need help cleaning my system from virus, worms, spyware etc.

[_iTALY]

can i get some help eliminating the viruses and etc. that have infected my computer ?

here is my HJT log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:37:45 AM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\csrss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\system32\oodteyma.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\CTHELPER.EXE
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
C:\WINNT\TEMP\win50C6.tmp.exe
C:\Documents and Settings\All Users\Application Data\abynipkx.exe
C:\WINNT\mgrs.exe
C:\WINNT\SOUNDMAN.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\SSTEM3~1\winlogon.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
D:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINNT\system32\wdfmgr.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\server64.exe
D:\Program Files\Cakewalk\SONAR 3 Producer Edition\SONARPDR.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\wbem\wmiprvse.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
F2 - REG:system.ini: Shell=explorer.exe C:\WINNT\system32\msdun.exe
F2 - REG:system.ini: UserInit=C:\WINNT\system32\userinit.exe,C:\WINNT\system32\ntos.exe,
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [avp] C:\WINNT\TEMP\win50C6.tmp.exe
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINNT\system32\drvcud.dll,startup
O4 - HKLM\..\Run: [abynipkx.exe] C:\Documents and Settings\All Users\Application Data\abynipkx.exe
O4 - HKLM\..\Run: [smgr] mgrs.exe
O4 - HKLM\..\Run: [SC2] C:\WINNT\system32\scchk32.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Winmplayer] "C:\WINNT\system32\KB_963491.exe"
O4 - HKLM\..\Run: [startdrv] C:\WINNT\Temp\startdrv.exe
O4 - HKLM\..\Run: [runner1] C:\WINNT\retadpu1000106.exe 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKLM\..\Run: [ms] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\10213\gm.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINNT\system32\srgaxfqq.dll",forkonce
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [Bear] "C:\WINNT\system32\MCROSO~1.NET\services.exe" -vt yazb
O4 - HKCU\..\Run: [autoload] C:\WINNT\system32\drivers\svchost.exe
O4 - HKCU\..\Run: [autorun] C:\Documents and Settings\Administrator\svchost.exe
O4 - HKCU\..\Run: [tlz] C:\WINNT\47681727.exe
O4 - HKCU\..\Run: [System reservation] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\svchots.exe
O4 - HKCU\..\Run: [XP restart system] C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wnset.exe
O4 - HKCU\..\Run: [userinit] C:\WINNT\system32\ntos.exe
O4 - HKCU\..\Run: [Ptpe] "C:\DOCUME~1\ADMINI~1\APPLIC~1\SSTEM3~1\winlogon.exe" -vt yazb
O4 - HKLM\..\Policies\Explorer\Run: [svchost.exe] C:\WINNT\svchost.exe
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [SetDefaultMIDI] MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy' (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [userinit] C:\WINNT\system32\ntos.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [userinit] C:\WINNT\system32\ntos.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174506012109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182822289765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINNT\system32\bxcjiz.dll
O22 - SharedTaskScheduler: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - C:\WINNT\system32\bxcjiz.dll
O22 - SharedTaskScheduler: kdg9049i904ktkgtj - {20AD49A2-94F3-42bD-F434-2604812C897C} - C:\WINNT\system32\jkxdf84ndf.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe (file missing)
O23 - Service: Logical Disk Manager dmserverRemoteRegistry (dmserverRemoteRegistry) - Unknown owner - C:\WINNT\system32\ahuij.exe (file missing)
O23 - Service: DomainService - - C:\WINNT\system32\oodteyma.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7085 bytes

 

[_iTALY]

bump!

 

[cybertech]

Hi, Welcome to TSG!!

Load AVG http://free.grisoft.com/freeweb.php/doc/2/ it's free.



Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

• 
  Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

Click Exit on the Main menu to close the program.


Download ComboFix from Here or Here to your Desktop.

• Double click combofix.exe and follow the prompts.
• When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall


Download SDFix and save it to your Desktop.

Double click SDFix.exe and it will extract the files to %systemdrive%
(Drive that contains the Windows Directory, typically C:\SDFix)

Please then reboot your computer in Safe Mode by doing the following :

• Restart your computer
• After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
• Instead of Windows loading as normal, the Advanced Options Menu should appear;
• Select the first option, to run Windows in Safe Mode, then press Enter.
• Choose your usual account.

• Open the extracted SDFix folder and double click RunThis.bat to start the script.
• Type Y to begin the cleanup process.
• It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
• Press any Key and it will restart the PC.
• When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
• Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
  (Report.txt will also be copied to Clipboard ready for posting back on the forum).
• Finally paste the contents of the Report.txt back on the forum with a new HijackThis log

 

[_iTALY]

thanks for the help here are my logs:

"Owner" - 2007-07-11 16:43:04 - ComboFix 07-07-10.1 - Service Pack 2


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINNT\system32\aodvnpre.dll
C:\WINNT\system32\bcvaiktm.dll
C:\WINNT\system32\bwgdhwth.dll
C:\WINNT\system32\dtpopqww.dll
C:\WINNT\system32\elmsowpk.dll
C:\WINNT\system32\gliovvjw.dll
C:\WINNT\system32\idlcbfeb.dll
C:\WINNT\system32\sjbngffd.dll
C:\WINNT\system32\srgaxfqq.dll
C:\WINNT\system32\tkqhdaeb.dll
C:\WINNT\system32\twoqfnqo.dll
C:\WINNT\system32\vufbfglb.dll
C:\WINNT\system32\wypqnhkd.dll
C:\WINNT\system32\xfoshate.dll
C:\WINNT\system32\yoygxfcb.dll
C:\WINNT\system32\axhbixbm.exe
C:\WINNT\system32\cavhrbcn.exe
C:\WINNT\system32\cdeattxh.exe
C:\WINNT\system32\ermdggie.exe
C:\WINNT\system32\fdokjylv.exe
C:\WINNT\system32\lbsrjtbh.exe
C:\WINNT\system32\lpdprpce.exe
C:\WINNT\system32\gebaxww.dll
C:\WINNT\system32\jkkkigh.dll
C:\WINNT\system32\nnnnmnl.dll
C:\WINNT\system32\opnmmlm.dll
C:\WINNT\system32\vturono.dll
C:\WINNT\system32\wingsa32.dll
C:\WINNT\system32\erpnvdoa.ini
C:\WINNT\system32\mtkiavcb.ini
C:\WINNT\system32\htwhdgwb.ini
C:\WINNT\system32\wwqpoptd.ini
C:\WINNT\system32\kpwosmle.ini
C:\WINNT\system32\wjvvoilg.ini
C:\WINNT\system32\befbcldi.ini
C:\WINNT\system32\hjjlm.bak1
C:\WINNT\system32\hjjlm.ini2
C:\WINNT\system32\dffgnbjs.ini
C:\WINNT\system32\qqfxagrs.ini
C:\WINNT\system32\blgfbfuv.ini
C:\WINNT\system32\dkhnqpyw.ini
C:\WINNT\system32\hjjlm.bak1
C:\WINNT\system32\hjjlm.bak2
C:\WINNT\system32\hjjlm.ini
C:\WINNT\system32\hjjlm.ini2
C:\WINNT\system32\hjjlm.tmp
C:\WINNT\system32\mljjh.dll
C:\WINNT\system32\rqrpnll.dll
C:\WINNT\system32\hjjlm.bak2
C:\WINNT\system32\hjjlm.ini
C:\WINNT\system32\hjjlm.tmp
C:\WINNT\system32\etahsofx.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *



((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\ADMINI~1\APPLIC~1.\sstem3~1
C:\DOCUME~1\ADMINI~1\APPLIC~1.\sstem3~1\winlogon.exe
C:\DOCUME~1\ADMINI~1\APPLIC~1\Microsoft\25319.dat
C:\DOCUME~1\NETWOR~1\APPLIC~1\Install.dat
C:\Documents and Settings\All Users.\documents\settings
C:\Documents and Settings\All Users.\documents\settings\desktop.ini
C:\Program Files\fnts~1
C:\Program Files\outerinfo
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\ymbols~1
C:\Program Files\ymbols~1\w?nlogon.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\tn3
C:\WINNT\appatc~1
C:\WINNT\appatc~1\??oolsv.exe
C:\WINNT\csrss.exe
C:\WINNT\mgrs.exe
C:\WINNT\sstem~1
C:\WINNT\sstem~1\n?lookup.exe
C:\WINNT\system32\3_exception.nls
C:\WINNT\system32\advvpi32.dll
C:\WINNT\system32\bxcjiz.dll
C:\WINNT\system32\drivers\core.cache.dsk
C:\WINNT\system32\drivers\core.sys
C:\WINNT\system32\KB28125911.exe
C:\WINNT\system32\KB93427757.exe
C:\WINNT\system32\mcroso~1.net
C:\WINNT\system32\o08PrEz
C:\WINNT\system32\wcpsvsu.exe
C:\WINNT\system32\win
C:\WINNT\system32\WINDBG48.sys
C:\WINNT\ymbols~1


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_NTIO256
-------\LEGACY_WINDBG48
-------\core
-------\DomainService
-------\ntio256
-------\RpcApi


((((((((((((((((((((((((( Files Created from 2007-06-11 to 2007-07-11 )))))))))))))))))))))))))))))))


2007-07-11 16:42 51,200 --a------ C:\WINNT\nircmd.exe
2007-07-11 16:40 66,112 --a------ C:\WINNT\system32\honerdai.exe
2007-07-11 16:26 499,712 --a------ C:\WINNT\system32\msvcp71.dll
2007-07-11 16:26 348,160 --a------ C:\WINNT\system32\msvcr71.dll
2007-07-11 16:20 66,624 --a------ C:\WINNT\system32\eglelhdw.dll
2007-07-11 16:17 66,112 --a------ C:\WINNT\system32\svpyosuj.exe
2007-07-11 15:57 <DIR> d-------- C:\Program Files\Uniblue
2007-07-11 15:57 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Uniblue
2007-07-11 15:42 <DIR> d-------- C:\WINNT\pss
2007-07-11 15:29 66,624 --a------ C:\WINNT\system32\didmwnwd.dll
2007-07-11 15:21 66,112 --a------ C:\WINNT\system32\qsdfvgol.exe
2007-07-11 11:25 93,696 --a------ C:\WINNT\system32\drvvun.dll
2007-07-11 10:38 <DIR> d-------- C:\Program Files\ToniArts
2007-07-11 10:08 66,624 --a------ C:\WINNT\system32\cwidlcny.dll
2007-07-11 10:06 66,112 --a------ C:\WINNT\system32\kkhiedfy.exe
2007-07-11 09:37 66,112 --a------ C:\WINNT\system32\lvikjpbl.exe
2007-07-11 08:33 66,112 --a------ C:\WINNT\system32\aqykftal.exe
2007-07-11 08:29 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Prevx
2007-07-11 08:28 77,312 --a------ C:\WINNT\ua2.dll
2007-07-11 08:28 <DIR> d-------- C:\Program Files\Prevx2
2007-07-11 08:28 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Prevx
2007-07-11 07:46 66,624 --a------ C:\WINNT\system32\mdfumqrp.dll
2007-07-11 07:40 66,112 --a------ C:\WINNT\system32\vddivhus.exe
2007-07-11 07:35 66,624 --a------ C:\WINNT\system32\hehqkjwd.dll
2007-07-11 07:32 66,112 --a------ C:\WINNT\system32\eqoaxmbc.exe
2007-07-11 07:27 66,624 --a------ C:\WINNT\system32\qfkbgkac.dll
2007-07-11 07:22 66,112 --a------ C:\WINNT\system32\goptaeim.exe
2007-07-11 07:03 66,624 --a------ C:\WINNT\system32\qgvdonpe.dll
2007-07-11 06:57 66,112 --a------ C:\WINNT\system32\ureruslt.exe
2007-07-11 06:51 66,624 --a------ C:\WINNT\system32\biwstjkx.dll
2007-07-11 06:50 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-11 06:50 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-11 06:49 66,112 --a------ C:\WINNT\system32\juwadxie.exe
2007-07-11 06:08 66,624 --a------ C:\WINNT\system32\sglxdyit.dll
2007-07-11 06:02 66,112 --a------ C:\WINNT\system32\peqqvnec.exe
2007-07-11 05:56 66,112 --a------ C:\WINNT\system32\udrmbsfr.exe
2007-07-11 05:54 13,312 --a------ C:\WINNT\system32\s2f.exe
2007-07-11 05:52 66,624 --a------ C:\WINNT\system32\nfcaprwm.dll
2007-07-11 05:52 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-11 05:00 <DIR> d-------- C:\DOCUME~1\ADMINI~1\.housecall6.6
2007-07-11 04:35 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-11 04:13 66,624 --a------ C:\WINNT\system32\rslwvrxv.dll
2007-07-11 04:10 1,156 --a------ C:\WINNT\mozver.dat
2007-07-11 03:39 66,624 --a------ C:\WINNT\system32\hloctjyn.dll
2007-07-11 01:36 66,624 --a------ C:\WINNT\system32\xyucnkby.dll
2007-07-11 01:08 66,624 --a------ C:\WINNT\system32\qqwumcse.dll
2007-07-11 00:17 66,624 --a------ C:\WINNT\system32\xxnaovka.dll
2007-07-10 23:14 66,624 --a------ C:\WINNT\system32\lxtdlwdp.dll
2007-07-10 22:58 106 --a------ C:\temp.bat
2007-07-10 16:43 10,240 --a------ C:\WINNT\system32\syswin.exe
2007-07-07 18:19 162 --ahs---- C:\WINNT\system32\3961485737.dat
2007-07-07 01:37 <DIR> d--hs---- C:\DOCUME~1\MULTIM~1\APPLIC~1\wsnpoem
2007-07-06 23:12 0 --a------ C:\WINNT\nsreg.dat
2007-07-06 22:12 38,912 --a------ C:\WINNT\system32\msdun.dll
2007-07-06 22:12 10,000 --a------ C:\WINNT\system32\jkxdf84ndf.dll
2007-07-06 22:12 <DIR> d-------- C:\WINNT\system32\X9
2007-07-06 22:12 <DIR> d-------- C:\WINNT\system32\X4
2007-07-06 22:12 <DIR> d-------- C:\WINNT\system32\X3
2007-07-06 22:12 <DIR> d-------- C:\WINNT\system32\X2
2007-07-06 22:12 <DIR> d-------- C:\Temp
2007-07-02 16:57 <DIR> d-------- C:\DOCUME~1\MULTIM~1\APPLIC~1\Cakewalk
2007-06-29 19:41 <DIR> d-------- C:\Program Files\Steinberg
2007-06-29 17:26 <DIR> d-------- C:\Program Files\rgcaudio software
2007-06-29 17:18 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Propellerhead Software
2007-06-29 17:16 <DIR> d-------- C:\Program Files\Propellerhead
2007-06-29 14:42 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Nero
2007-06-29 14:12 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Ahead
2007-06-29 01:29 <DIR> d-------- C:\DOCUME~1\MULTIM~1\APPLIC~1\Apple Computer
2007-06-29 01:22 741,376 --a------ C:\DOCUME~1\MULTIM~1\NTUSER.DAT
2007-06-29 01:22 <DIR> d-------- C:\DOCUME~1\MULTIM~1\APPLIC~1\EmuPatchMixDSP
2007-06-29 01:22 <DIR> d-------- C:\DOCUME~1\MULTIM~1\APPLIC~1\Creative
2007-06-28 22:39 102,400 --a------ C:\WINNT\system32\TrackerNET.dll
2007-06-28 22:32 217,088 --a------ C:\WINNT\system32\libmySQL.dll
2007-06-28 17:59 <DIR> d--h----- C:\WINNT\$hf_mig$
2007-06-28 03:03 524,288 --ah----- C:\DOCUME~1\LOCALS~1\NTUSER.DAT
2007-06-28 03:03 262,144 --ah----- C:\DOCUME~1\NETWOR~1\NTUSER.DAT
2007-06-28 03:03 <DIR> d-------- C:\WINNT\Prefetch
2007-06-28 03:00 <DIR> d-------- C:\WINNT\system32\xircom
2007-06-28 02:59 221,184 --a------ C:\WINNT\system32\wmpns.dll
2007-06-28 02:58 11,264 --a------ C:\WINNT\system32\atrace.dll
2007-06-28 02:58 <DIR> d-------- C:\WINNT\srchasst
2007-06-28 02:58 <DIR> d-------- C:\Program Files\Online Services
2007-06-28 02:58 <DIR> d-------- C:\Program Files\Movie Maker
2007-06-28 02:58 <DIR> d-------- C:\Program Files\Common Files\MSSoap
2007-06-28 02:57 73,472 --a------ C:\WINNT\system32\drivers\sr.sys
2007-06-28 02:57 67,584 --a------ C:\WINNT\system32\srclient.dll
2007-06-28 02:57 45,568 --a------ C:\WINNT\system32\safrslv.dll
2007-06-28 02:57 43,520 --a------ C:\WINNT\system32\safrcdlg.dll
2007-06-28 02:57 43,520 --a------ C:\WINNT\system32\racpldlg.dll
2007-06-28 02:57 32,768 --a------ C:\WINNT\system32\isrdbg32.dll
2007-06-28 02:57 29,696 --a------ C:\WINNT\system32\safrdm.dll
2007-06-28 02:57 239,104 --a------ C:\WINNT\system32\srrstr.dll
2007-06-28 02:57 190,976 --a------ C:\WINNT\system32\schedsvc.dll
2007-06-28 02:57 170,496 --a------ C:\WINNT\system32\srsvc.dll
2007-06-28 02:57 <DIR> d-------- C:\WINNT\system32\Restore
2007-06-28 02:54 93,696 --a------ C:\WINNT\system32\tscfgwmi.dll
2007-06-28 02:54 9,728 --a------ C:\WINNT\system32\rwnh.dll
2007-06-28 02:54 9,728 --a------ C:\WINNT\system32\reset.exe
2007-06-28 02:54 87,176 --a------ C:\WINNT\system32\rdpwsx.dll
2007-06-28 02:54 8,704 --a------ C:\WINNT\system32\fxsperf.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-11 14:38:46 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-07-07 02:31:57 -------- d-----w C:\Program Files\Accessories
2007-06-29 20:02:13 -------- d-----w C:\Program Files\Yamp 2.3
2007-06-29 19:49:14 -------- d-----w C:\Program Files\Nero
2007-06-29 18:42:13 -------- d-----w C:\Program Files\Common Files\Ahead
2007-06-28 06:57:08 22,924 ----a-w C:\WINNT\system32\emptyregdb.dat
2007-06-28 06:54:48 -------- d-----w C:\Program Files\Windows NT
2007-06-28 06:52:56 81,920 ----a-w C:\WINNT\system32\OpenAL32.dll
2007-06-28 06:52:56 233,472 ----a-w C:\WINNT\system32\wrap_oal.dll
2007-06-04 19:18:48 9,344 ----a-w C:\WINNT\system32\drivers\NSDriver.sys
2007-06-04 19:17:02 8,320 ----a-w C:\WINNT\system32\drivers\AWRTRD.sys
2007-06-04 19:14:56 6,272 ----a-w C:\WINNT\system32\drivers\AWRTPD.sys
2007-04-17 02:47:36 33,624 ----a-w C:\WINNT\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINNT\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINNT\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINNT\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINNT\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINNT\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINNT\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINNT\system32\wups2.dll
2007-04-13 19:19:52 7,680 ----a-w C:\WINNT\system32\lsdelete.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20AD49A2-94F3-42bD-F434-2604812C897C}]
2007-07-06 22:12 10000 --a------ C:\WINNT\system32\jkxdf84ndf.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-08-25 13:52]
"CTHelper"="CTHELPER.EXE" [2005-10-22 12:00 C:\WINNT\CTHELPER.EXE]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-11 16:26]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SetDefaultMIDI"="MIDIDef.exe" [2005-10-22 11:46 C:\WINNT\MIDIDEF.EXE]
"Bear"="C:\WINNT\system32\MCROSO~1.NET\services.exe" []
"Ptpe"="C:\DOCUME~1\ADMINI~1\APPLIC~1\SSTEM3~1\winlogon.exe" []
"XP restart system"="" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"^SetupICWDesktop"=C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop
"SetDefaultMIDI"=MIDIDEF.EXE /s:'Creative SoundFont Synthesizer' /w:'SB Audigy'
"tscuninstall"=%systemroot%\system32\tscupgrd.exe

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{20AD49A2-94F3-42bD-F434-2604812C897C}"="C:\WINNT\system32\jkxdf84ndf.dll" [2007-07-06 22:12]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autorun]
C:\Documents and Settings\Administrator\svchost.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTDrive]
rundll32.exe C:\WINNT\system32\drvvun.dll,startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\icq.com]
rundll32.exe "C:\WINNT\system32\bwgdhwth.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Synchronization Manager]
mobsync.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\XP restart system]
h


Contents of the 'Scheduled Tasks' folder
2007-07-06 19:40:00 C:\WINNT\tasks\AppleSoftwareUpdate.job

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-11 16:47:53
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-07-11 16:51:19 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-11 16:49

--- E O F ---


SDFix: Version 1.90

Run by Administrator on Wed 07/11/2007 at 04:58 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:
Checking Services:


Restoring Windows Registry Values
Restoring Windows Default Hosts File
Restoring Missing Security Center Service
Restoring Missing SharedAccess Service

Rebooting...


Normal Mode:
Checking Files:

Trojan Files Found:

C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wnset.exe - Deleted
C:\WINNT\system32KBRunOnce2.tm_ - Deleted
C:\WINNT\system32KBRunOnce2.t__ - Deleted
C:\WINNT\system32\KBRunOnce2.t__ - Deleted
C:\WINNT\system32\msdun.dll - Deleted
C:\WINNT\system32\svehost.exe - Deleted



Removing Temp Files...

ADS Check:

C:\WINNT
No streams found.

C:\WINNT\system32
No streams found.

C:\WINNT\system32\svchost.exe
No streams found.

C:\WINNT\system32\ntoskrnl.exe
No streams found.



Final Check:

Remaining Services:
------------------



Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"

Remaining Files:
---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\WINNT\system32\config\default.tmp.LOG
C:\WINNT\system32\config\SAM.tmp.LOG
C:\WINNT\system32\config\SECURITY.tmp.LOG
C:\WINNT\system32\config\software.tmp.LOG
C:\WINNT\system32\config\system.tmp.LOG

Finished


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:06:11 PM, on 7/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\clcl12.exe
D:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\wnset.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Safari\Safari.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: C:\WINNT\system32\jkxdf84ndf.dll - {20AD49A2-94F3-42bD-F434-2604812C897C} - C:\WINNT\system32\jkxdf84ndf.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [clcl12] C:\WINNT\system32\clcl12.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Bear] "C:\WINNT\system32\MCROSO~1.NET\services.exe" -vt yazb
O4 - HKCU\..\Run: [Ptpe] "C:\DOCUME~1\ADMINI~1\APPLIC~1\SSTEM3~1\winlogon.exe" -vt yazb
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174506012109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182822289765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O22 - SharedTaskScheduler: kdg9049i904ktkgtj - {20AD49A2-94F3-42bD-F434-2604812C897C} - C:\WINNT\system32\jkxdf84ndf.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager dmserverRemoteRegistry (dmserverRemoteRegistry) - Unknown owner - C:\WINNT\system32\ahuij.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe

--
End of file - 5318 bytes

 

[cybertech]

Download and run this uninstaller:
http://www.outerinfo.com/OiUninstaller.exe


Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

• 
  Double-click ATF-Cleaner.exe to run the program.
  Under Main choose: Select All
  Click the Empty Selected button.

Click Exit on the Main menu to close the program.



Download and scan with SUPERAntiSpyware Free for Home Users

• Double-click SUPERAntiSpyware.exe and use the default settings for installation.
• An icon will be created on your desktop. Double-click that icon to launch the program.
• If asked to update the program definitions, click "Yes". If not, update the definitions before scanning by selecting "Check for Updates". (If you encounter any problems while downloading the updates, manually download and unzip them from here.)
• Under "Configuration and Preferences", click the Preferences button.
• Click the Scanning Control tab.
• Under Scanner Options make sure the following are checked (leave all others unchecked):
  • Close browsers before scanning.
  • Scan for tracking cookies.
  • Terminate memory threats before quarantining.
• Click the "Close" button to leave the control center screen.
• Back on the main screen, under "Scan for Harmful Software" click Scan your computer.
• On the left, make sure you check C:\Fixed Drive.
• On the right, under "Complete Scan", choose Perform Complete Scan.
• Click "Next" to start the scan. Please be patient while it scans your computer.
• After the scan is complete, a Scan Summary box will appear with potentially harmful items that were detected. Click "OK".
• Make sure everything has a checkmark next to it and click "Next".
• A notification will appear that "Quarantine and Removal is Complete". Click "OK" and then click the "Finish" button to return to the main menu.
• If asked if you want to reboot, click "Yes".
• To retrieve the removal information after reboot, launch SUPERAntispyware again.
  • Click Preferences, then click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • If there are several logs, click the current dated log and press View log. A text file will open in your default text editor.
  • Please copy and paste the Scan Log results in your next reply with a new hijackthis log.
• Click Close to exit the program.

 

[_iTALY]

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 07/12/2007 at 00:53 AM

Application Version : 3.9.1008

Core Rules Database Version : 3268
Trace Rules Database Version: 1279

Scan type : Complete Scan
Total Scan Time : 00:55:53

Memory items scanned : 340
Memory threats detected : 0
Registry items scanned : 5265
Registry threats detected : 31
File items scanned : 74433
File threats detected : 44

Trojan.WinFixer
HKLM\Software\Classes\CLSID\{060377DF-A621-43ED-8F24-B01F0BC26EF5}
HKCR\CLSID\{060377DF-A621-43ED-8F24-B01F0BC26EF5}
HKCR\CLSID\{060377DF-A621-43ED-8F24-B01F0BC26EF5}\InprocServer32
HKCR\CLSID\{060377DF-A621-43ED-8F24-B01F0BC26EF5}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\MLJJH.DLL
HKLM\Software\Classes\CLSID\{36FD7261-A219-42A4-BE3A-570E440286B7}
HKCR\CLSID\{36FD7261-A219-42A4-BE3A-570E440286B7}
HKCR\CLSID\{36FD7261-A219-42A4-BE3A-570E440286B7}\InprocServer32
HKCR\CLSID\{36FD7261-A219-42A4-BE3A-570E440286B7}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{7DF93AFE-B876-4189-8390-0F0173E0041C}
HKCR\CLSID\{7DF93AFE-B876-4189-8390-0F0173E0041C}
HKCR\CLSID\{7DF93AFE-B876-4189-8390-0F0173E0041C}\InprocServer32
HKCR\CLSID\{7DF93AFE-B876-4189-8390-0F0173E0041C}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{B615AED2-C44C-4792-9A80-42AA30E2D4E1}
HKCR\CLSID\{B615AED2-C44C-4792-9A80-42AA30E2D4E1}
HKCR\CLSID\{B615AED2-C44C-4792-9A80-42AA30E2D4E1}\InprocServer32
HKCR\CLSID\{B615AED2-C44C-4792-9A80-42AA30E2D4E1}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{CCE1B637-6E66-455F-8CCC-3F2A0D9482A7}
HKCR\CLSID\{CCE1B637-6E66-455F-8CCC-3F2A0D9482A7}
HKCR\CLSID\{CCE1B637-6E66-455F-8CCC-3F2A0D9482A7}\InprocServer32
HKCR\CLSID\{CCE1B637-6E66-455F-8CCC-3F2A0D9482A7}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{FAFC6538-DFB5-439E-9AE4-E4C374B4DDC3}
HKCR\CLSID\{FAFC6538-DFB5-439E-9AE4-E4C374B4DDC3}
HKCR\CLSID\{FAFC6538-DFB5-439E-9AE4-E4C374B4DDC3}\InprocServer32
HKCR\CLSID\{FAFC6538-DFB5-439E-9AE4-E4C374B4DDC3}\InprocServer32#ThreadingModel

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32#ThreadingModel
C:\WINNT\SYSTEM32\DIDMWNWD.DLL
HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\ADVVPI32.DLL.VIR

Adware.ClickSpring
HKLM\Software\ClickSpring
HKLM\Software\ClickSpring#UBWKR
C:\QOOBOX\QUARANTINE\C\DOCUME~1\ADMINI~1\APPLIC~1\SSTEM3~1\WINLOGON.EXE.VIR
C:\QooBox\Quarantine\C\Program Files\YMBOLS~1\WNLOGO~1.VIR
C:\QooBox\Quarantine\C\WINNT\APPATC~1\OOLSVE~1.VIR
C:\QooBox\Quarantine\C\WINNT\SSTEM~1\NLOOKU~1.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP10\A0011532.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040630.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040631.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040632.EXE

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\ABYNIPKX.EXE
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WCPSVSU.EXE.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP10\A0011533.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP14\A0029614.EXE
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040627.EXE

Trojan.Downloader-Gen/TStamp
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\AXHBIXBM.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\CDEATTXH.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\ERMDGGIE.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\FDOKJYLV.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\LBSRJTBH.EXE.VIR
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\LPDPRPCE.EXE.VIR

Trojan.Downloader-MSDCom32
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\BXCJIZ.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP13\A0026629.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040628.DLL

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\CAVHRBCN.EXE.VIR

Adware.Vundo Variant
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\VTURONO.DLL.VIR
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP13\A0026607.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040661.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP3\A0001067.DLL

Rootkit.ShapeChanger
C:\QOOBOX\QUARANTINE\C\WINNT\SYSTEM32\WINDBG48.SYS.VIR

Adware.ClickSpring/Resident
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP10\A0011542.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP13\A0026625.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP14\A0029620.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP14\A0029621.DLL

Rootkit.Runtime-Installer
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP13\A0025630.EXE

Trojan.Downloader-Gen/HitItQuitIt
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP13\A0026612.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040657.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040658.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040659.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040660.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP17\A0040678.DLL

Trojan.Downloader-Gen/Blah
C:\SYSTEM VOLUME INFORMATION\_RESTORE{6DCD19B8-BC02-49BD-9E5E-38D7B0D30552}\RP13\A0026644.DLL

Adware.ClickSpring/Yazzle
C:\WINNT\PREFETCH\YAZZLE1162OINADMIN.EXE-04B49B8B.PF

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:58:37 AM, on 7/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\WINNT\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\WINNT\CTHELPER.EXE
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINNT\system32\clcl12.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
D:\Program Files\Creative Professional\E-MU PatchMix DSP\EmuPatchMixDSP.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\Program Files\Prevx2\PXAgent.exe
C:\WINNT\system32\wscntfy.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
O2 - BHO: C:\WINNT\system32\jkxdf84ndf.dll - {20AD49A2-94F3-42bD-F434-2604812C897C} - C:\WINNT\system32\jkxdf84ndf.dll (file missing)
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [clcl12] C:\WINNT\system32\clcl12.exe
O4 - HKCU\..\Run: [SetDefaultMIDI] MIDIDef.exe
O4 - HKCU\..\Run: [Bear] "C:\WINNT\system32\MCROSO~1.NET\services.exe" -vt yazb
O4 - HKCU\..\Run: [XP restart system] h
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-20\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [^SetupICWDesktop] C:\Program Files\Internet Explorer\Connection Wizard\icwconn1.exe /desktop (User 'Default user')
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5F5F9FB8-878E-4455-95E0-F64B2314288A} (ijjiPlugin2 Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin11USA.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1174506012109
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1182822289765
O16 - DPF: {CD995117-98E5-4169-9920-6C12D4C0B548} (HGPlugin9USA Class) - http://gamedownload.ijjimax.com/gamedownload/dist/hgstart/HGPlugin9USA.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: kdg9049i904ktkgtj - {20AD49A2-94F3-42bD-F434-2604812C897C} - C:\WINNT\system32\jkxdf84ndf.dll (file missing)
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINNT\system32\Ati2evxx.exe (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINNT\system32\ati2sgag.exe (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Logical Disk Manager dmserverRemoteRegistry (dmserverRemoteRegistry) - Unknown owner - C:\WINNT\system32\ahuij.exe (file missing)
O23 - Service: InCD Helper (InCDsrv) - Unknown owner - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Prevx Agent (PREVXAgent) - Prevx - C:\Program Files\Prevx2\PXAgent.exe

--
End of file - 5250 bytes

 

[cybertech]

Run HJT again and put a check in the following:

O2 - BHO: C:\WINNT\system32\jkxdf84ndf.dll - {20AD49A2-94F3-42bD-F434-2604812C897C} - C:\WINNT\system32\jkxdf84ndf.dll (file missing)
O4 - HKLM\..\Run: [clcl12] C:\WINNT\system32\clcl12.exe
O4 - HKCU\..\Run: [XP restart system] h
O22 - SharedTaskScheduler: kdg9049i904ktkgtj - {20AD49A2-94F3-42bD-F434-2604812C897C} - C:\WINNT\system32\jkxdf84ndf.dll (file missing)
O23 - Service: Logical Disk Manager dmserverRemoteRegistry (dmserverRemoteRegistry) - Unknown owner - C:\WINNT\system32\ahuij.exe (file missing)

Close all applications and browser windows before you click "fix checked".



Please download the OTMoveIt by OldTimer.

• Save it to your desktop.
• Please double-click OTMoveIt.exe to run it.
• Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
  
  C:\WINNT\system32\clcl12.exe
  C:\WINNT\system32\ahuij.exe
  C:\WINDOWS\SYSTEM32\drvvun.dll
  C:\WINNT\system32\bwgdhwth.dll
  
  
• Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
• Click the red Moveit! button.
• Close OTMoveIt

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


Download WinPFind3U.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.

• In the Processes group click ALL
• In the Win32 Services group click ALL
• In the Driver Services group click ALL
• In the Registry group click ALL
• In the Files Created Within group click 60 days Make sure Non-Microsoft only is UNCHECKED
• In the Files Modified Within group select 30 days Make sure Non-Microsoft only is UNCHECKED
• In the File String Search group select ALL
• in the Additional scans sections please press select ALL
• Now click the Run Scan button on the toolbar.
• The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
• When the scan is complete Notepad will open with the report file loaded in it.
• Save that notepad file but click on the "Format" menu and make sure that "word wrap" is not checked. If it is then click on it to uncheck it.

Please post the resulting log here as an attachment.

• Click on the orange Post a Reply! button
• scroll down to Manage Attachments
• Click in the box that says Upload File from your Computer
• Click the Browse... button and find the file then click open
• Click the Upload button
• Wait until you see Current Attachment and your file name
• Click on Close this window
• Then submit the reply.

 

[_iTALY]

im getting the "Your file of 555.6 KB bytes exceeds the forum's limit of 500.0 KB for this filetype."

i cant attach the file >.> what should i do ?
btw thanks for all the help so far !

 

[cybertech]

Please post the resulting log here as an attachment.

• Click on the orange Post a Reply! button
• scroll down to Manage Attachments
• Click in the box that says Upload File from your Computer
• Click the Browse... button and find the file then click open
• Click the Upload button
• Wait until you see Current Attachment and your file name
• Click on Close this window
• Then submit the reply.

 

[_iTALY]

i have followed these instructions each time, but i am not allowed to upload .txt files this large

.. i switched browers and all
the forum wont let me upload anything larger than 500kb
my file is 55.6kb too large

any suggestions

 

[cybertech]

I'll PM you with my e-mail address

 

[_iTALY]

ok
.. i sent the email to ya

 

[cybertech]

 

[cybertech]

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Files/Folders - Created Within 60 days]
NY -> biwstjkx.dll -> %System32%\biwstjkx.dll
NY -> cwidlcny.dll -> %System32%\cwidlcny.dll
NY -> dicopydl.ini -> %System32%\dicopydl.ini
NY -> edufpwmc.ini -> %System32%\edufpwmc.ini
NY -> eglelhdw.dll -> %System32%\eglelhdw.dll
NY -> hehqkjwd.dll -> %System32%\hehqkjwd.dll
NY -> hloctjyn.dll -> %System32%\hloctjyn.dll
NY -> hodxnupt.ini -> %System32%\hodxnupt.ini
NY -> intacxcm.ini -> %System32%\intacxcm.ini
NY -> knupunps.ini -> %System32%\knupunps.ini
NY -> lofjspew.ini -> %System32%\lofjspew.ini
NY -> lxtdlwdp.dll -> %System32%\lxtdlwdp.dll
NY -> mcrh.tmp -> %System32%\mcrh.tmp
NY -> mdfumqrp.dll -> %System32%\mdfumqrp.dll
NY -> mlfcache.dat -> %System32%\mlfcache.dat
NY -> pbesghvn.ini -> %System32%\pbesghvn.ini
NY -> qfkbgkac.dll -> %System32%\qfkbgkac.dll
NY -> qgvdonpe.dll -> %System32%\qgvdonpe.dll
NY -> qqwumcse.dll -> %System32%\qqwumcse.dll
NY -> rslwvrxv.dll -> %System32%\rslwvrxv.dll
NY -> subexwdn.ini -> %System32%\subexwdn.ini
NY -> wloxnrij.ini -> %System32%\wloxnrij.ini
NY -> wywpvfui.ini -> %System32%\wywpvfui.ini
NY -> X2 -> %System32%\X2
NY -> X3 -> %System32%\X3
NY -> X4 -> %System32%\X4
NY -> X9 -> %System32%\X9
NY -> xcknhgxr.ini -> %System32%\xcknhgxr.ini
NY -> xxnaovka.dll -> %System32%\xxnaovka.dll
NY -> xyucnkby.dll -> %System32%\xyucnkby.dll
[Files/Folders - Modified Within 30 days]
NY -> ahkktftt.ini -> %System32%\ahkktftt.ini

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan.

I will review the information when it comes back in.

 

[_iTALY]

log after pressing Run Fix
[Files/Folders - Created Within 60 days]
File C:\WINNT\SYSTEM32\biwstjkx.dll not found!
File C:\WINNT\SYSTEM32\cwidlcny.dll not found!
C:\WINNT\SYSTEM32\dicopydl.ini moved successfully.
C:\WINNT\SYSTEM32\edufpwmc.ini moved successfully.
File C:\WINNT\SYSTEM32\eglelhdw.dll not found!
File C:\WINNT\SYSTEM32\hehqkjwd.dll not found!
File C:\WINNT\SYSTEM32\hloctjyn.dll not found!
C:\WINNT\SYSTEM32\hodxnupt.ini moved successfully.
C:\WINNT\SYSTEM32\intacxcm.ini moved successfully.
C:\WINNT\SYSTEM32\knupunps.ini moved successfully.
C:\WINNT\SYSTEM32\lofjspew.ini moved successfully.
C:\WINNT\SYSTEM32\lxtdlwdp.dll moved successfully.
C:\WINNT\SYSTEM32\mcrh.tmp moved successfully.
File C:\WINNT\SYSTEM32\mdfumqrp.dll not found!
C:\WINNT\SYSTEM32\mlfcache.dat moved successfully.
C:\WINNT\SYSTEM32\pbesghvn.ini moved successfully.
File C:\WINNT\SYSTEM32\qfkbgkac.dll not found!
File C:\WINNT\SYSTEM32\qgvdonpe.dll not found!
C:\WINNT\SYSTEM32\qqwumcse.dll moved successfully.
File C:\WINNT\SYSTEM32\rslwvrxv.dll not found!
C:\WINNT\SYSTEM32\subexwdn.ini moved successfully.
C:\WINNT\SYSTEM32\wloxnrij.ini moved successfully.
C:\WINNT\SYSTEM32\wywpvfui.ini moved successfully.
C:\WINNT\SYSTEM32\X2 moved successfully.
C:\WINNT\SYSTEM32\X3 moved successfully.
C:\WINNT\SYSTEM32\X4 moved successfully.
C:\WINNT\SYSTEM32\X9 moved successfully.
C:\WINNT\SYSTEM32\xcknhgxr.ini moved successfully.
C:\WINNT\SYSTEM32\xxnaovka.dll moved successfully.
File C:\WINNT\SYSTEM32\xyucnkby.dll not found!
[Files/Folders - Modified Within 30 days]
C:\WINNT\SYSTEM32\ahkktftt.ini moved successfully.
< End of log >
Created on 07/14/2007 23:41:08

.. the new Log was emailed