another vundo victim???


ijusth

Thread Starter
The problem only occurs when I have IE open. I have Norton AV running and it catches the infection attempts and deletes stuff, but I still get browser windows constantly opening new windows (I have Google, IE and Pop-up Stopper all working and still they get through). Also, I am not sure if this is related, but I can't go into safe mode. I press F8 and get the normal prompt choices, but whether I select safe, safe with network, or safe with command line it seems to fail and then reboots to return to the same screen, essentially saying it failed. But back to the virus thing. Here are the three files: the VundoFix log, the SUPERAntiSpyware log and finally the HijackThis log:

VUNDOFIX

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 11:22:50 PM 7/2/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp9.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp9.tmp.dll
C:\WINDOWS\system32\tmp9.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 12:10:56 AM 7/3/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 11:00:58 AM 7/3/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp125.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp125.tmp.dll
C:\WINDOWS\system32\tmp125.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 12:20:59 AM 7/4/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp8B.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp8B.tmp.dll
C:\WINDOWS\system32\tmp8B.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 12:29:43 AM 7/4/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 2:12:01 PM 7/4/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmpDC.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmpDC.tmp.dll
C:\WINDOWS\system32\tmpDC.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 2:17:06 PM 7/4/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 2:32:07 PM 7/5/2007

Listing files found while scanning....

No infected files were found.

*****************************************
Superanti log:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/04/2007 at 04:39 PM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 02:15:18

Memory items scanned : 498
Memory threats detected : 1
Registry items scanned : 6503
Registry threats detected : 5
File items scanned : 87557
File threats detected : 35

Trojan.Duncan
C:\WINDOWS\SYSTEM32\MEMTIF.DLL
C:\WINDOWS\SYSTEM32\MEMTIF.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4bc35c62-1ca7-4dd6-b7ce-3f021265976f}
HKCR\CLSID\{4BC35C62-1CA7-4DD6-B7CE-3F021265976F}
HKCR\CLSID\{4BC35C62-1CA7-4DD6-B7CE-3F021265976F}\InprocServer32
HKCR\CLSID\{4BC35C62-1CA7-4DD6-B7CE-3F021265976F}\InprocServer32#ThreadingModel
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\memtif

Adware.Tracking Cookie

********************************************

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 2:12:27 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\PROGRA~1\NORTON~1\navw32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\BitComet\BitComet.exe
C:\Program Files\Messenger\msmsgs.exe
C:\hjt\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
O1 - Hosts: 205.238.40.1 test3204.winmx.com test3208.winmx.com
O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
O1 - Hosts: 205.238.40.1 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: (no name) - {4bc35c62-1ca7-4dd6-b7ce-3f021265976f} - C:\WINDOWS\system32\memtif.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\urssrp.dll",realset
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\memtif.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\memtif.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\memtif.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\memtif.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\memtif.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175396128718
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - AppInit_DLLs: c:\windows\system32\geebaaw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: memtif - C:\WINDOWS\SYSTEM32\memtif.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

Thanks in advance for the help.
 

JSntgRvr

José
Retired Moderator and Malware Specialist
Hi, ijusth. :)

Welcome to TSG.

Download the HostsXpert 3.8 - Hosts File Manager.
  • Unzip HostsXpert 3.8 - Hosts File Manager to a convenient folder such as C:\HostsXpert
  • Click HostsXpert.exe to Run HostsXpert 3.8 - Hosts File Manager from its new home
  • Click "Make Hosts Writable?" in the upper right corner (If available).
  • Click Restore Microsoft's Hosts file and then click OK.
  • Click the X to exit the program.
  • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
Your Java seems to be out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove the older versions of the Java components and upgrade the application. Beware that it is NOT supported for use on 9x or ME and probably will not install on those systems.

Upgrading Java:
  • Download the latest version of Java Runtime Environment (JRE) 6u1.
  • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
  • Click the "Download" button to the right.
  • Check the box that says: "Accept License Agreement".
  • The page will refresh.
  • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java version.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on the download to install the newest version.
Please download VundoFix.exe to your desktop.

Note: In the event you already have Vundofix, this is a new version that I need you to download.
  • Double-click VundoFix.exe to run it.
  • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
  • When VundoFix re-opens, click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt in your next reply.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Download ComboFix from Here or Here to your Desktop.

Note: In the event you already have Combofix, this is a new version that I need you to download.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log in your next reply.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Download Superantispyware (SAS)
  1. Install it and double-click the icon on your desktop to run it.
  2. It will ask if you want to update the program definitions, click Yes.
  3. Under Configuration and Preferences, click the Preferences button.
  4. Click the Scanning Control tab.
  5. Under Scanner Options make sure the following are checked:
    • Close browsers before scanning
    • Scan for tracking cookies
    • Terminate memory threats before quarantining.
    • Please leave the others unchecked.
    • Click the Close button to leave the control center screen.
  6. On the main screen, under Scan for Harmful Software click Scan your computer.
  7. On the left check C:\Fixed Drive.
  8. On the right, under Complete Scan, choose Perform Complete Scan.
  9. Click Next to start the scan. Please be patient while it scans your computer.
  10. After the scan is complete a summary box will appear. Click OK.
  11. Make sure everything in the white box has a check next to it, then click Next.
  12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
  13. To retrieve the removal information, please do the following:
    • After reboot, double-click the SUPERAntispyware icon on your desktop.
    • Click Preferences. Click the Statistics/Logs tab.
    • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    • It will open in your default text editor (such as Notepad/Wordpad).
    • Please highlight everything in the notepad, then right-click and choose copy.
  14. Click close and close again to exit the program.
  15. Please paste that information in your next reply along with a fresh HijackThis log.
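The entries José's steps go after (the hosts file additions, the Vundo DLLs, and the unnamed BHO, Winlogon Notify and AppInit_DLLs lines in ijusth's first HijackThis log) can be picked out of a HijackThis log mechanically. The script below is an added example, not a tool from this thread or part of HijackThis; it assumes a C: system drive, uses a small allow-list of expected Winlogon Notify DLLs, and runs over constructed sample lines copied from the first log plus benign look-alikes that the rules must leave alone.

```python
"""Triage of HijackThis v1.99.1 log lines for the indicators discussed in
this thread. Added example, not a tool from the thread or part of HijackThis;
the allow-list, the C: system drive and the sample lines are assumptions or
constructions made for the example."""
import re
from dataclasses import dataclass

WINDIR = "c:\\windows\\"            # assumed system drive, as on the thread's box
SYSTEM32 = WINDIR + "system32\\"
# Winlogon Notify handlers expected on this XP SP2 box (Intel graphics driver,
# Windows Genuine Advantage). Assumption for the example: anything else under
# system32 in that key is worth a second look.
KNOWN_NOTIFY_DLLS = {"igfxdev.dll", "wgalogon.dll"}

GUID = r"\{[0-9A-Fa-f-]{36}\}"
O1_RE = re.compile(r"^O1 - Hosts: (?P<ip>\S+) (?P<names>.+)$")
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - " + GUID + r" - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - HK\w+\\\.\.\\Run: \[[^\]]*\] (?P<cmd>.+)$")
O9_RE = re.compile(r"^O9 - Extra (?:button|'Tools' menuitem): .* - " + GUID + r" - (?P<path>.+)$")
O20_RE = re.compile(r"^O20 - (?P<kind>Winlogon Notify|AppInit_DLLs): (?P<rest>.+)$")
# First argument handed to rundll32. Bare names such as NvMCTray.dll are left
# unresolved, so only absolute paths are judged.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)', re.IGNORECASE)


@dataclass(frozen=True)
class Finding:
    target: str   # lower-cased DLL basename (or hosts IP) the entry points at
    reason: str   # why it was flagged
    line: str     # the original log line


def _clean(path: str) -> str:
    return path.strip().strip('"').lower()


def _basename(path: str) -> str:
    return _clean(path).split("\\")[-1]


def triage(lines):
    """Return a Finding for each suspicious entry in an HJT log given as lines."""
    findings = []
    stripped = [ln.strip() for ln in lines if ln.strip()]
    for line in stripped:
        m = O1_RE.match(line)
        if m:
            n = len(m["names"].split())
            findings.append(Finding(m["ip"], f"hosts file redirect for {n} name(s); "
                                    "restore the default hosts file unless intentional", line))
            continue
        m = O2_RE.match(line)
        if m:
            # A "(no name)" BHO is only suspicious when it lives in system32; the
            # Spybot SDHelper.dll entry is unnamed too but sits under Program Files.
            if m["name"] == "(no name)" and _clean(m["path"]).startswith(SYSTEM32):
                findings.append(Finding(_basename(m["path"]), "unnamed BHO loaded from system32", line))
            continue
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m["cmd"])
            if r and _clean(r["dll"]).startswith(WINDIR) and not _clean(r["dll"]).startswith(SYSTEM32):
                findings.append(Finding(_basename(r["dll"]), "rundll32 autorun loading a DLL from the Windows root", line))
            continue
        m = O20_RE.match(line)
        if m and m["kind"] == "AppInit_DLLs":
            # AppInit_DLLs is empty on a clean XP install; anything listed here is
            # mapped into every process that loads user32.dll.
            findings.append(Finding(_basename(m["rest"]), "non-empty AppInit_DLLs value", line))
        elif m:
            path = m["rest"].partition(" - ")[2]
            if _clean(path).startswith(SYSTEM32) and _basename(path) not in KNOWN_NOTIFY_DLLS:
                findings.append(Finding(_basename(path), "Winlogon Notify handler outside the expected set", line))
    # Second pass: O9 browser buttons or menu items backed by a DLL flagged above.
    flagged = {f.target for f in findings}
    for line in stripped:
        m = O9_RE.match(line)
        if m and _basename(m["path"]) in flagged:
            findings.append(Finding(_basename(m["path"]), "browser button backed by an already-flagged DLL", line))
    return findings


def dlls_to_quarantine(findings):
    """Distinct DLL basenames across the findings, for a removal checklist."""
    return sorted({f.target for f in findings if f.target.endswith(".dll")})


# Constructed sample: entries copied from the thread's first HijackThis log,
# plus benign look-alikes that the rules must leave alone.
SAMPLE_LOG = r"""
O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
O2 - BHO: (no name) - {4bc35c62-1ca7-4dd6-b7ce-3f021265976f} - C:\WINDOWS\system32\memtif.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\urssrp.dll",realset
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\memtif.dll
O20 - AppInit_DLLs: c:\windows\system32\geebaaw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: memtif - C:\WINDOWS\SYSTEM32\memtif.dll
""".strip().splitlines()

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.target:16} {f.reason}\n    {f.line}")
    print("quarantine candidates:", dlls_to_quarantine(triage(SAMPLE_LOG)))
```

On the sample the script flags memtif.dll three times (BHO, Winlogon Notify, hijacked O9 button), geebaaw.dll, urssrp.dll and the WinMX hosts line, while leaving SDHelper.dll, NvCpl.dll and igfxdev.dll alone.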
 

ijusth

Thread Starter
OK, here are the first three logs.
ComboFix has to go separately since there is a 30k limit on the text upload:

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.11

Scan started at 8:16:50 PM 7/5/2007

Listing files found while scanning....

C:\WINDOWS\system32\tmp1B7.tmp.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\tmp1B7.tmp.dll
C:\WINDOWS\system32\tmp1B7.tmp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:22:20 PM 7/5/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.11

Scan started at 10:26:30 PM 7/5/2007

Listing files found while scanning....

No infected files were found.

**************************
here is hijack:
Logfile of HijackThis v1.99.1
Scan saved at 10:20:56 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\WINDOWS\sttray.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\hjt\HijackThis.exe
C:\Program Files\Messenger\msmsgs.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175396128718
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
O20 - AppInit_DLLs: c:\windows\system32\geebaaw.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

***********************
Here is SUPERAntiSpyware:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/05/2007 at 09:54 PM

Application Version : 3.9.1008

Core Rules Database Version : 3265
Trace Rules Database Version: 1276

Scan type : Complete Scan
Total Scan Time : 01:20:22

Memory items scanned : 474
Memory threats detected : 1
Registry items scanned : 6490
Registry threats detected : 5
File items scanned : 75879
File threats detected : 32

Trojan.Duncan
C:\WINDOWS\SYSTEM32\CT2UT8.DLL
C:\WINDOWS\SYSTEM32\CT2UT8.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be2b1802-cba8-4b3b-9cad-565187b58cc7}
HKCR\CLSID\{BE2B1802-CBA8-4B3B-9CAD-565187B58CC7}
HKCR\CLSID\{BE2B1802-CBA8-4B3B-9CAD-565187B58CC7}\InprocServer32
HKCR\CLSID\{BE2B1802-CBA8-4B3B-9CAD-565187B58CC7}\InprocServer32#ThreadingModel
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\CT2ut8

Adware.Tracking Cookie

Trojan.Downloader-ConHook
C:\WINDOWS\SYSTEM32\VTURR.EXE

***************************
 

ijusth (Thread Starter):
And here is ComboFix:

"Ilan Justh" - 2007-07-05 20:23:20 - ComboFix 07-07-04.4 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\geebaaw.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ILANJU~1\APPLIC~1.\hidires
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp125.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp14F.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1A3.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1AA.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1AC.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1AE.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1AF.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1B1.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1B4.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1B7.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp2.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp67.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp6DA.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp6DB.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp8.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp8B.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp9.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpBE.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpC1.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpD.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpDB.tmp.exe
C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpDC.tmp.exe
C:\DOCUME~1\ILANJU~1\Desktop\internet.lnk
C:\WINDOWS\exefld
C:\WINDOWS\system32\media
C:\WINDOWS\system32\media\AvidRender.wav
C:\WINDOWS\system32\tmp1AA.tmp.dll
C:\WINDOWS\system32\tmp1AF.tmp.dll
C:\WINDOWS\system32\tmp67.tmp.dll
C:\WINDOWS\system32\tmp6DB.tmp.dll
C:\WINDOWS\system32\tmpBE.tmp.dll


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_DOMAINSERVICE
-------\DomainService
-------\m_hook


((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


2007-07-05 20:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 20:13 92,695 --a------ C:\WINDOWS\system32\CT2ut8.dll
2007-07-05 20:12 105,425 --a------ C:\WINDOWS\system32\vturr.exe
2007-07-05 19:44 134,985 --a------ C:\WINDOWS\hggged.dll
2007-07-05 19:40 <DIR> d-------- C:\hostsxpert
2007-07-05 16:07 134,985 --a------ C:\WINDOWS\efdbxv.dll
2007-07-04 14:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-04 14:20 <DIR> d-------- C:\DOCUME~1\ILANJU~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-04 14:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
2007-07-04 11:20 134,993 --a------ C:\WINDOWS\ljigee.dll
2007-07-04 10:33 <DIR> d-------- C:\Program Files\autoruns
2007-07-04 00:30 134,993 --a------ C:\WINDOWS\awwxvs.dll
2007-07-03 19:51 3,846 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-03 19:50 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-03 19:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-03 19:50 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-03 15:32 134,914 --a------ C:\WINDOWS\hgfddc.dll
2007-07-03 15:29 <DIR> d-------- C:\WINDOWS\pss
2007-07-03 14:50 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 14:49 <DIR> d-------- C:\DOCUME~1\ILANJU~1\.housecall6.6
2007-07-03 14:48 <DIR> d-------- C:\Program Files\msconfig
2007-07-03 14:48 <DIR> d-------- C:\Program Files\cwshredder
2007-07-03 14:28 <DIR> d-------- C:\Program Files\rootkit revealer
2007-07-03 14:15 <DIR> d-------- C:\Program Files\smitfraudfix
2007-07-03 14:12 <DIR> d-------- C:\hjt
2007-07-03 14:09 <DIR> d-------- C:\Program Files\hijack this
2007-07-03 11:21 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-07-03 10:45 <DIR> d-------- C:\DOCUME~1\ILANJU~1\APPLIC~1\Tenebril
2007-07-03 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
2007-07-03 10:39 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-07-03 10:39 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
2007-07-03 09:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-07-03 09:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-03 09:40 7,680 --a------ C:\WINDOWS\system32\drivers\RKL1.tmp.sys
2007-07-03 09:30 <DIR> d-------- C:\MessengerCtrlUninstall
2007-07-03 09:25 134,914 --------- C:\WINDOWS\urssrp.dll
2007-07-02 23:39 134,914 --a------ C:\WINDOWS\effcyx.dll
2007-07-02 23:22 <DIR> d-------- C:\VundoFix Backups
2007-07-02 08:29 134,972 --a------ C:\WINDOWS\gebbbc.dll
2007-07-02 08:00 <DIR> d-------- C:\DOCUME~1\ILANJU~1\APPLIC~1\Lavasoft
2007-07-01 17:26 <DIR> d-------- C:\Program Files\Bethesda Softworks
2007-07-01 17:07 40,960 --a------ C:\WINDOWS\system32\psfind.dll
2007-07-01 16:59 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
2007-07-01 16:50 <DIR> d-------- C:\Program Files\THQ
2007-07-01 16:35 314,666 --a------ C:\WINDOWS\system32\dn0c1aa1bf.dat
2007-06-17 01:02 <DIR> d-------- C:\Program Files\GetRight
2007-06-09 18:54 <DIR> d-------- C:\AudioConverter
2007-06-09 10:08 <DIR> d-------- C:\Program Files\LimeWire Acceleration Patch
2007-06-06 20:45 <DIR> d-------- C:\Program Files\clean center


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-06 03:04:02 -------- d-----w C:\Program Files\emule
2007-07-04 22:23:04 -------- d-----w C:\DOCUME~1\ILANJU~1\APPLIC~1\dvdcss
2007-07-04 21:19:57 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2007-07-04 20:43:07 -------- d-----w C:\Program Files\limewire
2007-07-04 06:07:41 200 ----a-w C:\WINDOWS\AUDC50UI.dat
2007-07-04 06:06:13 96 ----a-w C:\WINDOWS\system32\sysmwwod.dll
2007-07-03 21:04:09 -------- d-----w C:\Program Files\Nero
2007-07-03 18:04:09 -------- d-----w C:\Program Files\lavasoft
2007-07-03 17:32:44 -------- d-----w C:\Program Files\Warez P2P Client
2007-07-02 20:06:07 -------- d-----w C:\Program Files\IsoBuster
2007-07-02 15:19:58 -------- d-----w C:\Program Files\panicware
2007-07-02 00:26:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-01 01:00:41 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2007-06-30 02:49:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-25 04:15:44 -------- d-----w C:\Program Files\DivX
2007-06-24 02:27:32 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
2007-06-24 02:27:18 -------- d-----w C:\Program Files\BitComet
2007-06-23 05:08:02 -------- d-----w C:\Program Files\outlook
2007-06-23 05:07:54 -------- d-----w C:\Program Files\Movie Joiner
2007-06-21 04:43:57 -------- d-----w C:\Program Files\VLC
2007-06-12 06:21:25 -------- d-----w C:\DOCUME~1\ILANJU~1\APPLIC~1\uTorrent
2007-06-10 02:06:22 -------- d-----w C:\Program Files\all2mp3
2007-06-08 02:57:58 -------- d-----w C:\DOCUME~1\ILANJU~1\APPLIC~1\SopCast
2007-06-07 04:35:29 -------- d-----w C:\Program Files\firefox
2007-06-07 03:56:10 -------- d-----w C:\Program Files\TagRename
2007-06-07 03:56:09 -------- d-----w C:\Program Files\free download manager
2007-06-07 03:56:09 -------- d-----w C:\Program Files\duplicate finder
2007-06-07 03:56:08 -------- d-----w C:\Program Files\avery
2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-06-03 07:03:19 -------- d-----w C:\Program Files\MXpie Patch
2007-06-03 07:03:00 -------- d-----w C:\Program Files\winmx
2007-06-02 04:25:05 -------- d-----w C:\Program Files\Hello
2007-06-02 03:31:28 -------- d-----w C:\Program Files\iTunes
2007-06-02 03:31:14 -------- d-----w C:\Program Files\iPod
2007-06-02 03:30:40 -------- d-----w C:\Program Files\QuickTime
2007-06-02 03:29:57 -------- d-----w C:\Program Files\Apple Software Update
2007-06-01 04:22:47 -------- d-----w C:\Program Files\HP
2007-06-01 04:09:03 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
2007-05-31 06:45:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-31 06:44:55 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 06:44:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 06:44:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 06:44:54 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-05-11 05:28:38 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2007-05-09 03:44:28 -------- d-----w C:\DOCUME~1\ILANJU~1\APPLIC~1\HP
2007-05-07 02:41:04 -------- d-----w C:\Program Files\undelete
2007-05-06 03:33:52 -------- d-----w C:\Program Files\SopCast
2007-04-28 03:27:38 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-04-28 03:27:38 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}]
C:\Program Files\SpyCatcher\SCActiveBlock.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
2007-06-14 06:07 443968 --a------ C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
2007-06-14 18:32 509592 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}]
2007-04-02 19:19 140912 --a------ C:\Program Files\Norton AntiVirus\NavShExt.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar2.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be2b1802-cba8-4b3b-9cad-565187b58cc7}]
2007-07-05 20:13 92695 --a------ C:\WINDOWS\system32\CT2ut8.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
"LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29]
"SigmatelSysTrayApp"="sttray.exe" [2006-05-26 07:58 C:\WINDOWS\sttray.exe]
"DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 19:29]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
"NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" [2006-02-01 22:10]
"nwiz"="nwiz.exe" [2006-07-24 23:31 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [2006-07-24 23:31 C:\WINDOWS\system32\nvmctray.dll]
"P17Helper"="SPIRun.dll" [2006-07-03 13:43 C:\WINDOWS\system32\SPIRun.dll]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-24 23:31]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-03-31 20:46]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"DefaultP17"=resdef.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CT2ut8]
CT2ut8.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=c:\windows\system32\geebaaw.dll

SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
~~\SafeBoot\Minimal\Base
~~\SafeBoot\Minimal\Boot Bus Extender
~~\SafeBoot\Minimal\Boot file system
~~\SafeBoot\Minimal\dmboot.sys
~~\SafeBoot\Minimal\dmio.sys
~~\SafeBoot\Minimal\dmload.sys
~~\SafeBoot\Minimal\dmserver
~~\SafeBoot\Minimal\File system
~~\SafeBoot\Minimal\Filter
~~\SafeBoot\Minimal\PCI Configuration
~~\SafeBoot\Minimal\Primary disk
~~\SafeBoot\Minimal\RpcSs
~~\SafeBoot\Minimal\SCSI Class
~~\SafeBoot\Minimal\sermouse.sys
~~\SafeBoot\Minimal\System Bus Extender
~~\SafeBoot\Minimal\vga.sys
~~\SafeBoot\Minimal\vgasave.sys
~~\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
~~\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpyCatcher Protector.lnk
backup=C:\WINDOWS\pss\SpyCatcher Protector.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ilan Justh^Start Menu^Programs^Startup^Scheduler.lnk]
path=C:\Documents and Settings\Ilan Justh\Start Menu\Programs\Startup\Scheduler.lnk
backup=C:\WINDOWS\pss\Scheduler.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime


Contents of the 'Scheduled Tasks' folder
2007-05-05 03:49:45 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Ilan Justh.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-05 20:28:12
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-05 20:29:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-05 20:29

--- E O F ---
 

JSntgRvr (José, Retired Moderator and Malware Specialist):
Hi, ijusth :)

  • Copy the entire contents of the Code Box below to Notepad.
  • Name the file ComboFix-Do.txt.
  • Change the Save as Type to All Files.
  • Save it on the desktop.
Code:
File::
C:\WINDOWS\system32\CT2ut8.dll
C:\WINDOWS\system32\vturr.exe
C:\WINDOWS\hggged.dll
C:\WINDOWS\efdbxv.dll
C:\WINDOWS\ljigee.dll
C:\WINDOWS\awwxvs.dll
C:\WINDOWS\hgfddc.dll
C:\WINDOWS\urssrp.dll
C:\WINDOWS\effcyx.dll
C:\WINDOWS\gebbbc.dll
C:\WINDOWS\system32\dn0c1aa1bf.dat

Folder::


ADS::


Driver::


Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be2b1802-cba8-4b3b-9cad-565187b58cc7}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CT2ut8]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""


Once saved, referring to the picture above, drag ComboFix-Do.txt onto ComboFix.exe, and post back the resulting report.

Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a batch file, Query.bat. Double-click the Query.bat file and post back the resulting report.

Post also a fresh HijackThis log.
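The File:: list above comes from reading the ComboFix "Files Created" section for the pattern Vundo leaves behind: a run of DLLs with random six-letter names dropped straight into C:\WINDOWS, all within a few bytes of the same size. As an added example (my own code, not ComboFix's or the thread's), this Python script scores those lines with three heuristics and lists the entries that trip at least two of them; the sample lines are copied from the report above, and the size tolerance and name pattern are assumptions tuned to this log.

```python
import re

# Constructed sample input: a subset of the "Files Created" section of the
# ComboFix report posted above, with legitimate neighbours kept in so the
# heuristics have something to leave alone.
SAMPLE_LINES = r"""
2007-07-05 20:22 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-05 20:13 92,695 --a------ C:\WINDOWS\system32\CT2ut8.dll
2007-07-05 20:12 105,425 --a------ C:\WINDOWS\system32\vturr.exe
2007-07-05 19:44 134,985 --a------ C:\WINDOWS\hggged.dll
2007-07-05 19:40 <DIR> d-------- C:\hostsxpert
2007-07-05 16:07 134,985 --a------ C:\WINDOWS\efdbxv.dll
2007-07-04 14:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-07-04 11:20 134,993 --a------ C:\WINDOWS\ljigee.dll
2007-07-04 00:30 134,993 --a------ C:\WINDOWS\awwxvs.dll
2007-07-03 19:50 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-03 15:32 134,914 --a------ C:\WINDOWS\hgfddc.dll
2007-07-03 14:50 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2007-07-03 10:39 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
2007-07-03 09:25 134,914 --------- C:\WINDOWS\urssrp.dll
2007-07-02 23:39 134,914 --a------ C:\WINDOWS\effcyx.dll
2007-07-02 08:29 134,972 --a------ C:\WINDOWS\gebbbc.dll
2007-07-01 17:07 40,960 --a------ C:\WINDOWS\system32\psfind.dll
2007-07-01 16:35 314,666 --a------ C:\WINDOWS\system32\dn0c1aa1bf.dat
""".strip().splitlines()

# One "Files Created" line: timestamp, size (or <DIR>), nine attribute flags, path.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>[-a-z]{9})\s+"
    r"(?P<path>\S.*?)\s*$"
)

# Assumed name pattern for this family's droppers: a short run of lowercase
# letters with no vendor prefix, digits or mixed case (hggged.dll, effcyx.dll).
RANDOM_NAME_RE = re.compile(r"^[a-z]{5,8}\.(?:dll|exe)$")


def parse_files_created(lines):
    """Return [{'ts', 'size', 'path'}] for file entries; directories are skipped."""
    entries = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["size"] == "<DIR>":
            continue
        entries.append({"ts": m["ts"],
                        "size": int(m["size"].replace(",", "")),
                        "path": m["path"]})
    return entries


def score_entries(entries, size_tolerance=256, min_cluster=3):
    """Map each path to the list of heuristic hits it collected."""
    hits = {e["path"]: [] for e in entries}
    for e in entries:
        folder, _, name = e["path"].rpartition("\\")
        # Legitimate DLLs live under system32; a DLL in the %WINDIR% root is odd.
        if folder.lower() == r"c:\windows" and name.lower().endswith(".dll"):
            hits[e["path"]].append("DLL dropped directly in %WINDIR%, not system32")
        if RANDOM_NAME_RE.match(name):
            hits[e["path"]].append("random-looking all-lowercase name")
    # Several fresh binaries of near-identical size usually come from one dropper
    # that re-writes the same payload under a new name after each removal.
    by_size = sorted(entries, key=lambda e: e["size"])
    i = 0
    while i < len(by_size):
        j = i
        while (j + 1 < len(by_size)
               and by_size[j + 1]["size"] - by_size[i]["size"] <= size_tolerance):
            j += 1
        if j - i + 1 >= min_cluster:
            for e in by_size[i:j + 1]:
                hits[e["path"]].append(
                    f"one of {j - i + 1} new binaries within {size_tolerance} bytes of each other")
        i = j + 1
    return hits


def triage(lines, threshold=2):
    """(path, reasons) for entries with at least `threshold` hits, oldest first."""
    entries = parse_files_created(lines)
    hits = score_entries(entries)
    flagged = [e for e in entries if len(hits[e["path"]]) >= threshold]
    return [(e["path"], hits[e["path"]]) for e in sorted(flagged, key=lambda e: e["ts"])]


if __name__ == "__main__":
    for path, why in triage(SAMPLE_LINES):
        print(path)
        for reason in why:
            print("   -", reason)
```

Single-hit entries such as vturr.exe and nircmd.exe are left for manual review, which is why the output is a triage list and not a deletion list; CT2ut8.dll trips none of these and is identified instead by the SUPERAntiSpyware log and its Winlogon Notify registration.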
 


ijusth (Thread Starter):
No more annoying popups. Don't know which step did it, but thanks a ton. Donation made to you guys.

One thing that is so odd is that I had Norton running when the infection jumped on the machine. It caught each Vundo attempt and cleaned the file, but it never cleaned whatever was causing the infections and it didn't stop the initial injection.
 

JSntgRvr (José, Retired Moderator and Malware Specialist):
Hi, ijusth. :)

Congratulations.

Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)

1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Create a Restore point:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
  2. In the System Restore dialog box, click Create a restore point, and then click Next.
  3. Type a description for your restore point, such as "After Cleanup", then click Create.

The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
  1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
  2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
  3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
  4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
  5. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
  6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
  7. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
  8. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

Click Here for some advice from our security Experts.

Please use the thread's Tools and mark this thread as "Solved".

Best wishes!
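The System Restore reset and "After Cleanup" checkpoint described in the post above can be done without the GUI. The script below is an added example, not part of the original thread or the helper's instructions; it assumes PowerShell 2.0 or later on a client edition of Windows (XP SP3 with the Windows Management Framework installed, or Vista/7 and later), since Disable-ComputerRestore, Enable-ComputerRestore and Checkpoint-Computer are not available on server editions. The function names and the -Drive parameter are this example's own choices.

```powershell
# Added example, not from the original thread. Assumes PowerShell 2.0+ on a
# client edition of Windows and an elevated session. Function names below are
# this example's own; the -Drive parameter is assumed, defaulting to the system drive.

function Test-IsAdministrator {
    # The System Restore tab, and these cmdlets, need full administrator rights.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Reset-SystemRestore {
    # Steps 1 and 3 of the procedure: turning System Restore off discards every
    # existing restore point on the drive (including any that back up infected
    # files); turning it back on starts with an empty set.
    param([string]$Drive = ($env:SystemDrive + '\'))

    if (-not (Test-IsAdministrator)) {
        throw 'Log in with an account that has full administrator access and run this from an elevated PowerShell prompt.'
    }

    Write-Host "Restore points before reset on $Drive"
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize

    Disable-ComputerRestore -Drive $Drive
    Enable-ComputerRestore  -Drive $Drive
}

function New-AfterCleanupRestorePoint {
    # "Create a Restore point": a fresh checkpoint taken on the now-clean system.
    param([string]$Description = 'After Cleanup')

    Checkpoint-Computer -Description $Description -RestorePointType 'MODIFY_SETTINGS'

    # Check: the only restore point left should be the one just created.
    Write-Host 'Restore points after reset:'
    Get-ComputerRestorePoint | Format-Table SequenceNumber, CreationTime, Description -AutoSize
}

Reset-SystemRestore
New-AfterCleanupRestorePoint
```

The post reboots between turning System Restore off and back on; the script does not, so to follow the procedure literally run Disable-ComputerRestore, reboot, then Enable-ComputerRestore and Checkpoint-Computer. One caveat for newer systems: Windows 8 and later refuse a second Checkpoint-Computer within 24 hours of the last restore point unless the DWORD value SystemRestorePointCreationFrequency under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore is set to 0, so if the final Get-ComputerRestorePoint listing is empty, that throttle is the first thing to check.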
 