
another vundo victim???

Discussion in 'Virus & Other Malware Removal' started by ijusth, Jul 5, 2007.

  1. ijusth

    ijusth Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    265
    Problem only occurring when I have IE open. I have Norton AV running and it catches the infection attempts and deletes stuff, but I still get browser windows constantly opening new windows (I have Google, IE and Pop-Up Stopper all working and still they get through). Also I am not sure if this is related, but I can't go into safe mode. I press F8 and get the normal prompt choices, but whether I select Safe, Safe with Networking, or Safe with Command Prompt it seems to fail and then reboot to return to the same screen, essentially saying it failed. But back to the virus thing. Here are the three files: Vundo log, Superanti log and finally hijack log:

    VUNDOFIX

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 11:22:50 PM 7/2/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\tmp9.tmp.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tmp9.tmp.dll
    C:\WINDOWS\system32\tmp9.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 12:10:56 AM 7/3/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 11:00:58 AM 7/3/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\tmp125.tmp.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tmp125.tmp.dll
    C:\WINDOWS\system32\tmp125.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 12:20:59 AM 7/4/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\tmp8B.tmp.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tmp8B.tmp.dll
    C:\WINDOWS\system32\tmp8B.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 12:29:43 AM 7/4/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 2:12:01 PM 7/4/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\tmpDC.tmp.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tmpDC.tmp.dll
    C:\WINDOWS\system32\tmpDC.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 2:17:06 PM 7/4/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Java version is 1.5.0.11

    Scan started at 2:32:07 PM 7/5/2007

    Listing files found while scanning....

    No infected files were found.

    *****************************************
    Superanti log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/04/2007 at 04:39 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3265
    Trace Rules Database Version: 1276

    Scan type : Complete Scan
    Total Scan Time : 02:15:18

    Memory items scanned : 498
    Memory threats detected : 1
    Registry items scanned : 6503
    Registry threats detected : 5
    File items scanned : 87557
    File threats detected : 35

    Trojan.Duncan
    C:\WINDOWS\SYSTEM32\MEMTIF.DLL
    C:\WINDOWS\SYSTEM32\MEMTIF.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4bc35c62-1ca7-4dd6-b7ce-3f021265976f}
    HKCR\CLSID\{4BC35C62-1CA7-4DD6-B7CE-3F021265976F}
    HKCR\CLSID\{4BC35C62-1CA7-4DD6-B7CE-3F021265976F}\InprocServer32
    HKCR\CLSID\{4BC35C62-1CA7-4DD6-B7CE-3F021265976F}\InprocServer32#ThreadingModel
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\memtif

    Adware.Tracking Cookie

    ********************************************

    Hijack this log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:12:27 PM, on 7/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\sttray.exe
    C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\PROGRA~1\NORTON~1\navw32.exe
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\Internet Explorer\iexplore.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\BitComet\BitComet.exe
    C:\Program Files\Messenger\msmsgs.exe
    C:\hjt\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O1 - Hosts: 209.216.253.186 www.winmx.com err.winmx.com
    O1 - Hosts: 205.238.40.2 test3201.winmx.com test3205.winmx.com
    O1 - Hosts: 205.238.40.2 test3202.winmx.com test3206.winmx.com
    O1 - Hosts: 205.238.40.1 test3203.winmx.com test3207.winmx.com
    O1 - Hosts: 205.238.40.1 test3204.winmx.com test3208.winmx.com
    O1 - Hosts: 205.238.40.2 c3310.z1301.winmx.com c3310.z1302.winmx.com c3310.z1303.winmx.com c3310.z1304.winmx.com c3310.z1305.winmx.com c3310.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3313.z1301.winmx.com c3313.z1302.winmx.com c3313.z1303.winmx.com c3313.z1304.winmx.com c3313.z1305.winmx.com c3313.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3316.z1301.winmx.com c3316.z1302.winmx.com c3316.z1303.winmx.com c3316.z1304.winmx.com c3316.z1305.winmx.com c3316.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3311.z1301.winmx.com c3311.z1302.winmx.com c3311.z1303.winmx.com c3311.z1304.winmx.com c3311.z1305.winmx.com c3311.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3314.z1301.winmx.com c3314.z1302.winmx.com c3314.z1303.winmx.com c3314.z1304.winmx.com c3314.z1305.winmx.com c3314.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3317.z1301.winmx.com c3317.z1302.winmx.com c3317.z1303.winmx.com c3317.z1304.winmx.com c3317.z1305.winmx.com c3317.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3312.z1301.winmx.com c3312.z1302.winmx.com c3312.z1303.winmx.com c3312.z1304.winmx.com c3312.z1305.winmx.com c3312.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3315.z1301.winmx.com c3315.z1302.winmx.com c3315.z1303.winmx.com c3315.z1304.winmx.com c3315.z1305.winmx.com c3315.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3318.z1301.winmx.com c3318.z1302.winmx.com c3318.z1303.winmx.com c3318.z1304.winmx.com c3318.z1305.winmx.com c3318.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3319.z1301.winmx.com c3319.z1302.winmx.com c3319.z1303.winmx.com c3319.z1304.winmx.com c3319.z1305.winmx.com c3319.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3520.z1301.winmx.com c3520.z1302.winmx.com c3520.z1303.winmx.com c3520.z1304.winmx.com c3520.z1305.winmx.com c3520.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3523.z1301.winmx.com c3523.z1302.winmx.com c3523.z1303.winmx.com c3523.z1304.winmx.com c3523.z1305.winmx.com c3523.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3526.z1301.winmx.com c3526.z1302.winmx.com c3526.z1303.winmx.com c3526.z1304.winmx.com c3526.z1305.winmx.com c3526.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3521.z1301.winmx.com c3521.z1302.winmx.com c3521.z1303.winmx.com c3521.z1304.winmx.com c3521.z1305.winmx.com c3521.z1306.winmx.com
    O1 - Hosts: 205.238.40.2 c3524.z1301.winmx.com c3524.z1302.winmx.com c3524.z1303.winmx.com c3524.z1304.winmx.com c3524.z1305.winmx.com c3524.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3527.z1301.winmx.com c3527.z1302.winmx.com c3527.z1303.winmx.com c3527.z1304.winmx.com c3527.z1305.winmx.com c3527.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3522.z1301.winmx.com c3522.z1302.winmx.com c3522.z1303.winmx.com c3522.z1304.winmx.com c3522.z1305.winmx.com c3522.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3525.z1301.winmx.com c3525.z1302.winmx.com c3525.z1303.winmx.com c3525.z1304.winmx.com c3525.z1305.winmx.com c3525.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3528.z1301.winmx.com c3528.z1302.winmx.com c3528.z1303.winmx.com c3528.z1304.winmx.com c3528.z1305.winmx.com c3528.z1306.winmx.com
    O1 - Hosts: 205.238.40.1 c3529.z1301.winmx.com c3529.z1302.winmx.com c3529.z1303.winmx.com c3529.z1304.winmx.com c3529.z1305.winmx.com c3529.z1306.winmx.com
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
    O2 - BHO: (no name) - {4bc35c62-1ca7-4dd6-b7ce-3f021265976f} - C:\WINDOWS\system32\memtif.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\urssrp.dll",realset
    O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
    O4 - Global Startup: SpyCatcher Protector.lnk = C:\Program Files\SpyCatcher\Protector.exe
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\memtif.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\memtif.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\memtif.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\memtif.dll
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\memtif.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175396128718
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O20 - AppInit_DLLs: c:\windows\system32\geebaaw.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: memtif - C:\WINDOWS\SYSTEM32\memtif.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

    thanks in advance for the help
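As an added example (not part of this thread, and not code from HijackThis or VundoFix), a Python triage script that reads lines like the two logs above: it groups HijackThis entries by the DLL they load and scores the load points so that memtif.dll, geebaaw.dll and urssrp.dll surface above the vendor entries, and it counts the VundoFix runs in which a freshly regenerated tmp*.tmp.dll had to be deleted. The sample lines are constructed from the log posted above and the weights are my own assumption for this example.

```python
import re
from collections import defaultdict

# Constructed sample: lines modelled on the HijackThis v1.99.1 log posted above
# (same paths as there) plus two known-good entries for contrast.
HJT_SAMPLE = r"""
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: (no name) - {4bc35c62-1ca7-4dd6-b7ce-3f021265976f} - C:\WINDOWS\system32\memtif.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [winehq.org] rundll32.exe "C:\WINDOWS\urssrp.dll",realset
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\memtif.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\memtif.dll
O20 - AppInit_DLLs: c:\windows\system32\geebaaw.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
O20 - Winlogon Notify: memtif - C:\WINDOWS\SYSTEM32\memtif.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Constructed sample condensed from the VundoFix output posted above.
VUNDOFIX_SAMPLE = r"""
Scan started at 11:22:50 PM 7/2/2007
Attempting to delete C:\WINDOWS\system32\tmp9.tmp.dll
Scan started at 12:10:56 AM 7/3/2007
Scan started at 11:00:58 AM 7/3/2007
Attempting to delete C:\WINDOWS\system32\tmp125.tmp.dll
Scan started at 12:20:59 AM 7/4/2007
Attempting to delete C:\WINDOWS\system32\tmp8B.tmp.dll
"""

HJT_LINE = re.compile(r"^(?P<sec>R\d|O\d+) - (?P<body>.*)$")
DLL_PATH = re.compile(r'[A-Za-z]:\\[^",\n]*?\.dll', re.IGNORECASE)

# Heuristic weights (my assumption, not anything HijackThis computes): how much
# a load point of that kind warrants review.
WEIGHTS = {
    "no_name_bho": 2,      # O2 BHO registered with no name
    "winlogon_notify": 2,  # O20 Winlogon Notify package
    "appinit_dlls": 3,     # O20 AppInit_DLLs loads into every user32 process
    "rundll32_run": 1,     # O4 Run entry starting a DLL through rundll32
    "extra_button": 1,     # O9 IE button / Tools menu item
    "windows_root": 1,     # DLL dropped directly into C:\WINDOWS
}

def classify(sec, body):
    """Tags that apply to one entry (section code, rest of the line)."""
    tags = []
    if sec == "O2" and "(no name)" in body:
        tags.append("no_name_bho")
    if sec == "O20" and body.startswith("Winlogon Notify:"):
        tags.append("winlogon_notify")
    if sec == "O20" and body.startswith("AppInit_DLLs:"):
        tags.append("appinit_dlls")
    if sec == "O4" and "rundll32" in body.lower():
        tags.append("rundll32_run")
    if sec == "O9":
        tags.append("extra_button")
    return tags

def triage(log_text):
    """Group entries by the DLL they load; return [(path, info)] by descending
    score. Aggregation is the point: one DLL reached from a no-name BHO, from O9
    buttons whose CLSIDs belong to other products and from Winlogon Notify
    stands out far more than any single line does."""
    found = defaultdict(lambda: {"score": 0, "reasons": []})
    for raw in log_text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        dm = DLL_PATH.search(body)
        if not dm:
            continue
        path = dm.group(0).lower()
        tags = classify(sec, body)
        if path.rsplit("\\", 1)[0] == "c:\\windows":  # not in a subfolder
            tags.append("windows_root")
        info = found[path]
        for tag in tags:
            info["score"] += WEIGHTS[tag]
            info["reasons"].append(f"{sec}: {tag}")
    return sorted(found.items(), key=lambda kv: kv[1]["score"], reverse=True)

def report(results, min_score=2):
    """Lines for DLLs scoring at least min_score. Legitimate hooks (igfxcui,
    WgaLogon) land here too: the score only orders the work, and each hit is
    still verified against its vendor before anything is removed."""
    return [f"{i['score']:>2} {p} ({', '.join(i['reasons'])})"
            for p, i in results if i["score"] >= min_score]

def vundofix_recurrence(log_text):
    """Count VundoFix runs and the tmp*.tmp.dll files they had to delete. A
    fresh name on a later run means a loader still on disk re-drops the file,
    which is why the load points above matter more than the tmp file itself."""
    runs, deleted = 0, []
    for line in log_text.splitlines():
        if line.startswith("Scan started at"):
            runs += 1
        m = re.match(r"Attempting to delete (\S+)", line)
        if m and re.search(r"\\tmp[0-9a-f]+\.tmp\.dll$", m.group(1), re.I):
            deleted.append(m.group(1))
    return runs, deleted
```

Run `report(triage(HJT_SAMPLE))` to list the ranked DLLs and `vundofix_recurrence(VUNDOFIX_SAMPLE)` to see how many runs removed a regenerated tmp DLL.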
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, ijusth. :)

    Welcome to TSG.

    Download the HostsXpert 3.8 - Hosts File Manager.
    • Unzip HostsXpert 3.8 - Hosts File Manager to a convenient folder such as C:\HostsXpert
    • Click HostsXpert.exe to Run HostsXpert 3.8 - Hosts File Manager from its new home
    • Click "Make Hosts Writable?" in the upper right corner (If available).
    • Click Restore Microsoft's Hosts file and then click OK.
    • Click the X to exit the program.
    • Note: If you were using a custom Hosts file you will need to replace any of those entries yourself.
    Your Java seems to be out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use in 9x or ME and probably will not install on those systems.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u1.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.
    Please download VundoFix.exe to your desktop.

    Note: In the event you already have Vundofix, this is a new version that I need you to download.
    • Double-click VundoFix.exe to run it.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Download ComboFix from Here or Here to your Desktop.

    Note: In the event you already have Combofix, this is a new version that I need you to download.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Download Superantispyware (SAS)
    1. Install it and double-click the icon on your desktop to run it.
    2. It will ask if you want to update the program definitions, click Yes.
    3. Under Configuration and Preferences, click the Preferences button.
    4. Click the Scanning Control tab.
    5. Under Scanner Options make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining.
      • Please leave the others unchecked.
      • Click the Close button to leave the control center screen.
    6. On the main screen, under Scan for Harmful Software click Scan your computer.
    7. On the left check C:\Fixed Drive.
    8. On the right, under Complete Scan, choose Perform Complete Scan.
    9. Click Next to start the scan. Please be patient while it scans your computer.
    10. After the scan is complete a summary box will appear. Click OK.
    11. Make sure everything in the white box has a check next to it, then click Next.
    12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
    13. To retrieve the removal information, please do the following:
      • After reboot, double-click the SUPERAntispyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything in the notepad, then right-click and choose copy.
    14. Click close and close again to exit the program.
    15. Please paste that information in your next reply along with a fresh HijackThis log.
     
  3. ijusth

    ijusth Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    265
    OK, here are the first three logs:
    ComboFix has to go separately since there is a 30k limit to the text upload:



    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.11

    Scan started at 8:16:50 PM 7/5/2007

    Listing files found while scanning....

    C:\WINDOWS\system32\tmp1B7.tmp.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\tmp1B7.tmp.dll
    C:\WINDOWS\system32\tmp1B7.tmp.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.11

    Scan started at 10:22:20 PM 7/5/2007

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.5.4

    Checking Java version...

    Java version is 1.5.0.11

    Scan started at 10:26:30 PM 7/5/2007

    Listing files found while scanning....

    No infected files were found.

    **************************
    here is hijack:
    Logfile of HijackThis v1.99.1
    Scan saved at 10:20:56 PM, on 7/5/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16473)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\WINDOWS\System32\CTsvcCDA.exe
    C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\System32\HPZipm12.exe
    C:\Program Files\CyberLink\Shared files\RichVideo.exe
    C:\WINDOWS\system32\STacSV.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
    C:\WINDOWS\sttray.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\WINDOWS\system32\Rundll32.exe
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\internet explorer\iexplore.exe
    C:\hjt\HijackThis.exe
    C:\Program Files\Messenger\msmsgs.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: SpywareBlock Class - {0A87E45F-537A-40B4-B812-E2544C21A09F} - C:\Program Files\SpyCatcher\SCActiveBlock.dll (file missing)
    O2 - BHO: BitComet ClickCapture - {39F7E362-828A-4B5A-BCAF-5B79BFDFEA60} - C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O2 - BHO: NAV Helper - {A8F38D8D-E480-4D52-B7A2-731BB6995FDD} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
    O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
    O4 - HKLM\..\Run: [LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD\Language\Language.exe"
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
    O4 - HKLM\..\Run: [DiskeeperSystray] "C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [NAV CfgWiz] "C:\Program Files\Norton AntiVirus\CfgWiz.exe" /GUID {0D7956A2-5A08-4ec2-A72C-DF8495A66016} /MODE CfgWiz /CMDLINE "REBOOT"
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [P17Helper] Rundll32 SPIRun.dll,RunDLLEntry
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [SpyCatcher Reminder] C:\Program Files\SpyCatcher\SpyCatcher.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [PopUpStopperFreeEdition] "C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe"
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
    O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
    O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
    O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
    O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\WINDOWS\system32\CT2ut8.dll (file missing)
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O16 - DPF: {32305793-C19A-48E7-AD2F-D87FF7B264A4} (TenebrilSpywareScanner Control) - http://www.tenebril.com/assets/activeX/SpywareScannerV2.ocx
    O16 - DPF: {56393399-041A-4650-94C7-13DFCB1F4665} (PSFormX Control) - http://www.ca.com/us/securityadvisor/pestscan/pestscan.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175396128718
    O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
    O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secure/HPGetDownloadManager.ocx
    O20 - AppInit_DLLs: c:\windows\system32\geebaaw.dll
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxdev.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
    O23 - Service: Diskeeper - Diskeeper® Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
    O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: SPBBCSvc - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe

    ***********************
    here is super anti

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/05/2007 at 09:54 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3265
    Trace Rules Database Version: 1276

    Scan type : Complete Scan
    Total Scan Time : 01:20:22

    Memory items scanned : 474
    Memory threats detected : 1
    Registry items scanned : 6490
    Registry threats detected : 5
    File items scanned : 75879
    File threats detected : 32

    Trojan.Duncan
    C:\WINDOWS\SYSTEM32\CT2UT8.DLL
    C:\WINDOWS\SYSTEM32\CT2UT8.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{be2b1802-cba8-4b3b-9cad-565187b58cc7}
    HKCR\CLSID\{BE2B1802-CBA8-4B3B-9CAD-565187B58CC7}
    HKCR\CLSID\{BE2B1802-CBA8-4B3B-9CAD-565187B58CC7}\InprocServer32
    HKCR\CLSID\{BE2B1802-CBA8-4B3B-9CAD-565187B58CC7}\InprocServer32#ThreadingModel
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\CT2ut8

    Adware.Tracking Cookie
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][1].txt
    C:\Documents and Settings\Ilan Justh\Cookies\[email protected][2].txt

    Trojan.Downloader-ConHook
    C:\WINDOWS\SYSTEM32\VTURR.EXE

    ***************************
     
  4. ijusth

    ijusth Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    265
    and here is combofix

    "Ilan Justh" - 2007-07-05 20:23:20 - ComboFix 07-07-04.4 - Service Pack 2


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\geebaaw.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ILANJU~1\APPLIC~1.\hidires
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp125.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp14F.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1A3.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1AA.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1AC.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1AE.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1AF.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1B1.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1B4.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp1B7.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp2.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp67.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp6DA.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp6DB.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp8.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp8B.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmp9.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpBE.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpC1.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpD.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpDB.tmp.exe
    C:\DOCUME~1\ILANJU~1\APPLIC~1\tmpDC.tmp.exe
    C:\DOCUME~1\ILANJU~1\Desktop\internet.lnk
    C:\WINDOWS\exefld
    C:\WINDOWS\system32\media
    C:\WINDOWS\system32\media\AvidRender.wav
    C:\WINDOWS\system32\tmp1AA.tmp.dll
    C:\WINDOWS\system32\tmp1AF.tmp.dll
    C:\WINDOWS\system32\tmp67.tmp.dll
    C:\WINDOWS\system32\tmp6DB.tmp.dll
    C:\WINDOWS\system32\tmpBE.tmp.dll


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE
    -------\DomainService
    -------\m_hook


    ((((((((((((((((((((((((( Files Created from 2007-06-06 to 2007-07-06 )))))))))))))))))))))))))))))))


    2007-07-05 20:22 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-05 20:13 92,695 --a------ C:\WINDOWS\system32\CT2ut8.dll
    2007-07-05 20:12 105,425 --a------ C:\WINDOWS\system32\vturr.exe
    2007-07-05 19:44 134,985 --a------ C:\WINDOWS\hggged.dll
    2007-07-05 19:40 <DIR> d-------- C:\hostsxpert
    2007-07-05 16:07 134,985 --a------ C:\WINDOWS\efdbxv.dll
    2007-07-04 14:20 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-04 14:20 <DIR> d-------- C:\DOCUME~1\ILANJU~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-04 14:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-04 11:20 134,993 --a------ C:\WINDOWS\ljigee.dll
    2007-07-04 10:33 <DIR> d-------- C:\Program Files\autoruns
    2007-07-04 00:30 134,993 --a------ C:\WINDOWS\awwxvs.dll
    2007-07-03 19:51 3,846 --a------ C:\WINDOWS\system32\tmp.reg
    2007-07-03 19:50 53,248 --a------ C:\WINDOWS\system32\Process.exe
    2007-07-03 19:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
    2007-07-03 19:50 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
    2007-07-03 15:32 134,914 --a------ C:\WINDOWS\hgfddc.dll
    2007-07-03 15:29 <DIR> d-------- C:\WINDOWS\pss
    2007-07-03 14:50 76,560 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
    2007-07-03 14:49 <DIR> d-------- C:\DOCUME~1\ILANJU~1\.housecall6.6
    2007-07-03 14:48 <DIR> d-------- C:\Program Files\msconfig
    2007-07-03 14:48 <DIR> d-------- C:\Program Files\cwshredder
    2007-07-03 14:28 <DIR> d-------- C:\Program Files\rootkit revealer
    2007-07-03 14:15 <DIR> d-------- C:\Program Files\smitfraudfix
    2007-07-03 14:12 <DIR> d-------- C:\hjt
    2007-07-03 14:09 <DIR> d-------- C:\Program Files\hijack this
    2007-07-03 11:21 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2007-07-03 10:45 <DIR> d-------- C:\DOCUME~1\ILANJU~1\APPLIC~1\Tenebril
    2007-07-03 10:43 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Tenebril
    2007-07-03 10:39 180,224 --a-s---- C:\WINDOWS\system32\archlib.dll
    2007-07-03 10:39 <DIR> d-------- C:\WINDOWS\system32\tenarchlib
    2007-07-03 09:55 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-07-03 09:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-07-03 09:40 7,680 --a------ C:\WINDOWS\system32\drivers\RKL1.tmp.sys
    2007-07-03 09:30 <DIR> d-------- C:\MessengerCtrlUninstall
    2007-07-03 09:25 134,914 --------- C:\WINDOWS\urssrp.dll
    2007-07-02 23:39 134,914 --a------ C:\WINDOWS\effcyx.dll
    2007-07-02 23:22 <DIR> d-------- C:\VundoFix Backups
    2007-07-02 08:29 134,972 --a------ C:\WINDOWS\gebbbc.dll
    2007-07-02 08:00 <DIR> d-------- C:\DOCUME~1\ILANJU~1\APPLIC~1\Lavasoft
    2007-07-01 17:26 <DIR> d-------- C:\Program Files\Bethesda Softworks
    2007-07-01 17:07 40,960 --a------ C:\WINDOWS\system32\psfind.dll
    2007-07-01 16:59 <DIR> d-------- C:\WINDOWS\SxsCaPendDel
    2007-07-01 16:50 <DIR> d-------- C:\Program Files\THQ
    2007-07-01 16:35 314,666 --a------ C:\WINDOWS\system32\dn0c1aa1bf.dat
    2007-06-17 01:02 <DIR> d-------- C:\Program Files\GetRight
    2007-06-09 18:54 <DIR> d-------- C:\AudioConverter
    2007-06-09 10:08 <DIR> d-------- C:\Program Files\LimeWire Acceleration Patch
    2007-06-06 20:45 <DIR> d-------- C:\Program Files\clean center


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-06 03:04:02 -------- d-----w C:\Program Files\emule
    2007-07-04 22:23:04 -------- d-----w C:\DOCUME~1\ILANJU~1\APPLIC~1\dvdcss
    2007-07-04 21:19:57 -------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-04 20:43:07 -------- d-----w C:\Program Files\limewire
    2007-07-04 06:07:41 200 ----a-w C:\WINDOWS\AUDC50UI.dat
    2007-07-04 06:06:13 96 ----a-w C:\WINDOWS\system32\sysmwwod.dll
    2007-07-03 21:04:09 -------- d-----w C:\Program Files\Nero
    2007-07-03 18:04:09 -------- d-----w C:\Program Files\lavasoft
    2007-07-03 17:32:44 -------- d-----w C:\Program Files\Warez P2P Client
    2007-07-02 20:06:07 -------- d-----w C:\Program Files\IsoBuster
    2007-07-02 15:19:58 -------- d-----w C:\Program Files\panicware
    2007-07-02 00:26:30 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-07-01 01:00:41 359,808 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
    2007-06-30 02:49:48 -------- d-----w C:\Program Files\Common Files\Symantec Shared
    2007-06-25 04:15:44 -------- d-----w C:\Program Files\DivX
    2007-06-24 02:27:32 2,560 ----a-w C:\WINDOWS\system32\BitCometRes.dll
    2007-06-24 02:27:18 -------- d-----w C:\Program Files\BitComet
    2007-06-23 05:08:02 -------- d-----w C:\Program Files\outlook
    2007-06-23 05:07:54 -------- d-----w C:\Program Files\Movie Joiner
    2007-06-21 04:43:57 -------- d-----w C:\Program Files\VLC
    2007-06-12 06:21:25 -------- d-----w C:\DOCUME~1\ILANJU~1\APPLIC~1\uTorrent
    2007-06-10 02:06:22 -------- d-----w C:\Program Files\all2mp3
    2007-06-08 02:57:58 -------- d-----w C:\DOCUME~1\ILANJU~1\APPLIC~1\SopCast
    2007-06-07 04:35:29 -------- d-----w C:\Program Files\firefox
    2007-06-07 03:56:10 -------- d-----w C:\Program Files\TagRename
    2007-06-07 03:56:09 -------- d-----w C:\Program Files\free download manager
    2007-06-07 03:56:09 -------- d-----w C:\Program Files\duplicate finder
    2007-06-07 03:56:08 -------- d-----w C:\Program Files\avery
    2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
    2007-06-03 07:03:19 -------- d-----w C:\Program Files\MXpie Patch
    2007-06-03 07:03:00 -------- d-----w C:\Program Files\winmx
    2007-06-02 04:25:05 -------- d-----w C:\Program Files\Hello
    2007-06-02 03:31:28 -------- d-----w C:\Program Files\iTunes
    2007-06-02 03:31:14 -------- d-----w C:\Program Files\iPod
    2007-06-02 03:30:40 -------- d-----w C:\Program Files\QuickTime
    2007-06-02 03:29:57 -------- d-----w C:\Program Files\Apple Software Update
    2007-06-01 04:22:47 -------- d-----w C:\Program Files\HP
    2007-06-01 04:09:03 139,264 ----a-w C:\WINDOWS\system32\hpzjrd01.dll
    2007-05-31 06:45:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
    2007-05-31 06:44:55 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
    2007-05-31 06:44:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
    2007-05-31 06:44:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
    2007-05-31 06:44:54 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-11 05:28:38 -------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-05-09 03:44:28 -------- d-----w C:\DOCUME~1\ILANJU~1\APPLIC~1\HP
    2007-05-07 02:41:04 -------- d-----w C:\Program Files\undelete
    2007-05-06 03:33:52 -------- d-----w C:\Program Files\SopCast
    2007-04-28 03:27:38 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
    2007-04-28 03:27:38 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
    2007-04-23 00:15:29 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
    2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
    2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
    2007-04-23 00:02:34 73,728 ----a-w C:\WINDOWS\system32\dpl100.dll
    2007-04-23 00:02:34 196,608 ----a-w C:\WINDOWS\system32\dtu100.dll
    2007-04-23 00:02:33 53,248 ----a-w C:\WINDOWS\system32\dpuGUI10.dll
    2007-04-23 00:02:31 593,920 ----a-w C:\WINDOWS\system32\dpuGUI11.dll
    2007-04-23 00:02:31 57,344 ----a-w C:\WINDOWS\system32\dpv11.dll
    2007-04-23 00:02:31 344,064 ----a-w C:\WINDOWS\system32\dpus11.dll
    2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu11.dll
    2007-04-23 00:02:31 294,912 ----a-w C:\WINDOWS\system32\dpu10.dll
    2007-04-23 00:01:47 12,288 ----a-w C:\WINDOWS\system32\DivXWMPExtType.dll
    2007-04-23 00:01:46 124,472 ----a-w C:\WINDOWS\system32\DivXCodecUpdateChecker.exe
    2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
    2007-04-17 05:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
    2007-04-17 05:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
    2007-04-17 05:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
    2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 05:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
    2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2007-04-17 05:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
    2007-04-17 05:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
    2007-04-17 05:44:20 271,224 ----a-w C:\WINDOWS\system32\mucltui.dll
    2007-04-17 05:44:18 208,248 ----a-w C:\WINDOWS\system32\muweb.dll
    2007-04-13 22:19:52 7,680 ----a-w C:\WINDOWS\system32\lsdelete.exe


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{02478D38-C3F9-4EFB-9B51-7695ECA05670}]
    2006-10-26 10:28 440384 --a------ C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2006-10-22 23:08 62080 --a------ C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0A87E45F-537A-40B4-B812-E2544C21A09F}]
    C:\Program Files\SpyCatcher\SCActiveBlock.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{39F7E362-828A-4B5A-BCAF-5B79BFDFEA60}]
    2007-06-14 06:07 443968 --a------ C:\Program Files\BitComet\tools\BitCometBHO_1.1.6.14.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]
    2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-06-14 18:32 509592 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A8F38D8D-E480-4D52-B7A2-731BB6995FDD}]
    2007-04-02 19:19 140912 --a------ C:\Program Files\Norton AntiVirus\NavShExt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-01-20 00:55 2403392 -ra------ c:\program files\google\googletoolbar2.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be2b1802-cba8-4b3b-9cad-565187b58cc7}]
    2007-07-05 20:13 92695 --a------ C:\WINDOWS\system32\CT2ut8.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-12 00:12]
    "RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe" [2005-12-07 22:57]
    "LanguageShortcut"="C:\Program Files\CyberLink\PowerDVD\Language\Language.exe" [2006-05-18 11:29]
    "SigmatelSysTrayApp"="sttray.exe" [2006-05-26 07:58 C:\WINDOWS\sttray.exe]
    "DiskeeperSystray"="C:\Program Files\Diskeeper Corporation\Diskeeper\DkIcon.exe" [2006-02-24 19:29]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-22 22:19]
    "NAV CfgWiz"="C:\Program Files\Norton AntiVirus\CfgWiz.exe" [2006-02-01 22:10]
    "nwiz"="nwiz.exe" [2006-07-24 23:31 C:\WINDOWS\system32\nwiz.exe]
    "NvMediaCenter"="NvMCTray.dll" [2006-07-24 23:31 C:\WINDOWS\system32\nvmctray.dll]
    "P17Helper"="SPIRun.dll" [2006-07-03 13:43 C:\WINDOWS\system32\SPIRun.dll]
    "iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
    "SpyCatcher Reminder"="C:\Program Files\SpyCatcher\SpyCatcher.exe" []
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-06-14 18:32]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-07-24 23:31]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SetDefaultMIDI"="MIDIDef.exe" []
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-03-31 20:46]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-03-27 15:22]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
    "PopUpStopperFreeEdition"="C:\PROGRA~1\PANICW~1\POP-UP~1\PSFree.exe" [2005-03-17 11:10]
    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" []
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    [HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
    "DefaultP17"=resdef.exe

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 05:29]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CT2ut8]
    CT2ut8.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=c:\windows\system32\geebaaw.dll

    SafeBoot registry key needs repairs. This machine cannot enter Safe Mode.
    ~~\SafeBoot\Minimal\Base
    ~~\SafeBoot\Minimal\Boot Bus Extender
    ~~\SafeBoot\Minimal\Boot file system
    ~~\SafeBoot\Minimal\dmboot.sys
    ~~\SafeBoot\Minimal\dmio.sys
    ~~\SafeBoot\Minimal\dmload.sys
    ~~\SafeBoot\Minimal\dmserver
    ~~\SafeBoot\Minimal\File system
    ~~\SafeBoot\Minimal\Filter
    ~~\SafeBoot\Minimal\PCI Configuration
    ~~\SafeBoot\Minimal\Primary disk
    ~~\SafeBoot\Minimal\RpcSs
    ~~\SafeBoot\Minimal\SCSI Class
    ~~\SafeBoot\Minimal\sermouse.sys
    ~~\SafeBoot\Minimal\System Bus Extender
    ~~\SafeBoot\Minimal\vga.sys
    ~~\SafeBoot\Minimal\vgasave.sys
    ~~\SafeBoot\Minimal\{4D36E967-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{4D36E96A-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{4D36E96B-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{4D36E96F-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{4D36E97D-E325-11CE-BFC1-08002BE10318}
    ~~\SafeBoot\Minimal\{71A27CDD-812A-11D0-BEC7-08002BE2092F}

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^SpyCatcher Protector.lnk]
    path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\SpyCatcher Protector.lnk
    backup=C:\WINDOWS\pss\SpyCatcher Protector.lnkCommon Startup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Ilan Justh^Start Menu^Programs^Startup^Scheduler.lnk]
    path=C:\Documents and Settings\Ilan Justh\Start Menu\Programs\Startup\Scheduler.lnk
    backup=C:\WINDOWS\pss\Scheduler.lnkStartup


    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    "C:\Program Files\QuickTime\qttask.exe" -atboottime


    Contents of the 'Scheduled Tasks' folder
    2007-05-05 03:49:45 C:\WINDOWS\tasks\Norton AntiVirus - Run Full System Scan - Ilan Justh.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-05 20:28:12
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-05 20:29:49 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-05 20:29

    --- E O F ---
     
  5. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, ijusth :)

    • Copy the entire contents of the Code Box below to Notepad.
    • Name the file as ComboFix-Do.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    Code:
    File::
    C:\WINDOWS\system32\CT2ut8.dll
    C:\WINDOWS\system32\vturr.exe
    C:\WINDOWS\hggged.dll
    C:\WINDOWS\efdbxv.dll
    C:\WINDOWS\ljigee.dll
    C:\WINDOWS\awwxvs.dll
    C:\WINDOWS\hgfddc.dll
    C:\WINDOWS\urssrp.dll
    C:\WINDOWS\effcyx.dll
    C:\WINDOWS\gebbbc.dll
    C:\WINDOWS\system32\dn0c1aa1bf.dat
    
    Folder::
    
    
    ADS::
    
    
    Driver::
    
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be2b1802-cba8-4b3b-9cad-565187b58cc7}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\CT2ut8]
    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=""

    Once saved, referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe, and post back the resulting report.

    Download the enclosed file. Save and extract its contents to the desktop. It is a folder containing a Batch file, Query.bat. Double click on the Query.bat file and post back the resulting report.

    Post also a fresh Hijackthis log.
     

    Attached Files:
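The ComboFix-Do.txt above is a CFScript: `File::` lists paths to remove, `[-KEY]` under `Registry::` removes a whole key, and a `"name"=value` line sets a value under the preceding `[KEY]`. The parser below is an added example, not ComboFix's own code, that reads such a script and lists every action it would take so the script can be checked against the log before it is run; the semantics are assumed from the post, and the sample script is constructed in the same shape as the one posted.

```python
# Added example (not ComboFix's own code): parse a ComboFix CFScript such as
# the ComboFix-Do.txt posted above and list what it would do. Semantics assumed
# from the post: File:: paths are deleted, [-KEY] deletes a key, "name"=value sets a value.

# Constructed sample in the same shape as the posted script.
SAMPLE_SCRIPT = r"""File::
C:\WINDOWS\system32\CT2ut8.dll
C:\WINDOWS\hggged.dll

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{be2b1802-cba8-4b3b-9cad-565187b58cc7}]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=""
"""

PATH_SECTIONS = ("file", "folder", "ads", "driver")

def parse_cfscript(text):
    """Return {'file': [...], ..., 'delete_keys': [...], 'set_values': [(key, name, value)]}."""
    out = {k: [] for k in PATH_SECTIONS + ("delete_keys", "set_values")}
    section, current_key = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):                         # section header, e.g. "Registry::"
            section, current_key = line[:-2].lower(), None
            if section not in PATH_SECTIONS + ("registry",):
                raise ValueError(f"unknown section: {line}")
        elif section is None:
            raise ValueError(f"entry before any section header: {line!r}")
        elif section != "registry":
            out[section].append(line)                   # path ComboFix would remove
        elif line.startswith("[-") and line.endswith("]"):
            out["delete_keys"].append(line[2:-1])       # whole key removed
        elif line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]                    # later "name"=value lines apply here
        elif current_key is not None and "=" in line:
            name, _, value = line.partition("=")
            out["set_values"].append((current_key, name.strip('"'), value.strip('"')))
        else:
            raise ValueError(f"malformed registry line: {line!r}")
    return out

def review(script):
    """One line per action, so the script can be checked before it is run."""
    lines = [f"delete {s}: {p}" for s in PATH_SECTIONS for p in script[s]]
    lines += [f"delete key: {k}" for k in script["delete_keys"]]
    lines += [f"set {k}\\{n} = {v!r}" for k, n, v in script["set_values"]]
    return lines
```

Running `review(parse_cfscript(SAMPLE_SCRIPT))` yields one line per file deletion, key deletion and value change, which can be compared entry by entry against the ComboFix log before the script is dropped onto ComboFix.exe.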

  6. ijusth

    ijusth Thread Starter

    Joined:
    Feb 15, 2003
    Messages:
    265
    No more annoying popups. Don't know which step did it but thanks a ton. Donation made to you guys.

    One thing that is so odd is that I had Norton running when the infection jumped on the machine. It caught each vundo attempt and cleaned the file but it never cleaned whatever was causing the infections and it didn't stop the initial injection.
     
  7. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, ijusth. :)

    Congratulations.

    Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

    Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (Windows XP)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Create a Restore point:
    1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2. In the System Restore dialog box, click Create a restore point, and then click Next.
    3. Type a description for your restore point, such as "After Cleanup", then click Create.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    5. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    7. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    8. Trillian or Miranda-IM - These are malware-free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    Click Here for some advice from our security experts.

    Please use the thread's Tools and mark this thread as "Solved".

    Best wishes!
     

Short URL to this thread: https://techguy.org/592188