programs on the computer may cause problems.

Step 1

  1. Please go to Start > Search.
  2. Select All files and folders when the dog asks you What do you want to search for?
  3. Copy and paste in qdmpfti.dll to All or part of the file name box.
  4. Click on More advanced options.
  5. Check (tick) these boxes:
    • Search system folders
    • Search hidden files and folders
    • Search sub folders
  6. Click on Search.
  7. Please make a note if the qdmpfti.dll file is there and post back in your reply.

Step 2

Show hidden files and folders

  1. Open My Computer.
  2. Go to Tools > Folder Options.
  3. Select the View tab.
  4. Scroll down to Hidden files and folders.
  5. Select Show hidden files and folders.
  6. Uncheck (untick) Hide extensions of known file types.
  7. Uncheck (untick) Hide protected operating system files (Recommended).
  8. Click Yes when prompted.
  9. Click OK.
  10. Close My Computer.

Please submit C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe and C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe to Virus Total or Jotti for scanning.

For Virus Total

  1. Click on the Browse button.
  2. Navigate and locate C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe file.
  3. Click Open, then click on Send.

For Jotti

  1. Click on the Browse button.
  2. Navigate and locate C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe file.
  3. Click on Open, then click on Submit.
Repeat for C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe file.

In your next reply, please post:

  1. If the qdmpfti.dll file is present
  2. Virus Total or Jotti's scan results
  3. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby sastoker » July 17th, 2007, 7:36 pm

Hello,

I've unistalled Bitdefender.

The search results did not find the qdmpfti.dll file present on my PC.

Jotti's scan results for C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe was:

"The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file"

Jotti's scan results for C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe was:


Service
Service load: 0% 100%

File: WinTouch.exe
Status: OK
MD5: 9bdaa6915a76116f6f8348236a59980f
Packers detected: UPX
Bit9 reports: Not analyzed yet (more info)

Scanner results
Scan taken on 17 Jul 2007 23:22:56 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

However, Virus Total's scan results for C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe was:

File WinTouch.exe received on 07.18.2007 01:25:40 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2007.7.14.0 2007.07.17 no virus found
AntiVir 7.4.0.42 2007.07.17 no virus found
Authentium 4.93.8 2007.07.18 no virus found
Avast 4.7.997.0 2007.07.17 no virus found
AVG 7.5.0.476 2007.07.17 no virus found
BitDefender 7.2 2007.07.17 no virus found
CAT-QuickHeal 9.00 2007.07.17 no virus found
ClamAV devel-20070416 2007.07.17 no virus found
DrWeb 4.33 2007.07.18 no virus found
eSafe 7.0.15.0 2007.07.17 suspicious Trojan/Worm
eTrust-Vet 30.8.3790 2007.07.17 no virus found
Ewido 4.0 2007.07.17 no virus found
FileAdvisor 1 2007.07.18 no virus found
Fortinet 2.91.0.0 2007.07.17 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
F-Secure 6.70.13030.0 2007.07.17 no virus found
Ikarus T3.1.1.8 2007.07.17 no virus found
Kaspersky 4.0.2.24 2007.07.18 no virus found
McAfee 5076 2007.07.17 no virus found
Microsoft 1.2704 2007.07.17 no virus found
NOD32v2 2404 2007.07.17 no virus found
Norman 5.80.02 2007.07.17 no virus found
Panda 9.0.0.4 2007.07.17 Suspicious file
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.18 no virus found
Symantec 10 2007.07.18 Trojan Horse
TheHacker 6.1.7.148 2007.07.16 no virus found
VBA32 3.12.2 2007.07.17 no virus found
VirusBuster 4.3.23:9 2007.07.17 no virus found
Webwasher-Gateway 6.0.1 2007.07.17 no virus found
Aditional information
File size: 153600 bytes
MD5: 9bdaa6915a76116f6f8348236a59980f
SHA1: 98761ebca158eb3c59f815129e1654637bfb7519
packers: UPX
packers: UPX
packers: UPX

Here is a current copy of my HijackThis log:


Logfile of HijackThis v1.99.1
Scan saved at 6:37:19 PM, on 7/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Amber\Desktop\dumb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {281caaf3-e664-4f21-a2fe-e9725ac0643d} - C:\WINDOWS\system32\qdmpfti.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {9134218D-6070-400F-B199-539184744F79} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF7E9427-7566-4E78-9FAA-0A20F0EB0E6E} - C:\WINDOWS\system32\jkkki.dll (file missing)
O2 - BHO: (no name) - {FAF348AA-403F-4DE5-AD2D-1001B4352C21} - \
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\SYSTEM32\MSJAVA.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1729222797f93afe75 ... xIE601.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: ddcddcb - ddcddcb.dll (file missing)
O20 - Winlogon Notify: oppmj - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

While I was doing these steps my antivirus software (Computer Associates) detected the Darksma.BN virus again and found three instances of it. Otherwise the computer starts up much faster than it did previously.
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby ndmmxiaomayi » July 18th, 2007, 5:01 am

Hi sastoker,

Step 1

  1. Please download the latest version of Icesword from here.
  2. Right click on IceSword122en.zip and select Extract All....
  3. Click Next on seeing the Welcome to the Compressed (zipped) Folders Extraction Wizard.
  4. Click on the Browse button. Click on Desktop. Then click OK.
  5. Check (tick) the Show extracted files box.
  6. Create a new folder on your desktop (right click on desktop, select New > Folder), name it Bad.
  7. Double click on Icesword.exe to run it.
  8. Click on File on the left hand side.
  9. Click on the + sign next to C drive to expand it.
  10. Click on the + sign next to Documents and Settings to expand it.
  11. Click on the + sign next to Amber to expand it.
  12. Click on the + sign next to Application Data to expand it.
  13. Click on the + sign next to Microsoft to expand it.
  14. Click on the + sign next to Windows to expand it.
  15. On your right hand side, right click on rayiou.exe and select Copy to....
  16. Navigate to the Bad folder created in Step 6. In the File Name field, copy and paste in rayiou.exe.
  17. Click Save.
Visit Virus Total or Jotti again and upload this file (C:\Documents and Settings\Amber\Desktop\Bad\rayiou.exe) for scanning.

Step 2

Please open HijackThis and select Do a system scan only.

Put a check (tick) next to these lines:

O2 - BHO: (no name) - {281caaf3-e664-4f21-a2fe-e9725ac0643d} - C:\WINDOWS\system32\qdmpfti.dll (file missing)
O2 - BHO: (no name) - {9134218D-6070-400F-B199-539184744F79} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {EF7E9427-7566-4E78-9FAA-0A20F0EB0E6E} - C:\WINDOWS\system32\jkkki.dll (file missing)
O2 - BHO: (no name) - {FAF348AA-403F-4DE5-AD2D-1001B4352C21} - \
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Amber\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://207.188.7.150/1729222797f93afe75 ... xIE601.cab
O19 - User stylesheet: (file missing)
O20 - Winlogon Notify: ddcddcb - ddcddcb.dll (file missing)
O20 - Winlogon Notify: oppmj - C:\WINDOWS\


Click Fix checked. Close HijackThis.

Step 3

Restart your computer in Safe Mode.

  1. When you see BIOS screen, start pressing F8.
  2. A boot menu will appear shortly.
  3. Using the up down arrows, select Safe Mode and press the Enter key.
  4. Windows will now load.
  5. Log in to your usual account.

Step 4

Delete these file and folder.

C:\Documents and Settings\Amber\Application Data\WinTouch
C:\Documents and Settings\Amber\Application Data\Microsoft\Windows\rayiou.exe

While I was doing these steps my antivirus software (Computer Associates) detected the Darksma.BN virus again and found three instances of it. Otherwise the computer starts up much faster than it did previously.


Could you tell me in more details? Where are the virus files located? What files are detected? Thanks.

In your next reply, please post:

  1. Virus Total or Jotti's scan results from Step 1
  2. A new HijackThis log
  3. The details of the Darksma.BN virus detected
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby sastoker » July 18th, 2007, 9:31 pm

Hello again,

Virus Total or Jotti's scan results from Step 1

Jotti scan of rayiou.exe

Service load: 0% 100%

File: rayiou.exe
Status: INFECTED/MALWARE
MD5: b73bbaf44f9dabf855e3ec2bac857c02
Packers detected: UPX
Bit9 reports: Not analyzed yet (more info)

Scanner results
Scan taken on 18 Jul 2007 22:35:30 (GMT)
A-Squared Found nothing
AntiVir Found TR/Dldr.Agent.buo.2
ArcaVir Found Trojan.Downloader.Agent.Buo
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found Trojan.Downloader.Agent.YIS
ClamAV Found nothing
Dr.Web Found Trojan.DownLoader.26460
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Agent.buo
Fortinet Found nothing
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Agent.buo
NOD32 Found Win32/Agent.NKV
Norman Virus Control Found nothing
Panda Antivirus Found Trj/Downloader.PMC
Rising Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing

Virus Total scan of rayiou.exe

File rayiou.exe received on 07.19.2007 00:35:05 (CET)

Antivirus Version Last Update Result
AhnLab-V3 2007.7.18.0 2007.07.18 no virus found
AntiVir 7.4.0.44 2007.07.18 TR/Dldr.Agent.buo.2
Authentium 4.93.8 2007.07.18 no virus found
Avast 4.7.997.0 2007.07.18 no virus found
AVG 7.5.0.476 2007.07.18 no virus found
BitDefender 7.2 2007.07.18 Trojan.Downloader.Agent.YIS
CAT-QuickHeal 9.00 2007.07.18 TrojanDownloader.Agent.buo
ClamAV devel-20070416 2007.07.18 no virus found
DrWeb 4.33 2007.07.18 Trojan.DownLoader.26460
eSafe 7.0.15.0 2007.07.17 Win32.Agent.buo
eTrust-Vet 30.8.3793 2007.07.18 no virus found
Ewido 4.0 2007.07.18 Downloader.Agent.buo
FileAdvisor 1 2007.07.19 no virus found
Fortinet 2.91.0.0 2007.07.18 no virus found
F-Prot 4.3.2.48 2007.07.17 no virus found
F-Secure 6.70.13030.0 2007.07.18 Trojan-Downloader.Win32.Agent.buo
Ikarus T3.1.1.8 2007.07.18 Trojan-Downloader.Win32.Agent.buo
Kaspersky 4.0.2.24 2007.07.19 Trojan-Downloader.Win32.Agent.buo
McAfee 5077 2007.07.18 no virus found
Microsoft 1.2704 2007.07.18 no virus found
NOD32v2 2405 2007.07.18 Win32/Agent.NKV
Norman 5.80.02 2007.07.18 no virus found
Panda 9.0.0.4 2007.07.18 Trj/Downloader.PMC
Sophos 4.19.0 2007.07.17 no virus found
Sunbelt 2.2.907.0 2007.07.19 Trojan.Unclassified.gen
Symantec 10 2007.07.19 Trojan Horse
TheHacker 6.1.7.149 2007.07.18 no virus found
VBA32 3.12.2.1 2007.07.18 no virus found
VirusBuster 4.3.23:9 2007.07.18 no virus found
Webwasher-Gateway 6.0.1 2007.07.19 Trojan.Dldr.Agent.buo.2
Aditional information
File size: 34816 bytes
MD5: b73bbaf44f9dabf855e3ec2bac857c02
SHA1: b537a25bd2dce5171d6e8153363c96eb78feca91
packers: UPX
packers: UPX
packers: UPX
Sunbelt info: Trojan.Unclassified.gen is a group of various malicious applications that have not been fully categorized. Detection has been added as Trojan.Unclassified.gen until such applications can be further classified.


A new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 8:20:56 PM, on 7/18/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Documents and Settings\Amber\Desktop\dumb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Here is an excerpt from the antivirus log which contain the details of the Darksma.BN virus and others


Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244023.DLL is Win32/Darksma trojan. Deleted
2007/07/13 10:38:16.772 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244023.DLL is Win32/Darksma trojan.
2007/07/13 10:38:16.813 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244023.DLL is Win32/Darksma trojan.
2007/07/13 10:38:17.293 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244026.DLL is Win32/Chisyne!generic trojan. Deleted
2007/07/13 10:38:17.363 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244026.DLL is Win32/Chisyne!generic trojan.
2007/07/13 10:38:17.504 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244026.DLL is Win32/Chisyne!generic trojan.
2007/07/13 10:38:17.894 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244034.dll is Win32/Vundo trojan. Deleted
2007/07/13 10:38:17.934 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244034.dll is Win32/Vundo trojan.
2007/07/13 10:38:17.994 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1051\A0244034.dll is Win32/Vundo trojan.
2007/07/13 10:38:24.333 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245130.exe is Win32/Secdrop.OC trojan. Deleted
2007/07/13 10:38:24.454 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245130.exe is Win32/Secdrop.OC trojan.
2007/07/13 10:38:24.544 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245130.exe is Win32/Secdrop.OC trojan.
2007/07/13 10:38:24.994 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245131.dll is Win32/Vundo trojan. Deleted
2007/07/13 10:38:25.114 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245131.dll is Win32/Vundo trojan.
2007/07/13 10:38:25.305 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245131.dll is Win32/Vundo trojan.
2007/07/13 10:38:25.495 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245132.dll is Win32/Vundo trojan. Deleted
2007/07/13 10:38:25.535 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245132.dll is Win32/Vundo trojan.
2007/07/13 10:38:25.575 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245132.dll is Win32/Vundo trojan.
2007/07/13 10:38:26.496 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245133.exe is Win32/Secdrop.OB trojan. Deleted
2007/07/13 10:38:26.577 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245133.exe is Win32/Secdrop.OB trojan.
2007/07/13 10:38:26.617 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1053\A0245133.exe is Win32/Secdrop.OB trojan.
2007/07/13 10:40:29.353 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\GW8N8U6R\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/13 10:40:30.685 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\mklfbvab.dll is Win32/Vundo trojan. Deleted
2007/07/13 10:40:30.985 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\mklfbvab.dll is Win32/Vundo trojan.
2007/07/13 23:03:11.583 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\CHMCIB40\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/13 23:03:15.428 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\lsvqquhs.dll is Win32/Vundo trojan. Deleted
2007/07/13 23:03:16.249 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\lsvqquhs.dll is Win32/Vundo trojan.
2007/07/14 07:54:23.089 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\CHMCIB40\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/14 07:54:24.822 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\nqsneyky.dll is Win32/Vundo trojan. Deleted
2007/07/14 07:54:25.142 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\nqsneyky.dll is Win32/Vundo trojan.
2007/07/14 09:00:37.082 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\CHMCIB40\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/14 09:00:40.787 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\wkhkcdob.dll is Win32/Vundo trojan. Deleted
2007/07/14 09:00:41.798 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\wkhkcdob.dll is Win32/Vundo trojan.
2007/07/14 10:30:58.648 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\CHMCIB40\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/14 10:30:59.329 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\hjiavndd.dll is Win32/Vundo trojan. Deleted
2007/07/14 10:30:59.370 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\hjiavndd.dll is Win32/Vundo trojan.
2007/07/14 10:47:28.984 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\ZX0ZPHHZ\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/14 10:47:31.448 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\puofdltq.dll is Win32/Vundo trojan. Deleted
2007/07/14 10:47:31.498 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\puofdltq.dll is Win32/Vundo trojan.
2007/07/14 12:19:57.032 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\CHMCIB40\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/14 12:20:03.361 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\dnvbtsxy.dll is Win32/Vundo trojan. Deleted
2007/07/14 12:20:03.532 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\dnvbtsxy.dll is Win32/Vundo trojan.
2007/07/14 14:42:07.533 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\FHCRDK00\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/14 14:42:09.216 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\bqqiuphd.dll is Win32/Vundo trojan. Deleted
2007/07/14 14:42:09.286 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\bqqiuphd.dll is Win32/Vundo trojan.
2007/07/14 15:21:13.922 File infection: C:\WINDOWS\TEMP\httproxy_srv02D609C01184444469 is Win32/Vundo trojan.
2007/07/14 15:21:14.983 File infection: C:\WINDOWS\TEMP\httproxy_srv02D609C01184444469 is Win32/Vundo trojan.
2007/07/15 07:34:47.342 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\FHCRDK00\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/15 07:34:49.765 File infection: C:\documents and settings\amber\local settings\temporary internet files\content.ie5\fhcrdk00\_affvm[1] is Win32/Vundo trojan.
2007/07/15 07:34:52.700 File infection: C:\docume~1\amber\locals~1\temp\uxeayvcg.dll is Win32/Vundo trojan. Deleted
2007/07/15 07:34:53.260 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\uxeayvcg.dll is Win32/Vundo trojan.
2007/07/15 07:34:55.173 File infection: C:\docume~1\amber\locals~1\temp\uxeayvcg.dll is Win32/Vundo trojan.
2007/07/15 07:34:55.814 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\uxeayvcg.dll is Win32/Vundo trojan.
2007/07/15 12:42:08.471 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\GW8N8U6R\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/15 12:42:08.802 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\nqbilvtx.dll is Win32/Vundo trojan. Deleted
2007/07/15 12:42:08.922 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\nqbilvtx.dll is Win32/Vundo trojan.
2007/07/16 09:34:43.612 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\ZX0ZPHHZ\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/16 09:34:45.946 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\kqehqaao.dll is Win32/Vundo trojan. Deleted
2007/07/16 09:34:45.996 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\kqehqaao.dll is Win32/Vundo trojan.
2007/07/16 09:52:07.413 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\ZX0ZPHHZ\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/16 09:52:13.772 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\bdsnwkid.dll is Win32/Vundo trojan. Deleted
2007/07/16 09:52:13.863 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\bdsnwkid.dll is Win32/Vundo trojan.
2007/07/16 13:28:21.189 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\ZX0ZPHHZ\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/16 13:28:22.000 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\naegdewt.dll is Win32/Vundo trojan. Deleted
2007/07/16 13:28:22.360 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\naegdewt.dll is Win32/Vundo trojan.
2007/07/16 18:07:38.156 File infection: C:\Documents and Settings\Amber\Local Settings\Temporary Internet Files\Content.IE5\7RIHSJZJ\_affvm[1] is Win32/Vundo trojan. Deleted
2007/07/16 18:07:55.101 File infection: C:\documents and settings\amber\local settings\temporary internet files\content.ie5\7rihsjzj\_affvm[1] is Win32/Vundo trojan.
2007/07/16 18:08:14.729 File infection: C:\docume~1\amber\locals~1\temp\gsdgxfty.dll is Win32/Vundo trojan. Deleted
2007/07/16 18:08:15.260 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\gsdgxfty.dll is Win32/Vundo trojan.
2007/07/16 18:08:15.390 File infection: C:\docume~1\amber\locals~1\temp\gsdgxfty.dll is Win32/Vundo trojan.
2007/07/16 18:08:15.490 File infection: C:\DOCUME~1\Amber\LOCALS~1\Temp\gsdgxfty.dll is Win32/Vundo trojan.
2007/07/16 18:18:43.173 File infection: C:\windows\system32\fcrfkotv.dll is Win32/Darksma.BN trojan. Deleted
2007/07/16 18:18:43.804 File infection: C:\windows\system32\fcrfkotv.dll is Win32/Darksma.BN trojan.
2007/07/16 18:21:02.123 File infection: C:\windows\system32\lhgckdrx.dll is Win32/Darksma.BN trojan. Deleted
2007/07/16 18:21:02.373 File infection: C:\windows\system32\lhgckdrx.dll is Win32/Darksma.BN trojan.
2007/07/16 18:21:04.125 File infection: C:\windows\system32\rvinnbtu.dll is Win32/Darksma.BN trojan. Deleted
2007/07/16 18:21:04.256 File infection: C:\windows\system32\rvinnbtu.dll is Win32/Darksma.BN trojan.
2007/07/16 22:20:33.702 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248419.dll is Win32/Darksma.BN trojan. Deleted
2007/07/16 22:20:34.072 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248419.dll is Win32/Darksma.BN trojan.
2007/07/16 22:20:34.112 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248419.dll is Win32/Darksma.BN trojan.
2007/07/16 22:20:35.484 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248420.dll is Win32/Darksma.BN trojan. Deleted
2007/07/16 22:20:35.595 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248420.dll is Win32/Darksma.BN trojan.
2007/07/16 22:20:35.765 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248420.dll is Win32/Darksma.BN trojan.
2007/07/16 22:20:37.808 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248421.dll is Win32/Darksma.BN trojan. Deleted
2007/07/16 22:20:37.948 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248421.dll is Win32/Darksma.BN trojan.
2007/07/16 22:20:38.218 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248421.dll is Win32/Darksma.BN trojan.

I installed the Comodo firewall software. Is it normal for web surfing speed to slow a bit with a firewall loaded?

Thanks so much for your continued help & support with getting my PC
cleared up.
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby ndmmxiaomayi » July 19th, 2007, 5:41 am

Hi sastoker,

Most of the files are detected in System Restore, which are harmless for now as long as you don't perform a system restore. We will clear this later once you are clean.

  1. Please download AVG Anti-Spyware and save it to your desktop.
  2. Double click on avgas-setup-7.5.0.50.exe to install AVG Anti-Spyware. Install it in the default location.
  3. Once installed, start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  4. In the main screen, you should see Your Computer's Security.
    • Next to Resident Shield, click on Change state. It should now be Inactive.
    • Next to Automatic Updates, click on Change state. It should now be Inactive.
    • Next to Last Update, click on Update now. If your firewall prompts you, tell your firewall to allow it. Should you be unable to update it, download the updates from here. Save it to your desktop. Double click to run the installation and the updates will be installed. Make sure AVG Anti-Spyware is closed during the installation.
    • Right-click the AVG Anti-Spyware icon near the clock and uncheck (untick) Start with Windows. Confirm by clicking Yes.
  5. Now click on the Scanner button at the top.
  6. Select the Settings tab.
  7. Under How to act?, click on Recommended actions and select Quarantine.
  8. Under How to scan?, check (tick) all the boxes.
  9. Under Possibly unwanted software:, check (tick) all the boxes.
  10. Under Reports:, select Do not automatically generate report and uncheck (untick) the Only if threats were found box.
  11. Under What to scan?, select Scan every file.
Do not run a scan yet. You will run a scan later.

Please download ATF Cleaner by Atribune.

  • Double-click ATF-Cleaner.exe to run the program.
  • Under Main choose: Select All.
  • Click the Empty Selected button.

If you use Firefox browser

  • Click Firefox at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

If you use Opera browser

  • Click Opera at the top and choose: Select All.
  • Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

  1. Start AVG Anti-Spyware by going to Start > All Programs > AVG Anti-Spyware 7.5 > AVG Anti-Spyware.
  2. Click on the Scanner button at the top.
  3. Select the Scan tab.
  4. Click on Complete System Scan to start the scan.
  5. When the scan has finished, follow the instructions below.
    IMPORTANT: Don't click on the Save Scan Report button before you did hit the Apply all Actions button.
    • Make sure that Set all elements to: shows Quarantine (1), if not click on the link and choose Quarantine from the popup menu. (2)
    • At the bottom of the window click on the Apply all Actions button. (3)
      Image
  6. When done, click the Save Scan Report button. (4)
    • Click the Save Report as button.
    • Save the report to your Desktop.
  7. Right-click the AVG Anti-Spyware Tray Icon and select Exit. Confirm by clicking Yes.

Please go to Kaspersky website and perform an online antivirus scan.
Please use Internet Explorer as it uses ActiveX.

  1. Click on Kaspersky Online Scanner button.
  2. Read through the requirements and privacy statement and click on Accept button.
  3. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an ActiveX from Kaspersky. Click Yes.
  4. When the downloads have finished, click on Next button.
  5. Click on Scan Settings button.
  6. Select extended under Scan using the following antivirus database:
  7. Check (tick) these boxes under Scan options:
    • Scan Archives
    • Scan Mail Bases
  8. Click OK
  9. Click on My Computer under Please select a target to scan:
  10. Once the scan is complete it will display if your system has been infected. Click on Save as text button and save it to your desktop.
  11. Copy and paste this log in your next reply.

I installed the Comodo firewall software. Is it normal for web surfing speed to slow a bit with a firewall loaded?


Yes, it will slow it down a bit as the firewall will check if anything is malicious.

In your next reply, please post:

  1. AVG Antispyware scan report
  2. Kaspersky Antivirus scan report
  3. A new HijackThis log
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby sastoker » July 19th, 2007, 10:43 pm

Hello,

AVG Antispyware scan report

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:33:44 PM 7/19/2007

+ Scan result:



C:\Documents and Settings\Amber\Desktop\Bad\rayiou.exe -> Downloader.Agent.buo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1062\A0249057.exe -> Downloader.Agent.buo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1062\A0249063.exe -> Downloader.Agent.buo : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1062\A0249065.exe -> Downloader.Agent.buo : Cleaned with backup (quarantined).


::Report end

Computer Associates Real-Time Scanner detected 56 instances of problems during the AVG Anti-Spyware scanning.

2007/07/19 19:24:27.755 File infection: C:\VundoFix Backups\axnlwafw.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:28.096 File infection: C:\VundoFix Backups\axnlwafw.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:28.266 File infection: C:\VundoFix Backups\axnlwafw.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:29.318 File infection: C:\VundoFix Backups\bfdcowxi.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:29.468 File infection: C:\VundoFix Backups\bfdcowxi.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:29.648 File infection: C:\VundoFix Backups\bfdcowxi.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:30.920 File infection: C:\VundoFix Backups\fwnemots.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:31.060 File infection: C:\VundoFix Backups\fwnemots.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:31.260 File infection: C:\VundoFix Backups\fwnemots.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:31.921 File infection: C:\VundoFix Backups\gfaxcxpw.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:32.031 File infection: C:\VundoFix Backups\gfaxcxpw.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:32.142 File infection: C:\VundoFix Backups\gfaxcxpw.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:32.873 File infection: C:\VundoFix Backups\imgrsbvf.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:32.973 File infection: C:\VundoFix Backups\imgrsbvf.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:33.063 File infection: C:\VundoFix Backups\imgrsbvf.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:33.684 File infection: C:\VundoFix Backups\ipedwiik.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:33.824 File infection: C:\VundoFix Backups\ipedwiik.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:33.944 File infection: C:\VundoFix Backups\ipedwiik.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:34.645 File infection: C:\VundoFix Backups\jkkki.dll.bad is Win32/Vundo!generic trojan. Deleted
2007/07/19 19:24:34.765 File infection: C:\VundoFix Backups\jkkki.dll.bad is Win32/Vundo!generic trojan.
2007/07/19 19:24:34.876 File infection: C:\VundoFix Backups\jkkki.dll.bad is Win32/Vundo!generic trojan.
2007/07/19 19:24:35.456 File infection: C:\VundoFix Backups\kpkoliiy.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:35.587 File infection: C:\VundoFix Backups\kpkoliiy.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:35.717 File infection: C:\VundoFix Backups\kpkoliiy.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:36.458 File infection: C:\VundoFix Backups\kveqlpom.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:36.558 File infection: C:\VundoFix Backups\kveqlpom.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:36.678 File infection: C:\VundoFix Backups\kveqlpom.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:37.229 File infection: C:\VundoFix Backups\rvsncvee.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:37.379 File infection: C:\VundoFix Backups\rvsncvee.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:37.559 File infection: C:\VundoFix Backups\rvsncvee.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:38.230 File infection: C:\VundoFix Backups\udlxmhrc.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:38.320 File infection: C:\VundoFix Backups\udlxmhrc.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:38.411 File infection: C:\VundoFix Backups\udlxmhrc.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:39.082 File infection: C:\VundoFix Backups\uxtmyvlp.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:39.202 File infection: C:\VundoFix Backups\uxtmyvlp.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:39.302 File infection: C:\VundoFix Backups\uxtmyvlp.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:39.963 File infection: C:\VundoFix Backups\sbvdlwwr.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:40.083 File infection: C:\VundoFix Backups\sbvdlwwr.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:40.233 File infection: C:\VundoFix Backups\sbvdlwwr.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:40.844 File infection: C:\VundoFix Backups\xjqeghaq.dll.bad is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:24:40.974 File infection: C:\VundoFix Backups\xjqeghaq.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:24:41.094 File infection: C:\VundoFix Backups\xjqeghaq.dll.bad is Win32/Darksma!generic trojan.
2007/07/19 19:29:26.585 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248422.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:26.705 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248422.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:26.745 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248422.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:27.216 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248423.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:27.256 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248423.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:27.286 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248423.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:27.657 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248424.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:27.697 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248424.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:27.747 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248424.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:28.087 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248425.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:28.217 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248425.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:28.458 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248425.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:29.259 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248427.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:29.399 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248427.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:29.589 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248427.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:30.400 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248428.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:30.531 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248428.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:30.691 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248428.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:31.362 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248429.DLL is Win32/Vundo!generic trojan. Deleted
2007/07/19 19:29:31.422 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248429.DLL is Win32/Vundo!generic trojan.
2007/07/19 19:29:31.522 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248429.DLL is Win32/Vundo!generic trojan.
2007/07/19 19:29:32.253 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248430.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:32.413 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248430.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:32.634 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248430.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:33.184 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248431.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:33.285 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248431.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:33.355 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248431.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:33.715 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248432.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:33.795 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248432.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:33.956 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248432.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:34.386 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248433.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:34.516 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248433.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:34.607 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248433.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:35.077 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248434.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:35.157 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248434.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:35.217 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248434.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:35.658 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248447.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:35.758 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248447.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:35.828 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248447.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:36.289 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248449.dll is Win32/Darksma!generic trojan. Deleted
2007/07/19 19:29:36.539 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248449.dll is Win32/Darksma!generic trojan.
2007/07/19 19:29:36.629 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1059\A0248449.dll is Win32/Darksma!generic trojan.

Kaspersky Antivirus scan report

I could not get the program to initialize. I changed my IE security settings to medium and I still couldn't get it to start. The ActiveX install box would appear and I'd click "Install" and then it would sit for a a min or two and error out.



A new HijackThis log

Logfile of HijackThis v1.99.1
Scan saved at 9:20:25 PM, on 7/19/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\brsvc01a.exe
C:\WINDOWS\system32\brss01a.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Backup995\res\ntservice.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\WINDOWS\SYSTEM32\Brmfrmps.exe
C:\PROGRA~1\YAHOO!\YOP\yop.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Comodo\Firewall\CPF.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Comodo\Firewall\cmdagent.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\PROGRA~1\YAHOO!\browser\ycommon.exe
C:\WINDOWS\system32\devldr32.exe
C:\Documents and Settings\Amber\Desktop\dumb.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.azcentral.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/def ... earch.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/def ... .yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
F2 - REG:system.ini: UserInit=userinit.exe
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\YAHOO!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Dell Home - {08DCFC6C-B6E4-480C-95A4-FC64F37B787E} - http://www.dellnet.com/ (file missing) (HKCU)
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .TIF: C:\Program Files\Internet Explorer\PLUGINS\npqtplugin5.dll
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://usercenter.cox.net/rsuite/sdccom ... gctlcm.jsp
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\common\yinsthelper.dll
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200 ... taller.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg.com/eps/wl/activex ... -0-3-9.cab
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://www.maricopa.gov/assessor/gis/pl ... axctrl.cab
O16 - DPF: {6F750200-1362-4815-A476-88533DE61D0C} (Ofoto Upload Manager Class) - http://www.ofoto.com/downloads/BUM/BUM_ ... ofupld.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Backup995 Automatic Backup - Unknown owner - C:\Program Files\Backup995\res\ntservice.exe
O23 - Service: Brother Popup Suspend service for Resource manager (brmfrmps) - Unknown owner - C:\WINDOWS\SYSTEM32\Brmfrmps.exe" -service (file missing)
O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\SYSTEM32\YPCSER~1.EXE

Thanks
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby ndmmxiaomayi » July 20th, 2007, 12:11 pm

Hi sastoker,

Please delete this folder.

C:\VundoFix Backups

Update Adobe Acrobat Reader

  1. Click here to download the latest version of Adobe Acrobat Reader.
  2. Select your Windows version and click on Download. If you are using Internet Explorer, you will receive prompts. Allow the installation to be ran and it will be installed automatically for you.
  3. If you are using other browsers, please uninstall Adobe Reader 7.0.9 before installing the latest version.
  4. Close your Internet browser and open it again.


Do another scan with Computer Associates and save and post back the report.

Some of the infected files are from System Restore, which we will clear in a while.

R1 - HKCU\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer,Search = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = about:blank


Did you set these about:blank lines yourself?

Do you still have other problems?
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am

Unread postby sastoker » July 20th, 2007, 11:36 pm

Hello,

I deleted the C:\VundoFix Backups folder

I updated Adobe Acrobat Reader. I had to download and use Firefox because my IE is not working right with ActiveX controls.

I scanned using AVG, here are the results:


---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:28:27 PM 7/20/2007

+ Scan result:



C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1063\A0249107.exe -> Downloader.Agent.buo : Cleaned with backup (quarantined).


::Report end

While scanning my CA caught the following real-time:


Computer Associates Real-Time Scanner detected 10 instances of problems during the AVG Anti-Spyware scanning.

2007/07/20 16:38:58.783 File infection: C:\WINDOWS\SYSTEM32\ysubkyxe.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 16:38:58.953 File infection: C:\WINDOWS\SYSTEM32\ysubkyxe.exe is Win32/Abetear.B dropper.
2007/07/20 16:38:58.973 File infection: C:\WINDOWS\SYSTEM32\ysubkyxe.exe is Win32/Abetear.B dropper.
2007/07/20 16:39:19.873 File infection: C:\WINDOWS\SYSTEM32\geqlleex.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 16:39:20.054 File infection: C:\WINDOWS\SYSTEM32\geqlleex.exe is Win32/Abetear.B dropper.
2007/07/20 16:39:20.194 File infection: C:\WINDOWS\SYSTEM32\geqlleex.exe is Win32/Abetear.B dropper.
2007/07/20 16:39:21.346 File infection: C:\WINDOWS\SYSTEM32\xtbqsstr.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 16:39:21.416 File infection: C:\WINDOWS\SYSTEM32\xtbqsstr.exe is Win32/Abetear.B dropper.
2007/07/20 16:39:21.436 File infection: C:\WINDOWS\SYSTEM32\xtbqsstr.exe is Win32/Abetear.B dropper.
2007/07/20 16:39:22.037 File infection: C:\WINDOWS\SYSTEM32\qpaayguh.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 16:39:22.187 File infection: C:\WINDOWS\SYSTEM32\qpaayguh.exe is Win32/Abetear.B dropper.
2007/07/20 16:39:22.217 File infection: C:\WINDOWS\SYSTEM32\qpaayguh.exe is Win32/Abetear.B dropper.
2007/07/20 16:39:23.078 File infection: C:\WINDOWS\SYSTEM32\mbmghjod.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 16:39:23.268 File infection: C:\WINDOWS\SYSTEM32\mbmghjod.exe is Win32/Abetear.B dropper.
2007/07/20 16:39:23.298 File infection: C:\WINDOWS\SYSTEM32\mbmghjod.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:02.779 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249268.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:22:03.129 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249268.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:03.169 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249268.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:03.340 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249269.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:22:03.360 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249269.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:03.400 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249269.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:04.241 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249270.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:22:04.421 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249270.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:04.621 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249270.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:05.122 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249271.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:22:05.212 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249271.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:05.372 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249271.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:05.913 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249272.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:22:05.993 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249272.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:06.224 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1069\A0249272.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:57.788 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1057\A0248347.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:22:57.908 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1057\A0248347.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:57.958 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1057\A0248347.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:58.960 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1057\A0248348.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:22:59.010 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1057\A0248348.exe is Win32/Abetear.B dropper.
2007/07/20 17:22:59.060 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1057\A0248348.exe is Win32/Abetear.B dropper.
2007/07/20 17:23:25.998 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1060\A0248899.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:23:26.099 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1060\A0248899.exe is Win32/Abetear.B dropper.
2007/07/20 17:23:26.139 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1060\A0248899.exe is Win32/Abetear.B dropper.
2007/07/20 17:23:26.289 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1060\A0248900.exe is Win32/Abetear.B dropper. Deleted
2007/07/20 17:23:26.329 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1060\A0248900.exe is Win32/Abetear.B dropper.
2007/07/20 17:23:26.369 File infection: C:\System Volume Information\_restore{6DB85663-C6FB-417E-8FC8-64D9BB299BE9}\RP1060\A0248900.exe is Win32/Abetear.B dropper.


I did not set the about:blank lines.

I don't notice any other problems. Other than the CA program picking up bad files and the AVG program finding the Downloader.Agent.buo. I'll have to check out how to solve the ActiveX issue with IE7. I may have to remove it and try reinstalling it.


Thanks for your continued help.
sastoker
Active Member
 
Posts: 12
Joined: July 14th, 2007, 12:10 am
Location: TX

Unread postby ndmmxiaomayi » July 21st, 2007, 11:39 am

Hi sastoker,

Please download Combofix from Tech Support Forum or Bleeping Computer. Save it to your desktop.

Double click to run it. Follow the prompts. Once done, it will reboot and a log will be produced. Please post that log and a new HijackThis log in your next reply.

Note: Do not mouse click on Combofix while it is running. That may cause it to crash.

Please also try keep your computer offline for as long as possible until your computer is clean.
ndmmxiaomayi
MRU Emeritus
MRU Emeritus
 
Posts: 9708
Joined: July 17th, 2006, 9:22 am
Advertisement
Register to Remove

Next

  • Similar Topics
    Replies
    Views
    Last post

Return to Infected? Virus, malware, adware, ransomware, oh my!



Who is online

Users browsing this forum: No registered users and 23 guests

Contact us:

Advertisements do not imply our endorsement of that product or service. Register to remove all ads. The forum is run by volunteers who donate their time and expertise. We make every attempt to ensure that the help and advice posted is accurate and will not cause harm to your computer. However, we do not guarantee that they are accurate and they are to be used at your own risk. All trademarks are the property of their respective owners.

Member site: UNITE Against Malware