bRIGHt OnE

Help, IE Browser Hijacked. Pop ups etc

27 posts in this topic

Hi, I've read the "Forum FAQ" before I posted this topic. I've done almost everything, except certain steps such as going into safe mode (I'm having a problem with it: I've pressed F8 and selected safe mode, but my PC doesn't open up safe mode).

 

Before I post the log files, here are some of the symptoms and the current situation:

- IE Browser's Privacy -> auto set to "Accept all cookies" on restart

- xxyxxvt.dll restored after restart

- Had Vundo on my pc, might be still having it

- Browser visiting sites such as (www.systemdoctor.com, www.winantivirus.com, www.ameana.com,etc)

 

I didn't restart my PC after I ran AVG Anti-Spyware's scan.

 

 

---------------------------------------------------------

AVG Anti-Spyware - Scan Report

---------------------------------------------------------

 

+ Created at: 11:31:47 PM 6/4/2007

 

+ Scan result:

 

 

 

C:\WINDOWS\system32\xxyxxvt.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

D:\HJT\backups\backup-20070603-223814-422.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).

C:\Documents and Settings\Administrator\Local Settings\Temp\win18.tmp.exe~ -> Trojan.Agent.qt : Cleaned with backup (quarantined).

C:\WINDOWS\Temp\win81E.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).

C:\WINDOWS\Temp\win9C4.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).

C:\WINDOWS\Temp\winAAA.tmp.exe -> Trojan.Dialer.qn : Cleaned with backup (quarantined).

C:\WINDOWS\system32\__delete_on_reboot__w_i_n_u_n_s_3_2_._d_l_l_ -> Trojan.Dialer.qn : Cleaned with backup (quarantined).

 

 

::Report end

 

-------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 11:33:08 PM, on 6/4/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

-------------------------------------------------------------------

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

C:\Program Files\Alwil Software\Avast4\ashServ.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\G10C Mouse\moffice.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\G10C Mouse\MOUSE32A.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\Program Files\Softwin\BitDefender10\vsserv.exe

C:\Program Files\Common Files\Teleca Shared\CapabilityManager.exe

C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

C:\WINDOWS\system32\lxcrcoms.exe

C:\Program Files\Common Files\Teleca Shared\Generic.exe

C:\Program Files\Sony Ericsson\Mobile2\Mobile Phone Monitor\epmworker.exe

C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: (no name) - {0AAFF3B3-8DCF-425B-9A1C-FA66C51B5891} - (no file)

O2 - BHO: (no name) - {0B1C0F6A-C12E-43C2-BD74-30F3E7B56629} - C:\WINDOWS\system32\ddcyx.dll

O2 - BHO: (no name) - {3B43CE9D-D824-467F-A9E1-DEF0FBC8B018} - (no file)

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: (no name) - {55DB983C-BDBF-426f-86F0-187B02DDA39B} - (no file)

O2 - BHO: (no name) - {636A1216-7CDF-4907-ABF9-86EAB69DD30f} - (no file)

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O2 - BHO: (no name) - {78CF77B8-60E5-454F-A973-3A139ABC0849} - (no file)

O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)

O2 - BHO: (no name) - {8402B093-8815-4F3D-8392-A3E10568E7F2} - (no file)

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: (no name) - {C7CD989F-36D3-40EB-BFD6-260B6D5C3FFF} - (no file)

O2 - BHO: (no name) - {CACA7731-9C77-464A-B1B7-462281DD8164} - C:\WINDOWS\system32\xxyxxvt.dll

O2 - BHO: (no name) - {CD3447D4-CA39-4377-8084-30E86331D74C} - C:\WINDOWS\system32\ruunpekc.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [iMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC

O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName

O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

O4 - HKLM\..\Run: [Media] C:\Program Files\G10C Mouse\moffice.exe

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sony Ericsson PC Suite] "C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe"

O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKLM\..\Run: [LXCRCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCRtime.dll,_RunDLLEntry@16

O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\aobhoffi.dll",realset

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

O4 - HKCU\..\Run: [ares] "C:\Program Files\Ares\Ares.exe" -h

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [TuneUp MemOptimizer] "C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC1B26F-0CA7-4FF5-A254-3D7CE55133DC}: NameServer = 202.188.0.133,202.188.1.5

O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll

O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)

O20 - Winlogon Notify: xxyxxvt - C:\WINDOWS\SYSTEM32\xxyxxvt.dll

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe

O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe

O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe

O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe

O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

 

--

End of file - 9641 bytes

 

 

Thanks beforehand.

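A triage pass over the HijackThis log format posted in this thread, as an added example (not code from the thread, from HijackThis or from the helpers): it parses a few of the O2/O4/O20 lines from the log above and flags the pattern that makes this a Vundo-style hijack, a random-named DLL in system32 registered both as a BHO and as a Winlogon Notify handler. The sample lines are copied from the log above; the "5 to 8 lowercase letters, no digits" naming heuristic is an assumption of this example and is a prompt to inspect a file, not proof that it is malicious.

```python
import re
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above, one per
# entry type the triage looks at, with two legitimate entries as negative cases.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0AAFF3B3-8DCF-425B-9A1C-FA66C51B5891} - (no file)
O2 - BHO: (no name) - {0B1C0F6A-C12E-43C2-BD74-30F3E7B56629} - C:\WINDOWS\system32\ddcyx.dll
O2 - BHO: (no name) - {CACA7731-9C77-464A-B1B7-462281DD8164} - C:\WINDOWS\system32\xxyxxvt.dll
O4 - HKLM\..\Run: [Genuine] rundll32.exe "C:\WINDOWS\system32\aobhoffi.dll",realset
O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe
O20 - Winlogon Notify: ddcyx - C:\WINDOWS\system32\ddcyx.dll
O20 - Winlogon Notify: winuns32 - winuns32.dll (file missing)
O20 - Winlogon Notify: xxyxxvt - C:\WINDOWS\SYSTEM32\xxyxxvt.dll
""".strip()

# "O2 - BHO: ..." / "R0 - HKLM\..." : section code, then the entry body.
ENTRY = re.compile(r"^(R\d|O\d+) - (.*)$")
# A DLL that sits directly in system32 (not a subfolder). Quotes are excluded so the
# rundll32 form  "C:\WINDOWS\system32\x.dll",entry  is captured too.
SYS32_DLL = re.compile(r'\\system32\\([^\\"]+)\.dll\b', re.IGNORECASE)
# Heuristic (assumption of this example): Vundo-era droppers used stems like ddcyx,
# xxyxxvt, aobhoffi, ruunpekc, i.e. only lowercase letters and no digits.
RANDOM_STEM = re.compile(r"^[a-z]{5,8}$")


@dataclass(frozen=True)
class Finding:
    section: str
    severity: str  # "high" = inspect now, "low" = stale entry / cleanup
    reason: str
    line: str


def random_sys32_stem(text):
    """Return the stem of a random-looking system32 DLL referenced in text, else None."""
    m = SYS32_DLL.search(text)
    if m and RANDOM_STEM.match(m.group(1)):
        return m.group(1)
    return None


def triage(log_text):
    """Flag HijackThis entries matching the BHO / Winlogon Notify / rundll32 pattern."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue
        section, body = m.groups()
        target = body.rsplit(" - ", 1)[-1]  # last " - " field is the file the entry loads
        stem = random_sys32_stem(body)
        if section == "O2" and target == "(no file)":
            findings.append(Finding(section, "low", "BHO registered for a missing file (stale entry)", line))
        elif section == "O2" and body.startswith("BHO: (no name)") and stem:
            findings.append(Finding(section, "high", f"unnamed BHO loads random-named system32 DLL {stem}.dll", line))
        elif section == "O20" and "(file missing)" in target:
            findings.append(Finding(section, "low", "Winlogon Notify handler whose DLL is missing (stale entry)", line))
        elif section == "O20" and stem:
            # Winlogon Notify DLLs are mapped into winlogon.exe before the desktop exists,
            # which is how a file can be back in place after every restart.
            findings.append(Finding(section, "high", f"Winlogon Notify loads random-named DLL {stem}.dll", line))
        elif section == "O4" and "rundll32" in body.lower() and stem:
            findings.append(Finding(section, "high", f"Run key uses rundll32 to load random-named DLL {stem}.dll", line))
    return findings


def vundo_pairs(log_text):
    """Stems registered both as an O2 BHO and as an O20 Winlogon Notify handler."""
    seen = {"O2": set(), "O20": set()}
    for f in triage(log_text):
        if f.severity == "high" and f.section in seen:
            seen[f.section].add(random_sys32_stem(f.line))
    return sorted(seen["O2"] & seen["O20"])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:4}] {f.section:3} {f.reason}")
    print("BHO + Winlogon Notify pairs:", vundo_pairs(SAMPLE_LOG))
```

The paired stems are the ones worth checking first, since the Winlogon Notify half re-registers the BHO half on each boot; the low-severity hits are leftovers a cleanup tool can simply drop.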

BitDefender Online Scanner

Scan report generated at: Tue, Jun 05, 2007 - 00:30:57
Scan path: A:\;C:\;D:\;E:\;

Statistics
Time: 00:39:43
Files: 194604
Folders: 5112
Boot Sectors: 3
Archives: 1810
Packed Files: 13396

Results
Identified Viruses: 3
Infected Files: 12
Suspect Files: 0
Warnings: 0
Disinfected: 0
Deleted Files: 10

Engines Info
Virus Definitions: 511772
Engine build: AVCORE v1.0 (build 2397) (i386) (Feb 8 2007 14:24:08)
Scan plugins: 14
Archive plugins: 38
Unpack plugins: 6
E-mail plugins: 6
System plugins: 1

Scan Settings
First Action: Disinfect
Second Action: Delete
Heuristics: Yes
Enable Warnings: Yes
Scanned Extensions: *;
Exclude Extensions: (none)
Scan Emails: Yes
Scan Archives: Yes
Scan Packed: Yes
Scan Files: Yes
Scan Boot: Yes

Scanned File (status lines indented below each file)

C:\Documents and Settings\Administrator\Local Settings\Application Data\Ares\My Shared Folder\bitdefender plus v10 + keygen core + patch.rar=>BitDefender Plus v10 + Keygen CORE + Patch\bitdefender_avplus_v10.exe=>(NSIS o)=>zlib_nsis0001
    Infected with: Trojan.Spy.Delf.RL
    Disinfection failed
    Deleted

C:\Documents and Settings\Administrator\Local Settings\Application Data\Ares\My Shared Folder\bitdefender plus v10 + keygen core + patch.rar=>BitDefender Plus v10 + Keygen CORE + Patch\bitdefender_avplus_v10.exe=>(NSIS o)
    Update failed

C:\WINDOWS\system32\ftlpucta.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\iqjnoeqy.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\llmgfpix.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\oatqaeeg.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\oyhawvit.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\qdlougih.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\tiahrpba.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Delete failed

C:\WINDOWS\system32\ucvykvvj.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\uwirobra.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\wogvuhbh.exe
    Infected with: Trojan.LowZones.SA
    Disinfection failed
    Deleted

C:\WINDOWS\system32\xxyxxvt.dll
    Infected with: Trojan.Vundo.DLU
    Disinfection failed
    Delete failed


Welcome to SWI. We apologize for the delay; our helpers have been very busy.

If you have not received help after 3 days, please CLICK HERE, and post a link to your log and the date it was originally posted.

 

Thank you for your patience.

 

[this is an automated reply]


Hi Bright One,

 

Welcome to SpywareInfo!

 

I apologize for the delay getting to your log. The helpers here are all volunteers and we have been very busy here lately. If you are still having malware problems, I will be glad to help.

 

OK, here's what we do first.

 

I notice that you have Spybot's TeaTimer running. While this is normally a wonderful tool to protect against hijackers, it can also interfere with HijackThis fixes. So please disable TeaTimer by doing the following.

 

To disable Spybot’s TeaTimer function:

  • Run Spybot-S&D.
  • Go to the "Mode" menu, and make sure "Advanced Mode" is selected.
  • On the left hand side, choose Tools -> Resident.
  • Uncheck "Resident TeaTimer" and "OK" any prompts.
  • Please download ResetTeaTimer.bat and save it to your desktop.
  • Double-click ResetTeaTimer.bat to remove all entries set by TeaTimer.

 

NEXT:

 

Please download ComboFix by sUBs:

 

NOTE: In the event you already have ComboFix, this is a new version that I need you to download.

  • Save it to your desktop.
  • Double-click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.

 

 

NEXT:

 

Please reboot your computer normally into Windows, and then please post the ComboFix log and a new HijackThis log.


Hi.

Firstly, thanks for your reply.

Here's my situation:

2 days ago, I read through some topics with similar cases of malware infection and did the same steps. After I'd done those, I installed NOD32 antivirus, the Opera browser and Comodo firewall.

I'll post a NEW HijackThis log along with the previous ComboFix log.

 

NEW HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 7:17:18 PM, on 6/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\G10C Mouse\moffice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Comodo\Firewall\CPF.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\G10C Mouse\MOUSE32A.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Comodo\Firewall\cmdagent.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\MSN Messenger\msnmsgr.exe

C:\Program Files\Opera\Opera.exe

C:\Program Files\MSN Messenger\usnsvc.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Internet Explorer\iexplore.exe

D:\HJT\HiJackThis_v2.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = IE 6

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [Media] C:\Program Files\G10C Mouse\moffice.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open in &new window - C:\Documents and Settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm

O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC1B26F-0CA7-4FF5-A254-3D7CE55133DC}: NameServer = 202.188.0.133,202.188.1.5

O20 - Winlogon Notify: winuns32 - C:\WINDOWS\

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

 

--

End of file - 7691 bytes

 

 

Previous ComboFix log:

"Administrator" - 2007-06-09 23:57:14 Service Pack 2 NTFS

ComboFix 07-06-06 - Running from: ""

 

 

((((((((((((((((((((((((( Files Created from 2007-05-09 to 2007-06-09 )))))))))))))))))))))))))))))))

 

 

2007-06-09 23:02 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-09 23:01 528 --a------ C:\CFCleanUp.bat

2007-06-09 17:23 131,124 --a------ C:\WINDOWS\system32\wwdfkkim.dll

2007-06-09 17:20 58,420 --a------ C:\WINDOWS\system32\wmsjfmkf.dll

2007-06-08 18:16 58,420 --a------ C:\WINDOWS\system32\dafxiola.dll

2007-06-06 19:19 14,868 --a------ C:\WINDOWS\system32\vwtmukgn.exe

2007-06-06 19:19 131,124 --a------ C:\WINDOWS\system32\wnurdsuy.dll

2007-06-05 19:38 131,124 --a------ C:\WINDOWS\system32\iycmaypk.dll

2007-06-05 17:04 131,124 --a------ C:\WINDOWS\system32\igvqyepl.dll

2007-06-05 16:58 2,580 --a------ C:\WINDOWS\system32\dnvsorun.exe

2007-06-05 16:29 2,580 --a------ C:\WINDOWS\system32\hkhcvedu.exe

2007-06-05 16:29 131,124 --a------ C:\WINDOWS\system32\ivbhumtc.dll

2007-06-05 00:04 2,580 --a------ C:\WINDOWS\system32\tiahrpba.exe

2007-06-04 19:31 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

2007-06-03 07:54 81,984 --a------ C:\WINDOWS\system32\bdod.bin

2007-06-03 07:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Bitdefender

2007-06-03 07:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender

2007-06-03 00:39 <DIR> d-------- C:\Program Files\HJTHotkey

2007-06-02 23:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2007-06-02 22:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-06-02 00:10 131,124 --a------ C:\WINDOWS\system32\aobhoffi.dll

2007-05-30 06:32 <DIR> d-------- C:\Program Files\iLike

2007-05-25 00:19 <DIR> d-------- C:\WINDOWS\system32\VIRepair

2007-05-23 16:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-05-22 17:14 <DIR> d-------- C:\Program Files\XoftSpy

2007-05-21 00:05 29,696 --a------ C:\intvuvmp.exe

2007-05-09 21:51 <DIR> d-------- C:\WINDOWS\FLV Player

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-03 01:05:32 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll

2007-06-02 16:37:02 -------- d-----w C:\Program Files\SpywareBlaster

2007-05-29 22:32:20 -------- d-----w C:\Program Files\iTunes

2007-05-22 01:05:51 -------- d-----w C:\Program Files\NCH Swift Sound

2007-05-22 00:25:40 -------- d-----w C:\Program Files\RegCleaner

2007-05-22 00:01:34 -------- d-----w C:\Program Files\lx_cats

2007-05-21 13:20:35 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Orbit

2007-05-21 10:42:01 -------- d-----w C:\Program Files\TuneUp Utilities 2007

2007-05-20 08:34:40 389,120 ----a-w C:\WINDOWS\udll3011.dll

2007-05-20 08:34:40 0 ----a-w C:\WINDOWS\system32\UTSCSI.EXE

2007-05-19 15:39:35 -------- d-----w C:\Program Files\MSN Messenger

2007-05-14 02:06:51 -------- d-----w C:\Program Files\Plato Video To 3GP Converter

2007-05-10 05:42:39 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic

2007-05-05 14:36:48 -------- d-----w C:\Program Files\Acoustica MP3 To Wave Converter PLUS

2007-04-30 15:46:10 745,600 ----a-w C:\WINDOWS\system32\aswBoot.exe

2007-04-30 15:41:55 85,952 ----a-w C:\WINDOWS\system32\drivers\aswmon.sys

2007-04-30 15:41:42 94,552 ----a-w C:\WINDOWS\system32\drivers\aswmon2.sys

2007-04-30 15:39:41 23,416 ----a-w C:\WINDOWS\system32\drivers\aswRdr.sys

2007-04-30 15:38:51 43,176 ----a-w C:\WINDOWS\system32\drivers\aswTdi.sys

2007-04-30 15:37:23 26,888 ----a-w C:\WINDOWS\system32\drivers\aavmker4.sys

2007-04-30 15:35:28 95,872 ----a-w C:\WINDOWS\system32\AVASTSS.scr

2007-04-28 16:51:17 2,337,792 ----a-w C:\WINDOWS\system32\TUKernel.exe

2007-04-28 00:46:55 -------- d-----w C:\Program Files\Design Explorer 99 SE

2007-04-28 00:32:58 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\TuneUp Software

2007-04-28 00:32:23 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-04-23 14:32:52 -------- d-----w C:\Program Files\SWiSHmax

2007-04-19 10:42:52 -------- d-----w C:\Program Files\MP3 Player Utilities 4.00

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 14:39:42 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Stardock

2007-04-18 14:39:30 -------- d-----w C:\Program Files\LClock

2007-04-14 10:15:19 -------- d-----w C:\Program Files\WIDCOMM

2007-04-13 04:05:11 -------- d-----w C:\Program Files\Winamp

2007-04-10 13:16:07 -------- d-----w C:\Program Files\Common Files\Novell Shared

2007-04-10 13:16:04 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-04-10 13:15:56 -------- d-----w C:\Program Files\Common Files\InstallShield

2007-03-28 20:42:42 29,704 ----a-w C:\WINDOWS\system32\uxtuneup.dll

2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 04:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 04:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

2007-03-09 01:37:54 139,264 ----a-w C:\WINDOWS\system32\viscomqtde.dll

2007-03-09 01:36:48 81,920 ----a-w C:\WINDOWS\system32\viscomwave.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C}=C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL [2006-10-31 14:55]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll [2006-12-15 03:23]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 23:42]

"Media"="C:\Program Files\G10C Mouse\moffice.exe" [2007-01-17 10:22]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2006-10-07 20:20]

"VTTimer"="VTTimer.exe" [2004-01-15 20:33 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 C:\WINDOWS\soundman.exe]

"Sony Ericsson PC Suite"="C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" [2005-10-26 16:17]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe" [2006-12-15 03:23]

"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 20:27]

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsHistory"=1 (0x1)

"ClearRecentDocsOnExit"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 22:13]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=sockspy.dll

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

"C:\Program Files\Ares\Ares.exe" -h

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blaero Start Orb]

C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

"C:\Program Files\Lexmark 2400 Series\ezprint.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]

"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]

"C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]

C:\Program Files\Rainlendar2\Rainlendar2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]

"C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]

C:\Program Files\Vista Sidebar\sidebar.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinClicker.exe]

"C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" -atboottime

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

UxTuneUp

 

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]

AutoRun\command- F:\idstick.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015a5122-1426-11dc-8892-0013d3986a03}]

Auto\command- infrom.exe

AutoRun\command- %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69f5f7f6-0911-11dc-8875-0013d3986a03}]

AutoRun\command- SSCVIHOST.exe

Open\command- SSCVIHOST.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c448d382-fa38-11db-884d-0013d3986a03}]

AutoRun\command- F:\idstick.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5821aca-ee60-11db-8830-0013d3986a03}]

AutoRun\command- %SystemRoot%\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2390bee-a9cb-11db-87b7-0013d3986a03}]

Auto\command- H:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-18 09:16:36 C:\WINDOWS\tasks\1-Click Maintenance.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-09 23:59:49

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

**************************************************************************

 

Completion time: 2007-06-10 0:02:35

C:\ComboFix-quarantined-files.txt ... 2007-06-10 00:02

C:\ComboFix2.txt ... 2007-06-09 23:14

 

--- E O F ---

 

 

p/s: I noticed the quarantine files from ComboFix, should I delete them?

 

-bRIGHt. Thanks


Hi Bright One, :wave:

 

You’re most welcome, Bright One. :)

 

Leave the quarantined files of ComboFix alone for the moment. The developer of ComboFix might need them for further analysis.

 

OK, let’s do this next.

 

Please download Flash_Disinfector.exe by sUBs and save it to your desktop:

 

NOTE: In the event you already have Flash_Disinfector, this is a new version that I need you to download.

  • Double-click Flash_Disinfector.exe to run it.
  • Follow any prompts that may appear.
  • Your desktop will vanish for a while, and then reappear. This is normal.
  • Wait until the program has finished scanning, then please exit the program.

 

NEXT:

 

BEFORE BEGINNING, Please read completely through the instructions below. Please also print these instructions or copy them to Notepad (or another word processor), and save it for easier reference. This is because we will be in Safe Mode during the fix and you won’t be able to access the Internet to view these instructions.

 

Please download the Suspicious File Packer from Safer-Networking.Org and unzip (extract) it to your desktop.

 

Then please reboot your computer into Safe Mode by doing the following:

  • Reboot your computer.
  • After hearing your computer beep once during startup, but just before the Windows icon appears, begin tapping the F8 key on your keyboard. If you begin tapping the F8 key too soon, some computers display a "keyboard error" message. To resolve this, reboot the computer and try again.
  • Instead of Windows loading as normal, a menu should appear.
  • Using the arrow keys on the keyboard, scroll to and select the "Safe Mode" menu item, and then press "Enter".

Please run the Suspicious File Packer:

  • Double-click on SFP.exe to run it.
  • Please copy the following lines into the "Step 1: Paste Text" window:
     
    C:\WINDOWS\system32\wwdfkkim.dll
    C:\WINDOWS\system32\wmsjfmkf.dll
    C:\WINDOWS\system32\dafxiola.dll
    C:\WINDOWS\system32\vwtmukgn.exe
    C:\WINDOWS\system32\wnurdsuy.dll
    C:\WINDOWS\system32\iycmaypk.dll
    C:\WINDOWS\system32\igvqyepl.dll
    C:\WINDOWS\system32\dnvsorun.exe
    C:\WINDOWS\system32\hkhcvedu.exe
    C:\WINDOWS\system32\ivbhumtc.dll
    C:\WINDOWS\system32\tiahrpba.exe
    C:\WINDOWS\system32\aobhoffi.dll
    C:\intvuvmp.exe
    C:\WINDOWS\system32\TUKernel.exe
     
     
  • Then click "Continue".
  • When SFP has finished packing the file, please reboot normally into Windows.
  • Please upload the created .cab file on your desktop (named "requested-files[Date/Time].cab") to:
     
    http://www.bleepingcomputer.com/submit-malware.php?channel=4
     
     
  • Please include a link to your thread at SWI in your upload message.
  • You can then delete the requested-files.cab file from your desktop once you have sent it to the above recipients.

 

NEXT:

 

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O20 - Winlogon Notify: winuns32 - C:\WINDOWS\

 

 

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

 

Then please exit HijackThis.

 

 

NEXT:

 

Go to Start -> Control Panel -> Add/Remove Programs and remove any of the following that are listed:

 

MegaUploadToolbar

RegCleaner

 

 

NEXT:

 

For this next step, please ensure that ComboFix.exe is on your desktop:

  • Then, please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:
    (start copying from "File::")
     
     
    File::
    C:\WINDOWS\system32\winuns32.exe
    C:\WINDOWS\winuns32.exe
    C:\winuns32.exe
    C:\WINDOWS\system32\winuns32.dll
    C:\WINDOWS\winuns32.dll
    C:\winuns32.dll
    C:\WINDOWS\system32\wwdfkkim.dll
    C:\WINDOWS\system32\wmsjfmkf.dll
    C:\WINDOWS\system32\dafxiola.dll
    C:\WINDOWS\system32\vwtmukgn.exe
    C:\WINDOWS\system32\wnurdsuy.dll
    C:\WINDOWS\system32\iycmaypk.dll
    C:\WINDOWS\system32\igvqyepl.dll
    C:\WINDOWS\system32\dnvsorun.exe
    C:\WINDOWS\system32\hkhcvedu.exe
    C:\WINDOWS\system32\ivbhumtc.dll
    C:\WINDOWS\system32\tiahrpba.exe
    C:\WINDOWS\system32\aobhoffi.dll
    C:\intvuvmp.exe
    C:\WINDOWS\system32\TUKernel.exe
    
    Folder::
    C:\PROGRA~1\MEGAUP~1
    C:\Program Files\RegCleaner
    
    Registry::
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\F]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{015a5122-1426-11dc-8892-0013d3986a03}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{69f5f7f6-0911-11dc-8875-0013d3986a03}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{c448d382-fa38-11db-884d-0013d3986a03}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d5821aca-ee60-11db-8830-0013d3986a03}]
    [-HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e2390bee-a9cb-11db-87b7-0013d3986a03}]
    


     
     

  • Save this as ComboFix-Do.txt and change the "Save as type" to "All Files" and place it on your desktop.
     
     
(screenshot: Combo-Do.gif)
     
     
     
  • Referring to the screenshot above, drag ComboFix-Do.txt into ComboFix.exe.
  • ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
  • When finished, it shall produce a log for you. Copy and paste the contents of the log in your next reply.

CAUTION: Please do NOT mouse-click ComboFix's window while it is running. That may cause it to stall. Also, please do NOT adjust your time format while ComboFix is running.

 

 

NEXT:

 

Please download CCleaner (freeware) and save it to your desktop:

  1. Run the CCleaner installer.
  2. During installation process, please UNCHECK "Add CCleaner Yahoo! Toolbar".
  3. Once installed, run CCleaner and click the "Windows" tab.
  4. Select the following:
    • Check everything under the "Internet Explorer" section.
    • Check everything under the "Windows Explorer" section.
    • Check everything under the "System" section.
    • Check ONLY "Old Prefetch data" under the "Advanced" section.

  5. Then, click the "Applications" tab:
    • CHECK everything there.
  6. Next, click the "Options" button in the left pane, then click the "Advanced" button:
    • UNCHECK : "Only delete files in Windows Temp folders older than 48 hours".
  7. Next, click the "Cleaner" button in the left pane, then click the "Run Cleaner" button (bottom right), click "OK" at the prompt.
  8. When done, please exit CCleaner.

CAUTION: Please do NOT use the "Issues" button in the left pane. This is a built-in registry cleaner. If you don’t know how to use it, you may cause irreparable damage to your system.

 

 

NEXT:

 

Let's run an online scan to make sure we're not leaving anything behind.

 

Please do an online scan with Kaspersky Online Scanner using Internet Explorer (this online scanner only works with IE):

  1. Click on "Kaspersky Online Scanner".
  2. You will be prompted to install an ActiveX component from Kaspersky, click "Yes".
  3. The program will launch and then begin downloading the latest definition files.
  4. Once the files have been downloaded click on "Next".
  5. Now click on "Scan Settings".
  6. In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
      Extended
    • Scan Options:
      Scan Archives
      Scan Mail Bases

  7. Click "OK".
  8. Now under select a target to scan:
    • Select "My Computer".
  9. This program will start and scan your system.
  10. The scan will take a while so be patient and let it run.
  11. Once the scan is complete it will display if your system has been infected.
    • Now click on the "Save Report As" button.
    • In the "File name:" field, type kavscan.
    • In the "Save as type:" field, select "Text file (*.txt)".
  12. Save the file to your desktop.
  13. Copy and paste that information in your next post.

Note for Internet Explorer 7 users: If at any time you have trouble with the "Accept" button of the license, click on the "Zoom" tool located at the bottom right of the IE window and set the zoom to 75 %. Once the license has been accepted, reset to 100%.

 

 

NEXT:

 

Please go to: VirusTotal

  • At the top of the page you'll find a "Browse" button. Click the "Browse" button and browse to next file:
     
    C:\WINDOWS\system32\bdod.bin
     
     
  • Click "Open".
  • Then click the "Send" button at the top of the VirusTotal page.
  • This will scan the file. Please be patient.
  • Once scanned, copy and paste the results in your next reply.

Then please do the same as above for the following files:

 

C:\WINDOWS\system32\xreglib.dll

C:\WINDOWS\udll3011.dll

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from the ComboFix scan located at C:\ComboFix.txt.
  2. The log from the Kaspersky scan.
  3. The reports from VirusTotal.
  4. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

Also, please let me know how things are running now and if you encountered any problems while you were following the directions I posted.


Hi, I've installed the 'Suspicious File Packer' and I've tried to enter safe mode... after tapping F8, I selected Safe Mode, but I can't get into it.


Hi Bright One, :wave:

 

OK, there is something wrong with your Safe Mode, then. This was most likely caused by the malware.

 

Skip the Safe Mode and SFP part. We will fix your Safe Mode and do the SFP part later once we are sure that all the malware is gone from your system.

 

Do the rest of the fix and let me know how things go, OK? :)

Edited by Sempurna


Hi :wave:, here are the logs you've requested.

 

ComboFix Log:

"Administrator" - 2007-06-12 20:32:26 Service Pack 2 NTFS

Command switches used :: C:\Documents and Settings\Administrator\Desktop\ComboFix-Do.txt.txt

 

 

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

 

 

C:\intvuvmp.exe

C:\WINDOWS\system32\aobhoffi.dll

C:\WINDOWS\system32\dafxiola.dll

C:\WINDOWS\system32\dnvsorun.exe

C:\WINDOWS\system32\hkhcvedu.exe

C:\WINDOWS\system32\igvqyepl.dll

C:\WINDOWS\system32\ivbhumtc.dll

C:\WINDOWS\system32\iycmaypk.dll

C:\WINDOWS\system32\tiahrpba.exe

C:\WINDOWS\system32\TUKernel.exe

C:\WINDOWS\system32\vwtmukgn.exe

C:\WINDOWS\system32\wmsjfmkf.dll

C:\WINDOWS\system32\wnurdsuy.dll

C:\WINDOWS\system32\wwdfkkim.dll

 

 

((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))

 

 

2007-06-11 23:18 26,112 --a------ C:\WINDOWS\system32\nircmd.exe

2007-06-11 23:18 <DIR> drahs---- C:\autorun.inf

2007-06-11 23:05 <DIR> d-------- C:\Program Files\FlashGet

2007-06-10 23:15 <DIR> d--h----- C:\WINDOWS\Icons

2007-06-10 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera

2007-06-10 22:27 <DIR> d-------- C:\Program Files\Opera

2007-06-10 16:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo

2007-06-10 16:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Comodo

2007-06-10 16:02 <DIR> d-------- C:\Program Files\Comodo

2007-06-10 14:33 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2007-06-10 14:33 299,392 --a------ C:\WINDOWS\system32\imon.dll

2007-06-10 14:33 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2007-06-10 14:31 <DIR> d-------- C:\Program Files\nod32

2007-06-09 23:47 528 --a------ C:\CFCleanUp.bat

2007-06-09 23:02 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-04 19:31 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

2007-06-03 07:54 81,984 --a------ C:\WINDOWS\system32\bdod.bin

2007-06-03 07:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Bitdefender

2007-06-03 07:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender

2007-06-03 00:39 <DIR> d-------- C:\Program Files\HJTHotkey

2007-06-02 23:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2007-06-02 22:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-05-30 06:32 <DIR> d-------- C:\Program Files\iLike

2007-05-25 00:19 <DIR> d-------- C:\WINDOWS\system32\VIRepair

2007-05-23 16:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-05-22 17:14 <DIR> d-------- C:\Program Files\XoftSpy

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-11 12:20:53 -------- d-----w C:\Program Files\TuneUp Utilities 2007

2007-06-03 01:05:32 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll

2007-06-02 16:37:02 -------- d-----w C:\Program Files\SpywareBlaster

2007-05-29 22:32:20 -------- d-----w C:\Program Files\iTunes

2007-05-22 01:05:51 -------- d-----w C:\Program Files\NCH Swift Sound

2007-05-22 00:01:34 -------- d-----w C:\Program Files\lx_cats

2007-05-21 13:20:35 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Orbit

2007-05-20 08:34:40 389,120 ----a-w C:\WINDOWS\udll3011.dll

2007-05-20 08:34:40 0 ----a-w C:\WINDOWS\system32\UTSCSI.EXE

2007-05-19 15:39:35 -------- d-----w C:\Program Files\MSN Messenger

2007-05-14 02:06:51 -------- d-----w C:\Program Files\Plato Video To 3GP Converter

2007-05-10 05:42:39 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic

2007-05-05 14:36:48 -------- d-----w C:\Program Files\Acoustica MP3 To Wave Converter PLUS

2007-04-28 00:46:55 -------- d-----w C:\Program Files\Design Explorer 99 SE

2007-04-28 00:32:58 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\TuneUp Software

2007-04-28 00:32:23 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-04-23 14:32:52 -------- d-----w C:\Program Files\SWiSHmax

2007-04-19 10:42:52 -------- d-----w C:\Program Files\MP3 Player Utilities 4.00

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 14:39:42 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Stardock

2007-04-18 14:39:30 -------- d-----w C:\Program Files\LClock

2007-04-14 10:15:19 -------- d-----w C:\Program Files\WIDCOMM

2007-04-13 04:05:11 -------- d-----w C:\Program Files\Winamp

2007-03-28 20:42:42 29,704 ----a-w C:\WINDOWS\system32\uxtuneup.dll

2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 04:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 04:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-05-16 17:03]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]

{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-05-16 13:05]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Media"="C:\Program Files\G10C Mouse\moffice.exe" [2007-01-17 10:22]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-10 14:29]

"VTTimer"="VTTimer.exe" [2004-01-15 20:33 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 C:\WINDOWS\soundman.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-10 14:31]

"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-10 16:02]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 20:27]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]

"megauploadtoolbar"=C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\tbuninstall.exe -df "C:\Program Files\MegauploadToolbar\"

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsHistory"=1 (0x1)

"ClearRecentDocsOnExit"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 22:13]

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

"C:\Program Files\Ares\Ares.exe" -h

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blaero Start Orb]

C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

"C:\Program Files\Lexmark 2400 Series\ezprint.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]

"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]

"C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]

C:\Program Files\Rainlendar2\Rainlendar2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]

"C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]

C:\Program Files\Vista Sidebar\sidebar.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinClicker.exe]

"C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" -atboottime

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

UxTuneUp

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-18 09:16:36 C:\WINDOWS\tasks\1-Click Maintenance.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-12 20:34:00

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-12 20:34:49

C:\ComboFix-quarantined-files.txt ... 2007-06-12 20:34

C:\ComboFix2.txt ... 2007-06-10 00:02

C:\ComboFix3.txt ... 2007-06-09 23:14

 

--- E O F ---

 

Kaspersky Online Scanner Log:

-------------------------------------------------------------------------------

KASPERSKY ONLINE SCANNER REPORT

Tuesday, June 12, 2007 11:15:11 PM

Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)

Kaspersky Online Scanner version: 5.0.83.0

Kaspersky Anti-Virus database last update: 12/06/2007

Kaspersky Anti-Virus database records: 342717

-------------------------------------------------------------------------------

 

Scan Settings:

Scan using the following antivirus database: extended

Scan Archives: true

Scan Mail Bases: true

 

Scan Target - My Computer:

A:\

C:\

D:\

E:\

 

Scan Statistics:

Total number of scanned objects: 64617

Number of viruses found: 8

Number of infected objects: 19 / 0

Number of suspicious objects: 0

Duration of the scan process: 00:57:11

 

Infected Object Name / Virus Name / Last Action

C:\Documents and Settings\Administrator\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Desktop\shared\vtp6.zip/Vista Transformation Pack 6.0.exe/WISE0030.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\Documents and Settings\Administrator\Desktop\shared\vtp6.zip/Vista Transformation Pack 6.0.exe/WISE0053.BIN/WISE0005.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\Documents and Settings\Administrator\Desktop\shared\vtp6.zip/Vista Transformation Pack 6.0.exe/WISE0053.BIN Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\Documents and Settings\Administrator\Desktop\shared\vtp6.zip/Vista Transformation Pack 6.0.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\Documents and Settings\Administrator\Desktop\shared\vtp6.zip ZIP: infected - 4 skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\Administrator\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\Administrator\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Program Files\ESET\cache\CACHE.NDB Object is locked skipped

C:\Program Files\ESET\infected\33PNBABA.NQF Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\Program Files\ESET\infected\HYP1BIAA.NQF Infected: Trojan.Win32.Agent.anr skipped

C:\Program Files\ESET\infected\VAQN1IDA.NQF Infected: Trojan.Win32.BHO.bd skipped

C:\Program Files\ESET\logs\virlog.dat Object is locked skipped

C:\Program Files\ESET\logs\warnlog.dat Object is locked skipped

C:\QooBox\Quarantine\C\intvuvmp.exe.vir Infected: Trojan-Clicker.Win32.Costrat.at skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\aobhoffi.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.kg skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\babiirxd.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ddcyx.dll.vir Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\mwkdfbld.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\qvngmpyo.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\ruunpekc.dll.vir Object is locked skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\vwtmukgn.exe.vir Infected: Trojan-Clicker.Win32.Small.mw skipped

C:\QooBox\Quarantine\C\WINDOWS\system32\xxyxxvt.dll.vir Object is locked skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\bdss.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\closeapp.exe Infected: not-a-virus:RiskTool.Win32.CloseApp.a skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\esnecil.ind Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\__delete_on_reboot__j_6_2_8_1_8_3_1_._d_l_l_ Infected: Trojan-Clicker.Win32.Small.mw skipped

C:\WINDOWS\Temp\tmp00005383\tmp00000000 Object is locked skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

D:\HJT\backups\backup-20070603-004549-410.dll Object is locked skipped

D:\HJT\backups\backup-20070603-005751-572.dll Object is locked skipped

D:\HJT\backups\backup-20070603-010613-835.dll Object is locked skipped

D:\HJT\backups\backup-20070603-010937-865.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

D:\HJT\backups\backup-20070603-011009-926.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

D:\HJT\backups\backup-20070603-223809-361.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

D:\HJT\backups\backup-20070605-164457-387.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

D:\HJT\backups\backup-20070605-164457-619.dll Object is locked skipped

D:\HJT\backups\backup-20070605-164457-710.dll Object is locked skipped

D:\HJT\backups\backup-20070609-202033-383.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.fp skipped

D:\HJT\backups\backup-20070609-202033-861.dll Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

 

Scan process completed.

 

VirusTotal Results:

STATUS: FINISHED

Complete scanning result of "bdod.bin", received in VirusTotal at 06.12.2007, 15:52:27 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.6.12.2 06.12.2007 no virus found

AntiVir 7.4.0.32 06.12.2007 no virus found

Authentium 4.93.8 06.12.2007 no virus found

Avast 4.7.997.0 06.12.2007 no virus found

AVG 7.5.0.467 06.12.2007 no virus found

BitDefender 7.2 06.12.2007 no virus found

CAT-QuickHeal 9.00 06.12.2007 no virus found

ClamAV devel-20070416 06.12.2007 no virus found

DrWeb 4.33 06.12.2007 no virus found

eSafe 7.0.15.0 06.12.2007 no virus found

eTrust-Vet 30.7.3713 06.12.2007 no virus found

Ewido 4.0 06.12.2007 no virus found

FileAdvisor 1 06.12.2007 no virus found

Fortinet 2.85.0.0 06.12.2007 no virus found

F-Prot 4.3.2.48 06.12.2007 no virus found

F-Secure 6.70.13030.0 06.12.2007 no virus found

Ikarus T3.1.1.8 06.12.2007 no virus found

Kaspersky 4.0.2.24 06.12.2007 no virus found

McAfee 5050 06.11.2007 no virus found

Microsoft 1.2503 06.12.2007 no virus found

NOD32v2 2325 06.12.2007 no virus found

Norman 5.80.02 06.12.2007 no virus found

Panda 9.0.0.4 06.12.2007 no virus found

Prevx1 V2 06.12.2007 no virus found

Sophos 4.18.0 06.12.2007 no virus found

Sunbelt 2.2.907.0 06.09.2007 no virus found

Symantec 10 06.12.2007 no virus found

TheHacker 6.1.6.132 06.11.2007 no virus found

VBA32 3.12.0.1 06.11.2007 no virus found

VirusBuster 4.3.23:9 06.11.2007 no virus found

Webwasher-Gateway 6.0.1 06.12.2007 no virus found

-

STATUS: FINISHED

Complete scanning result of "xreglib.dll", received in VirusTotal at 06.12.2007, 16:38:50 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.6.12.2 06.12.2007 no virus found

AntiVir 7.4.0.32 06.12.2007 no virus found

Authentium 4.93.8 06.12.2007 no virus found

Avast 4.7.997.0 06.12.2007 no virus found

AVG 7.5.0.467 06.12.2007 no virus found

BitDefender 7.2 06.12.2007 no virus found

CAT-QuickHeal 9.00 06.12.2007 no virus found

ClamAV devel-20070416 06.12.2007 no virus found

DrWeb 4.33 06.12.2007 no virus found

eSafe 7.0.15.0 06.12.2007 no virus found

eTrust-Vet 30.7.3713 06.12.2007 no virus found

Ewido 4.0 06.12.2007 no virus found

FileAdvisor 1 06.12.2007 no virus found

Fortinet 2.85.0.0 06.12.2007 no virus found

F-Prot 4.3.2.48 06.12.2007 no virus found

F-Secure 6.70.13030.0 06.12.2007 no virus found

Ikarus T3.1.1.8 06.12.2007 no virus found

Kaspersky 4.0.2.24 06.12.2007 no virus found

McAfee 5050 06.11.2007 no virus found

Microsoft 1.2503 06.12.2007 no virus found

NOD32v2 2325 06.12.2007 no virus found

Norman 5.80.02 06.12.2007 no virus found

Panda 9.0.0.4 06.12.2007 no virus found

Prevx1 V2 06.12.2007 no virus found

Sophos 4.18.0 06.12.2007 no virus found

Sunbelt 2.2.907.0 06.09.2007 no virus found

Symantec 10 06.12.2007 no virus found

TheHacker 6.1.6.132 06.11.2007 no virus found

VBA32 3.12.0.1 06.11.2007 no virus found

VirusBuster 4.3.23:9 06.12.2007 no virus found

Webwasher-Gateway 6.0.1 06.12.2007 no virus found

-

STATUS: FINISHED

Complete scanning result of "udll3011.dll", received in VirusTotal at 06.12.2007, 16:55:53 (CET).

 

Antivirus Version Update Result

AhnLab-V3 2007.6.12.2 06.12.2007 no virus found

AntiVir 7.4.0.32 06.12.2007 no virus found

Authentium 4.93.8 06.12.2007 no virus found

Avast 4.7.997.0 06.12.2007 no virus found

AVG 7.5.0.467 06.12.2007 no virus found

BitDefender 7.2 06.12.2007 no virus found

CAT-QuickHeal 9.00 06.12.2007 no virus found

ClamAV devel-20070416 06.12.2007 no virus found

DrWeb 4.33 06.12.2007 no virus found

eSafe 7.0.15.0 06.12.2007 no virus found

eTrust-Vet 30.7.3713 06.12.2007 no virus found

Ewido 4.0 06.12.2007 no virus found

FileAdvisor 1 06.12.2007 no virus found

Fortinet 2.85.0.0 06.12.2007 no virus found

F-Prot 4.3.2.48 06.12.2007 no virus found

F-Secure 6.70.13030.0 06.12.2007 no virus found

Ikarus T3.1.1.8 06.12.2007 no virus found

Kaspersky 4.0.2.24 06.12.2007 no virus found

McAfee 5050 06.11.2007 no virus found

Microsoft 1.2503 06.12.2007 no virus found

NOD32v2 2325 06.12.2007 no virus found

Norman 5.80.02 06.12.2007 no virus found

Panda 9.0.0.4 06.12.2007 no virus found

Prevx1 V2 06.12.2007 no virus found

Sophos 4.18.0 06.12.2007 no virus found

Sunbelt 2.2.907.0 06.09.2007 no virus found

Symantec 10 06.12.2007 no virus found

TheHacker 6.1.6.132 06.11.2007 no virus found

VBA32 3.12.0.1 06.11.2007 no virus found

VirusBuster 4.3.23:9 06.12.2007 no virus found

Webwasher-Gateway 6.0.1 06.12.2007 no virus found

 

HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 11:33:41 PM, on 6/12/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Comodo\Firewall\cmdagent.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\G10C Mouse\moffice.exe

C:\Program Files\G10C Mouse\MOUSE32A.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Comodo\Firewall\CPF.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\WINDOWS\system32\NOTEPAD.EXE

C:\Program Files\Opera\Opera.exe

C:\Documents and Settings\Administrator\Desktop\HiJackThis_v2.exe

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [Media] C:\Program Files\G10C Mouse\moffice.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open in &new window - C:\Documents and Settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm

O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC1B26F-0CA7-4FF5-A254-3D7CE55133DC}: NameServer = 202.188.0.133,202.188.1.5

O20 - Winlogon Notify: winuns32 - C:\WINDOWS\

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

 

--

End of file - 8178 bytes

 

Thanks in advance.


Hi Bright One, :wave:

 

OK, let’s clean up the leftovers, let SFP pack some files, and fix your Safe Mode problem, shall we? :)

 

First of all, please delete this FILE (please let me know if you have trouble finding or deleting the file):

 

C:\WINDOWS\system32\__delete_on_reboot__j_6_2_8_1_8_3_1_._d_l_l

 

You may have to Show hidden files and folders first.

 

 

NEXT:

 

Please run HijackThis and click "Scan". Place a check (tick) next to the following entries (if present):

 

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

O20 - Winlogon Notify: winuns32 - C:\WINDOWS\

 

 

Close ALL programs and browsers (including this one), leaving ONLY HijackThis open, then click "Fix checked".

 

Then please exit HijackThis.

 

 

NEXT:

 

Please run the Suspicious File Packer:

  • Double-click on SFP.exe to run it.
  • Please copy the following lines into the "Step 1: Paste Text" window:
     
    C:\QooBox\Quarantine\C\intvuvmp.exe
    C:\QooBox\Quarantine\C\WINDOWS\system32\aobhoffi.dll
    C:\QooBox\Quarantine\C\WINDOWS\system32\dafxiola.dll
    C:\QooBox\Quarantine\C\WINDOWS\system32\dnvsorun.exe
    C:\QooBox\Quarantine\C\WINDOWS\system32\hkhcvedu.exe
    C:\QooBox\Quarantine\C\WINDOWS\system32\igvqyepl.dll
    C:\QooBox\Quarantine\C\WINDOWS\system32\ivbhumtc.dll
    C:\QooBox\Quarantine\C\WINDOWS\system32\iycmaypk.dll
    C:\QooBox\Quarantine\C\WINDOWS\system32\tiahrpba.exe
    C:\QooBox\Quarantine\C\WINDOWS\system32\TUKernel.exe
    C:\QooBox\Quarantine\C\WINDOWS\system32\vwtmukgn.exe
    C:\QooBox\Quarantine\C\WINDOWS\system32\wmsjfmkf.dll
    C:\QooBox\Quarantine\C\WINDOWS\system32\wnurdsuy.dll
    C:\QooBox\Quarantine\C\WINDOWS\system32\wwdfkkim.dll
     
     
  • Then click "Continue".
  • When SFP has finished packing the files, please upload the created .cab file on your desktop (named "requested-files[Date/Time].cab") to:
     
    http://www.bleepingcomputer.com/submit-malware.php?channel=4
     
     
  • Please include a link to your thread at SWI in your upload message.
  • You can then delete the requested-files.cab file from your desktop once you have sent it to the above recipients.

 

NEXT:

 

Let’s see if we can solve your Safe Mode boot problem.

 

Please download SafeBootKeyRepair.exe by sUBs and save it to your desktop.

 

Double-click SafeBootKeyRepair.exe to run it. Follow any prompts that may appear.

 

Then post the log it produces.

 

 

NEXT:

 

Please REBOOT your computer normally into Windows and post these logs in your next reply:

  1. The log from SafeBootKeyRepair.
  2. A new ComboFix log.
  3. A new HijackThis log.

(You might have to paste the logs in multiple posts in the event they are too long and breach the post length restrictions of the forum software).

 

How are things running now? Can you boot into Safe Mode?

Edited by Sempurna

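The entries the helper ticked above follow a recognisable pattern: an O2 BHO whose DLL is "(no file)", an O20 Winlogon Notify value that points at a bare directory instead of a DLL, and an R0 start page that is not a real URL. As an added example (not code from this thread, from HijackThis or from the helper), the Python below encodes that same triage over HijackThis log lines, plus the O23 "(file missing)" service pattern that the posted log also shows. The sample lines are copied from the HijackThis log posted earlier in the thread; the WgaLogon O20 line is constructed as a legitimate entry for contrast. The `Finding` class, the rule thresholds and the function names are this example's own.

```python
# Added example: a small triage pass over HijackThis (HJT) log lines, written
# for this thread; it is not HijackThis's own code nor the helper's. The rules
# mirror the entries the helper asked to "Fix checked" above, plus the
# O23 "(file missing)" pattern that the posted log also shows.
import re
from dataclasses import dataclass
from typing import Optional

# Sample input. All lines except the WgaLogon one are copied from the HJT log
# posted in this thread; the WgaLogon line is constructed as a legitimate O20
# entry so the rule has something it must NOT flag.
SAMPLE_HJT_LOG = r"""
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

# Every HJT entry starts with a section code (R0, O2, O20, ...) and " - ".
ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")


@dataclass
class Finding:
    code: str    # HJT section, e.g. "O20"
    line: str    # the raw log line
    reason: str  # why it deserves the helper's attention


def parse_entry(line: str) -> Optional[tuple]:
    """Split an HJT line into (section code, body); None for non-entry lines."""
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage_line(line: str) -> Optional[Finding]:
    """Apply the thread's triage rules to one HJT line."""
    parsed = parse_entry(line)
    if parsed is None:
        return None
    code, body = parsed
    # R0: the IE start page. Anything that is not a plain http(s) URL
    # (here about:blank) is informational; the helper reset it anyway.
    if code == "R0" and "Start Page" in body:
        value = body.split("=", 1)[1].strip()
        if not value.lower().startswith(("http://", "https://")):
            return Finding(code, line, "IE start page is not a normal URL: %s" % value)
    # O2: a BHO whose DLL no longer exists is a dead registration that a
    # removal left behind; HJT prints "(no file)" for it.
    if code == "O2" and body.endswith("(no file)"):
        return Finding(code, line, "BHO CLSID registered but its DLL is gone")
    # O20: a Winlogon Notify package must name a DLL. A bare directory such
    # as C:\WINDOWS\ means the DLL was removed but the registry key remains.
    if code == "O20" and body.startswith("Winlogon Notify:"):
        parts = body.split(" - ", 1)
        target = parts[1].strip() if len(parts) == 2 else ""
        if not target.lower().endswith(".dll"):
            return Finding(code, line, "Winlogon Notify entry does not point at a DLL: %r" % target)
    # O23: a service whose binary is missing cannot start, but the leftover
    # registration is still clutter worth removing.
    if code == "O23" and body.endswith("(file missing)"):
        return Finding(code, line, "service registered but its binary is missing")
    return None


def triage_log(text: str) -> list:
    """Run triage_line over a whole HJT log and keep only the findings."""
    findings = []
    for raw in text.splitlines():
        finding = triage_line(raw)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage_log(SAMPLE_HJT_LOG):
        print("[%s] %s\n    %s" % (f.code, f.reason, f.line))
```

Run against the sample it reports exactly the three entries the helper ticked plus the Crypkey service, and leaves the Adobe BHO, the NOD32 service and the constructed WgaLogon entry alone. The R0 rule is deliberately the loosest: a blank start page is not harmful by itself, it is only flagged so the reader sees why it was on the fix list.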

Hi, thanks for your fast reply.

This is what 'SafeBootKeyRepair' came out with:

Nothing wrong with your SafeBoot Key

Didn't your Momma teach you not to play with strange tools?

LOL ...

Press any key to continue ...

I can print a print screen if you don't believe me :lol:

 

Anyway, back to work.

 

ComboFix log:

"Administrator" - 2007-06-13 3:22:16 Service Pack 2 NTFS

ComboFix 07-06-06 - Running from: ""

 

 

((((((((((((((((((((((((( Files Created from 2007-05-12 to 2007-06-12 )))))))))))))))))))))))))))))))

 

 

2007-06-12 20:44 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab

2007-06-12 20:32 528 --a------ C:\CFCleanUp.bat

2007-06-11 23:18 26,112 --a------ C:\WINDOWS\system32\nircmd.exe

2007-06-11 23:18 <DIR> drahs---- C:\autorun.inf

2007-06-11 23:05 <DIR> d-------- C:\Program Files\FlashGet

2007-06-10 23:15 <DIR> d--h----- C:\WINDOWS\Icons

2007-06-10 22:28 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Opera

2007-06-10 22:27 <DIR> d-------- C:\Program Files\Opera

2007-06-10 16:03 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Comodo

2007-06-10 16:03 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Comodo

2007-06-10 16:02 <DIR> d-------- C:\Program Files\Comodo

2007-06-10 14:33 512,096 --a------ C:\WINDOWS\system32\drivers\amon.sys

2007-06-10 14:33 299,392 --a------ C:\WINDOWS\system32\imon.dll

2007-06-10 14:33 15,424 --a------ C:\WINDOWS\system32\drivers\nod32drv.sys

2007-06-10 14:31 <DIR> d-------- C:\Program Files\nod32

2007-06-09 23:02 49,152 --a------ C:\WINDOWS\nircmd.exe

2007-06-04 19:31 356,352 --a------ C:\WINDOWS\eSellerateEngine.dll

2007-06-03 07:54 81,984 --a------ C:\WINDOWS\system32\bdod.bin

2007-06-03 07:52 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Bitdefender

2007-06-03 07:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\BitDefender

2007-06-03 00:39 <DIR> d-------- C:\Program Files\HJTHotkey

2007-06-02 23:56 <DIR> d-------- C:\WINDOWS\BDOSCAN8

2007-06-02 22:40 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-05-30 06:32 <DIR> d-------- C:\Program Files\iLike

2007-05-25 00:19 <DIR> d-------- C:\WINDOWS\system32\VIRepair

2007-05-23 16:35 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy

2007-05-22 17:14 <DIR> d-------- C:\Program Files\XoftSpy

 

 

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

 

2007-06-11 12:20:53 -------- d-----w C:\Program Files\TuneUp Utilities 2007

2007-06-03 01:05:32 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll

2007-06-02 16:37:02 -------- d-----w C:\Program Files\SpywareBlaster

2007-05-29 22:32:20 -------- d-----w C:\Program Files\iTunes

2007-05-22 01:05:51 -------- d-----w C:\Program Files\NCH Swift Sound

2007-05-22 00:01:34 -------- d-----w C:\Program Files\lx_cats

2007-05-21 13:20:35 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Orbit

2007-05-20 08:34:40 389,120 ----a-w C:\WINDOWS\udll3011.dll

2007-05-20 08:34:40 0 ----a-w C:\WINDOWS\system32\UTSCSI.EXE

2007-05-19 15:39:35 -------- d-----w C:\Program Files\MSN Messenger

2007-05-14 02:06:51 -------- d-----w C:\Program Files\Plato Video To 3GP Converter

2007-05-10 05:42:39 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Media Player Classic

2007-05-05 14:36:48 -------- d-----w C:\Program Files\Acoustica MP3 To Wave Converter PLUS

2007-04-28 00:46:55 -------- d-----w C:\Program Files\Design Explorer 99 SE

2007-04-28 00:32:58 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\TuneUp Software

2007-04-28 00:32:23 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard

2007-04-23 14:32:52 -------- d-----w C:\Program Files\SWiSHmax

2007-04-19 10:42:52 -------- d-----w C:\Program Files\MP3 Player Utilities 4.00

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

2007-04-18 14:39:42 -------- d-----w C:\DOCUME~1\ADMINI~1\APPLIC~1\Stardock

2007-04-18 14:39:30 -------- d-----w C:\Program Files\LClock

2007-04-14 10:15:19 -------- d-----w C:\Program Files\WIDCOMM

2007-04-13 04:05:11 -------- d-----w C:\Program Files\Winamp

2007-03-28 20:42:42 29,704 ----a-w C:\WINDOWS\system32\uxtuneup.dll

2007-03-17 13:45:03 292,864 ----a-w C:\WINDOWS\system32\winsrv.dll

2007-03-15 04:23:16 497,496 ----a-w C:\WINDOWS\system32\XceedZip.dll

2007-03-15 04:19:58 526,184 ----a-w C:\WINDOWS\system32\XceedCry.dll

 

 

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

 

 

*Note* empty entries & legit default entries are not shown

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]

{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\Program Files\FlashGet\jccatch.dll [2007-05-16 17:03]

{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}=C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll [2007-03-14 03:43]

{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-07-07 12:29]

{AA58ED58-01DD-4d91-8333-CF10577473F7}=c:\program files\google\googletoolbar3.dll [2007-01-19 23:55]

{F156768E-81EF-470C-9057-481BA8380DBA}=C:\Program Files\FlashGet\getflash.dll [2007-05-16 13:05]

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"Media"="C:\Program Files\G10C Mouse\moffice.exe" [2007-01-17 10:22]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-10 14:29]

"VTTimer"="VTTimer.exe" [2004-01-15 20:33 C:\WINDOWS\system32\VTTimer.exe]

"SoundMan"="SOUNDMAN.EXE" [2006-11-17 05:42 C:\WINDOWS\soundman.exe]

"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe" [2007-03-14 03:43]

"LClock"="C:\Program Files\LClock\LClock.exe" [2004-09-20 01:27]

"nod32kui"="C:\Program Files\Eset\nod32kui.exe" [2007-06-10 14:31]

"COMODO Firewall Pro"="C:\Program Files\Comodo\Firewall\CPF.exe" [2007-06-10 16:02]

 

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-02-14 20:27]

"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]

"NoStrCmpLogical"=1 (0x1)

 

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]

"NoRecentDocsHistory"=1 (0x1)

"ClearRecentDocsOnExit"=1 (0x1)

 

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2006-09-28 22:13]

 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuns32]

 

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Bluetooth.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Bluetooth.lnk

backup=C:\WINDOWS\pss\Bluetooth.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Orbit.lnk]

path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Orbit.lnk

backup=C:\WINDOWS\pss\Orbit.lnkCommon Startup

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]

"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ares]

"C:\Program Files\Ares\Ares.exe" -h

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Blaero Start Orb]

C:\Program Files\Blaero Start Orb\Blaero Start Orb.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EzPrint]

"C:\Program Files\Lexmark 2400 Series\ezprint.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FaxCenterServer]

"C:\Program Files\Lexmark Fax Solutions\fm3032.exe" /s

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]

"C:\Program Files\iTunes\iTunesHelper.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\lxcrmon.exe]

"C:\Program Files\Lexmark 2400 Series\lxcrmon.exe"

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]

"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]

"C:\Program Files\QuickTime\qttask.exe" -atboottime

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Rainlendar2]

C:\Program Files\Rainlendar2\Rainlendar2.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]

"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]

C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TuneUp MemOptimizer]

"C:\Program Files\TuneUp Utilities 2007\MemOptimizer.exe" autostart

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Vista Sidebar]

C:\Program Files\Vista Sidebar\sidebar.exe

 

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinClicker.exe]

"C:\Program Files\Salling Software AB\Salling Clicker\WinClicker.exe" -atboottime

 

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost *netsvcs*

UxTuneUp

 

 

Contents of the 'Scheduled Tasks' folder

2007-05-18 09:16:36 C:\WINDOWS\tasks\1-Click Maintenance.job

 

**************************************************************************

 

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-06-13 03:24:09

Windows 5.1.2600 Service Pack 2 NTFS

 

scanning hidden processes ...

 

scanning hidden autostart entries ...

 

scanning hidden files ...

 

scan completed successfully

hidden files: 0

 

**************************************************************************

 

Completion time: 2007-06-13 3:24:59

C:\ComboFix-quarantined-files.txt ... 2007-06-13 03:24

C:\ComboFix2.txt ... 2007-06-12 20:34

C:\ComboFix3.txt ... 2007-06-10 00:02

 

--- E O F ---

 

HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 3:25:50 AM, on 6/13/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

 

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\G10C Mouse\moffice.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\WINDOWS\system32\VTTimer.exe

C:\WINDOWS\SOUNDMAN.EXE

C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

C:\Program Files\LClock\LClock.exe

C:\Program Files\Eset\nod32kui.exe

C:\Program Files\Comodo\Firewall\CPF.exe

C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

C:\Program Files\G10C Mouse\MOUSE32A.EXE

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

C:\Program Files\Comodo\Firewall\cmdagent.exe

C:\Program Files\Eset\nod32krn.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

C:\Program Files\Opera\Opera.exe

C:\WINDOWS\explorer.exe

D:\HJT\HiJackThis_v2.exe

 

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll

O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll

O4 - HKLM\..\Run: [Media] C:\Program Files\G10C Mouse\moffice.exe

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [VTTimer] VTTimer.exe

O4 - HKLM\..\Run: [soundMan] SOUNDMAN.EXE

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"

O4 - HKLM\..\Run: [LClock] C:\Program Files\LClock\LClock.exe

O4 - HKLM\..\Run: [nod32kui] "C:\Program Files\Eset\nod32kui.exe" /WAITSERVICE

O4 - HKLM\..\Run: [COMODO Firewall Pro] "C:\Program Files\Comodo\Firewall\CPF.exe" /background

O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe

O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe

O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Open in &new window - C:\Documents and Settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\Web\tuofinw.htm

O8 - Extra context menu item: Search with &Google - C:\Documents and Settings\Administrator\Application Data\TuneUp Software\TuneUp Utilities\Web\gsearch.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll

O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: @btrez.dll,-4015 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra 'Tools' menuitem: @btrez.dll,-12650 - {CCA281CA-C863-46ef-9331-5C8D4460577F} - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie.htm

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/d...can_unicode.cab

O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab

O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC1B26F-0CA7-4FF5-A254-3D7CE55133DC}: NameServer = 202.188.0.133,202.188.1.5

O20 - Winlogon Notify: winuns32 - C:\WINDOWS\

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe

O23 - Service: Ares Chatroom server (AresChatServer) - Ares Development Group - C:\Program Files\Ares\chatServer.exe

O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe

O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe

O23 - Service: Comodo Application Agent (CmdAgent) - COMODO - C:\Program Files\Comodo\Firewall\cmdagent.exe

O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)

O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe

O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe

O23 - Service: lxcr_device - - C:\WINDOWS\system32\lxcrcoms.exe

O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe

O23 - Service: CLCV0 (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

O23 - Service: BitDefender Virus Shield (VSSERV) - Unknown owner - C:\Program Files\Softwin\BitDefender10\vsserv.exe (file missing)

O23 - Service: BitDefender Communicator (XCOMM) - Softwin - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe

 

--

End of file - 8025 bytes

 

P.S.: I noticed that when I press ComboFix, it does this:

"R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank"

I didn't turn off my TeaTimer.

And no, I still can't enter Safe Mode.

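As an added example, not part of the original thread and not code from HijackThis or any other tool named in it: a small Python triage script that applies to a HijackThis log the same checks a helper applies by eye. The heuristics are drawn from what this thread shows: orphaned entries ("(no file)", "(file missing)"), the O20 Winlogon Notify entry that points at a bare directory, IE policy restrictions, non-default DNS servers, Run entries with no full path, and the 7-8 random lowercase letter file names that ComboFix quarantined on this machine (aobhoffi.dll, dnvsorun.exe and so on). The sample log is constructed: most lines are copied from the posted log, while the O4 'dnvsorun' and O20 'wnurdsuy' lines are made up to mirror the quarantined names. The severity labels and the `KNOWN_NAMES` allowlist are my assumptions.

```python
import re

# Constructed sample in HijackThis 2.0 format. Most lines are copied from the
# log in the post above; the O4 'dnvsorun' and O20 'wnurdsuy' lines are made
# up to mirror the 8-random-letter files ComboFix quarantined on this machine.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [dnvsorun] C:\WINDOWS\system32\dnvsorun.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O17 - HKLM\System\CCS\Services\Tcpip\..\{2DC1B26F-0CA7-4FF5-A254-3D7CE55133DC}: NameServer = 202.188.0.133,202.188.1.5
O20 - Winlogon Notify: winuns32 - C:\WINDOWS\
O20 - Winlogon Notify: wnurdsuy - C:\WINDOWS\system32\wnurdsuy.dll
O23 - Service: Crypkey License - Unknown owner - crypserv.exe (file missing)
O23 - Service: NOD32 Kernel Service (NOD32krn) - Eset - C:\Program Files\Eset\nod32krn.exe
"""

ENTRY = re.compile(r"^([ORFN]\d+) - (.*)$")
# Vundo/Virtumonde drops DLLs and EXEs named with 7-8 random lowercase letters
# (aobhoffi.dll, dnvsorun.exe, xxyxxvt.dll ...). Legitimate Windows binaries of
# that shape are allowlisted (assumed list) so they are not reported.
RANDOM_NAME = re.compile(r"\\([a-z]{7,8})\.(?:dll|exe)\b")
KNOWN_NAMES = {"explorer", "services", "winlogon", "userinit", "browseui",
               "shdocvw", "ntoskrnl", "autochk", "spoolsv", "svchost"}


def classify(kind, body):
    """Return (severity, reason) pairs for one HijackThis entry."""
    hits = []
    if "(no file)" in body or "(file missing)" in body:
        hits.append(("cleanup", "orphaned entry, target no longer exists; fix it to drop the dangling reference"))
    if kind == "O20" and body.rstrip().endswith("\\"):
        hits.append(("suspect", "Winlogon Notify entry points at a directory, not a DLL; Vundo-style residue"))
    if kind == "O2" and "(no name)" in body and "(no file)" not in body:
        hits.append(("review", "BHO with no name; identify the DLL before keeping it"))
    if kind == "O6":
        hits.append(("review", "IE policy restrictions present; malware sets these to hinder cleanup, check they are intentional"))
    if kind == "O17":
        hits.append(("review", "non-default DNS servers; confirm they belong to your ISP"))
    if kind == "O4" and "\\" not in body.split("]", 1)[-1]:
        hits.append(("review", "Run entry with no full path; a same-named file earlier in the search order would run instead"))
    for name in RANDOM_NAME.findall(body):
        if name not in KNOWN_NAMES:
            hits.append(("suspect", f"random-looking binary name '{name}'; matches the Vundo naming pattern"))
    return hits


def triage(log_text):
    """Parse a HijackThis log and return one finding dict per heuristic hit."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, the 'Running processes' block, blanks
        kind, body = m.groups()
        for severity, reason in classify(kind, body):
            findings.append({"kind": kind, "severity": severity,
                             "reason": reason, "line": line})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:7}] {f['kind']}: {f['reason']}")
        print(f"          {f['line']}")
```

The "review" hits are deliberately noisy: the nameless BHO in the sample is Spybot's own SDHelper.dll, and the O17 name servers may simply be the ISP's. The point of the script is to make you look those up, not to decide for you; only the orphaned entries and the directory-only O20 entry are safe to fix without further checking.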

Hi Bright One, :wave:

 

Yep, that would come out from SafeBootKeyRepair if it didn’t find anything wrong. :)

 

OK, we'll do a couple more things to see if we can fix your Safe Mode problem. But first I would like you to run SFP again and pack these filepaths (I gave you the wrong filepaths the last time):

 

C:\QooBox\Quarantine\C\intvuvmp.exe.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\aobhoffi.dll.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\dafxiola.dll.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\dnvsorun.exe.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\hkhcvedu.exe.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\igvqyepl.dll.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\ivbhumtc.dll.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\iycmaypk.dll.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\tiahrpba.exe.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\TUKernel.exe.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\vwtmukgn.exe.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\wmsjfmkf.dll.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\wnurdsuy.dll.vir

C:\QooBox\Quarantine\C\WINDOWS\system32\wwdfkkim.dll.vir

 

 

NEXT:

 

Let's do this and see if that solves your Safe Mode problem.

 

Please open Notepad and copy and paste the text present inside the code box below (don't forget to copy and paste REGEDIT4 as well):

 

REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

 

Save this as fix.reg and change the "Save as type" to "All Files" and place it on your desktop.

 

It should look like this: [screenshot: reg.gif]

 

Double-click on it and when it asks you if you want to merge the contents to the registry, click "Yes" or "OK". You should receive a message that it was successful.

 

In case you still are unsure on how to create a REG file, please take a look HERE with screenshots.

 

 

NEXT:

 

For this next step, please have your original Windows XP installation CD handy.

(If you don't have your original Windows XP installation CD, proceed with the scan anyway. If the scan prompts you to replace a corrupt OS file, direct it to the dllcache or i386 folder that should be present in your system. That's where Windows XP keeps its backup OS files. The location of these folders varies from system to system, so you would have to locate them first and remember their locations.)

  • Then, please go to Start -> Run and type (or copy and paste):

    sfc /scannow

  • Click "OK".
  • The System File Checker will now run. If it finds any corrupt OS files, it will prompt you to insert your Windows XP installation CD. If nothing is found, it will close by itself.
  • Please be patient as this scan may take a while to complete.

Is the Safe Mode problem the only persistent one left? Any others or any suspicious behaviour on your machine that I should know about?

Edited by Sempurna

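To make the semantics of that fix.reg concrete, here is an added example (not from the thread, and not code from regedit or any tool it mentions): a small Python model of REGEDIT4 merge semantics applied to a constructed fragment of SafeBoot\Minimal. It shows why the fix first deletes the key and then recreates it (`[-key]` removes the key and everything under it, so any stray values are dropped too, and `@=` sets the key's default value), and adds a check that reports SafeBoot entries whose default value is missing or unexpected. The BASELINE entries other than vds, the `VALID_DEFAULTS` set and all function names are my assumptions, not something the thread states.

```python
import re

MINIMAL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal"
VDS = MINIMAL + r"\vds"

# Constructed starting state: a fragment of SafeBoot\Minimal as
# {key path: {value name: data}}, with "@" standing for the key's default
# value. The 'vds' entry is deliberately broken (empty default) to stand in
# for the corruption the fix.reg above targets. The other three entries are
# assumptions about a typical XP SP2 box, not taken from the thread.
BASELINE = {
    MINIMAL + r"\AppMgmt": {"@": "Service"},
    MINIMAL + r"\Base": {"@": "Driver Group"},
    VDS: {"@": ""},
    MINIMAL + r"\vga.sys": {"@": "Driver"},
}

# The fix.reg from the post above, verbatim.
FIX_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"
"""

KEY_LINE = re.compile(r'^\[(-?)(.+)\]$')
VALUE_LINE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def parse_reg(text):
    """Turn a REGEDIT4 file into ('delete', key) / ('create', key) /
    ('set', key, name, data) operations, in file order."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != "REGEDIT4":
        raise ValueError("missing REGEDIT4 header; regedit would refuse the file")
    ops, current = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        km = KEY_LINE.match(line)
        if km:
            if km.group(1) == "-":          # [-key] deletes the key and its subtree
                ops.append(("delete", km.group(2)))
                current = None
            else:                           # [key] creates the key if absent
                ops.append(("create", km.group(2)))
                current = km.group(2)
            continue
        vm = VALUE_LINE.match(line)
        if vm and current is not None:
            name = "@" if vm.group(1) == "@" else vm.group(1)[1:-1]
            data = vm.group(2)
            if data.startswith('"') and data.endswith('"'):   # REG_SZ; other types kept raw
                data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            ops.append(("set", current, name, data))
            continue
        raise ValueError(f"unrecognised line: {line!r}")
    return ops


def apply_reg(registry, ops):
    """Apply parsed operations to a copy of the registry dict and return it."""
    reg = {k: dict(v) for k, v in registry.items()}
    for op in ops:
        if op[0] == "delete":
            target = op[1].lower()
            for k in [k for k in reg if k.lower() == target or k.lower().startswith(target + "\\")]:
                del reg[k]
        elif op[0] == "create":
            reg.setdefault(op[1], {})
        else:
            _, key, name, data = op
            reg.setdefault(key, {})[name] = data
    return reg


# Default values a service/driver entry under SafeBoot\Minimal is expected to
# carry (assumed from XP's layout). Device-class GUID keys, whose default is
# the class description, are skipped by the check.
VALID_DEFAULTS = {"Driver", "Service", "Driver Group"}
GUID_KEY = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


def safeboot_problems(registry):
    """Return (entry name, default value) for SafeBoot\\Minimal entries whose
    default value is missing or not one of the expected strings."""
    problems = []
    prefix = MINIMAL.lower() + "\\"
    for key, values in registry.items():
        if not key.lower().startswith(prefix):
            continue
        name = key[len(prefix):]
        if GUID_KEY.match(name):
            continue
        default = values.get("@", "")
        if default not in VALID_DEFAULTS:
            problems.append((name, default))
    return problems


if __name__ == "__main__":
    print("before:", safeboot_problems(BASELINE))
    fixed = apply_reg(BASELINE, parse_reg(FIX_REG))
    print("after: ", safeboot_problems(fixed))
```

Two practical caveats follow from the model: the REGEDIT4 header must be the first line or regedit rejects the file, and the file must really be saved as fix.reg (hence "All Files" in the Save dialog), since a fix.reg.txt just opens in Notepad and merges nothing.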

Hi, thanks for the fast reply. I've done the above steps up to

'For this next step, please have your original Windows XP installation CD handy.'

I searched for the i386 folder and was returned 9 folders.

Anyway, I'll post again after I've finished the last step.


I ran the 'sfc /scannow' command; a cmd-looking window opened and closed almost instantly.

IMO, Safe Mode is the only problem left; I don't sense any suspicious behaviour on my computer.

FYI, when I go into Safe Mode, the last line I see is

'multi(0)disk(0)rdisk(0)partition(1)\WINDOWS\System32\Drivers\Mup.sys'

After that line, my PC halts... for (I don't know how long, I fell asleep while waiting) and then it goes into normal Windows. I assume a reboot was done while I was asleep. I waited for more than 50 minutes.


You're most welcome, Bright One. :)

 

You have 9 instances of the i386 folder? May I know what is inside those folders, please?

 

Let's do the "sfc /scannow" from the command prompt window and see whether it will run or not.

 

For this next step, please have your original Windows XP installation CD handy.

(If you don't have your original Windows XP installation CD, proceed with the scan anyway. If the scan prompts you to replace a corrupt OS file, direct it to the dllcache or i386 folder that should be present in your system. That's where Windows XP keeps its backup OS files. The location of these folders varies from system to system, so you would have to locate them first and remember their locations.)

  • Then, please go to Start -> Run and type (or copy and paste):

    cmd

  • Click "OK".
  • A black DOS window with the Command Prompt or C:\WINDOWS\system32\cmd.exe header will now appear. Now type (or copy and paste):

    sfc /scannow

  • Hit "Enter".
  • The System File Checker will now run. If it finds any corrupt OS files, it will prompt you to insert your Windows XP installation CD. If nothing is found, it will close by itself.
  • Please be patient as this scan may take a while to complete.

Please let me know how things go. It appears you have some corruption in your OS.


I have 1 jvm file each in 5 of the folders.

The other 4:

1) Under "C:\WINDOWS\Driver Cache\i386",

11 files: aec.sys, driver.cab (4778 files inside), http.sys, kmixer.sys, mrxsmb.sys, ntkrnlmp.exe, ntkrnlpa.exe, ntkrpamp.exe, splitter.sys and wdmaud.sys

2) Under "C:\WINDOWS\system32\ReinstallBackups\0004\DriverFiles\i386"

1 file: isapnp.sys

3) Under "C:\WINDOWS\system32\ReinstallBackups\0008\DriverFiles\i386"

3 files: atapi.sys, pciidex.sys, viaide.sys

And lastly,

4) Under "C:\WINDOWS\system32\ReinstallBackups\0009\DriverFiles\i386"

7 files: drmk.sys, ks.sys, ksproxy.ax, ksuser.dll, portcls.sys, stream.sys, wdmaud.sys

I've attached a screenshot:

http://aycu04.webshots.com/image/18123/200...71282250_rs.jpg


OK, now I've run cmd and sfc /scannow, and this is what came out:

Windows File Protection could not initiate a scan of protected system files.

The specific error code is 0x000006ba [The RPC server is unavailable.].


Hi Bright One, :wave:

 

It looks like we need to do a repair reinstall of your OS. Don't worry, there is no reformatting involved here, and your data files will remain intact.

 

OK, this is what we do next. Please follow the instructions here (print them out, please):

http://www.michaelstevenstech.com/XPrepairinstall.htm

 

Let me know how things go, please.


Hi Sempurna, I've read through the 'http://www.michaelstevenstech.com/XPrepairinstall.htm' page and it seems like I really need to have my Windows XP installation CD, which I do not have.

I really appreciate your help, but I don't think I'll proceed any further due to the overwhelming number of files I have to back up (and my portable HDD isn't around, which makes it all the 'better').

Maybe after I've backed up my important documents, I'll do a reformat of the PC.

Edited by bRIGHt OnE


Hi Bright One, :wave:

 

Good idea there. Backup all your important documents and data, but no need to reformat and reinstall. A repair reinstall would do just fine.

 

Let me know how things go.


Hi, I would like to know what would happen if I use a newer version of the OS for the repair reinstall?

E.g.:

I installed my PC using XP-2006, but now I want to do a repair install with XP-2007. Is that OK?


Hi Bright One, :wave:

 

Hmm, I don't see why not. Most problems with a repair reinstall arise when what you have on your system is newer than the CD. And that could still be a problem. Just take note of all the things on the Repair Reinstall page that I linked for you. Printing them out would be best.

 

Back up all your valuable data, or even better, Ghost your hard drive. That way, if the repair reinstall doesn't go as planned, you can go back to your present system, albeit with all the errors and file corruption. A corrupt system is better than no system. :)


Hi, I was considering upgrading my PC to XP x64. How do I check whether my hardware is compatible with it? I quoted this from the TuneUp System Advisor:

Your computer has a 64bit processor, but your current Windows version only uses 32 of the available 64 bits. You should consider upgrading to a 64bit version of your operating system to benefit from improved security and better system performance.

After reading that, I went to Microsoft to check out XP x64, and I noticed that I have to consider whether my other hardware is compatible. So what should I do?

P.S.: Sorry if I shouldn't post this here...


You would have to check every chipset, sound card, video card, LAN card, all the other various hardware in your system, etc. Also, check whether the various drivers in your system are compatible.

 

All these can be found in your device manager profile. You would then have to Google for more information on each individual hardware item to see whether it is compatible with XP64.

 

There are always hardware problems when upgrading. Why bother if your current system is satisfactory? :)


Since this issue appears resolved ... this Topic is closed.

 

If you need this topic reopened, please tell the moderating team by replying HERE with the address of the thread. This applies only to the original topic starter.

 

Everyone else please begin a New Topic.
