
Solved: Vundo Virus Infection

Discussion in 'Virus & Other Malware Removal' started by dander49, Jul 18, 2007.

  1. dander49

    dander49 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    3
    I was infected with what appears to be the Vundo Virus a number of days ago. Trend Micro's PC-cillin pops up alerts saying that it has found a possible Vundo-1 virus in files such as c:\Windows\mljgh.dll

    I tried to glean information from various forums about this type of virus and ended up downloading a copy of VundoFix and removing the file, but it would just come back as a different file such as jkkjk.dll, and currently it's finding mljgg.dll.

    I had removed some toolbars that were installed on my system. When I visit websites the system now brings up another browser with ads displayed in it.

    I am not really sure exactly what actions I can take that will get rid of everything hiding on the system so it doesn't come back.

    I am attaching my HijackThis log. Any help to guide me through this would be greatly appreciated:

    Logfile of HijackThis v1.99.1
    Scan saved at 9:14:44 PM, on 7/18/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\ehome\ehtray.exe
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\system32\WLTRAY.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
    C:\WINDOWS\eHome\ehmsas.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
    C:\Program Files\Cobian Backup 8\cbInterface.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Exec\sendToBack\SENDBK.EXE
    C:\Program Files\VersionBackup\VBackRun.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\system32\taskmgr.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Documents and Settings\darin\Desktop\HijackThis.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tsc.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070220
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/home/browser/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070220
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
    O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\avouaeen.dll",forkonce
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SENDBK.EXE.lnk = C:\Program Files\Exec\sendToBack\SENDBK.EXE
    O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O15 - Trusted Zone: *.amaena.com
    O15 - Trusted Zone: *.drivecleaner.com
    O15 - Trusted Zone: *.errorprotector.com
    O15 - Trusted Zone: *.errorsafe.com
    O15 - Trusted Zone: *.imagesrvr.com
    O15 - Trusted Zone: *.systemdoctor.com
    O15 - Trusted Zone: *.winantispyware.com
    O15 - Trusted Zone: *.winantivirus.com
    O15 - Trusted Zone: *.winfixer.com
    O15 - Trusted Zone: *.amaena.com (HKLM)
    O15 - Trusted Zone: *.drivecleaner.com (HKLM)
    O15 - Trusted Zone: *.errorprotector.com (HKLM)
    O15 - Trusted Zone: *.errorsafe.com (HKLM)
    O15 - Trusted Zone: *.imageservr.com (HKLM)
    O15 - Trusted Zone: *.imagesrvr.com (HKLM)
    O15 - Trusted Zone: *.systemdoctor.com (HKLM)
    O15 - Trusted Zone: *.winantispyware.com (HKLM)
    O15 - Trusted Zone: *.winantivirus.com (HKLM)
    O15 - Trusted Zone: *.winfixer.com (HKLM)
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
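A way to triage a HijackThis log like the one above mechanically, as an added example that is not the forum's, HijackThis's or VundoFix's own code: it parses the `Rn`/`On` entry format, flags every O15 Trusted Zone entry (high when the domain is one of the rogue-security-software names listed in the log, otherwise review), flags O4 Run entries that load a DLL from the Windows system directory through rundll32.exe (the `[icq.com]` entry above), and lists the O20 AppInit_DLLs value for review. The domain set and the sample lines are copied from the poster's log; `*.example.test` is a constructed host added to show the lower-severity path.

```python
"""Triage a HijackThis-style log for the indicators discussed in this thread.

Added example, not code from Tech Support Guy, HijackThis or VundoFix. It
flags three things visible in the log posted above: O15 Trusted Zone
entries, O4 Run entries that launch a DLL from the Windows system directory
through rundll32.exe, and O20 AppInit_DLLs entries.
"""
import re

# Domains copied from the poster's O15 section. Any O15 entry is worth a
# look on a home machine; these names only make the finding more specific.
ROGUE_TRUSTED_DOMAINS = {
    "amaena.com", "drivecleaner.com", "errorprotector.com", "errorsafe.com",
    "imagesrvr.com", "imageservr.com", "systemdoctor.com",
    "winantispyware.com", "winantivirus.com", "winfixer.com",
}

# "O15 - Trusted Zone: *.winfixer.com (HKLM)" -> section "O15", body after " - "
LINE_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
O15_RE = re.compile(r"^Trusted Zone: (?P<host>\S+)(?: \((?P<hive>HKLM)\))?$")
O4_RE = re.compile(r"^(?P<hive>HK[CL][UM])\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
RUNDLL_RE = re.compile(
    r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<entry>\S+))?', re.I)
SYSTEM_DIR_RE = re.compile(r"^[a-z]:\\windows\\system32\\[^\\]+$", re.I)

# Constructed sample: lines taken from the poster's log plus one made-up
# Trusted Zone host (*.example.test) to exercise the lower-severity path.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\system32\avouaeen.dll",forkonce
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O15 - Trusted Zone: *.winfixer.com
O15 - Trusted Zone: *.winfixer.com (HKLM)
O15 - Trusted Zone: *.example.test
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
"""


def parse_line(line):
    """Split one HijackThis entry into (section, body); None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    return (m.group("section"), m.group("body")) if m else None


def triage(log_text):
    """Return (severity, section, detail) findings for every flagged entry."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_line(raw)
        if parsed is None:
            continue
        section, body = parsed
        if section == "O15":
            m = O15_RE.match(body)
            host = m.group("host") if m else body
            bare = host.lower().lstrip("*.")
            severity = "high" if bare in ROGUE_TRUSTED_DOMAINS else "review"
            findings.append((severity, section, f"Trusted Zone entry {host}"))
        elif section == "O4":
            m = O4_RE.match(body)
            if m is None:
                continue  # Global Startup shortcuts are not handled here
            r = RUNDLL_RE.search(m.group("cmd"))
            if r and SYSTEM_DIR_RE.match(r.group("dll")):
                entry = f" ({r.group('entry')})" if r.group("entry") else ""
                findings.append(("high", section,
                                 f"[{m.group('name')}] loads {r.group('dll')} via rundll32{entry}"))
        elif section == "O20" and body.startswith("AppInit_DLLs:"):
            findings.append(("review", section, body))
    return findings


def count_by_severity(findings):
    """Tally findings per severity so a reply can lead with the worst items."""
    counts = {}
    for severity, _, _ in findings:
        counts[severity] = counts.get(severity, 0) + 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for severity, section, detail in results:
        print(f"{severity:6} {section:4} {detail}")
    print(count_by_severity(results))
```

The O4 check deliberately keys on the loader (rundll32.exe pointing at a DLL in system32) rather than on the DLL's name, because, as the poster observed, the Vundo component is renamed on every reinfection (mljgh.dll, jkkjk.dll, mljgg.dll), so a name list would be stale by the time it is written.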
     
  2. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, dander49. :)

    Welcome to TSG.

    RIGHT-CLICK HERE and Save As (in IE it's "Save Target As") in order to download DelDomains.inf to your desktop. Once downloaded, RIGHT-CLICK DelDomains.inf and select: Install (no need to restart)

    Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

    Your Java seems to be out of date. Older versions have vulnerabilities that malware can use to infect your system. Please follow these steps to remove older versions of Java components and upgrade the application. Beware that it is NOT supported for use on 9x or ME and probably will not install on those systems.

    Upgrading Java:
    • Download the latest version of Java Runtime Environment (JRE) 6u2.
    • Scroll down to where it says "The J2SE Runtime Environment (JRE) allows end-users to run Java applications".
    • Click the "Download" button to the right.
    • Check the box that says: "Accept License Agreement".
    • The page will refresh.
    • Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
    • Close any programs you may have running - especially your web browser.
    • Go to Start > Control Panel, double-click on Add/Remove programs and remove all older versions of Java.
    • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    • Click the Remove or Change/Remove button.
    • Repeat as many times as necessary to remove each Java version.
    • Reboot your computer once all Java components are removed.
    • Then from your desktop double-click on the download to install the newest version.

    Please download VundoFix.exe to your desktop.

    Note: In the event you already have Vundofix, this is a new version that I need you to download.
    • Double-click VundoFix.exe to run it.
    • You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    • When VundoFix re-opens, click the Scan for Vundo button.
    • Once it's done scanning, click the Remove Vundo button.
    • You will receive a prompt asking if you want to remove the files, click YES
    • Once you click yes, your desktop will go blank as it starts removing Vundo.
    • When completed, it will prompt that it will shutdown your computer, click OK.
    • Turn your computer back on.
    • Please post the contents of C:\vundofix.txt in your next reply.
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Download ComboFix from Here or Here to your Desktop.

    Note: In the event you already have Combofix, this is a new version that I need you to download.
    • Double click combofix.exe and follow the prompts.
    • When finished, it shall produce a log for you. Post that log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    Download Superantispyware (SAS)
    1. Install it and double-click the icon on your desktop to run it.
    2. It will ask if you want to update the program definitions, click Yes.
    3. Under Configuration and Preferences, click the Preferences button.
    4. Click the Scanning Control tab.
    5. Under Scanner Options make sure the following are checked:
      • Close browsers before scanning
      • Scan for tracking cookies
      • Terminate memory threats before quarantining.
      • Please leave the others unchecked.
      • Click the Close button to leave the control center screen.
    6. On the main screen, under Scan for Harmful Software click Scan your computer.
    7. On the left check C:\Fixed Drive.
    8. On the right, under Complete Scan, choose Perform Complete Scan.
    9. Click Next to start the scan. Please be patient while it scans your computer.
    10. After the scan is complete a summary box will appear. Click OK.
    11. Make sure everything in the white box has a check next to it, then click Next.
    12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
    13. To retrieve the removal information, please do the following:
      • After reboot, double-click the SUPERAntispyware icon on your desktop.
      • Click Preferences. Click the Statistics/Logs tab.
      • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
      • It will open in your default text editor (such as Notepad/Wordpad).
      • Please highlight everything in the notepad, then right-click and choose copy.
    14. Click close and close again to exit the program.
    15. Please paste that information in your next reply along with a fresh HijackThis log.
     
  3. dander49

    dander49 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    3
    Thank you very much for the quick reply. Here are the results of what I ran. My VundoFix claims I still have Java 5 but I removed it and installed Java 6. I only see Java 6 now in my add programs list so I am not sure why the VundoFix still finds Java 5.

    So here are the logs:


    ============================================
    VundoFix
    ============================================

    VundoFix V6.5.6

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 11:02:59 PM 7/18/2007

    Listing files found while scanning....

    C:\windows\system32\avouaeen.dll
    C:\WINDOWS\SYSTEM32\JALUFSIE.DLL
    C:\windows\system32\neeauova.ini

    Beginning removal...

    Attempting to delete C:\windows\system32\avouaeen.dll
    C:\windows\system32\avouaeen.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\JALUFSIE.DLL
    C:\WINDOWS\SYSTEM32\JALUFSIE.DLL Has been deleted!

    Attempting to delete C:\windows\system32\neeauova.ini
    C:\windows\system32\neeauova.ini Has been deleted!

    Performing Repairs to the registry.
    Done!

    ============================================
    ComboFix
    ==========================================

    "darin" - 2007-07-18 23:08:23 - ComboFix 07-07-17.8 - Service Pack 2 NTFS


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\awtrrpo.dll
    C:\WINDOWS\system32\awtrrpo.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
    C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
    C:\home.\ppatch~1
    C:\Program Files\Common Files\lagus.dll
    C:\Program Files\Common Files\lagus125.dll
    C:\Program Files\Common Files\lagus169.dll
    C:\Program Files\Common Files\lagus222.dll
    C:\Program Files\Common Files\lagus503.dll
    C:\Program Files\Common Files\lagus510.dll
    C:\Program Files\Common Files\lagus523.dll
    C:\Program Files\Common Files\lagus712.dll
    C:\Program Files\Common Files\lagus968.dll
    C:\temp\tn3
    C:\WINDOWS\system32\B0
    C:\WINDOWS\system32\B0\mwspasrt83122.exe
    C:\WINDOWS\system32\B1
    C:\WINDOWS\system32\B1\wr73.exe
    C:\WINDOWS\system32\B2
    C:\WINDOWS\system32\B2\st2.exe
    C:\WINDOWS\system32\B5
    C:\WINDOWS\system32\drivers\core.cache.dsk
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\drivers\fopn.sys
    C:\WINDOWS\tk58.exe
    C:\WINDOWS\wr.txt


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_CORE
    -------\core


    ((((((((((((((((((((((((( Files Created from 2007-06-19 to 2007-07-19 )))))))))))))))))))))))))))))))


    2007-07-18 23:07 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-18 22:23 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\SUPERAntiSpyware.com
    2007-07-18 22:21 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
    2007-07-18 22:21 <DIR> d-------- C:\DOCUME~1\darin\APPLIC~1\SUPERAntiSpyware.com
    2007-07-18 22:20 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-18 20:28 <DIR> d-------- C:\!KillBox
    2007-07-18 20:22 1,792,221 ---hs---- C:\WINDOWS\system32\gjjlm.bak2
    2007-07-16 23:40 6,369 ---hs---- C:\WINDOWS\system32\gjjlm.bak1
    2007-07-15 20:43 <DIR> d-------- C:\VundoFix Backups
    2007-07-14 23:15 <DIR> d-------- C:\WINDOWS\system32\driver
    2007-07-14 23:15 <DIR> d-------- C:\WINDOWS\system32\b02FdUe
    2007-07-14 23:15 <DIR> d-------- C:\Temp\brr
    2007-07-14 23:15 <DIR> d-------- C:\Temp\0c2
    2007-07-14 23:15 <DIR> d-------- C:\Temp


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-19 03:01:31 246 ----a-w C:\Program Files\Common Files\lagus125
    2007-06-29 01:36:50 -------- d-----w C:\Program Files\PokerStars
    2007-06-13 00:00:54 203,024 ----a-w C:\WINDOWS\system32\drivers\tmxpflt.sys
    2007-06-13 00:00:50 36,112 ----a-w C:\WINDOWS\system32\drivers\tmpreflt.sys
    2007-06-12 23:52:00 1,126,328 ----a-w C:\WINDOWS\system32\drivers\vsapint.sys
    2007-06-01 01:47:33 -------- d-----w C:\Program Files\del.icio.us
    2007-05-23 01:54:04 -------- d-----w C:\DOCUME~1\darin\APPLIC~1\SSH
    2007-05-23 01:45:41 -------- d-----w C:\Program Files\Exec
    2007-05-23 01:45:12 -------- d-----w C:\Program Files\WS_FTP
    2007-05-23 00:56:49 -------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-05-23 00:56:49 -------- d-----w C:\Program Files\SSH Communications Security
    2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
    2007-05-12 03:49:28 1,156 ----a-w C:\WINDOWS\mozver.dat
    2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]
    2007-07-12 04:00 501136 --a------ C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2006-03-08 12:48]
    "SigmatelSysTrayApp"="stsystra.exe" [2006-03-24 17:30 C:\WINDOWS\stsystra.exe]
    "ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" [2006-01-02 18:41]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\quickset.exe" [2006-08-03 19:51]
    "pccguide.exe"="C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe" [2006-11-21 15:02]
    "Google Desktop Search"="C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" [2007-02-20 21:02]
    "PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2006-08-22 16:32]
    "Device Detector"="DevDetect.exe" []
    "Cobian Backup 8 interface"="C:\Program Files\Cobian Backup 8\cbInterface.exe" [2007-03-21 00:35]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-02-20 21:01]
    "TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-05-02 21:29]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2007-07-12 04:00]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ModemOnHold"="C:\Program Files\NetWaiting\netWaiting.exe" [2003-09-10 03:24]
    "OE_OEM"="C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe" [2006-08-04 17:15]
    "DellSupport"="C:\Program Files\Dell Support\DSAgnt.exe" [2006-08-28 22:57]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-10 06:00]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-03-24 00:34]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 11:24]
    "Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe" [2007-03-01 18:11]
    "DW4"="C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe" [2007-03-16 07:51]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

    C:\DOCUME~1\ALLUSE~1\STARTM~1\Programs\Startup
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 23:05:26]
    Bluetooth.lnk - C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe [2006-05-24 19:28:28]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-02-20 20:56:07]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-02-17 15:05:56]
    SENDBK.EXE.lnk - C:\Program Files\Exec\sendToBack\SENDBK.EXE [2007-03-24 22:38:32]
    VersionBackup.lnk - C:\Program Files\VersionBackup\VersionBackup.exe [2007-03-30 20:04:23]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "InstallVisualStyle"=C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
    "InstallTheme"=C:\WINDOWS\Resources\Themes\Royale.theme

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{DCD53738-C4F9-414A-A03C-C7405A4AC844}"="C:\WINDOWS\SYSTEM32\EFCCAYV.DLL" []
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"="C:\Program Files\SUPERAntiSpyware\SASSEH.DLL" [2006-12-20 13:55]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll --a------ 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    AutoRun\command- E:\setup.exe


    **************************************************************************

    catchme 0.3.1040 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-18 23:12:38
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden registry entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-18 23:14:50 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-18 23:14

    --- E O F ---

    ==============================================
    ComboFix Quarantine
    ==============================================

    2007-06-19 01:00      115606    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\B0\mwspasrt83122.exe.vir
    2007-07-11 19:13      9814    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\B1\wr73.exe.vir
    2007-07-11 19:54      86056    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\B2\st2.exe.vir
    2007-07-14 23:15      164787    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.cache.dsk.vir
    2007-07-14 23:15      72832    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\core.sys.vir
    2007-07-14 23:16      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus.dll.vir
    2007-07-14 23:24      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\awtrrpo.dll.vir
    2007-07-14 23:37      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus222.dll.vir
    2007-07-14 23:39      20    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\ProductCode.vir
    2007-07-14 23:39      5    --a------    C:\Qoobox\Quarantine\C\DOCUME~1\ALLUSE~1\APPLIC~1\WinAntiSpyware 2007\Data\Abbr.vir
    2007-07-14 23:39      79872    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\FOPN.sys.vir
    2007-07-15 00:45      281    --a------    C:\Qoobox\Quarantine\C\WINDOWS\wr.txt.vir
    2007-07-15 04:48      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus510.dll.vir
    2007-07-15 05:18      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus968.dll.vir
    2007-07-15 21:22      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus503.dll.vir
    2007-07-15 21:59      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus712.dll.vir
    2007-07-15 22:07      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus523.dll.vir
    2007-07-16 23:18      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus169.dll.vir
    2007-07-16 23:37      135168    --a------    C:\Qoobox\Quarantine\C\WINDOWS\tk58.exe.vir
    2007-07-16 23:37      70144    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\lagus125.dll.vir
    2007-07-18 23:10      1220    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_CORE.reg.cf
    2007-07-18 23:10      163    --a------    C:\Qoobox\Quarantine\catchme.log
    2007-07-18 23:10      54674    --a------    C:\Qoobox\Quarantine\catchme2007-07-18_231237.29.zip
    2007-07-18 23:10      994    --a------    C:\Qoobox\Quarantine\Registry_backups\services_core.reg.cf
    
    
    Folder PATH listing
    Volume serial number is C857-F0B0
    C:\QOOBOX
    \---Quarantine
        |   catchme.log
        |   catchme2007-07-18_231237.29.zip
        |   
        +---C
        |   +---DOCUME~1
        |   |   \---ALLUSE~1
        |   |       \---APPLIC~1
        |   |           \---WinAntiSpyware 2007
        |   |               \---Data
        |   |                       Abbr.vir
        |   |                       ProductCode.vir
        |   |                       
        |   +---Program Files
        |   |   \---Common Files
        |   |           lagus.dll.vir
        |   |           lagus125.dll.vir
        |   |           lagus169.dll.vir
        |   |           lagus222.dll.vir
        |   |           lagus503.dll.vir
        |   |           lagus510.dll.vir
        |   |           lagus523.dll.vir
        |   |           lagus712.dll.vir
        |   |           lagus968.dll.vir
        |   |           
        |   \---WINDOWS
        |       |   tk58.exe.vir
        |       |   wr.txt.vir
        |       |   
        |       \---system32
        |           |   awtrrpo.dll.vir
        |           |   
        |           +---B0
        |           |       mwspasrt83122.exe.vir
        |           |       
        |           +---B1
        |           |       wr73.exe.vir
        |           |       
        |           +---B2
        |           |       st2.exe.vir
        |           |       
        |           \---drivers
        |                   core.cache.dsk.vir
        |                   core.sys.vir
        |                   FOPN.sys.vir
        |                   
        \---Registry_backups
                LEGACY_CORE.reg.cf
                services_core.reg.cf
                
    

    =============================================
    SuperAntiSpyWare
    =============================================


    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/19/2007 at 00:08 AM

    Application Version : 3.9.1008

    Core Rules Database Version : 3271
    Trace Rules Database Version: 1282

    Scan type : Complete Scan
    Total Scan Time : 00:47:48

    Memory items scanned : 664
    Memory threats detected : 0
    Registry items scanned : 5461
    Registry threats detected : 41
    File items scanned : 54669
    File threats detected : 50

    Trojan.WinFixer
    HKLM\Software\Classes\CLSID\{5BDA231B-A1C7-4D82-9869-85FB2BCC9EA5}
    HKCR\CLSID\{5BDA231B-A1C7-4D82-9869-85FB2BCC9EA5}
    HKCR\CLSID\{5BDA231B-A1C7-4D82-9869-85FB2BCC9EA5}\InprocServer32
    HKCR\CLSID\{5BDA231B-A1C7-4D82-9869-85FB2BCC9EA5}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\MLJJG.DLL

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{61243CCF-044C-44C8-BADC-166D571109A2}
    HKCR\CLSID\{61243CCF-044C-44C8-BADC-166D571109A2}
    HKCR\CLSID\{61243CCF-044C-44C8-BADC-166D571109A2}\InprocServer32
    HKCR\CLSID\{61243CCF-044C-44C8-BADC-166D571109A2}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\PMNLM.DLL
    HKLM\Software\Classes\CLSID\{6FF9C085-7861-462F-875D-45D53F35A3A3}
    HKCR\CLSID\{6FF9C085-7861-462F-875D-45D53F35A3A3}
    HKCR\CLSID\{6FF9C085-7861-462F-875D-45D53F35A3A3}\InprocServer32
    HKCR\CLSID\{6FF9C085-7861-462F-875D-45D53F35A3A3}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\JKKJK.DLL
    HKLM\Software\Classes\CLSID\{F27446E4-A53B-4A23-91D0-7C105183D49D}
    HKCR\CLSID\{F27446E4-A53B-4A23-91D0-7C105183D49D}
    HKCR\CLSID\{F27446E4-A53B-4A23-91D0-7C105183D49D}\InprocServer32
    HKCR\CLSID\{F27446E4-A53B-4A23-91D0-7C105183D49D}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\MLJGH.DLL
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\AWTRRPO.DLL.VIR

    Adware.Mirar/NetNucleus
    HKLM\Software\Classes\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
    HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}
    HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties
    HKCR\CLSID\{9A9C9B68-F908-4AAB-8D0C-10EA8997F37E}\Properties#Ticket
    HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}
    HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid
    HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\ProxyStubClsid32
    HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib
    HKCR\Interface\{1037B06C-84B7-4240-8D80-485810A0497D}\TypeLib#Version
    HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}
    HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid
    HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\ProxyStubClsid32
    HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib
    HKCR\Interface\{54B287F9-FD90-4457-B65E-CB91560C021D}\TypeLib#Version
    HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}
    HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid
    HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\ProxyStubClsid32
    HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib
    HKCR\Interface\{6E4C7AFC-9915-4036-B7F9-8B3F1710788F}\TypeLib#Version
    HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}
    HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0
    HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0
    HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\0\win32
    HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\FLAGS
    HKCR\TypeLib\{566DEDE9-9ED8-45DA-9BE6-9B2EEAB17F49}\1.0\HELPDIR

    Adware.Tracking Cookie

    Malware.Installer-Pkg/Gen
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{26D2C2C3-CF14-4ED7-B1FC-0BE64AFBA3B3}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{3C48F877-A164-45E9-B9DA-26A049FFC207}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6293BC00-4EB8-4C65-8548-53E2FC3BF937}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{651956B7-1969-42AA-9453-E0B813019D54}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{6B6A7665-DB48-4762-AB5D-BEEB9E1CD7FA}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{989E4C3B-B2C9-4486-9A09-D5A8F953837C}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C0A0AA4D-C79B-48CA-8843-2B02B626C9E6}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{C2D8F0E2-6978-4409-8351-BA8785DA11EE}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{D1A6F3FD-7B40-443F-8767-BADB25A0D222}.EXE
    C:\DOCUMENTS AND SETTINGS\ALL USERS\APPLICATION DATA\WILDTANGENT\DELL GAME CONSOLE\DOWNLOADS\INSTALLERS\{E0814F95-5380-4892-B8C8-7FA4B349EF46}.EXE

    Trojan.ZQuest
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS125.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS169.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS222.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS503.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS510.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS523.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS712.DLL.VIR
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\LAGUS968.DLL.VIR

    Trojan.ZQuest-Installer
    C:\QOOBOX\QUARANTINE\C\WINDOWS\TK58.EXE.VIR
    C:\WINDOWS\TK58Q.EXEQ


    =================================================
    Fresh HijackThis Log
    =================================================


    Logfile of HijackThis v1.99.1
    Scan saved at 12:26:07 AM, on 7/19/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\WINDOWS\system32\brsvc01a.exe
    C:\WINDOWS\system32\brss01a.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    C:\WINDOWS\eHome\ehRecvr.exe
    C:\WINDOWS\eHome\ehSched.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\Program Files\Dell\QuickSet\quickset.exe
    C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Common Files\ACD Systems\EN\DevDetect.exe
    C:\Program Files\Cobian Backup 8\cbInterface.exe
    C:\Program Files\Common Files\Real\Update_OB\realsched.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\NetWaiting\netWaiting.exe
    C:\Program Files\Google\Google Desktop Search\GoogleDesktopIndex.exe
    C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe
    C:\Program Files\Dell Support\DSAgnt.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE
    C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\Exec\sendToBack\SENDBK.EXE
    C:\Program Files\VersionBackup\VBackRun.exe
    C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
    C:\WINDOWS\System32\rundll32.exe
    C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
    C:\WINDOWS\system32\taskmgr.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Documents and Settings\darin\Desktop\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/home/browser/index.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk-rel&channel=us&ibd=3070220
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
    O3 - Toolbar: del.icio.us - {981FE6A8-260C-4930-960F-C3BC82746CB0} - C:\Program Files\del.icio.us\Internet Explorer Buttons\dlcsIE.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\quickset.exe
    O4 - HKLM\..\Run: [pccguide.exe] "C:\Program Files\Trend Micro\Internet Security 14\pccguide.exe"
    O4 - HKLM\..\Run: [Google Desktop Search] "C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe" /startup
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [Device Detector] DevDetect.exe -autorun
    O4 - HKLM\..\Run: [Cobian Backup 8 interface] "C:\Program Files\Cobian Backup 8\cbInterface.exe" -service
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKCU\..\Run: [ModemOnHold] C:\Program Files\NetWaiting\netWaiting.exe
    O4 - HKCU\..\Run: [OE_OEM] "C:\Program Files\Trend Micro\Internet Security 14\TMAS_OE\TMAS_OEMon.exe"
    O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
    O4 - HKCU\..\Run: [DW4] "C:\Program Files\The Weather Channel FW\Desktop Weather\DesktopWeather.exe"
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Bluetooth.lnk = ?
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
    O4 - Global Startup: SENDBK.EXE.lnk = C:\Program Files\Exec\sendToBack\SENDBK.EXE
    O4 - Global Startup: VersionBackup.lnk = C:\Program Files\VersionBackup\VersionBackup.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
    O8 - Extra context menu item: Send to &Bluetooth Device... - C:\Program Files\WIDCOMM\Bluetooth Software\btsendto_ie_ctx.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: BrSplService (Brother XP spl Service) - brother Industries Ltd - C:\WINDOWS\system32\brsvc01a.exe
    O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
    O23 - Service: Cobian Backup 8 service (CobBMService) - Luis Cobian - C:\Program Files\Cobian Backup 8\cbService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
    O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
    O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
    O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE


    =================================================

    So how does it look? Am I clean? It seems to run much better and my TrendMicro hasn't been complaining about anything yet.
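To show how a helper reads the O2/O3, O20 and O23 lines of a log like the one above, here is a small triage script. It is an added example for this thread, not HijackThis code and not the helper's own tool; the sample log it runs on is constructed from lines in this thread plus one O2 line built from the scan log's mljgh.dll and its CLSID, and the "random-looking name" rule is a heuristic of mine, not a documented detection.

```python
"""Triage of a HijackThis 1.99-style log (added example, not HijackThis code).
Parses O2/O3 (COM add-ons), O20 (AppInit_DLLs / Winlogon Notify) and O23
(service) lines and flags what a helper checks first: COM DLLs with
random-looking names loaded straight from the Windows or System32 folder
(the Vundo/WinFixer pattern), AppInit_DLLs entries, and services with
"Unknown owner".  Flags are review candidates, not verdicts."""
import re

CLSID = r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}"
PATTERNS = [
    re.compile(r"^(?P<section>O[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
               r"(?P<clsid>%s) - (?P<path>.+)$" % CLSID),
    re.compile(r"^(?P<section>O20) - (?P<name>AppInit_DLLs|Winlogon Notify): (?P<path>.+)$"),
    re.compile(r"^(?P<section>O23) - Service: (?P<name>.*?) - (?P<owner>.*?) - (?P<path>.+)$"),
]

def parse_log(text):
    """Return one dict per recognised line; other HijackThis sections are ignored."""
    entries = []
    for line in text.splitlines():
        for pat in PATTERNS:
            m = pat.match(line.strip())
            if m:
                e = m.groupdict()
                # Winlogon Notify lines read "key - C:\path\to.dll"; split them.
                if e["name"] == "Winlogon Notify" and " - " in e["path"]:
                    e["name"], e["path"] = e["path"].split(" - ", 1)
                entries.append(e)
                break
    return entries

def looks_random_system_dll(path):
    """Heuristic: 5-7 letter stem with under 30% vowels, in Windows or System32."""
    folder, _, fname = path.strip('"').rpartition("\\")
    stem, _, ext = fname.rpartition(".")
    if ext.lower() != "dll" or not re.fullmatch(r"[A-Za-z]{5,7}", stem):
        return False
    if not folder.lower().endswith(("\\windows", "\\windows\\system32")):
        return False
    return sum(c in "aeiou" for c in stem.lower()) / len(stem) < 0.3

def triage(entries):
    """Return (reason, entry) pairs worth a closer look, in log order."""
    findings = []
    for e in entries:
        if e["section"] in ("O2", "O3", "O20") and looks_random_system_dll(e["path"]):
            findings.append(("random-named DLL loaded from the Windows folder", e))
        elif e["section"] == "O20" and e["name"] == "AppInit_DLLs":
            findings.append(("AppInit_DLLs loads into every user32 process; verify vendor", e))
        elif e["section"] == "O23" and e.get("owner", "").lower() == "unknown owner":
            findings.append(("service has no listed owner; verify the binary", e))
    return findings

# Constructed sample: lines from this thread's logs plus one O2 line built
# from the scan log's MLJGH.DLL and its CLSID, to show a hit.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {F27446E4-A53B-4A23-91D0-7C105183D49D} - C:\WINDOWS\system32\mljgh.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
"""

if __name__ == "__main__":
    for reason, e in triage(parse_log(SAMPLE_LOG)):
        print(f"{e['section']:<4}{reason}: {e['path']}")
```

Legitimate entries such as the Dell tray service will still be listed; the point is to shortlist what to look up, not to decide for you.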
     
  4. JSntgRvr

    JSntgRvr Retired Moderator and Malware Specialist

    Joined:
    Jul 1, 2003
    Messages:
    18,552
    First Name:
    José
    Hi, dander49 :)

    • Copy the entire contents of the Quote Box below to Notepad.
    • Name the file as ComboFix-Do.txt
    • Change the Save as Type to All Files
    • and Save it on the desktop
    Code:
    File::
    C:\WINDOWS\system32\gjjlm.bak2
    C:\WINDOWS\system32\gjjlm.bak1
    
    Folder::
    
    
    ADS::
    
    
    Driver::
    
    
    Registry::
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{DCD53738-C4F9-414A-A03C-C7405A4AC844}"=-

    Once saved, referring to the picture above, drag ComboFix-Do.txt into ComboFix.exe.

    The rest looks clear, congratulations.

    Since the tools we used to scan the computer, as well as tools to delete files and folders, are no longer needed, they should be removed, as well as the folders created by these tools.

    Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

    To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

    (Windows XP)

    1. Turn off System Restore.
    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    Check Turn off System Restore.
    Click Apply, and then click OK.

    2. Reboot.

    3. Turn ON System Restore.

    On the Desktop, right-click My Computer.
    Click Properties.
    Click the System Restore tab.
    UN-Check *Turn off System Restore*.
    Click Apply, and then click OK.

    Create a Restore point:
    1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click System Restore.
    2. In the System Restore dialog box, click Create a restore point, and then click Next.
    3. Type a description for your restore point, such as "After Cleanup", then click Create.

    The following is a list of tools and utilities that I like to suggest to people. This list is full of great tools and utilities to help you understand how you got infected and how to keep from getting infected again.
    1. Spybot Search & Destroy - Uber powerful tool which can search and annihilate nasties that make it onto your system. Now with an Immunize section that will help prevent future infections.
    2. AdAware - Another very powerful tool which searches and kills nasties that infect your system. AdAware and Spybot Search & Destroy complement each other very well.
    3. SpywareBlaster - Great prevention tool to keep nasties from installing on your system.
    4. IE-SpyAd - puts over 5000 sites in your restricted zone so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
    5. CleanUP! - Cleans temporary files from IE and Windows, empties the recycle bin and more. Great tool to help speed up your computer and knock out those nasties that like to reside in the temp folders.
    6. Windows Updates - It is very important to make sure that both Internet Explorer and Windows are kept current with the latest critical security patches from Microsoft. To do this just start Internet Explorer and select Tools > Windows Update, and follow the online instructions from there.
    7. Google Toolbar - Free google toolbar that allows you to use the powerful Google search engine from the bar, but also blocks pop up windows.
    8. Trillian or Miranda-IM - These are Malware free Instant Messenger programs which allow you to connect to multiple IM services in one program! (AOL, Yahoo, ICQ, IRC, MSN)
    To find out more information about how you got infected in the first place and some great guidelines to follow to prevent future infections you can read this article by Tony Klein.

    Click Here for some advice from our security experts.

    Please use the thread's Tools and mark this thread as "Solved".

    Best wishes!
     
  5. dander49

    dander49 Thread Starter

    Joined:
    Jul 18, 2007
    Messages:
    3
    Thank you very much for the great and useful guidance. Everything listed here worked exactly as you said which made this far less painful than I feared it would be. Feels good to be clean again. :)

    THANKS AGAIN!!!
     
Short URL to this thread: https://techguy.org/597575