
The computer is heavily damaged...

Buffer overrun detected in normal mode and in Last Known Good Configuration mode.

I guess that is a system error...

Still... some malware thing keeps itself inside cookies, I guess, moreover in Firefox (WinAntivirus).

Anyways...

I need to get rid of the malware thing first.

Please note this is in Last Known Good Configuration.

Do I need to format this computer?

Here are the logs:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 21:56:44, on 02/07/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Ahead\InCD\InCDsrv.exe

C:\WINDOWS\system32\spoolsv.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

C:\WINDOWS\system32\inetsrv\inetinfo.exe

C:\WINDOWS\system32\svchost.exe

C:\Program Files\Canon\CAL\CALMAIN.exe

C:\Program Files\Winamp\winampa.exe

C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

C:\Program Files\Ahead\InCD\InCD.exe

C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

C:\WINDOWS\system32\taskmgr.exe

C:\WINDOWS\system32\lxcfcoms.exe

C:\WINDOWS\System32\svchost.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\WINDOWS\explorer.exe

C:\WINDOWS\explorer.exe

C:\Documents and Settings\Administrator\My Documents\My Local File\Ape-ApeLah\utorrent.exe

C:\Documents and Settings\Administrator\My Documents\My Local File\Ape-ApeLah\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =

R3 - Default URLSearchHook is missing

O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll

O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll

O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe

O4 - HKLM\..\Run: [inCD] C:\Program Files\Ahead\InCD\InCD.exe

O4 - HKLM\..\Run: [Flashget] C:\Program Files\FlashGet\flashget.exe /min

O4 - HKLM\..\Run: [LXCFCATS] rundll32 C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\LXCFtime.dll,_RunDLLEntry@16

O4 - HKCU\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe

O4 - HKCU\..\Run: [utorrent] C:\Documents and Settings\Administrator\Desktop\utorrent.exe

O4 - HKUS\S-1-5-19\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [Free Download Manager] C:\Program Files\Free Download Manager\fdm.exe -autorun (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-19\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-20\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'SYSTEM')

O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [TaskSwitchXP] C:\Program Files\TaskSwitchXP\TaskSwitchXP.exe (User 'Default user')

O4 - HKUS\.DEFAULT\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'Default user')

O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm

O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL

O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe

O17 - HKLM\System\CCS\Services\Tcpip\..\{AC8B89D3-240C-41D5-A91D-CC5BA4A0E886}: NameServer = 202.188.0.133 202.188.1.5

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

O23 - Service: Canon Camera Access Library 8 (CCALib8) - Canon Inc. - C:\Program Files\Canon\CAL\CALMAIN.exe

O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe

O23 - Service: lxcf_device - - C:\WINDOWS\system32\lxcfcoms.exe

--

End of file - 5558 bytes


Why do you think you have winantivirus? What have you done since we cleaned you up a few days ago?

Download RogueRemover (http://www.malwarebytes.org/rogueremoverpro.php), update it and run a scan. Remove anything it finds.

Go to your Add/Remove Programs and uninstall this utorrent.exe.

Put a check in these items in HJT and click fix.

O2 - BHO: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O3 - Toolbar: MEGAUPLOADTOOLBAR - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL

O4 - HKCU\..\Run: [utorrent] C:\Documents and Settings\Administrator\Desktop\utorrent.exe

Reboot and post a new log please.

Please note that in the other topic, I was talking about the computer in my home...

My home PC is in a good state...

This one is about the PC in my office...

Since I am not the only user of my office PC, I cannot figure out what they do with the computer...

Anyways, I guess I will post another reply with a HijackThis log later, on Monday, since I don't have access to the office these two days...

I installed the free version of RogueRemover last Thursday and it does not detect anything...

The WinAntivirus thing pops up in Mozilla rather than IE...

if IE is much trouble...


Ahh I see. You have the same programs as when we cleaned your other computer. RogueRemover should get rid of winantivirus no matter what version you have. There isn't much we can do if you can't access the machine. If anyone is going to be using it between now and when you get back to it, I will need a new log also.

New log...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 9:03:11 AM, on 7/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\Explorer.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\WINDOWS\system32\wscntfy.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\Documents and Settings\user\Desktop\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:mozilla

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://as.starware.com/dp/search?x=wKX1ILE...IUaOOEz785PO5k=

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\conime.exe

O2 - BHO: (no name) - {100EA37C-2B0A-4A01-9A2E-3E4F21B5EAC7} - C:\WINDOWS\system32\sstqr.dll

O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: (no name) - {8A61098D-612B-4EF2-943D-64E920684061} - (no file)

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\mypedauh.dll",realset

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll

O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)

O20 - Winlogon Notify: yaywwvt - yaywwvt.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fjwosjdm.exe (file missing)

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--

End of file - 7716 bytes


OK we have a few things to fix. It would be best to disconnect this PC from any network it's part of and from the Internet if you can while we rid it of the infections. Also don't let anyone else use it. I know that might not be possible but you have some serious infections going on.

First move HijackThis from your desktop to a folder you create, C:\HJT.

Print these instructions because you should not have any browser windows open or be connected to the Internet.

Download VundoFix to your desktop.

* Double-click VundoFix.exe to run it.

* You will receive a message saying VundoFix will close and re-open in a minute or less. Click OK.

* When VundoFix re-opens, click the Scan for Vundo button.

* Once it's done scanning, click the Remove Vundo button.

* You will receive a prompt asking if you want to remove the files; click YES.

* Once you click yes, your desktop will go blank as it starts removing Vundo.

* When completed, it will prompt that it will shutdown your computer, click OK.

* Turn your computer back on.

* Please post the contents of C:\vundofix.txt in your next reply.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

Download ComboFix from Here to your Desktop.

* Double click combofix.exe and follow the prompts.

* When finished, it will produce a log for you. Post that log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post another HiJack This log also.

Just to be clear you will be posting three logs back into this thread. Go ahead and make each log a new reply so you don't run out of space for the post.

I will be gone most of tomorrow until late afternoon my time MDT so be patient, please.
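The helper's triage of the second log above comes down to a handful of rules: a Winlogon Shell value with something chained after Explorer.exe, Winlogon Notify packages that are not part of Windows, services with no publisher and a missing binary, autoruns that call cmd.exe or rundll32 on a random-looking DLL, and unnamed BHOs backed by a real file. The following is an added example, not code from this thread or from HijackThis, that applies those rules to HJT-format lines; the sample input is copied from the log posted above plus a few benign entries for contrast, and the "8 lowercase letters" DLL heuristic is an assumption made here.

```python
"""Triage helper for HijackThis-style log lines (added example, not HJT's own code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Winlogon Notify packages that ship with Windows XP; any other name gets flagged.
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}

# HJT lines look like "O20 - Winlogon Notify: name - path"; R/F/O sections only.
LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
NOTIFY_RE = re.compile(r"Winlogon Notify:\s*(\S+)")
# Assumed heuristic: an 8-letter lowercase DLL directly under system32,
# the naming pattern seen in the log above (e.g. mypedauh.dll).
RANDOM_DLL_RE = re.compile(r"system32\\[a-z]{8}\.dll")


@dataclass
class Finding:
    section: str
    severity: str  # "high" or "medium"
    reason: str
    line: str


def check_line(line: str) -> Optional[Finding]:
    """Apply the triage rules to one log line; return a Finding or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    sec, body = m.group("sec"), m.group("body")
    low = body.lower()

    def hit(severity: str, reason: str) -> Finding:
        return Finding(sec, severity, reason, line.strip())

    if sec == "F2" and "shell=" in low:
        # The Winlogon Shell value should be exactly Explorer.exe; anything
        # appended after it is launched at every logon.
        if low.split("shell=", 1)[1].strip() != "explorer.exe":
            return hit("high", "Winlogon Shell value chains another program after Explorer.exe")
    if sec == "O20":
        nm = NOTIFY_RE.search(body)
        if nm and nm.group(1).lower() not in KNOWN_NOTIFY:
            return hit("high", "unknown Winlogon Notify package (loaded into winlogon.exe)")
    if sec == "O23":
        if "unknown owner" in low and "(file missing)" in low:
            return hit("high", "service with no publisher and a missing binary (likely malware remnant)")
        if "unknown owner" in low:
            return hit("medium", "service with no publisher; verify the binary")
    if sec == "O4":
        if "cmd.exe" in low:
            return hit("medium", "autorun entry invokes cmd.exe")
        if "rundll32" in low and RANDOM_DLL_RE.search(low):
            return hit("medium", "rundll32-hosted DLL with a random-looking name")
    if sec == "O2" and "(no name)" in low and "(no file)" not in low:
        return hit("medium", "unnamed BHO backed by a real file; check its publisher")
    return None


def triage(log_text: str) -> List[Finding]:
    """Run every line through check_line and return findings, high severity first."""
    findings = [f for f in map(check_line, log_text.splitlines()) if f is not None]
    return sorted(findings, key=lambda f: 0 if f.severity == "high" else 1)


# Constructed sample: entries taken from the second log in this thread, plus
# three benign lines (Bluetooth agent, Yahoo BHO, AVG service) that must not fire.
SAMPLE_LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\system32\drivers\conime.exe
O2 - BHO: (no name) - {100EA37C-2B0A-4A01-9A2E-3E4F21B5EAC7} - C:\WINDOWS\system32\sstqr.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - (no file)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\mypedauh.dll",realset
O4 - HKUS\S-1-5-18\..\RunOnce: [nlsf] cmd.exe /C move /Y "%SystemRoot%\System32\syssetub.dll" "%SystemRoot%\System32\syssetup.dll" (User 'SYSTEM')
O20 - Winlogon Notify: sstqr - C:\WINDOWS\system32\sstqr.dll
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: DomainService - Unknown owner - C:\WINDOWS\system32\fjwosjdm.exe (file missing)
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n         {f.line}")
```

The rules are deliberately narrow: an entry marked "(file missing)" in other sections (the xpnetdiag O9 lines above, for instance) is a harmless leftover and is not flagged.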

OK...

Here is the post for VundoFix...

VundoFix V6.5.4

Checking Java version...

Java version is 1.5.0.6

Old versions of java are exploitable and should be removed.

Scan started at 1:45:21 PM 7/9/2007

Listing files found while scanning....

C:\windows\system32\cyudbycd.dll

C:\windows\system32\dcybduyc.ini

C:\windows\system32\edbucuro.ini

C:\windows\system32\fbdxiawb.dll

C:\windows\system32\flqrvubs.dll

C:\windows\system32\hpijqnet.dll

C:\WINDOWS\system32\huadepym.ini

C:\WINDOWS\system32\mypedauh.dll

C:\windows\system32\orucubde.dll

C:\windows\system32\qonslpwx.dll

C:\windows\system32\rqtss.bak1

C:\windows\system32\rqtss.bak2

C:\windows\system32\rqtss.ini

C:\windows\system32\rqtss.ini2

C:\windows\system32\rqtss.tmp

C:\windows\system32\sbuvrqlf.ini

C:\windows\system32\sfpxjulv.dll

C:\WINDOWS\system32\sstqr.dll

C:\windows\system32\tenqjiph.ini

C:\windows\system32\vlujxpfs.ini

C:\windows\system32\vsfubdqw.dll

C:\windows\system32\wqdbufsv.ini

Beginning removal...

Attempting to delete C:\windows\system32\cyudbycd.dll

C:\windows\system32\cyudbycd.dll Has been deleted!

Attempting to delete C:\windows\system32\dcybduyc.ini

C:\windows\system32\dcybduyc.ini Has been deleted!

Attempting to delete C:\windows\system32\edbucuro.ini

C:\windows\system32\edbucuro.ini Has been deleted!

Attempting to delete C:\windows\system32\fbdxiawb.dll

C:\windows\system32\fbdxiawb.dll Has been deleted!

Attempting to delete C:\windows\system32\flqrvubs.dll

C:\windows\system32\flqrvubs.dll Has been deleted!

Attempting to delete C:\windows\system32\hpijqnet.dll

C:\windows\system32\hpijqnet.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\huadepym.ini

C:\WINDOWS\system32\huadepym.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\mypedauh.dll

C:\WINDOWS\system32\mypedauh.dll Has been deleted!

Attempting to delete C:\windows\system32\orucubde.dll

C:\windows\system32\orucubde.dll Has been deleted!

Attempting to delete C:\windows\system32\qonslpwx.dll

C:\windows\system32\qonslpwx.dll Has been deleted!

Attempting to delete C:\windows\system32\rqtss.bak1

C:\windows\system32\rqtss.bak1 Has been deleted!

Attempting to delete C:\windows\system32\rqtss.bak2

C:\windows\system32\rqtss.bak2 Has been deleted!

Attempting to delete C:\windows\system32\rqtss.ini

C:\windows\system32\rqtss.ini Has been deleted!

Attempting to delete C:\windows\system32\rqtss.ini2

C:\windows\system32\rqtss.ini2 Has been deleted!

Attempting to delete C:\windows\system32\rqtss.tmp

C:\windows\system32\rqtss.tmp Has been deleted!

Attempting to delete C:\windows\system32\sbuvrqlf.ini

C:\windows\system32\sbuvrqlf.ini Has been deleted!

Attempting to delete C:\windows\system32\sfpxjulv.dll

C:\windows\system32\sfpxjulv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sstqr.dll

C:\WINDOWS\system32\sstqr.dll Has been deleted!

Attempting to delete C:\windows\system32\tenqjiph.ini

C:\windows\system32\tenqjiph.ini Has been deleted!

Attempting to delete C:\windows\system32\vlujxpfs.ini

C:\windows\system32\vlujxpfs.ini Has been deleted!

Attempting to delete C:\windows\system32\vsfubdqw.dll

C:\windows\system32\vsfubdqw.dll Has been deleted!

Attempting to delete C:\windows\system32\wqdbufsv.ini

C:\windows\system32\wqdbufsv.ini Has been deleted!

Performing Repairs to the registry.

Done!

Next, here is the log for ComboFix...

"user" - 2007-07-09 13:51:27 - ComboFix 07-07-09.3 - Service Pack 2

ADS removed - svchost.exe: deleted 68 bytes in 1 streams.

ADS removed - ntoskrnl.exe: deleted 36 bytes in 1 streams.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Documents and Settings\user\ravmonlog

C:\WINDOWS\system32\drivers\conime.exe

C:\WINDOWS\system32\xpdx.sys

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE

-------\DomainService

-------\xpdx

((((((((((((((((((((((((( Files Created from 2007-06-09 to 2007-07-09 )))))))))))))))))))))))))))))))

2007-07-09 13:51 51,200 --a------ C:\WINDOWS\nircmd.exe

2007-07-09 13:45 <DIR> d-------- C:\VundoFix Backups

2007-07-09 13:43 <DIR> d-------- C:\HJT

2007-07-06 10:49 <DIR> d-------- C:\Program Files\BillP Studios

2007-07-06 10:49 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\WinPatrol

2007-07-05 08:32 <DIR> d-------- C:\Program Files\RogueRemover

2007-06-27 19:38 <DIR> d-------- C:\Program Files\Atari

2007-06-18 08:26 <DIR> d-------- C:\WINDOWS\LastGood

2007-06-17 20:26 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage

2007-06-17 20:18 80,384 --a------ C:\WINDOWS\system32\charmap.exe

2007-06-17 20:18 73,216 --a------ C:\WINDOWS\system32\avwav.dll

2007-06-17 20:18 605,696 --a------ C:\WINDOWS\system32\getuname.dll

2007-06-17 20:18 56,832 --a------ C:\WINDOWS\system32\sol.exe

2007-06-17 20:18 55,296 --a------ C:\WINDOWS\system32\freecell.exe

2007-06-17 20:18 538,624 --a------ C:\WINDOWS\system32\spider.exe

2007-06-17 20:18 5,632 --a------ C:\WINDOWS\system32\write.exe

2007-06-17 20:18 44,544 --a------ C:\WINDOWS\system32\hticons.dll

2007-06-17 20:18 35,328 --a------ C:\WINDOWS\system32\winchat.exe

2007-06-17 20:18 347,136 --a------ C:\WINDOWS\system32\hypertrm.dll

2007-06-17 20:18 343,040 --a------ C:\WINDOWS\system32\mspaint.exe

2007-06-17 20:18 227,840 --a------ C:\WINDOWS\system32\avtapi.dll

2007-06-17 20:18 183,808 --a------ C:\WINDOWS\system32\accwiz.exe

2007-06-17 20:18 16,384 --a------ C:\WINDOWS\system32\avmeter.dll

2007-06-17 20:18 138,752 --a------ C:\WINDOWS\system32\sndvol32.exe

2007-06-17 20:18 131,584 --a------ C:\WINDOWS\system32\sndrec32.exe

2007-06-17 20:18 126,976 --a------ C:\WINDOWS\system32\mshearts.exe

2007-06-17 20:18 123,392 --a------ C:\WINDOWS\system32\mplay32.exe

2007-06-17 20:18 119,808 --a------ C:\WINDOWS\system32\winmine.exe

2007-06-17 20:18 114,688 --a------ C:\WINDOWS\system32\calc.exe

2007-06-17 20:18 102,912 --a------ C:\WINDOWS\system32\clipbrd.exe

2007-06-17 20:18 <DIR> d-------- C:\WINDOWS\LastGood.Tmp

2007-06-17 14:46 28,672 --------- C:\WINDOWS\system32\verclsid.exe

2007-06-14 17:46 <DIR> d-------- C:\Program Files\FlashGet

2007-06-14 17:46 <DIR> d-------- C:\Downloads

2007-06-14 13:28 1,156 --a------ C:\WINDOWS\mozver.dat

2007-06-14 11:52 0 --a------ C:\WINDOWS\nsreg.dat

2007-06-14 09:20 <DIR> d-------- C:\Program Files\Oak Systems

2007-06-13 11:26 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys

2007-06-12 23:11 <DIR> d-------- C:\Program Files\CCleaner

2007-06-12 17:12 <DIR> d-------- C:\Program Files\CyD

2007-06-12 15:37 <DIR> d-------- C:\Program Files\Neoretix

2007-06-11 07:31 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Ulead Systems

2007-06-11 07:30 <DIR> d-------- C:\WINDOWS\Noslip

2007-06-11 07:30 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Ulead Systems

2007-06-11 07:19 <DIR> d-------- C:\Program Files\CoffeeCup Software

2007-06-11 06:28 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\uTorrent

2007-06-11 06:14 217,088 --a------ C:\WINDOWS\system32\yv12vfw.dll

2007-06-11 06:14 1,565,480 --a------ C:\WINDOWS\system32\wmv9vcm.dll

2007-06-11 06:14 <DIR> d-------- C:\Program Files\K-Lite Codec Pack

2007-06-11 06:14 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Real

2007-06-11 06:14 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Real

2007-06-11 06:01 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\Media Player Classic

2007-06-10 15:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys

2007-06-10 02:44 754,329 --a------ C:\WINDOWS\system32\LiveProtectSetup.exe

2007-06-10 01:54 9,464 --------- C:\WINDOWS\system32\drivers\cdralw2k.sys

2007-06-10 01:54 9,336 --------- C:\WINDOWS\system32\drivers\cdr4_xp.sys

2007-06-10 01:54 129,784 --------- C:\WINDOWS\system32\pxafs.dll

2007-06-10 01:48 24,072 --a------ C:\WINDOWS\system32\uxtuneup.dll

2007-06-10 01:48 <DIR> d-------- C:\Program Files\TuneUp Utilities 2006

2007-06-10 01:48 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard

2007-06-10 01:48 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\TuneUp Software

2007-06-10 01:48 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TuneUp Software

2007-06-10 01:41 <DIR> d--hs---- C:\WINDOWS\CSC

2007-06-10 01:34 798,720 --a------ C:\DOCUME~1\ADMINI~1\NTUSER.DAT

2007-06-10 01:04 81,984 --a------ C:\WINDOWS\system32\bdod.bin

2007-06-10 00:54 <DIR> d-------- C:\DOCUME~1\user\APPLIC~1\WinRAR

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-27 11:38:07 -------- d--h--w C:\Program Files\InstallShield Installation Information

2007-06-26 04:03:15 -------- d-----w C:\Program Files\ACDSee32

2007-06-17 12:20:08 -------- d-----w C:\Program Files\Online Services

2007-06-17 12:18:14 -------- d-----w C:\Program Files\Windows NT

2007-06-17 03:01:01 -------- d-----w C:\Program Files\Yahoo!

2007-06-14 03:28:25 -------- d-----w C:\Program Files\LimeWire

2007-06-12 09:13:41 -------- d-----w C:\Program Files\Messenger

2007-06-10 08:36:50 -------- d-----w C:\Program Files\Winamp

2007-06-10 08:05:43 -------- d-----w C:\Program Files\Star Downloader

2007-05-29 07:36:29 -------- d-----w C:\Program Files\Common Files\Autodesk Shared

2007-05-29 07:36:02 -------- d-----w C:\Program Files\Common Files\Macrovision Shared

2007-05-29 07:36:01 12,464 ----a-w C:\WINDOWS\system32\drivers\CDAC15BA.SYS

2007-05-29 07:35:14 -------- d-----w C:\Program Files\AnswerWorks 4.0

2007-05-29 05:01:45 -------- d-----w C:\DOCUME~1\user\APPLIC~1\Canon

2007-05-16 15:32:55 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll

2007-05-09 09:34:40 -------- d-----w C:\Program Files\MSXML 4.0

2007-05-09 04:13:04 311,296 ----a-w C:\WINDOWS\udll209.dll

2007-05-09 04:13:04 0 ----a-w C:\WINDOWS\system32\UTSCSI.EXE

2007-05-09 01:35:29 -------- d-----w C:\Program Files\Kaspersky Lab

2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll

2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{100EA37C-2B0A-4A01-9A2E-3E4F21B5EAC7}]

C:\WINDOWS\system32\sstqr.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897}]

2006-10-31 15:29 198136 --a------ C:\Program Files\Yahoo!\Common\yiesrvc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}]

2005-11-10 13:22 184423 --a------ C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E99421FB-68DD-40F0-B4AC-B7027CAE2F1A}]

2005-02-22 13:50 368640 --a------ C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

"BluetoothAuthenticationAgent"="bthprops.cpl" [2004-08-04 06:56 C:\WINDOWS\system32\bthprops.cpl]

"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-07-05 08:25]

"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-06-13 23:10]

"WinPatrol"="C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe" [2007-04-20 01:33]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]

"DisableRegistryTools"=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]

"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-07-05 08:25]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winccf32]

winccf32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yaywwvt]

yaywwvt.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]

"appinit_dlls"=sockspy.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]

SOUNDMAN.EXE

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]

"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]

"EPSON Stylus C59 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBHP.EXE /FU "C:\WINDOWS\TEMP\E_S85.tmp" /EF "HKLM"

"\\JAZZ\EPSON Stylus C67 Series"=C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIAAP.EXE /P30 "\\JAZZ\EPSON Stylus C67 Series" /O6 "USB001" /M "Stylus C67"

"UnlockerAssistant"="C:\Program Files\Unlocker\UnlockerAssistant.exe"

"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime

"GPLv3"=rundll32.exe "C:\WINDOWS\system32\hpijqnet.dll",realset

"VTTrayp"=VTtrayp.exe

"VTTimer"=VTTimer.exe

"OpwareSE2"="C:\Program Files\ScanSoft\OmniPageSE2.0\OpwareSE2.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]

bthsvcs BthServ

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Svchost - netsvcs

UxTuneUp

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1a811d01-12fc-11dc-95e2-00192120f362}]

Auto\command- RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26b32f5b-c3c5-11db-955f-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{3482e987-0ce4-11dc-95d3-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{417b0f09-e3fe-11db-9596-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{431ae6b0-fdc6-11db-95b7-00192120f362}]

AutoRun\command- H:\idstick.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{431ae6b1-fdc6-11db-95b7-00192120f362}]

Auto\command- I:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{431ae6b2-fdc6-11db-95b7-00192120f362}]

AutoRun\command- F:\idstick.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{45ad8c82-c790-11db-9566-00192120f362}]

Auto\command- J:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6fed6ca4-8a52-11db-acde-00192120f362}]

Auto\command- G:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{75572b66-0a9d-11dc-95ce-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{763f9bc5-d75b-11db-9583-00192120f362}]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{82e9cfb0-d102-11db-959c-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{8c24793a-0349-11dc-95c2-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{918732a4-cba8-11db-9570-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a1b4490c-8975-11db-acda-00192120f362}]

Auto\command- RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bbe8c113-9b25-11db-951d-00192120f362}]

Auto\command- F:\infrom.exe

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd123d17-2db8-11dc-965b-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd32b0d2-8f4d-11db-94fb-806d6172696f}]

Auto\command- infrom.exe

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd32b0d3-8f4d-11db-94fb-806d6172696f}]

Auto\command- infrom.exe

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd32b0d4-8f4d-11db-94fb-806d6172696f}]

Auto\command- infrom.exe

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d11d46e1-0e89-11dc-95d9-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d89cc800-dd8c-11db-95a0-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{d89cc802-dd8c-11db-95a0-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{da2e29fc-fd43-11db-95b6-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e4f38ea0-1885-11dc-9605-00192120f362}]

Auto\command- G:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f4cf9ec5-94ed-11db-9511-00192120f362}]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

*Newly Created Service* - XPDX

**************************************************************************

catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net

Rootkit scan 2007-07-09 13:54:35

Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-09 13:55:58 - machine was rebooted

C:\ComboFix-quarantined-files.txt ... 2007-07-09 13:55

--- E O F ---

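The MountPoints2 keys in the log above are Explorer's cache of the autorun.inf it read from every volume ever plugged into this machine; the RavMonE.exe, infrom.exe and copy.exe commands are the residue of a USB autorun worm, and they stay in HKCU long after the sticks themselves are gone. The following Python script is an added example, not code from the original post nor from ComboFix or any other tool named in the thread. It parses that section of a ComboFix log (the sample embedded in it is copied from the log above), reports what each volume's autorun would start, marks the names this thread already identified as bad, and emits a .reg file that deletes the keys and sets the NoDriveTypeAutoRun policy so AutoRun is disabled for every drive type. The KNOWN_BAD list is an assumption built from this thread, not a real indicator feed.

```python
import re
from collections import defaultdict

# Constructed sample: four MountPoints2 keys copied from the ComboFix log
# above. Real input is the same section of a ComboFix log or a `reg export`.
SAMPLE_LOG = r"""
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{26b32f5b-c3c5-11db-955f-00192120f362}]

Auto\command- F:\RavMonE.exe e

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL RavMonE.exe e

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{431ae6b0-fdc6-11db-95b7-00192120f362}]

AutoRun\command- H:\idstick.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{763f9bc5-d75b-11db-9583-00192120f362}]

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{bd32b0d2-8f4d-11db-94fb-806d6172696f}]

Auto\command- infrom.exe

AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe
"""

KEY_RE = re.compile(r"^\[HKEY_CURRENT_USER\\.*?\\mountpoints2\\(\{[0-9a-f-]+\})\]$", re.I)
CMD_RE = re.compile(r"^(Auto|AutoRun)\\command-\s*(.+)$", re.I)
# Assumption: names taken from this thread's logs. A real list comes from
# AV/IOC data; anything not on it is still reported, just not marked as known.
KNOWN_BAD = {"ravmone.exe", "infrom.exe", "copy.exe"}
MP2_PATH = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2"


def parse_mountpoints2(text):
    """Return {guid: [(verb, command), ...]} for every MountPoints2 key in the dump."""
    entries = defaultdict(list)
    guid = None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            guid = m.group(1).lower()
            continue
        m = CMD_RE.match(line)
        if m and guid:
            entries[guid].append((m.group(1), m.group(2)))
    return dict(entries)


def launched_executable(command):
    """Base name of the file an autorun command really starts.
    'RunDLL32 Shell32.DLL,ShellExec_RunDLL X' is only a launcher: X is the target."""
    tokens = command.split()
    for i, tok in enumerate(tokens):
        if tok.lower().endswith("shellexec_rundll"):
            target = tokens[i + 1] if i + 1 < len(tokens) else ""
            break
    else:
        target = tokens[0] if tokens else ""
    return target.rsplit("\\", 1)[-1].lower()


def triage(entries):
    """Every volume whose cached autorun.inf starts a program. Legitimate
    launchers (U3-style menus) show up here too, so the reviewer gets the
    executable names plus a flag for the ones already known from the thread."""
    report = {}
    for guid, cmds in entries.items():
        exes = sorted({launched_executable(c) for _v, c in cmds if launched_executable(c)})
        if exes:
            report[guid] = {"exes": exes, "known_bad": any(e in KNOWN_BAD for e in exes)}
    return report


def reg_cleanup_script(guids):
    """A .reg file that deletes the listed MountPoints2 keys (a leading '-' on a
    key line means delete) and disables AutoRun for all drive types (0xFF)."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for g in sorted(guids):
        lines += [f"[-{MP2_PATH}\\{g}]", ""]
    lines += [r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]",
              '"NoDriveTypeAutoRun"=dword:000000ff', ""]
    return "\n".join(lines)


if __name__ == "__main__":
    found = triage(parse_mountpoints2(SAMPLE_LOG))
    for guid, info in found.items():
        print(guid, info)
    print(reg_cleanup_script(found))
```

Save the generated text as a .reg file and import it while logged on as the affected user: the keys live under HKCU, so importing it from a different account cleans the wrong hive. Then clean or reformat every stick that was listed, because the entries come back the moment an infected volume is inserted again, which is one way a freshly cleaned machine gets reinfected.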

I'm adding an additional reply for the ComboFix quarantine file.

2004-08-04 06:56	  27648	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\conime.exe.vir
2007-07-02 13:53	  61092	--a------	C:\Qoobox\Quarantine\C\WINDOWS\system32\xpdx.sys.vir
2007-07-05 08:18	  5	--a------	C:\Qoobox\Quarantine\C\Documents and Settings\user\RavMonLog.vir
2007-07-09 13:52	  200	--a------	C:\Qoobox\Quarantine\Registry_backups\services_xpdx.reg.cf
2007-07-09 13:52	  294	--a------	C:\Qoobox\Quarantine\catchme.log
2007-07-09 13:52	  2956	--a------	C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
2007-07-09 13:52	  59714	--a------	C:\Qoobox\Quarantine\catchme2007-07-09_135434.51.zip
2007-07-09 13:52	  846	--a------	C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
Folder PATH listing
Volume serial number is 688D-687F
C:\QOOBOX
\---Quarantine
    |   catchme.log
    |   catchme2007-07-09_135434.51.zip
    |
    +---C
    |   +---Documents and Settings
    |   |   \---user
    |   |           RavMonLog.vir
    |   |
    |   \---WINDOWS
    |       \---system32
    |           |   xpdx.sys.vir
    |           |
    |           \---drivers
    |                   conime.exe.vir
    |
    \---Registry_backups
            LEGACY_DOMAINSERVICE.reg.cf
            services_DomainService.reg.cf
            services_xpdx.reg.cf

Plus the HijackThis log...

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 1:56:56 PM, on 7/9/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\WINDOWS\system32\wuauclt.exe

C:\HJT\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:mozilla

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {100EA37C-2B0A-4A01-9A2E-3E4F21B5EAC7} - C:\WINDOWS\system32\sstqr.dll (file missing)

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)

O20 - Winlogon Notify: yaywwvt - yaywwvt.dll (file missing)

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE

--

End of file - 6785 bytes

Edited by JeanInMontana
Light blue is too hard to see.

Hi there, it's looking better. We still have some cleanup and updating to do. The WinPatrol alert is normal and you should allow it.

First, run HijackThis again and put a check in the following items:

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)

O2 - BHO: (no name) - {100EA37C-2B0A-4A01-9A2E-3E4F21B5EAC7} - C:\WINDOWS\system32\sstqr.dll (file missing)

O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)

O20 - Winlogon Notify: yaywwvt - yaywwvt.dll (file missing)

Print these instructions, as you need to have all browsers closed and be offline.

Download SDFix and save it to your Desktop.

http://downloads.andymanchesta.com/RemovalTools/SDFix.exe

Double-click SDFix.exe and it will extract the files to %systemdrive% (the drive that contains the Windows directory, typically C:\SDFix).

Please then reboot your computer in Safe Mode by doing the following:

* Restart your computer.
* After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually.
* Instead of Windows loading as normal, the Advanced Options Menu should appear.
* Select the first option, to run Windows in Safe Mode, then press Enter.
* Choose your usual account.
* Open the extracted SDFix folder and double-click RunThis.bat to start the script.
* Type Y to begin the cleanup process.
* It will remove any Trojan services and registry entries that it finds, then prompt you to press any key to reboot.
* Press any key and it will restart the PC.
* When the PC restarts the Fixtool will run again and complete the removal process, then display Finished; press any key to end the script and load your desktop icons.
* Once the desktop icons load, the SDFix report will open on screen and also save into the SDFix folder as Report.txt (Report.txt will also be copied to the Clipboard, ready for posting back on the forum).
* Finally, paste the contents of Report.txt back on the forum.

Now update AVG Anti-Spyware and run a full system scan; post anything it finds here.

Next, uninstall your Java from Add/Remove Programs and delete the program file. Go here and choose the offline one.

Post a new HJT log and we will see how we are doing.

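The entries the helper ticks share a pattern that can be checked mechanically: a Winlogon Notify hook or BHO still registered although its DLL is gone, a BHO with no name, a URLSearchHook with no file, and a service whose binary carries no vendor information. As an added example, not part of the original post and not HijackThis code, this Python script applies those rules to a sample made of lines copied from the logs in this thread (the 7/9 log plus the later UTSCSI line that reports "(file missing)"), and for an orphaned service prints the sc.exe commands that remove it, the step the HijackThis Fix button did not manage on this machine in a later post. The rule descriptions are the editor's wording, not HijackThis output.

```python
import re

# Constructed sample: entries copied from the HijackThis logs posted in this
# thread, plus benign AVG and Yahoo! entries so the rules have something to
# leave alone. A real run feeds the whole log file in.
SAMPLE_HJT = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:mozilla
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - {100EA37C-2B0A-4A01-9A2E-3E4F21B5EAC7} - C:\WINDOWS\system32\sstqr.dll (file missing)
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O20 - Winlogon Notify: winccf32 - winccf32.dll (file missing)
O20 - Winlogon Notify: yaywwvt - yaywwvt.dll (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)
"""

LINE_RE = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.+)$")
# HijackThis prints the short service name in parentheses after the display name.
SERVICE_RE = re.compile(r"^Service: .*?\((?P<short>[^)]+)\) - ")

# (section, substring HijackThis prints, why it matters). Only the first
# matching rule fires for a line, so the more specific rule comes first.
RULES = [
    ("O20", "(file missing)", "Winlogon Notify DLL is gone but the hook remains; orphaned loader"),
    ("O2",  "(file missing)", "BHO DLL is gone but the CLSID registration remains"),
    ("O2",  "(no name)",      "unnamed BHO; legitimate add-ons register a display name"),
    ("R3",  "(no file)",      "URLSearchHook points at nothing; search-hijack leftover"),
    ("O23", "(file missing)", "service binary deleted but the service key remains; delete the service"),
    ("O23", "Unknown owner",  "service binary has no vendor information; verify before trusting"),
]


def parse_hjt(text):
    """Split a HijackThis log into (section, body) tuples, skipping header lines."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            out.append((m.group("sec"), m.group("body")))
    return out


def triage_hjt(text):
    """Findings in log order: section, reason, short service name (O23 only), line."""
    findings = []
    for sec, body in parse_hjt(text):
        for rule_sec, needle, reason in RULES:
            if sec == rule_sec and needle in body:
                short = None
                if sec == "O23":
                    m = SERVICE_RE.match(body)
                    short = m.group("short") if m else None
                findings.append({"section": sec, "reason": reason,
                                 "service": short, "line": f"{sec} - {body}"})
                break
    return findings


def service_cleanup_commands(findings):
    """sc.exe commands for orphaned services. sc.exe ships with Windows XP;
    run them from a cmd prompt with administrative rights."""
    cmds = []
    for f in findings:
        if f["section"] == "O23" and f["service"] and "(file missing)" in f["line"]:
            cmds.append(f'sc stop "{f["service"]}"')
            cmds.append(f'sc delete "{f["service"]}"')
    return cmds


if __name__ == "__main__":
    found = triage_hjt(SAMPLE_HJT)
    for f in found:
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
    print("\n".join(service_cleanup_commands(found)))
```

Findings come out in log order, so they can be ticked in HijackThis as they appear. sc delete only removes the service registration; if the binary still exists, delete it afterwards, and confirm the O23 line is gone from the next log before moving on.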

Next, uninstall your Java from Add/Remove Programs and delete the program file. Go here and choose the offline one.

Not too clear which product to download.

In Add/Remove Programs...

I should uninstall this entry, right?

J2SE Runtime Environment 5.0 Update 6

But I'm not so sure about which one I should download.

Should I take the standard one?

I attach the file just in case (too long to list here): the list of the products.

index.jsp.htm



OK, here is the SDFix.exe report file:

SDFix: Version 1.90

Run by user on Tue 07/10/2007 at 01:20 PM

Microsoft Windows XP [Version 5.1.2600]

Running From: C:\SDFix

Safe Mode:

Checking Services:

Restoring Windows Registry Values

Restoring Windows Default Hosts File

Restoring Missing SharedAccess Service

Rebooting...

Normal Mode:

Checking Files:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\UTSCSI.EXE - Deleted

Removing Temp Files...

ADS Check:

C:\WINDOWS

No streams found.

C:\WINDOWS\system32

No streams found.

C:\WINDOWS\system32\svchost.exe

No streams found.

C:\WINDOWS\system32\ntoskrnl.exe

No streams found.

Final Check:

Remaining Services:

------------------

Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]

Remaining Files:

---------------

Backups Folder: - C:\SDFix\backups\backups.zip

Files with Hidden Attributes:

C:\Program Files\Autodesk\Autodesk Express Viewer\Setup.exe

C:\Program Files\BillP Studios\WinPatrol\Setup.exe

C:\Program Files\Messenger\msmsgs.exe

C:\Program Files\Outlook Express\msimn.exe

C:\Program Files\Windows Media Player\mplayer2.exe

C:\Program Files\Windows Media Player\wmplayer.exe

C:\WINDOWS\system32\Tools\All.exe

C:\WINDOWS\system32\Tools\Change.exe

C:\WINDOWS\system32\Tools\CheckPath.exe

C:\WINDOWS\system32\Tools\Counter.exe

C:\WINDOWS\system32\Tools\DelFolders.exe

C:\WINDOWS\system32\Tools\DirectSetup.exe

C:\WINDOWS\system32\Tools\RegClean.exe

C:\WINDOWS\system32\Tools\Regexe.exe

C:\WINDOWS\system32\Tools\RunRegexe.exe

C:\WINDOWS\system32\config\default.tmp.LOG

C:\WINDOWS\system32\config\SAM.tmp.LOG

C:\WINDOWS\system32\config\SECURITY.tmp.LOG

C:\WINDOWS\system32\config\software.tmp.LOG

C:\WINDOWS\system32\config\system.tmp.LOG

Finished


Sorry, the color does not match the background.

Anyway, here is the new HijackThis log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 2:07:25 PM, on 7/10/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\WINDOWS\Explorer.EXE

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\WINDOWS\system32\msiexec.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\HJT\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:mozilla

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\npjpi160_02.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)

--

End of file - 6639 bytes


Finally, AVG Anti-Spyware does not detect anything with a full scan.

What should I do with the previous quarantine file?

From past experience, it will restore itself once I delete the file.

I attach 4 files, just in case:

1) Report.txt - SDFix report

2) HijackThis log

3) a print screen of the infected file - somehow the PC does not have Paint, so the picture is in a Word document.

4) AVG Anti-Spyware complete scan report

Report.txt

avg_antispyware_quarantine.doc

Report_Scan_20070710_135953.txt

Report.txt

avg_antispyware_quarantine.doc

Report_Scan_20070710_135953.txt


Looking good.

Run HJT and put a check in this:

O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)

Click Fix.

Delete all quarantine files. We also need to delete all System Restore files and create a new clean one. To do that, go to Control Panel > System Properties, click on the Restore tab and put a check in the box that says "Turn off System Restore", then click Apply and OK. Depending on how large a space is allocated, it may take a little time.

Now Open up Help and Support and click on Undo Changes to my System. Choose create a system restore point. Give it a name you will remember like Malware free 7-10-2007 and make the restore point.

Next go to Windows Updates and get any needed patches and updates.

Do you have a firewall? As with your other machine, you must have one. If you're using the Windows one, it really isn't adequate. Be sure to turn it off, though, when you add another.

To get your Paint back, go to Add/Remove Programs. On the left select Add/Remove Windows Components, then Accessories and Utilities; put a check in if there isn't one, and uncheck it if it is checked. I know that sounds weird, but that is Windows, not me. :)

I would also suggest you add a layer of prevention by using SpywareBlaster, and a hosts file: any of MVP Hosts, IE-SpyAd or hpHosts. You might want to add a toolbar item that helps keep you off bad sites too, like SiteHound or SiteAdvisor; both have free versions.

You should be running OK. If not let me know.


I'll add a firewall later, but first I think I've got a problem.

You asked me to fix this one, right? But somehow the entry is still there.

I did that step 3 times, because at first I thought I had mischecked the item.

The last line, isn't it?

Anyway, here is the new log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)

Scan saved at 9:03:26 AM, on 7/11/2007

Platform: Windows XP SP2 (WinNT 5.01.2600)

Boot mode: Normal

Running processes:

C:\WINDOWS\System32\smss.exe

C:\WINDOWS\system32\winlogon.exe

C:\WINDOWS\system32\services.exe

C:\WINDOWS\system32\lsass.exe

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\System32\svchost.exe

C:\WINDOWS\system32\spoolsv.exe

C:\WINDOWS\Explorer.EXE

C:\WINDOWS\system32\rundll32.exe

C:\PROGRA~1\Grisoft\AVG7\avgcc.exe

C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe

C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

C:\WINDOWS\system32\drivers\CDAC11BA.EXE

C:\WINDOWS\system32\svchost.exe

C:\WINDOWS\system32\wscntfy.exe

C:\WINDOWS\system32\taskmgr.exe

C:\Program Files\Mozilla Firefox\firefox.exe

C:\HJT\HiJackThis_v2.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:mozilla

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O2 - BHO: EpsonToolBandKicker Class - {E99421FB-68DD-40F0-B4AC-B7027CAE2F1A} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O3 - Toolbar: EPSON Web-To-Page - {EE5D279F-081B-4404-994D-C6B60AAEBA6D} - C:\Program Files\EPSON\EPSON Web-To-Page\EPSON Web-To-Page.dll

O4 - HKLM\..\Run: [bluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized

O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe

O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"

O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')

O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')

O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')

O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')

O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm

O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000

O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm

O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm

O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm

O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll

O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll

O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL

O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)

O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)

O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe

O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecal...ivex/hcImpl.cab

O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll

O16 - DPF: {78AF2F24-A9C3-11D3-BF8C-0060B0FCC122} (AcDcToday Control) - file://C:\Program Files\AutoCAD 2002\AcDcToday.ocx

O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab

O16 - DPF: {AE563720-B4F5-11D4-A415-00108302FDFD} (NOXLATE-BANR) - file://C:\Program Files\AutoCAD 2002\InstBanr.ocx

O16 - DPF: {C6637286-300D-11D4-AE0A-0010830243BD} (InstaFred) - file://C:\Program Files\AutoCAD 2002\InstFred.ocx

O16 - DPF: {F281A59C-7B65-11D3-8617-0010830243BD} (AcPreview Control) - file://C:\Program Files\AutoCAD 2002\AcPreview.ocx

O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll

O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll

O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe

O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe

O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe

O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe

O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\system32\drivers\CDAC11BA.EXE

O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe

O23 - Service: USBest Service Zero (UTSCSI) - Unknown owner - C:\WINDOWS\system32\UTSCSI.EXE (file missing)

--

End of file - 6674 bytes


I guess it's OK to leave that. I was going on what SDFix did here:

Trojan Files Found:

C:\WINDOWS\SYSTEM32\UTSCSI.EXE - Deleted

But what I find on that is it is part of USBest PQI Card Drive. Do you or did you have it installed?

Is the machine running well now?


That is good then. If you install the programs I suggested and do your security updates it will make a major difference in keeping the machine malware free.

Since this issue is resolved I will close the topic. If you need further assistance please start a new topic.

