
Malware Removal Instructions

Virtumonde and doubleclick issues 2


Unread post by Shanman » October 29th, 2007, 4:17 pm

Hello,

Elrond is currently helping me with the first topic of this subject and directed me to start this one.

I have run Spybot and Ad-Aware both in regular and Safe Mode of Windows.

I also tried to use VundoFix. It all has helped, but I think this computer is still sick.

Here is my current HJT log.

Thanks again for all your fantastic insight.

Shanman

*************
HJT LOG
*************


Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Winamp3\winampa.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\JAMZ\Desktop\hijackthis1991\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra 'Tools' menuitem: Absolute Poker - {13C1DBF6-7535-495c-91F6-8C13714ED485} - C:\Documents and Settings\All Users\Start Menu\Programs\Absolute Poker\Absolute Poker.lnk (file missing)
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZP ... b64162.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


**********
HJT Startup Log

StartupList report, 10/29/2007, 3:16:23 PM
StartupList version: 1.52.2
Started from : C:\Documents and Settings\JAMZ\Desktop\hijackthis1991\HijackThis.EXE
Detected: Windows XP (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 (6.00.2600.0000)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Winamp3\winampa.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\System32\mpuugawx.exe
C:\Documents and Settings\JAMZ\Desktop\hijackthis1991\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
VPN Client.lnk = ?

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

type32 = "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
IntelliPoint = "C:\Program Files\Microsoft IntelliPoint\point32.exe"
NeroCheck = C:\WINDOWS\System32\NeroCheck.exe
C-Media Mixer = Mixer.exe /startup
WinampAgent = "C:\Winamp3\winampa.exe"
PRISMSVR.EXE = "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
x3watch = C:\Program Files\X3watch\x3watch.exe
SSBkgdUpdate = "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
PaperPort PTD = C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
IndexSearch = C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
ControlCenter2.0 = C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
YSearchProtection = "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
iTunesHelper = "C:\Program Files\iTunes\iTunesHelper.exe"
Client Access Service = "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
Client Access Help Update = "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
Client Access Check Version = "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
Client Access Express Welcome = "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
74d896ce = rundll32.exe "C:\WINDOWS\System32\nuopihtt.dll",b

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=C:\WINDOWS\System32\ssmypics.scr
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry key not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Task Scheduler jobs:

AppleSoftwareUpdate.job

--------------------------------------------------

Enumerating Download Program Files:

[StagingUI Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StagingUI.ocx
CODEBASE = http://zone.msn.com/binFrameWork/v10/St ... b55579.cab

[Windows Genuine Advantage Validation Tool]
InProcServer32 = C:\WINDOWS\System32\LegitCheckControl.DLL
CODEBASE = http://go.microsoft.com/fwlink/?linkid=39204

[YInstStarter Class]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\yinsthelper.dll
CODEBASE = http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab

[{33564D57-0000-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/ ... mv9VCM.CAB

[{33564D57-9980-0010-8000-00AA00389B71}]
CODEBASE = http://download.microsoft.com/download/ ... mv9dmo.cab

[MSN Games – Buddy Invite]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZBuddy.ocx
CODEBASE = http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab

[{50BD5CDA-4BA8-4048-8FAA-763F222E41D8}]
CODEBASE = ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx

[ZonePAChat Object]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPAChat.ocx
CODEBASE = http://zone.msn.com/binframework/v10/ZP ... b55579.cab

[MSN Games - Installer]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZIntro.ocx
CODEBASE = http://cdn2.zone.msn.com/binFramework/v ... b56649.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\System32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://fpdownload.macromedia.com/pub/sh ... wflash.cab

[MSN Games – Game Communicator]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\StProxy.dll
CODEBASE = http://zone.msn.com/binframework/v10/St ... b55579.cab

[MSN Games – Backgammon]
InProcServer32 = C:\WINDOWS\Downloaded Program Files\ZPA_Backgammon.ocx
CODEBASE = http://zone.msn.com/bingame/zpagames/ZP ... b64162.cab

--------------------------------------------------

Enumerating Windows NT logon/logoff scripts:
*No scripts set to run*

Windows NT checkdisk command:
BootExecute = autocheck autochk *

Windows NT 'Wininit.ini':
PendingFileRenameOperations: C:\WINDOWS\System32\vtsts.dll||C:\WINDOWS\System32\vtsts.dll||C:\WINDOWS\System32\vtsts.dll|||t

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
UPnPMonitor: C:\WINDOWS\System32\upnpui.dll

--------------------------------------------------
End of report, 7,560 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
Shanman
Regular Member
 
Posts: 17
Joined: October 3rd, 2007, 4:04 pm

Unread post by Elrond » October 30th, 2007, 1:37 am

Hi again Shanman.

Vundo is still there.

First of all, my usual introduction at every new log.

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please only use this topic for your replies on this problem. Do not start another thread.
Please note that the fixes we will use are specific to your problems on this computer and should only be used for this problem on this computer.
These things need to be properly researched and a complete fix for many malware problems can take some time and be spread over a number of posts, so please be patient and try to see it through to the end.

Before we start: Please be aware that removing Malware is a hazardous undertaking. I will take care not to knowingly suggest courses of action that might damage your computer. However it is impossible for me to foresee all interactions that may happen between the software on your computer and those we'll use to clear you of infection, and I cannot guarantee the safety of your system. It is possible that we might encounter situations where the only recourse is to re-format and re-install your operating system, or to necessitate you taking your computer to a repair shop.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start.

Please observe these rules while we work:
  • Perform all actions in the order given.
  • If you don't know, stop and ask! Don't keep going on.
  • Please reply to this thread. Do not start a new topic.
  • Stick with it till you're given the all clear.
  • REMEMBER, ABSENCE OF SYMPTOMS DOES NOT MEAN THE INFECTION IS ALL GONE.
If you can do these things, everything should go smoothly.
  • Please note that you should have Administrator rights to perform the fixes. (XP accounts are Administrator by default.) Also note that multiple identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual's settings, but continue with the fix. Please let me know if you are using a computer with multiple accounts, as this can affect the instructions given.
It may be helpful to you to print out or take a copy of any instructions given, as sometimes it is necessary to go offline and you will lose access to them.



Please note that I will be off line for about 26 hours (sundown Friday until nightfall Saturday my local time) every week.


You did not post the complete HijackThis log. The header is missing and it has information that I need. However see below.


Edited and added:

It looks as if you have an older version of HijackThis installed. Please
  1. Click Start>Run type in appwiz.cpl and hit Enter.
  2. Select HijackThis if you find it.
  3. Click on the "Add/Remove" button.
  4. If it asks if you really want to remove the program, please click Yes.
  5. If it gives you more than one option about what to do, please choose Remove.
  6. Once the program/s are uninstalled, click on the "OK" button.
  7. Reboot the computer.


Please download HJTInstall.exe from here and save it to your desktop
  • Double click on the HJTInstall.exe icon on your desktop
  • Click I Accept
  • HijackThis will open
  • Close HiJackThis
  • Go to Start>My Computer> Local Disk (C:)>Program Files>HijackThis
  • Open the HijackThis folder and rename HijackThis.exe to Scan.exe.
  • Close My Computer
  • Click the HijackThis icon on your desktop.
  • Click on the Do a system scan and save a log file button.
  • It will scan and then the log will open in notepad.
  • Paste the log as a reply to this thread.
  • Don't use the Analyse This button - its findings are dangerous if misinterpreted.
Do NOT have HijackThis fix anything yet.


Now I want you to Download and Run ComboFix

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Post the new HijackThis log together with the ComboFix log.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem
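The indicators Elrond is reading off these logs (nameless O2 BHOs loading random-named DLLs from System32, an O4 Run key that starts rundll32 on such a DLL, an O20 Winlogon Notify hook, a vendorless O23 service, and an O16 entry fetched through the ms-its: handler) can be picked out mechanically. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from the forum. The sample lines are copied from the HijackThis logs posted in this thread, with three clean entries (the Adobe BHO, iTunesHelper and iPod Service) mixed in so the triage can be seen leaving them alone. The "random-looking name" rule (a file stem of 5 to 8 lowercase letters, applied only inside already suspicious contexts) is an assumption of this example, not a HijackThis rule, and `new_entries` is a plain line diff for comparing a fresh log against the previous post.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: HijackThis entries copied from the logs posted in this
# thread, plus three clean entries (Adobe BHO, iTunesHelper, iPod Service).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {35F4B7AC-0AAF-4333-9312-056C2CB85CFB} - C:\WINDOWS\System32\awtqp.dll
O2 - BHO: (no name) - {4A05BAFF-990B-4397-B315-0DADA2D50C9A} - C:\WINDOWS\System32\ssqpn.dll
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [74d896ce] rundll32.exe "C:\WINDOWS\System32\bfcskhff.dll",b
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O20 - Winlogon Notify: awtqqom - C:\WINDOWS\SYSTEM32\awtqqom.dll
O23 - Service: DomainService - - C:\WINDOWS\System32\mpuugawx.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

HJT_LINE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
# Heuristic assumed by this example (not a HijackThis rule): the Vundo helper
# files in these logs have stems of 5-8 random lowercase letters (awtqp, ssqpn,
# bfcskhff, mpuugawx). It is only consulted inside already suspicious contexts.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")
SYSTEM32 = re.compile(r"\\system32\\", re.IGNORECASE)
RUNDLL = re.compile(r'\[(?P<key>[^\]]+)\]\s+rundll32\.exe\s+"(?P<dll>[^"]+)"', re.IGNORECASE)


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def stem(path: str) -> str:
    """File name without directory or extension, e.g. ...\\System32\\awtqp.dll -> awtqp."""
    name = path.strip().replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0]


def looks_random(path: str) -> bool:
    return RANDOM_STEM.match(stem(path)) is not None


def triage_line(line: str) -> Optional[Finding]:
    """Return a Finding when one HijackThis line matches a Vundo-style pattern, else None."""
    m = HJT_LINE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    target = body.rsplit(" - ", 1)[-1]  # the file path is the last " - " separated field
    if section == "O2" and body.startswith("BHO: (no name)"):
        if SYSTEM32.search(target) and looks_random(target):
            return Finding(section, "nameless BHO loading a random-named DLL from System32", line)
    elif section == "O4":
        r = RUNDLL.search(body)
        if r and looks_random(r.group("dll")):
            return Finding(section, f"Run key [{r.group('key')}] starts rundll32 on a random-named DLL", line)
    elif section == "O16" and "ms-its:" in body:
        return Finding(section, "DPF entry fetched through the ms-its: (compiled HTML) handler", line)
    elif section == "O20" and body.startswith("Winlogon Notify:"):
        if looks_random(target):
            return Finding(section, "Winlogon Notify hook pointing at a random-named DLL", line)
    elif section == "O23" and body.startswith("Service: ") and " - " in body:
        # Format is "Service: <display name> - <vendor> - <path>"; with an empty
        # vendor field HijackThis prints "name - - path", which leaves head ending in " -".
        head, path = body[len("Service: "):].rsplit(" - ", 1)
        vendor = head.rsplit(" - ", 1)[-1] if " - " in head else ""
        if vendor.strip() == "" and looks_random(path):
            return Finding(section, "service with no vendor running a random-named EXE", line)
    return None


def triage_log(text: str) -> List[Finding]:
    """Triage every line of a pasted HijackThis log, in log order."""
    return [f for f in (triage_line(l) for l in text.strip().splitlines()) if f]


def new_entries(old_log: str, new_log: str) -> List[str]:
    """Lines present in a fresh log but absent from the previous one (what changed since the last post)."""
    seen = {l.strip() for l in old_log.strip().splitlines()}
    return [l for l in new_log.strip().splitlines() if l.strip() and l.strip() not in seen]


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f.section}: {f.reason}\n    {f.line}")
```

Run against the sample, the six Vundo-related lines are reported and the three clean entries are not. The name heuristic is deliberately narrow: a five-letter legitimate component such as msdxm.ocx would also match it, which is why it is only applied to entries that are already anomalous on their own (no BHO name, rundll32 from a Run key, a Winlogon hook, a service with no vendor). Treat the output as a shortlist for a human reviewer, not a verdict; the thread itself shows that a log without its header can mislead even an expert.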

Logs

Unread post by Shanman » October 30th, 2007, 10:37 am

Hi Elrond,

Here is the HJT log

************
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:46 AM, on 10/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\mpuugawx.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Winamp3\winampa.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Trend Micro\HijackThis\Scan.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customi ... ch/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {03D9E56B-04FA-444C-98A1-99B72A13F5F9} - C:\Program Files\ahead\mezojeki83122.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {13AE6EE8-6638-4FC4-BC6E-9DFF986D7D2C} - C:\Program Files\ahead\mezojeki4444.dll
O2 - BHO: (no name) - {35F4B7AC-0AAF-4333-9312-056C2CB85CFB} - C:\WINDOWS\System32\awtqp.dll
O2 - BHO: (no name) - {4A05BAFF-990B-4397-B315-0DADA2D50C9A} - C:\WINDOWS\System32\ssqpn.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6111EE92-E55E-492F-9A80-32C5994FB180} - C:\WINDOWS\System32\ddayv.dll
O2 - BHO: (no name) - {89AD4D75-2429-462e-BD4E-443F233F6033} - C:\WINDOWS\System32\qnpjsvna.dll
O2 - BHO: BndDrive2 BHO Class - {8FB5B012-E8CB-46cd-B6D2-ED428FAE9043} - C:\Program Files\ISM\BndDrive5.dll (file missing)
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {E006A9A3-82E1-4BD3-A4B1-3E3C58011155} - C:\WINDOWS\System32\jkhff.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: (no name) - {11A69AE4-FBED-4832-A2BF-45AF82825583} - (no file)
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - HKLM\..\Run: [74d896ce] rundll32.exe "C:\WINDOWS\System32\bfcskhff.dll",b
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZP ... b64162.cab
O20 - Winlogon Notify: awtqqom - C:\WINDOWS\SYSTEM32\awtqqom.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: DomainService - - C:\WINDOWS\System32\mpuugawx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Microsoft IntelliPoint\rterte.html

--
End of file - 8453 bytes

***********

Now here is the Combofix Log

***********
ComboFix 07-10-29.1 - JAMZ 2007-10-30 9:24:13.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.276 [GMT -6:00]
Running from: C:\Documents and Settings\JAMZ\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\check_LSA7.txt
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\Shanman\Favorites\Online Security Guide.lnk
C:\Program Files\ahead\mezojeki4444.dll
C:\Program Files\ahead\mezojeki83122.dll
C:\Program Files\Microsoft IntelliPoint\rterte.html
C:\Program Files\Temporary
C:\WINDOWS\b122.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\Downloaded Program Files.\xpreload.ocx
C:\WINDOWS\system32\abc2
C:\WINDOWS\system32\abc2\aisven2.exe
C:\WINDOWS\system32\awtqp.dll
C:\WINDOWS\system32\awtqqom.dll
C:\WINDOWS\system32\bfcskhff.dll
C:\WINDOWS\system32\ddayv.dll
C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\fcsacvhl.dll
C:\WINDOWS\system32\ffhkj.bak1
C:\WINDOWS\system32\ffhkj.bak2
C:\WINDOWS\system32\ffhkj.ini
C:\WINDOWS\system32\ffhkscfb.ini
C:\WINDOWS\system32\hndqatww.exe
C:\WINDOWS\system32\jeobnper.dll
C:\WINDOWS\system32\jkhff.dll
C:\WINDOWS\system32\jnwncyhj.exe
C:\WINDOWS\system32\lfwtxmfu.exe
C:\WINDOWS\system32\mmroaptj.exe
C:\WINDOWS\system32\mpuugawx.exe
C:\WINDOWS\system32\npqss.ini
C:\WINDOWS\system32\nuopihtt.dll
C:\WINDOWS\system32\opfnbonw.exe
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\pqtwa.bak1
C:\WINDOWS\system32\pqtwa.bak2
C:\WINDOWS\system32\pqtwa.ini
C:\WINDOWS\system32\qnpjsvna.dll
C:\WINDOWS\system32\repnboej.ini
C:\WINDOWS\system32\rev1
C:\WINDOWS\system32\rev1\gbb83122.exe
C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\saxuqqxk.exe
C:\WINDOWS\system32\srqss.bak1
C:\WINDOWS\system32\srqss.bak2
C:\WINDOWS\system32\srqss.ini
C:\WINDOWS\system32\ss9
C:\WINDOWS\system32\ss9\rw1000dr.exe
C:\WINDOWS\system32\ssqpn.dll
C:\WINDOWS\system32\ssqqrom.dll
C:\WINDOWS\system32\ssqrs.dll
C:\WINDOWS\system32\tthipoun.ini
C:\WINDOWS\system32\ttstv.bak1
C:\WINDOWS\system32\ttstv.ini
C:\WINDOWS\system32\vjyferve.exe
C:\WINDOWS\system32\vMW02a
C:\WINDOWS\system32\vMW02a\vMW02a1065.exe
C:\WINDOWS\system32\vtstt.dll
C:\WINDOWS\system32\vtutr.dll
C:\WINDOWS\system32\vyadd.bak1
C:\WINDOWS\system32\vyadd.bak2
C:\WINDOWS\system32\vyadd.ini
C:\WINDOWS\system32\xfmmmvxq.exe
C:\WINDOWS\system32\xpaidjdr.exe
C:\WINDOWS\system32\z12
C:\WINDOWS\TTC-4444.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_IPRIP
-------\LEGACY_NETWORK_MONITOR
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-30 09:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 09:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 10:35 10 --a------ C:\WINDOWS\system32\wfxhelp22.dll
2007-10-05 10:34 <DIR> d-------- C:\Program Files\Stardock
2007-10-04 16:41 <DIR> d-------- C:\VundoFix Backups
2007-10-04 09:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-04 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-04 09:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-03 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 11:28 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-03 10:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-02 14:00 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-10-02 14:00 <DIR> d--hs---- C:\WINDOWS\Q2FybCBTY2hhbnN0cmE
2007-10-02 14:00 <DIR> d-------- C:\Temp
2007-10-01 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-25 12:22 <DIR> d-------- C:\ZUD55719
2007-09-25 12:20 868,352 --a------ C:\WINDOWS\system32\cwbzzodb.dll
2007-09-25 12:20 512,000 --a------ C:\WINDOWS\system32\cwbodbc.dll
2007-09-25 12:20 425,984 --a------ C:\WINDOWS\system32\cwbtfutl.dll
2007-09-25 12:20 307,250 --a------ C:\WINDOWS\system32\cwbaffax.dll
2007-09-25 12:20 274,482 --a------ C:\WINDOWS\system32\cwbtfcrt.dll
2007-09-25 12:20 163,890 --a------ C:\WINDOWS\system32\cwbtfdlg.dll
2007-09-25 12:20 36,864 --a------ C:\WINDOWS\system32\pcmfcenu.dll
2007-09-25 12:20 251 --a------ C:\WINDOWS\system32\drivers\hlldrvr.sys
2007-09-25 12:19 <DIR> d-------- C:\Program Files\IBM
2007-09-25 12:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-25 12:17 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2007-09-25 12:17 <DIR> d-------- C:\Program Files\Cisco Systems
2007-09-25 12:17 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-09-25 12:17 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-09-19 08:34 <DIR> d-------- C:\Documents and Settings\Shanman\Application Data\Yahoo!
2007-09-10 13:17 <DIR> d-------- C:\Program Files\iTunes
2007-09-10 13:17 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 15:25 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-10-30 15:25 --------- d-----w C:\Program Files\ahead
2007-10-30 15:12 --------- d-----w C:\Program Files\Absolute Poker
2007-10-18 19:49 --------- d-----w C:\Program Files\palmOne
2007-10-18 12:55 --------- d-----w C:\Program Files\PokerStars
2007-10-17 13:31 --------- d-----w C:\Documents and Settings\JAMZ\Application Data\AdobeUM
2007-10-03 17:28 --------- d-----w C:\Program Files\Yahoo!
2007-10-03 16:03 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-01 19:03 --------- d-----w C:\Program Files\Apple Software Update
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\Q2FybCBTY2hhbnN0cmE\kZIVvF1nsZ11vBhXwAH.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 17:45]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 17:41]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-06-12 02:36]
"C-Media Mixer"="Mixer.exe" [2001-12-07 09:24 C:\WINDOWS\Mixer.exe]
"WinampAgent"="C:\Winamp3\winampa.exe" [2002-07-23 10:58]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" []
"x3watch"="C:\Program Files\X3watch\x3watch.exe" []
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 18:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 19:14]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-08-09 04:20]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2002-08-09 04:20]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2002-08-09 04:20]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-08-09 04:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-23 21:47:56]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-09-25 12:17:40]

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\System32\Drivers\ousbehci.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys
R3 NeroCd2k;NeroCd2k;C:\WINDOWS\System32\drivers\NeroCd2k.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\System32\DRIVERS\ousb2hub.sys
R3 USR1806;U.S. Robotics Faxmodem Driver 1806;C:\WINDOWS\System32\DRIVERS\USR1806.SYS

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-10-11 13:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 09:30:52
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 9:31:34 - machine was rebooted
.
--- E O F ---


Thanks again.
Shanman
Regular Member
 
Posts: 17
Joined: October 3rd, 2007, 4:04 pm

Unread postby Elrond » October 30th, 2007, 2:00 pm

Hi again Shanman.

First a question: why is the computer not updated? You are at XP and you should be at XP SP2. However I would like to wait a moment with updating until I am sure Vundo is gone.

Go to http://www.virustotal.com/en/indexf.html
Copy the following line into the white textbox:
C:\WINDOWS\System32\nuopihtt.dll
Click Send.
Please post the results of this scan to this thread.

Repeat for the following files:
C:\WINDOWS\System32\mpuugawx.exe
C:\WINDOWS\Q2FybCBTY2hhbnN0cmE\kZIVvF1nsZ11vBhXwAH.vbs
C:\WINDOWS\system32\wfxhelp22.dll



Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:

Code:
DirLook::
C:\WINDOWS\Q2FybCBTY2hhbnN0cmE
C:\Temp
C:\WINDOWS\system32\ep1

- Save this as CFScript.txt and change the "Save as type" to "All Files" and place it on your desktop.

[Image: screenshot of CFScript.txt being dragged onto ComboFix.exe]

- Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
- ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
- When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.


Open "HijackThis". Click on "Open Misc.Tool Section".
Use the scroll bar on the right and scroll down to "Open Uninstall Manager". Click it.
On the right you will find "Save List". Click it.
The log that you just saved will appear.
Use "Copy" and "Paste" to add it to your next post.


Run a new HijackThis scan and post the log together with the logs from Uninstall Manager and Combofix.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Can't find

Unread postby Shanman » October 30th, 2007, 2:58 pm

Hello Elrond,

First there is a very long explanation for not having SP2. Short version: old computer that caught a virus. Tried a different site that took weeks, not hours like here. Was frustrated and reformatted the hard drive before I realized I had lost my Win XP discs. Borrowed a friend's discs and told my computer not to update.

C:\WINDOWS\System32\nuopihtt.dll was not there I did a search and found it as below.

C:\qoobox\Quarantine\C\WINDOWS\system32\nuopihtt.dll.vir

Should I scan that one instead?

Same issue with
C:\WINDOWS\System32\mpuugawx.exe

Found here instead
C:\qoobox\Quarantine\C\WINDOWS\system32\mpuugawx.exe.vir
and
C:\WINDOWS\Prefetch\MPUUGAWX.EXE-3A356EBA.pf


Results for other two

C:\WINDOWS\Q2FybCBTY2hhbnN0cmE\kZIVvF1nsZ11vBhXwAH.vbs

File kZIVvF1nsZ11vBhXwAH.vbs_ received on 10.30.2007 19:44:47 (CET)


Result: 12/31 (38.71%)


Antivirus Version Last Update Result
AhnLab-V3 2007.10.31.0 2007.10.30 -
AntiVir 7.6.0.30 2007.10.30 ADSPY/Isearch
Authentium 4.93.8 2007.10.30 -
Avast 4.7.1074.0 2007.10.30 -
AVG 7.5.0.503 2007.10.30 -
BitDefender 7.2 2007.10.30 Adware.Isearch.D
CAT-QuickHeal 9.00 2007.10.30 -
ClamAV 0.91.2 2007.10.30 -
DrWeb 4.44.0.09170 2007.10.30 -
eSafe 7.0.15.0 2007.10.28 Spyware.Gen
eTrust-Vet 31.2.5253 2007.10.30 -
Ewido 4.0 2007.10.30 Trojan.Small
FileAdvisor 1 2007.10.30 -
Fortinet 3.11.0.0 2007.10.19 Adware/Isearch
F-Prot 4.3.2.48 2007.10.30 -
F-Secure 6.70.13030.0 2007.10.30 -
Ikarus T3.1.1.12 2007.10.30 -
Kaspersky 7.0.0.125 2007.10.30 -
McAfee 5151 2007.10.29 potentially unwanted program Adware-Isearch
Microsoft 1.2908 2007.10.30 Adware:Win32/CMDService
NOD32v2 2627 2007.10.30 -
Norman 5.80.02 2007.10.30 VBS/CommAd.A
Panda 9.0.0.4 2007.10.30 Adware/CommAd
Rising 19.47.12.00 2007.10.30 -
Sophos 4.23.0 2007.10.30 CommAd
Sunbelt 2.2.907.0 2007.10.29 -
Symantec 10 2007.10.30 Spyware.ISearch
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.30 -
Webwasher-Gateway 6.0.1 2007.10.30 Ad-Spyware.Isearch
Additional information
File size: 472 bytes
MD5: 387edbb90a5275d1b464eb31f3162c40
SHA1: 40c7e89572e2bee9f8bd24a0163c500205d0cfb8



*********
C:\WINDOWS\system32\wfxhelp22.dll


File wfxhelp22.dll received on 10.30.2007 19:36:40 (CET)


Result: 0/32 (0%)


Antivirus Version Last Update Result
AhnLab-V3 2007.10.31.0 2007.10.30 -
AntiVir 7.6.0.30 2007.10.30 -
Authentium 4.93.8 2007.10.30 -
Avast 4.7.1074.0 2007.10.30 -
AVG 7.5.0.503 2007.10.30 -
BitDefender 7.2 2007.10.30 -
CAT-QuickHeal 9.00 2007.10.29 -
ClamAV 0.91.2 2007.10.30 -
DrWeb 4.44.0.09170 2007.10.30 -
eSafe 7.0.15.0 2007.10.28 -
eTrust-Vet 31.2.5253 2007.10.30 -
Ewido 4.0 2007.10.30 -
FileAdvisor 1 2007.10.30 -
Fortinet 3.11.0.0 2007.10.19 -
F-Prot 4.3.2.48 2007.10.30 -
F-Secure 6.70.13030.0 2007.10.30 -
Ikarus T3.1.1.12 2007.10.30 -
Kaspersky 7.0.0.125 2007.10.30 -
McAfee 5151 2007.10.29 -
Microsoft 1.2908 2007.10.30 -
NOD32v2 2627 2007.10.30 -
Norman 5.80.02 2007.10.30 -
Panda 9.0.0.4 2007.10.30 -
Prevx1 V2 2007.10.30 -
Rising 19.47.12.00 2007.10.30 -
Sophos 4.23.0 2007.10.30 -
Sunbelt 2.2.907.0 2007.10.29 -
Symantec 10 2007.10.30 -
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.30 -
Webwasher-Gateway 6.0.1 2007.10.30 -
Additional information
File size: 10 bytes
MD5: 468010adbb0fd8ddb473a3cc2ae60de3
SHA1: 03760b96c3ad4561335c8deb45decaac1c8980b2

*************


I will be working on the ComboFix but I just wanted you to have this info first.

Thanks again.
Shanman
Regular Member
 
Posts: 17
Joined: October 3rd, 2007, 4:04 pm
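An added example, not code from the thread or from VirusTotal: a small Python helper that parses a pasted VirusTotal result table like the one above, computes the detection ratio, lists engines whose signature database was not current on the scan date, and counts how many engines agree on a family name. The embedded table is the one Shanman pasted for the .vbs file (header line included, to show that it is skipped); the scan date and the one-day staleness threshold are assumptions chosen for illustration.

```python
from collections import namedtuple
from datetime import datetime

Row = namedtuple("Row", "engine version updated result")

# Constructed sample: the VirusTotal table for kZIVvF1nsZ11vBhXwAH.vbs as pasted in this thread.
SAMPLE_REPORT = """\
Antivirus Version Last Update Result
AhnLab-V3 2007.10.31.0 2007.10.30 -
AntiVir 7.6.0.30 2007.10.30 ADSPY/Isearch
Authentium 4.93.8 2007.10.30 -
Avast 4.7.1074.0 2007.10.30 -
AVG 7.5.0.503 2007.10.30 -
BitDefender 7.2 2007.10.30 Adware.Isearch.D
CAT-QuickHeal 9.00 2007.10.30 -
ClamAV 0.91.2 2007.10.30 -
DrWeb 4.44.0.09170 2007.10.30 -
eSafe 7.0.15.0 2007.10.28 Spyware.Gen
eTrust-Vet 31.2.5253 2007.10.30 -
Ewido 4.0 2007.10.30 Trojan.Small
FileAdvisor 1 2007.10.30 -
Fortinet 3.11.0.0 2007.10.19 Adware/Isearch
F-Prot 4.3.2.48 2007.10.30 -
F-Secure 6.70.13030.0 2007.10.30 -
Ikarus T3.1.1.12 2007.10.30 -
Kaspersky 7.0.0.125 2007.10.30 -
McAfee 5151 2007.10.29 potentially unwanted program Adware-Isearch
Microsoft 1.2908 2007.10.30 Adware:Win32/CMDService
NOD32v2 2627 2007.10.30 -
Norman 5.80.02 2007.10.30 VBS/CommAd.A
Panda 9.0.0.4 2007.10.30 Adware/CommAd
Rising 19.47.12.00 2007.10.30 -
Sophos 4.23.0 2007.10.30 CommAd
Sunbelt 2.2.907.0 2007.10.29 -
Symantec 10 2007.10.30 Spyware.ISearch
TheHacker 6.2.9.110 2007.10.27 -
VBA32 3.12.2.4 2007.10.28 -
VirusBuster 4.3.26:9 2007.10.30 -
Webwasher-Gateway 6.0.1 2007.10.30 Ad-Spyware.Isearch
"""

# Assumption: the file was submitted on 2007-10-30 (the date shown in the pasted report).
SCAN_DATE = datetime(2007, 10, 30)


def parse_rows(text):
    """Turn 'Engine Version Date Result' lines into Row tuples; skip header and free text."""
    rows = []
    for line in text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) < 4:
            continue
        try:
            updated = datetime.strptime(parts[2], "%Y.%m.%d")
        except ValueError:
            continue  # third token is not a date: header line or other text
        rows.append(Row(parts[0], parts[1], updated, parts[3].strip()))
    return rows


def summarize(text, scan_date=SCAN_DATE, max_age_days=1):
    """Detection ratio plus the engines whose signatures were older than max_age_days."""
    rows = parse_rows(text)
    detections = [r for r in rows if r.result != "-"]
    stale = [r.engine for r in rows if (scan_date - r.updated).days > max_age_days]
    return {
        "engines": len(rows),
        "detections": len(detections),
        "ratio_pct": round(100.0 * len(detections) / len(rows), 2) if rows else 0.0,
        "stale_engines": stale,
    }


def family_hits(text, keyword):
    """Number of engines whose verdict mentions the given family name (case-insensitive)."""
    k = keyword.lower()
    return sum(1 for r in parse_rows(text) if k in r.result.lower())


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    print("Isearch:", family_hits(SAMPLE_REPORT, "isearch"), "CommAd:", family_hits(SAMPLE_REPORT, "commad"))
```

Reading the output the way a helper reads the pasted table: 12 of 31 engines flag the file, six of them under an Isearch family name and three under CommAd, while four engines were running signatures more than a day old on the scan date, so their clean verdicts carry less weight than the others.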

other logs

Unread postby Shanman » October 30th, 2007, 3:07 pm

CF log

ComboFix 07-10-29.1 - JAMZ 2007-10-30 13:59:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.0.1252.1.1033.18.315 [GMT -6:00]
Running from: C:\Documents and Settings\JAMZ\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\JAMZ\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
.

2007-10-30 09:23 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-10-30 09:16 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-05 10:35 10 --a------ C:\WINDOWS\system32\wfxhelp22.dll
2007-10-05 10:34 <DIR> d-------- C:\Program Files\Stardock
2007-10-04 16:41 <DIR> d-------- C:\VundoFix Backups
2007-10-04 09:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-10-04 09:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-10-04 09:49 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-10-03 14:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-10-03 11:28 <DIR> d-------- C:\Program Files\Common Files\Scanner
2007-10-03 10:14 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Yahoo!
2007-10-02 14:00 <DIR> d-------- C:\WINDOWS\system32\ep1
2007-10-02 14:00 <DIR> d--hs---- C:\WINDOWS\Q2FybCBTY2hhbnN0cmE
2007-10-02 14:00 <DIR> d-------- C:\Temp
2007-10-01 13:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-09-25 12:22 <DIR> d-------- C:\ZUD55719
2007-09-25 12:20 868,352 --a------ C:\WINDOWS\system32\cwbzzodb.dll
2007-09-25 12:20 512,000 --a------ C:\WINDOWS\system32\cwbodbc.dll
2007-09-25 12:20 425,984 --a------ C:\WINDOWS\system32\cwbtfutl.dll
2007-09-25 12:20 307,250 --a------ C:\WINDOWS\system32\cwbaffax.dll
2007-09-25 12:20 274,482 --a------ C:\WINDOWS\system32\cwbtfcrt.dll
2007-09-25 12:20 163,890 --a------ C:\WINDOWS\system32\cwbtfdlg.dll
2007-09-25 12:20 36,864 --a------ C:\WINDOWS\system32\pcmfcenu.dll
2007-09-25 12:20 251 --a------ C:\WINDOWS\system32\drivers\hlldrvr.sys
2007-09-25 12:19 <DIR> d-------- C:\Program Files\IBM
2007-09-25 12:17 <DIR> d-------- C:\WINDOWS\Internet Logs
2007-09-25 12:17 <DIR> d-------- C:\Program Files\Common Files\Deterministic Networks
2007-09-25 12:17 <DIR> d-------- C:\Program Files\Cisco Systems
2007-09-25 12:17 110,080 --a------ C:\WINDOWS\system32\drivers\dne2000.sys
2007-09-25 12:17 94,720 --a------ C:\WINDOWS\system32\dneinobj.dll
2007-09-19 08:34 <DIR> d-------- C:\Documents and Settings\Shanman\Application Data\Yahoo!
2007-09-10 13:17 <DIR> d-------- C:\Program Files\iTunes
2007-09-10 13:17 <DIR> d-------- C:\Program Files\iPod

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-10-30 15:25 --------- d-----w C:\Program Files\Microsoft IntelliPoint
2007-10-30 15:25 --------- d-----w C:\Program Files\ahead
2007-10-30 15:12 --------- d-----w C:\Program Files\Absolute Poker
2007-10-18 19:49 --------- d-----w C:\Program Files\palmOne
2007-10-18 12:55 --------- d-----w C:\Program Files\PokerStars
2007-10-17 13:31 --------- d-----w C:\Documents and Settings\JAMZ\Application Data\AdobeUM
2007-10-03 17:28 --------- d-----w C:\Program Files\Yahoo!
2007-10-03 16:03 --------- d--h--r C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-01 19:03 --------- d-----w C:\Program Files\Apple Software Update
2007-07-01 17:50 64,976 ----a-w C:\WINDOWS\system32\PDFreDirectMonNT.dll
2005-07-29 21:24:26 472 --sha-r C:\WINDOWS\Q2FybCBTY2hhbnN0cmE\kZIVvF1nsZ11vBhXwAH.vbs
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----


---- Directory of C:\WINDOWS\Q2FybCBTY2hhbnN0cmE ----

2005-07-29 15:24 472 -rahs---- C:\WINDOWS\Q2FybCBTY2hhbnN0cmE\kZIVvF1nsZ11vBhXwAH.vbs

---- Directory of C:\WINDOWS\system32\ep1 ----



((((((((((((((((((((((((((((( snapshot@2007-10-30_ 9.31.03.74 )))))))))))))))))))))))))))))))))))))))))
.
- 2007-10-30 15:24:04 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
+ 2007-10-30 19:59:33 262,144 ----a-w C:\WINDOWS\system32\config\systemprofile\ntuser.dat
- 2007-10-30 15:29:25 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2007-10-30 15:35:13 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-10-30 15:29:25 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-10-30 15:35:13 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"type32"="C:\Program Files\Microsoft IntelliType Pro\type32.exe" [2003-05-15 17:45]
"IntelliPoint"="C:\Program Files\Microsoft IntelliPoint\point32.exe" [2003-05-15 17:41]
"NeroCheck"="C:\WINDOWS\System32\NeroCheck.exe" [2001-06-12 02:36]
"C-Media Mixer"="Mixer.exe" [2001-12-07 09:24 C:\WINDOWS\Mixer.exe]
"WinampAgent"="C:\Winamp3\winampa.exe" [2002-07-23 10:58]
"PRISMSVR.EXE"="C:\WINDOWS\System32\PRISMSVR.exe" []
"x3watch"="C:\Program Files\X3watch\x3watch.exe" []
"SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2003-10-14 10:22]
"PaperPort PTD"="C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe" [2005-03-17 14:25]
"IndexSearch"="C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe" [2005-03-17 14:45]
"ControlCenter2.0"="C:\Program Files\Brother\ControlCenter2\brctrcen.exe" [2005-11-11 18:30]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 08:41]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" []
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-07-27 19:14]
"Client Access Service"="C:\Program Files\IBM\Client Access\cwbsvstr.exe" [2002-08-09 04:20]
"Client Access Help Update"="C:\Program Files\IBM\Client Access\cwbinhlp.exe" [2002-08-09 04:20]
"Client Access Check Version"="C:\Program Files\IBM\Client Access\cwbckver.exe" [2002-08-09 04:20]
"Client Access Express Welcome"="C:\Program Files\IBM\Client Access\cwbwlwiz.exe" [2002-08-09 04:20]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe [2003-05-15 02:19:50]
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2006-10-23 21:47:56]
VPN Client.lnk - C:\WINDOWS\Installer\{D25122BC-A60E-4663-B602-B01718F12044}\Icon3E5562ED7.ico [2007-09-25 12:17:40]

R2 ousbehci;%OWC_USBEHCD.DeviceDesc%;C:\WINDOWS\System32\Drivers\ousbehci.sys
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\System32\DRIVERS\AN983.sys
R3 NeroCd2k;NeroCd2k;C:\WINDOWS\System32\drivers\NeroCd2k.sys
R3 ousb2hub;OrangeWare USB 2.0 Root Hub Support;C:\WINDOWS\System32\DRIVERS\ousb2hub.sys
R3 USR1806;U.S. Robotics Faxmodem Driver 1806;C:\WINDOWS\System32\DRIVERS\USR1806.SYS

*Newly Created Service* - ALG
*Newly Created Service* - IPNAT
.
Contents of the 'Scheduled Tasks' folder
"2007-10-11 13:45:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
.
**************************************************************************

catchme 0.3.1239 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 14:00:13
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-10-30 14:00:44
C:\ComboFix2.txt ... 2007-10-30 09:31
.
--- E O F ---

*********

HJT Uninstall log

2Wire Wireless Client
Ad-Aware 2007
Adobe Acrobat 6.0 Professional
Adobe Flash Player 9 ActiveX
Adobe Illustrator 9.0
Adobe SVG Viewer
Apple Software Update
Brother MFL-Pro Suite
Cisco Systems VPN Client 4.8.01.0300
Easy-WebPrint
HijackThis 2.0.2
IBM iSeries Access for Windows
IBM iSeries Access for Windows SI16136
iTunes
Microsoft DirectX Transform optional components
Microsoft Office Standard Edition 2003
Nero - Burning Rom
PaperPort
PCI Audio Applications
PCI Audio Driver
PDF reDirect (remove only)
PokerStars
QuickTime
SBC Yahoo! DSL Home Networking Installer
Spybot - Search & Destroy
USB 2.0 Setup program
Winamp3 (remove only)
Windows XP Hotfix - KB823559
Windows XP Hotfix - KB828741
Windows XP Hotfix - KB833407
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB835732
Windows XP Hotfix - KB842773
Windows XP Hotfix (SP1) [See Q329048 for more information]
Windows XP Hotfix (SP1) [See Q329390 for more information]
Windows XP Hotfix (SP1) [See Q329441 for more information]
Windows XP Hotfix (SP1) [See Q329834 for more information]
Windows XP Hotfix (SP1) Q329170
Windows XP Hotfix (SP1) Q810577
Windows XP Hotfix (SP1) Q810833
Windows XP Hotfix (SP1) Q815021
Windows XP Hotfix (SP1) Q817606
Windows XP Hotfix (SP2) [See Q329115 for more information]
Yahoo! Anti-Spy
Yahoo! Toolbar

**********

HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:04:23 PM, on 10/30/2007
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Microsoft IntelliType Pro\type32.exe
C:\Program Files\Microsoft IntelliPoint\point32.exe
C:\WINDOWS\Mixer.exe
C:\Winamp3\winampa.exe
C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
C:\Program Files\Brother\ControlCenter2\brctrcen.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\Scan.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customi ... .yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [type32] "C:\Program Files\Microsoft IntelliType Pro\type32.exe"
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\point32.exe"
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\System32\NeroCheck.exe
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [WinampAgent] "C:\Winamp3\winampa.exe"
O4 - HKLM\..\Run: [PRISMSVR.EXE] "C:\WINDOWS\System32\PRISMSVR.EXE" /APPLY
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
O4 - HKLM\..\Run: [PaperPort PTD] C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe
O4 - HKLM\..\Run: [IndexSearch] C:\Program Files\ScanSoft\PaperPort\IndexSearch.exe
O4 - HKLM\..\Run: [ControlCenter2.0] C:\Program Files\Brother\ControlCenter2\brctrcen.exe /autorun
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Client Access Service] "C:\Program Files\IBM\Client Access\cwbsvstr.exe"
O4 - HKLM\..\Run: [Client Access Help Update] "C:\Program Files\IBM\Client Access\cwbinhlp.exe"
O4 - HKLM\..\Run: [Client Access Check Version] "C:\Program Files\IBM\Client Access\cwbckver.exe" LOGIN
O4 - HKLM\..\Run: [Client Access Express Welcome] "C:\Program Files\IBM\Client Access\cwbwlwiz.exe"
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: VPN Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {05D44720-58E3-49E6-BDF6-D00330E511D3} (StagingUI Object) - http://zone.msn.com/binFrameWork/v10/St ... b55579.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.c ... 040510.cab
O16 - DPF: {3BB54395-5982-4788-8AF4-B5388FFDD0D8} (MSN Games – Buddy Invite) - http://zone.msn.com/BinFrameWork/v10/ZB ... b55579.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O16 - DPF: {5736C456-EA94-4AAC-BB08-917ABDD035B3} (ZonePAChat Object) - http://zone.msn.com/binframework/v10/ZP ... b55579.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://cdn2.zone.msn.com/binFramework/v ... b56649.cab
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} (MSN Games – Game Communicator) - http://zone.msn.com/binframework/v10/St ... b55579.cab
O16 - DPF: {FF3C5A9F-5A99-4930-80E8-4709194C2AD3} (MSN Games – Backgammon) - http://zone.msn.com/bingame/zpagames/ZP ... b64162.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe

--
End of file - 6899 bytes


I never get tired of saying this cause it's really true,

THANK YOU!
Shanman
Regular Member
 
Posts: 17
Joined: October 3rd, 2007, 4:04 pm
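An added example, not code from the thread or from the HijackThis project: a Python triage helper that parses the O4 (Run entries), O16 (DPF ActiveX downloads) and O23 (services) lines of a HijackThis log and flags the things a helper usually checks first. The rules are my own assumptions for illustration: a Run entry that is a bare file name (resolved through the search path at logon), a DPF entry whose download location is not an http(s) URL or that has no friendly name, and a service binary sitting directly in the Windows folder rather than in System32 or Program Files. The sample lines are copied from the log above.

```python
import re
from collections import Counter

# Constructed sample: a few lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [C-Media Mixer] Mixer.exe /startup
O4 - HKLM\..\Run: [x3watch] C:\Program Files\X3watch\x3watch.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
O23 - Service: iSeries Access for Windows Remote Command (Cwbrxd) - IBM Corporation - C:\WINDOWS\CWBRXD.EXE
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O16_RE = re.compile(r"^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? - (?P<url>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.*?) - (?P<vendor>.*?) - (?P<path>.*)$")
EXE_RE = re.compile(r"^(.*?\.(?:exe|dll|com|scr|bat|cmd|vbs))(?:\s|$)", re.I)
SCHEME_RE = re.compile(r"^([a-z][a-z0-9+.-]*):", re.I)


def run_target(cmd):
    """Return the executable part of a Run command line (quoted path, or first token ending in .exe etc.)."""
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end] if end > 0 else cmd[1:]
    m = EXE_RE.match(cmd)
    return m.group(1) if m else cmd.split()[0]


def triage(log_text):
    """Return (section, item, severity, reason) tuples for entries worth a second look."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = O4_RE.match(line)
        if m:
            target = run_target(m.group("cmd"))
            if "\\" not in target and ":" not in target:
                findings.append(("O4", m.group("name"), "review",
                                 "bare file name, resolved through the search path at logon"))
            continue
        m = O16_RE.match(line)
        if m:
            s = SCHEME_RE.match(m.group("url"))
            scheme = s.group(1).lower() if s else ""
            if scheme not in ("http", "https"):
                findings.append(("O16", m.group("clsid"), "high",
                                 f"ActiveX download location uses '{scheme}:' instead of a web URL"))
            if not m.group("name"):
                findings.append(("O16", m.group("clsid"), "review", "no friendly name registered"))
            continue
        m = O23_RE.match(line)
        if m:
            path = m.group("path")
            folder = path.rsplit("\\", 1)[0].lower() if "\\" in path else ""
            if folder == r"c:\windows":
                findings.append(("O23", m.group("name"), "review",
                                 "service binary sits directly in the Windows folder"))
    return findings


def severity_counts(findings):
    """Tally findings by severity label."""
    return Counter(f[2] for f in findings)


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f)
    print(severity_counts(triage(SAMPLE_LOG)))
```

The only "high" finding on the sample is the O16 entry whose location starts with ms-its: rather than http://, which is exactly the line a human helper would single out in this log; the "review" items (the unqualified Mixer.exe, the unnamed DPF entry, the service binary in C:\WINDOWS) are legitimate here but are the kind of entry that needs to be matched against the installed software list before being cleared.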

Unread postby Elrond » October 31st, 2007, 3:06 am

I am sorry but we have a serious problem. The copy that you have of Windows is not legal. This has two effects.

1: You cannot update Windows, which means that you will get infected again very soon and nothing you or I do will be able to prevent it. There are too many ways of infecting an unpatched Windows installation without even needing your or anybody else's input. There are so many security holes in it that have been closed over the years but that you cannot close.

2: It is software piracy, and both the policy of the forum and my own conscience do not permit me in any form to be part of that.

Therefore I am sorry, but I will have to stop helping you with this computer until such time as there is a legal copy of Windows on it. Your friend does not have the right to let you use his copy of Windows, except if what he gives you is a regular XP that did not come with his computer and which he gives to you and does not use himself.

This can perhaps tell you what to do about the situation http://support.microsoft.com/kb/883254 .

Let me know when/if you get a legal copy on the computer. I will then happily finish helping you clean up and update this computer.

I am happy to help you with any computer that is not on a business network and does not run what in effect is pirated software even if it is not done on purpose.
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Thanks

Unread postby Shanman » October 31st, 2007, 11:31 am

I understand that.

I had a full version and screwed myself with my impatience.

Wish I knew of you before...... :cry:
Shanman
Regular Member
 
Posts: 17
Joined: October 3rd, 2007, 4:04 pm

New Computers

Unread postby Shanman » October 31st, 2007, 11:41 am

My other two computers are new and neither of them came with Windows discs. Is there any way to create a Windows install and get the code for them, just in case I have to reformat their hard drives in the years to come?

The one that you are still helping me with is an HP and the other is a Gateway.

I will probably just get rid of this machine and buy a cheap new one.

Thanks so much for your honesty and guidance.

Carl
Shanman
Regular Member
 
Posts: 17
Joined: October 3rd, 2007, 4:04 pm

Unread postby Elrond » November 1st, 2007, 1:07 pm

The lack of operating system CDs (or DVDs) is an annoying trend among those who sell computers.
The best way is probably to contact the companies that made the computers and find out if there is a way to get a set of reinstallation disks. It can be that you will have to pay for them, if you can get them at all. Some computers have a hidden partition that has a copy of the OS and other programs that came with the computer. In some cases it is possible to burn that to a CD or DVD. However, the only one who can tell you about that is the builder of the computer.

Sorry that I cannot help you more with this, but this is a field that is completely dependent upon the maker of the computer. :roll:
Elrond
Admin/Teacher Emeritus
 
Posts: 8818
Joined: February 17th, 2005, 9:14 pm
Location: Jerusalem

Re: Virtumonde and doubleclick issues 2

Unread postby askey127 » November 13th, 2007, 7:09 pm

This topic is now closed.

If you are the originator of this topic, and you need it re-opened please send an email to 'admin at malwareremoval.com', including a link to this topic.

If you have been helped and wish to donate to help with the costs of this volunteer site, please read Donations For Malware Removal

Please do not contact us if you are not the topic starter. A valid, working link to the closed topic is required along with the user name used. If the user name does not match the one in the thread linked, the email will be deleted.
askey127
Admin/Teacher
 
Posts: 14025
Joined: April 17th, 2005, 3:25 pm
Location: New Hampshire USA