
Virtumonde, Winlogonhook.Delf.A, Toolbar888

Hi,

I was doing something silly yesterday and now I have quite a spyware infection.

Counterspy reported Virtumonde, Backdoor.win32.agent.vc, Toolbar888, Dialler Trojan and WinlogonHook.Delf.A, but has been unsuccessful at removing them. My AVG has also done what it can.

I think I have the dialler trojan and Backdoor.win32... blocked by deleting their files and creating zero length read-only files of the same name, but I have not stopped any process which may recreate the files if I delete my ones.

Toolbar888 I thought I had nailed by removing system restore, where Counterspy said it was, but Defender has just popped up again.

I have also been getting repeated Counterspy popups for something which wants to create hooks (an undetailed message), and attempted browser hijacks and program installations (Virtumonde?).

I have totally failed to do anything about the other two bits of spyware. I am running Panda's on line scan now, but it will take a while to complete.

In the meanwhile this is my hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 20:41:26, on 01/10/06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.ntlworld.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=62.252.0.4:8080
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
O4 - Global Startup: CleanTemp.lnk = E:\My Documents\Nick\Software\Visual Basic\CleanTemp.exe
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: NeroLogCleanUp.bat
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - http://etalk.epson.co.uk/netagent/objects/custappx3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124569999598
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124572343986
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

Can anyone help me?

Thanks,

Nick
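The HijackThis log above is read by hand in this thread; the entry types that matter here are the R1 proxy line, the O3 toolbar with "(no file)", the O4 autoruns and the O23 service marked "(file missing)". As an added example (not part of this post, not a HijackThis feature), the Python below triages a log in that format and surfaces those entry kinds for a human to check. The sample log is constructed from one line of each type; the `trusted_proxies` parameter is an assumption so that a known ISP proxy can be whitelisted. A flagged line is a lead, not a verdict: a bare filename can be a stock Windows component and a proxy can be legitimately configured.

```python
import re
from dataclasses import dataclass

# Constructed sample: one line of each HijackThis entry type discussed in the
# thread (R1 proxy, O3 toolbar, O4 autoruns, O23 services). Not the real log.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=62.252.0.4:8080
O3 - Toolbar: (no name) - {CBCC61FA-0221-4ccc-B409-CEE865CACA3A} - (no file)
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - Global Startup: Exif Launcher.lnk = ?
O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
"""

# "R1 - <body>", "O4 - <body>", ...; header and process-list lines do not match.
ENTRY_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# O4 Run entries: "[value name] target"
O4_RE = re.compile(r"\[(?P<name>[^\]]+)\]\s*(?P<target>.*)$")


@dataclass(frozen=True)
class Finding:
    section: str
    reason: str
    line: str


def triage_hijackthis(log_text, trusted_proxies=frozenset()):
    """Return the log entries a responder should look at first.

    trusted_proxies (assumed parameter): proxy strings that are known-good,
    e.g. an ISP-supplied "http=host:port", so they are not reported.
    """
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")

        if section == "R1" and "ProxyServer" in body:
            # "...,ProxyServer = http=host:port": a hijacked proxy reroutes all browsing
            proxy = body.split("=", 1)[1].strip()
            if proxy not in trusted_proxies:
                findings.append(Finding(section, f"browser proxy set to {proxy!r}; confirm it is expected", line))

        elif section == "O3" and body.endswith("(no file)"):
            findings.append(Finding(section, "toolbar CLSID registered but its DLL is gone (orphaned entry)", line))

        elif section == "O4":
            o4 = O4_RE.search(body)
            if o4 and not re.search(r"[\\/]", o4.group("target")):
                # bare filename: resolved through the search path, so verify which file runs
                findings.append(Finding(section, f"autorun {o4.group('name')!r} has no full path", line))
            elif body.endswith("= ?"):
                findings.append(Finding(section, "startup shortcut target could not be resolved", line))

        elif section == "O23" and body.endswith("(file missing)"):
            findings.append(Finding(section, "service registered but its binary is missing", line))

    return findings


if __name__ == "__main__":
    for f in triage_hijackthis(SAMPLE_HJT):
        print(f"{f.section:>4}  {f.reason}\n      {f.line}")
```

Run against a saved log with `triage_hijackthis(open("hijackthis.log").read())`; passing `trusted_proxies={"http=62.252.0.4:8080"}` drops the proxy line once it has been confirmed as the ISP's.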

Comments

  • rpggamergirl South Australia
    edited October 2006
    Hi,

    1. Please download VundoFix.exe to your desktop.
    http://www.atribune.org/ccount/click.php?id=4
    * Double-click VundoFix.exe to run it.
    * Click the "Scan for Vundo" button.
    * Once it's done scanning, click the "Remove Vundo" button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will reboot your computer, click OK.
    * Please post the contents of C:\vundofix.txt.

    Note: It is possible that VundoFix encounters a file it could not remove.
    In this case, VundoFix will run on reboot, simply follow the above
    instructions starting from "Click the Scan for Vundo button." when
    VundoFix appears at reboot.


    2. Download win32delfkil.exe.
    http://users.telenet.be/marcvn/tools/win32delfkil.exe
    Save it on your desktop.
    Close all windows.
    Double click on win32delfkil.exe to start the removal tool.
    The computer will reboot automatically.
    After reboot a logfile will open: c:\windelf.txt
    Post the contents of the logfile, along with a new HijackThis log.
  • edited October 2006
    Thanks for the reply. Here are the logs as requested:

    vundofix.txt:


    VundoFix V6.1.6

    Checking Java version...

    Java version is 1.5.0.8

    Scan started at 07:00:04 02/10/06

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\winpcy32.dll
    C:\WINDOWS\SYSTEM32\jkkhfde.dll
    C:\WINDOWS\SYSTEM32\awtqnnm.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\winpcy32.dll
    C:\WINDOWS\SYSTEM32\winpcy32.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\jkkhfde.dll
    C:\WINDOWS\SYSTEM32\jkkhfde.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\SYSTEM32\awtqnnm.dll
    C:\WINDOWS\SYSTEM32\awtqnnm.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.1.6

    Checking Java version...

    Java version is 1.5.0.8

    Scan started at 07:15:13 02/10/06

    Listing files found while scanning....

    C:\WINDOWS\SYSTEM32\winpcy32.dll
    C:\WINDOWS\SYSTEM32\jkkhfde.dll
    C:\WINDOWS\SYSTEM32\awtqnnm.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\SYSTEM32\winpcy32.dll
    C:\WINDOWS\SYSTEM32\winpcy32.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\jkkhfde.dll
    C:\WINDOWS\SYSTEM32\jkkhfde.dll Has been deleted!

    Attempting to delete C:\WINDOWS\SYSTEM32\awtqnnm.dll
    C:\WINDOWS\SYSTEM32\awtqnnm.dll Has been deleted!

    Performing Repairs to the registry.
    Done!


    windelf.txt:

    WIN32DELFKIL LOGFILE - by Marckie


    version 3.04
    02/10/06 7:25:13.87
    running from: "C:\Documents and Settings\Nick\Desktop"


    --- File(s) found in Windows directory ---

    --- File(s) found in system32 folder ---

    --- Export SharedTaskScheduler key ---
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"


    --- Notify key ---


    --- rebooting the computer ---


    --- File(s) found in Windows directory ---

    --- File(s) found in system32 folder ---

    --- Export SharedTaskSchedulerkey ---
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
    "{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"



    --- Notify key ---

    Finished!


    HijackThis.Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 07:33:53, on 02/10/06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\WINDOWS\notepad.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.ntlworld.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=62.252.0.4:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
    O4 - Global Startup: CleanTemp.lnk = E:\My Documents\Nick\Software\Visual Basic\CleanTemp.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: NeroLogCleanUp.bat
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - http://etalk.epson.co.uk/netagent/objects/custappx3.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124569999598
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124572343986
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe



    And one virus scan from Panda:


    Incident Status Location

    Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\jkkhfde.dll
    Adware:Adware/Mytoolbar Not disinfected C:\Program Files\ToolBar888\Activate.exe
    Adware:Adware/IconAds Not disinfected C:\Program Files\ToolBar888\Uninst.exe
    Spyware:Cookie/Mediaplex Not disinfected C:\Documents and Settings\Nick\Cookies\nick@mediaplex[1].txt
    Spyware:Cookie/Reliablestats Not disinfected C:\Documents and Settings\Nick\Cookies\nick@stats1.reliablestats[2].txt
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\22422A7E-C5CA-4AE0-9121-A14116\61DA4CC3-76C1-451D-8CB1-FD0D35
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\A7991060-8F45-4A79-A0FD-406F81\33BA31B9-8114-4F55-8C84-585582
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\A7991060-8F45-4A79-A0FD-406F81\56F0612A-7BED-4683-A9B2-21AF70
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\55470FDD-79D6-431C-B342-917200\28D7F372-098F-467F-BEA0-53E72C
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\EEE700FD-F59D-4A92-A919-45EDE7
    Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\99EA60B9-EE2B-4DB2-ABE8-05A6C9[²ÜÇ\nsProcess.dll]
    Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\325F1645-2B4D-4513-A042-F02E58[²ÜÇ\nsProcess.dll]
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\325F1645-2B4D-4513-A042-F02E58[¦++\²íÇ\Update.exe]
    Spyware:Spyware/Virtumonde Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\325F1645-2B4D-4513-A042-F02E58[¦++\²íÇ\services.dll]
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\325F1645-2B4D-4513-A042-F02E58[MyToolBar.dll]
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\325F1645-2B4D-4513-A042-F02E58[Activate.exe]
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\3F7ADC32-BCB7-40CE-9112-FD6897
    Adware:Adware/DollarRevenue Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\E4580B42-2897-4D88-961C-196F70
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\51563557-B652-4526-948D-C78EAC\18361372-DA8E-4045-B405-DB70AF
    Adware:Adware/Mytoolbar Not disinfected C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\51563557-B652-4526-948D-C78EAC\1EFB4926-809C-4A99-8CF2-EEB554
    Adware:Adware/DollarRevenue Not disinfected D:\Temp\nsv37D.tmp\nsProcess.dll
    Adware:Adware/Maxifiles Not disinfected D:\Temp\win379.tmp.exe
    Spyware:Spyware/Virtumonde Not disinfected D:\Temporary Internet Files\Content.IE5\R7W71ICK\anti4[1].exe
    Adware:Adware/Maxifiles Not disinfected D:\Temporary Internet Files\Content.IE5\V8WZS1UU\wlzip32[1].exe


    Regards,

    Nick
  • rpggamergirl South Australia
    edited October 2006
    Spyware:Spyware/Virtumonde that Panda found --> C:\WINDOWS\system32\jkkhfde.dll
    that has been deleted by Vundofix.

    C:\Program Files\ToolBar888 <-- delete this folder if still present.


    1. Download and run ATF Cleaner by Atribune.
    http://www.atribune.org/ccount/click.php?id=1

    Reboot your computer into Safe Mode.

    Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.


    If you use Firefox browser
    Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.


    If you use Opera browser
    Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
    Click Exit on the Main menu to close the program.



    2. Please download ewido anti-spyware from HERE and save that file to your desktop.
    This is a 30 day trial of the program
    1. Once you have downloaded ewido anti-spyware, locate the icon on the desktop and double-click it to launch the set up program.
    2. Once the setup is complete you will need run ewido and update the definition files.
    3. On the main screen select the icon "Update" then select the "Update now" link.
      • Next select the "Start Update" button, the update will start and a progress bar will show the updates being installed.
    4. Once the update has completed select the "Scanner" icon at the top of the screen, then select the "Settings" tab.
    5. Once in the Settings screen click on "Recommended actions" and then select "Quarantine".
    6. Under "Reports"
      • Select "Automatically generate report after every scan"
      • Un-Select "Only if threats were found"
    Close ewido anti-spyware, Do Not run a scan just yet, we will shortly.
    1. Reboot your computer into SafeMode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight SafeMode then hit enter.
      IMPORTANT: Do not open any other windows or programs while ewido is scanning, it may interfere with the scanning process:
    2. Launch ewido-anti-spyware by double-clicking the icon on your desktop.
    3. Select the "Scanner" icon at the top and then the "Scan" tab then click on "Complete System Scan".
    4. ewido will now begin the scanning process, be patient this may take a little time.
      Once the scan is complete do the following:
    5. If you have any infections you will be prompted, then select "Apply all actions"
    6. Next select the "Reports" icon at the top.
    7. Select the "Save report as" button in the lower left hand of the screen and save it to a text file on your system (make sure to remember where you saved that file, this is important).
    8. Close ewido and reboot your system back into Normal Mode and post the results of the ewido report scan.
  • edited October 2006
    I have done as you asked in a slightly different order as I could not see how to download ewido while still in safe mode after running ATF-Cleaner, so I downloaded it first. Otherwise I did everything in the order you gave. When it came to updating the definitions, I remembered I could do it in safe mode with networking, but I returned to safe mode for the scan.

    Here is the ewido log:

    AVG Anti-Spyware - Scan Report

    + Created at: 20:56:51 02/10/06

    + Scan result:



    D:\BackUps\BackUp - 20060819 08h15m00.zi/My Documents/Nick/Software/MediaPortal-update.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
    D:\BackUps\BackUp - 20060826 08h28m30.zi/My Documents/Nick/Software/MediaPortal-update.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
    D:\BackUps\BackUp - 20060902 08h16m45.zi/My Documents/Nick/Software/MediaPortal-update.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
    D:\BackUps\BackUp - 20060908 07h52m21.zi/My Documents/Nick/Software/MediaPortal-update.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
    D:\BackUps\BackUp - 20060930 07h40m12.zi/My Documents/Nick/Software/MediaPortal-update.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
    E:\My Documents\Nick\Software\MediaPortal-update.exe -> Adware.MediaTicket : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\375709B2-F073-4209-96E2-C18DBA\3F7ADC32-BCB7-40CE-9112-FD6897 -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\51563557-B652-4526-948D-C78EAC\1EFB4926-809C-4A99-8CF2-EEB554 -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\A7991060-8F45-4A79-A0FD-406F81\56F0612A-7BED-4683-A9B2-21AF70 -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP7\A0000130.dll -> Adware.Softomate : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\22422A7E-C5CA-4AE0-9121-A14116\61DA4CC3-76C1-451D-8CB1-FD0D35 -> Adware.Virtumionde : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\55470FDD-79D6-431C-B342-917200\28D7F372-098F-467F-BEA0-53E72C -> Adware.Virtumionde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP8\A0000162.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP8\A0000163.dll -> Adware.Virtumionde : Cleaned with backup (quarantined).
    C:\VundoFix Backups\awtqnnm.dll.bad -> Adware.Virtumionde : Cleaned with backup (quarantined).
    C:\VundoFix Backups\jkkhfde.dll.bad -> Adware.Virtumionde : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF45399C-DAFB-4754-9D66-95C765\530991D0-7449-4731-B865-CAE397 -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF45399C-DAFB-4754-9D66-95C765\831B793F-02C0-4C10-93CB-926E04 -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF45399C-DAFB-4754-9D66-95C765\B21C21ED-7E69-48D8-9F4F-568CD8 -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
    C:\Documents and Settings\Nick\Application Data\Sunbelt Software\CounterSpy\Quarantine\FF45399C-DAFB-4754-9D66-95C765\E9D5DCE8-FFBE-4228-B43F-0302AC -> Dialer.InstantAccess.k : Cleaned with backup (quarantined).
    C:\WINDOWS\SYSTEM32\qbjeiysc.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
    D:\Temp\ardwcufu.dll -> Logger.VBStat.e : Cleaned with backup (quarantined).
    D:\Temp\win3D3.tmp.exe -> Trojan.Dialer.qs : Cleaned with backup (quarantined).
    C:\Program Files\Common Files\{1F6B19E4-04B0-2057-1007-02041108002c}\update.exe -> Trojan.Starter.65 : Cleaned with backup (quarantined).


    ::Report end

    I have some comments:
    The first five items are my backup archives (renamed from .zip to .zi in a failed attempt to stop the scanners from scanning them). As they are my backups, I chose not to quarantine the whole archive and I have deleted the files directly from the archives. I am surprised at this find as it was downloaded from the originating web site. As I have not yet got to install and try MediaPortal, it is no loss. I let ewido delete the 6th instance.

    A fair amount of the lines were found in the CounterSpy quarantine area, so they have been moved from one quarantine to another!

    The last entry was hopefully the zero length read-only file I created myself to stop a possible re-installation by the spyware.

    While writing this, AVG anti-virus has just popped up with C:\Program Files\Common Files\{1F6B19E4-04B0-2057-1007-02041108002c}\services.dll containing a virus "Trojan horse Downloader.Generic2.JVP". I have allowed AVG to quarantine it and have created another zero length file in its place.

    [edit]
    On re-booting, I am still getting a popup launching IE, trying to sell me WinAntivirus.
    [/edit]

    Regards,

    Nick
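The report above mixes detections in very different places: copies already sitting in CounterSpy's quarantine and the VundoFix backup folder, copies inside System Restore points, members of the renamed backup archives, files in Temp, and two live files under SYSTEM32 and Common Files. As an added example (not part of this post and not a feature of ewido or AVG Anti-Spyware), the Python below parses lines in the "path -> threat : action" shape of that report and labels each hit by where it was contained, so the live ones can be separated from the quarantine-to-quarantine shuffling the post describes. The sample report is constructed with placeholder names, GUIDs and paths; the location patterns follow the folders seen in this thread.

```python
import re
from collections import Counter

# Constructed sample in the report's "path -> threat : action" shape.
# Names, GUIDs and paths are placeholders, not the real detections.
SAMPLE_REPORT = r"""
+ Scan result:

C:\Documents and Settings\user\Application Data\ScannerA\Quarantine\0000-AAAA\1111-BBBB -> Adware.Example : Cleaned with backup (quarantined).
C:\VundoFix Backups\example.dll.bad -> Adware.Example : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{00000000-0000-0000-0000-000000000000}\RP8\A0000001.dll -> Adware.Example : Cleaned with backup (quarantined).
D:\BackUps\BackUp - 20060819.zi/My Documents/tool-update.exe -> Adware.Example : Cleaned with backup (quarantined).
D:\Temp\example.tmp.exe -> Trojan.Example : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\example.dll -> Logger.Example : Cleaned with backup (quarantined).
C:\Program Files\Common Files\{00000000-0000-0000-0000-000000000000}\update.exe -> Trojan.Example : Cleaned with backup (quarantined).
::Report end
"""

REPORT_LINE = re.compile(r"^(?P<path>.+?) -> (?P<threat>[^:]+?) : (?P<action>.+)$")

# First match wins. Patterns are the containment locations seen in this thread;
# a copy found here was already neutralised by another tool or a backup.
CONTAINED_IN = [
    ("other_quarantine", re.compile(r"\\Quarantine\\|\\VundoFix Backups\\", re.I)),
    ("restore_point", re.compile(r"\\System Volume Information\\_restore", re.I)),
    # ".zip/" or the renamed ".zi/": archive members are listed with '/' separators
    ("backup_archive", re.compile(r"\.zip?/", re.I)),
    ("temp", re.compile(r"\\Temp\\|\\Temporary Internet Files\\", re.I)),
]


def classify_location(path):
    """Label where a detected file sat; anything not contained is 'live'."""
    for label, rx in CONTAINED_IN:
        if rx.search(path):
            return label
    return "live"


def parse_report(text):
    """Return one dict per detection line: path, threat, action, location."""
    hits = []
    for raw in text.splitlines():
        m = REPORT_LINE.match(raw.strip())
        if m:
            hits.append({**m.groupdict(), "location": classify_location(m.group("path"))})
    return hits


def summarize(text):
    """Count detections per location label."""
    return dict(Counter(h["location"] for h in parse_report(text)))


def live_hits(text):
    """The detections that were actually on the running system."""
    return [h for h in parse_report(text) if h["location"] == "live"]


if __name__ == "__main__":
    print(summarize(SAMPLE_REPORT))
    for h in live_hits(SAMPLE_REPORT):
        print(f"LIVE  {h['threat']:<20} {h['path']}")
```

The live list is the part of the report that tells you whether the machine is still infected; the contained entries are the ones to clear out once a clean scan has been achieved, which is the quarantine question raised later in the thread.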
  • rpggamergirl South Australia
    edited October 2006
    Sorry about that, good job running those programs in the proper order, :)
    It can be annoying when scanners falsely identify your backup file as nasty.
    Let's run 2 more scanners and then if they don't help, we can start looking for hidden nasties.


    1. * Download and install Superantispyware
    http://www.superantispyware.com/downloadfile.html?productid=SUPERANTISPYWAREFREE
    Load Superantispyware and click the check for updates button.
    Once the update is finished, close SuperAntispyware again, we'll perform the scan later in safe mode

    * Start Superantispyware.
    Click the scan your computer button.
    Check Perform Complete Scan and then next.
    Superantispyware will now scan your computer and when it's finished it will list all the infections it has found.
    Make sure that they all have a check next to them and press next.
    Click finish and you will be taken back to the main interface.
    Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.


    2. Download this file - combofix.exe
    http://download.bleepingcomputer.com/sUBs/combofix.exe
    Double click combofix.exe & follow the prompts.
    When finished, it shall produce a log for you. Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall


    3. Please download Silent Runners.
    http://www.silentrunners.org/Silent%20Runners.vbs
    * Save it to the desktop.
    * Run Silent Runners by double-clicking the "Silent Runners" icon on your desktop.
    * You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
    * Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and upload the logfile created, go here and paste your log, http://www.rafb.net/paste/
    then at the bottom left corner click "paste"
    Copy the address/url and post it here:

    *NOTE* If you receive any warning message about scripts, please choose to allow the script to run.
  • edited October 2006
    Hi,

    While the scan is running above, as it will not finish before I go to work, can you tell me if steps 2 and 3 should be in safe or normal mode? I won't be able to post back until this evening, UK time and I'miss you for another day.

    Regards,

    Nick

    p.s I am posting from another PC. The scan is running in safe mode.
  • rpggamergirl (South Australia)
    edited October 2006
    Just run combofix and Silent Runners in normal mode, thanks.
  • edited October 2006
    Also, as each scanner appears to be picking up the next scanner's quarantine area, should I empty the quarantine areas or do you want me to leave things where they are for the moment?
  • rpggamergirl (South Australia)
    edited October 2006
    Yeah, scanners tend to do that, pick up those nasty files that are already in quarantine.

    As long as you're sure it's not a false positive and that they are nasty ones, you can delete them or empty the quarantine, otherwise you can just leave them there for now.



    My connection is slow right now, I've used up my Broadband allowance for the month and now it reverted to dial up, I still have 3 days to go before the new month starts and broadband is on again, lol
  • edited October 2006
    I've run SuperAntiSpyware with a bit of an issue. When it finished its scan and actioned the results, it offered to re-boot to finish off. I declined as you indicated to go on to the statistics/logs tab. When I exited the program, it terminated but I was left with an empty desktop. I had to reboot using task manager. I hope it has worked correctly, but I will run it again overnight just in case.

    [edit2]
    I won't run it again unless you ask me in case it interferes with what you asked me to do after.
    [/edit2]

    Although you did not ask for it, here is the log file:

    SUPERAntiSpyware Scan Log
    Generated 10/03/2006 at 08:19 AM

    Core Rules Database Version : 3097
    Trace Rules Database Version: 1124

    Memory threats detected : 1
    Registry threats detected : 42
    File threats detected : 16

    Adware.Vundo Variant
    C:\WINDOWS\SYSTEM32\NNLLL.DLL
    C:\WINDOWS\SYSTEM32\NNLLL.DLL
    HKLM\Software\Classes\CLSID\{C7CB0237-1811-4793-A842-9B13B2BCC4F6}
    HKCR\CLSID\{C7CB0237-1811-4793-A842-9B13B2BCC4F6}
    HKCR\CLSID\{C7CB0237-1811-4793-A842-9B13B2BCC4F6}\InprocServer32
    HKCR\CLSID\{C7CB0237-1811-4793-A842-9B13B2BCC4F6}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7CB0237-1811-4793-A842-9B13B2BCC4F6}
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\nnlll

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
    HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
    HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32
    HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}\InprocServer32#ThreadingModel
    C:\WINDOWS\system32\csaogdul.dll
    HKLM\Software\Classes\CLSID\{D3B3C51E-8D11-4667-85B9-0930F519BED7}
    HKCR\CLSID\{D3B3C51E-8D11-4667-85B9-0930F519BED7}
    HKCR\CLSID\{D3B3C51E-8D11-4667-85B9-0930F519BED7}\InprocServer32
    HKCR\CLSID\{D3B3C51E-8D11-4667-85B9-0930F519BED7}\InprocServer32#ThreadingModel
    C:\WINDOWS\system32\jkkhfde.dll
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{D3B3C51E-8D11-4667-85B9-0930F519BED7}
    HKCR\CLSID\{D3B3C51E-8D11-4667-85B9-0930F519BED7}
    HKCR\CLSID\{B7672BAF-E9A3-49B6-86B2-C81719A18A4C}

    Adware.Tracking Cookie
    C:\Documents and Settings\Nick\Cookies\nick@www.amaena[1].txt
    C:\Documents and Settings\Nick\Cookies\nick@stats1.reliablestats[1].txt
    C:\Documents and Settings\Nick\Cookies\nick@mediaplex[1].txt
    C:\Documents and Settings\Nick\Cookies\nick@indexstats[2].txt
    C:\Documents and Settings\Nick\Cookies\nick@mypc[1].txt

    Trojan.Unknown Origin
    HKLM\SOFTWARE\Microsoft\MSSMGR
    HKLM\SOFTWARE\Microsoft\MSSMGR#Data
    HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
    HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#Rid
    HKLM\SOFTWARE\Microsoft\MSSMGR#LID
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP13\A0000269.dll

    Adware.Toolbar888
    HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}
    HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0
    HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0
    HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\0\win32
    HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\FLAGS
    HKCR\TypeLib\{569304BA-83ED-4CFF-AC26-BE3E482F7208}\1.0\HELPDIR
    HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}
    HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid
    HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\ProxyStubClsid32
    HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib
    HKCR\Interface\{C6F2214E-0B54-45A9-B90D-7DD4BA45ED0B}\TypeLib#Version

    Trojan.Downloader-VSToolbar
    C:\WINDOWS\SYSTEM32\jnsrgtwl.exe

    Trojan.Downloader-DoneDU
    C:\WINDOWS\SYSTEM32\evpnxkl.dll.njh
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP5\A0000109.dll

    Adware.Director
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP7\A0000145.exe
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP12\A0000252.exe

    Trojan.Downloader-DoWork
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP12\A0000251.dll

    Trojan.Freeprod
    D:\Temp\win379.tmp.exe

    ================================================

    This is the log file from combofix:

    Nick - 06-10-03 19:00:34.97 Service Pack 2
    ComboFix 06.09.28 - Running from: "C:\Documents and Settings\Nick\Desktop"

    (((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\Common Files\{1F6B19E4-04B0-2057-1007-02041108002c}


    ((((((((((((((((((((((((((((((( Files Created from 2006-09-03 to 2006-10-03 ))))))))))))))))))))))))))))))))))


    2006-10-02 17:45 3,968 --a C:\WINDOWS\SYSTEM32\DRIVERS\AvgAsCln.sys
    2006-10-02 11:25 683,159 ---hs---- C:\WINDOWS\SYSTEM32\lllnn.bak2
    2006-10-02 07:25 53,248 --a C:\WINDOWS\SYSTEM32\process.exe
    2006-10-02 07:25 4,096 --a C:\WINDOWS\SYSTEM32\reboot.exe
    2006-10-02 07:25 16,384 --a C:\WINDOWS\SYSTEM32\restart.exe
    2006-10-02 07:25 16,026 --a C:\delfiles.bat
    2006-10-02 07:20 9,216 --a C:\WINDOWS\SYSTEM32\VundoFixSVC.exe
    2006-09-30 11:23 677,803 ---hs---- C:\WINDOWS\SYSTEM32\lllnn.bak1
    2006-09-23 14:27 204,800 --a C:\WINDOWS\SYSTEM32\IVIresizeW7.dll
    2006-09-23 14:27 200,704 --a C:\WINDOWS\SYSTEM32\IVIresizeA6.dll
    2006-09-23 14:27 20,480 --a C:\WINDOWS\SYSTEM32\IVIresize.dll
    2006-09-23 14:27 192,512 --a C:\WINDOWS\SYSTEM32\IVIresizeP6.dll
    2006-09-23 14:27 192,512 --a C:\WINDOWS\SYSTEM32\IVIresizeM6.dll
    2006-09-23 14:27 188,416 --a C:\WINDOWS\SYSTEM32\IVIresizePX.dll
    2006-09-21 22:57 20,096 --a C:\WINDOWS\SYSTEM32\DRIVERS\AnyDVD.sys
    2006-09-07 18:37 51,328 --a C:\WINDOWS\SYSTEM32\DRIVERS\msdv.sys
    2006-09-07 18:37 48,128 --a C:\WINDOWS\SYSTEM32\DRIVERS\61883.sys
    2006-09-07 18:37 38,912 --a C:\WINDOWS\SYSTEM32\DRIVERS\avc.sys


    (((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


    2006-10-03 07:05 d C:\Program Files\SUPERAntiSpyware
    2006-10-03 07:05 d C:\Documents and Settings\Nick\Application Data\SUPERAntiSpyware.com
    2006-10-03 07:03 d C:\Program Files\Common Files\Wise Installation Wizard
    2006-10-01 20:40 d C:\Program Files\Hijackthis
    2006-10-01 20:08 d C:\Program Files\SpywareBlaster
    2006-10-01 08:28 d C:\Documents and Settings\Nick\Application Data\Sunbelt Software
    2006-10-01 08:27 d C:\Program Files\Sunbelt Software
    2006-09-27 18:07 778656 --a C:\WINDOWS\SYSTEM32\DRIVERS\avg7core.sys
    2006-09-26 21:25 16384 --a C:\Documents and Settings\Nick\Application Data\DCBC2A71-70D8-4DAN-EHR8-E0D61DEA3FDF.ini
    2006-09-24 08:39 d C:\Documents and Settings\Nick\Application Data\Publish Providers
    2006-09-24 08:38 d C:\Documents and Settings\Nick\Application Data\Sony
    2006-09-24 08:36 d C:\Program Files\Vstplugins.njh
    2006-09-24 08:36 d C:\Program Files\Sony
    2006-09-24 08:35 d C:\Program Files\Sony Setup
    2006-09-23 14:54 d C:\Documents and Settings\Nick\Application Data\Ulead Systems
    2006-09-23 14:36 40 ---hs---- C:\Documents and Settings\Nick\Application Data\.zreglib
    2006-09-23 14:31 63400 --a C:\Documents and Settings\Nick\Application Data\GDIPFONTCACHEV1.DAT
    2006-09-23 14:27 d C:\Program Files\InterVideo
    2006-09-23 14:26 d C:\Program Files\Windows Media Components
    2006-09-23 14:25 d C:\Program Files\Ulead Systems
    2006-09-23 14:06 d C:\Documents and Settings\Nick\Application Data\SlySoft
    2006-09-23 10:22 223128 --a C:\WINDOWS\SYSTEM32\DRIVERS\dtscsi.sys
    2006-09-23 10:18 643072 --a C:\WINDOWS\SYSTEM32\DRIVERS\sptd.sys
    2006-09-22 17:47 d C:\Program Files\Nero
    2006-09-16 11:31 6265 --a C:\WINDOWS\SYSTEM32\Mapi32.dll
    2006-09-07 18:28 d C:\Program Files\Newsoft
    2006-09-03 10:22 d C:\Program Files\QuickTime Alternative
    2006-09-02 22:49 d C:\Documents and Settings\Nick\Application Data\Media Player Classic
    2006-08-29 17:51 25992 --a C:\WINDOWS\SYSTEM32\pgdfgsvc.exe
    2006-08-26 10:13 d C:\Program Files\Real Alternative
    2006-08-26 10:13 d C:\Documents and Settings\Nick\Application Data\Real
    2006-08-21 19:54 d C:\Documents and Settings\Nick\Application Data\Opera
    2006-08-21 13:21 16896 --a C:\WINDOWS\SYSTEM32\fltlib.dll
    2006-08-21 10:14 23040 --a C:\WINDOWS\SYSTEM32\fltmc.exe
    2006-08-21 10:14 128896 C:\WINDOWS\SYSTEM32\DRIVERS\fltmgr.sys
    2006-08-20 22:03 20640 C:\WINDOWS\SYSTEM32\DRIVERS\PxHelp20.sys
    2006-08-20 22:03 109568 C:\WINDOWS\SYSTEM32\pxinsi64.exe
    2006-08-20 22:03 108544 C:\WINDOWS\SYSTEM32\pxcpyi64.exe
    2006-08-19 22:41 4763178 --ah C:\Documents and Settings\Nick\Application Data\IconCache.db
    2006-08-15 18:53 d C:\Program Files\WinRAR
    2006-08-10 21:17 d C:\Program Files\Java
    2006-08-09 11:18 d C:\Program Files\XviD
    2006-08-08 08:53 27904 --a C:\WINDOWS\SYSTEM32\DRIVERS\avg7rsxp.sys
    2006-08-07 21:39 d C:\Program Files\Jetico
    2006-08-07 09:30 d C:\Program Files\Windows Defender
    2006-07-28 21:18 6265 --a C:\WINDOWS\SYSTEM32\Mapi32_moz_bak.dll
    2006-07-27 14:24 679424 --a C:\WINDOWS\SYSTEM32\inetcomm.dll
    2006-07-21 09:24 72704 --a C:\WINDOWS\SYSTEM32\hlink.dll
    2006-07-14 17:29 966656 --a C:\WINDOWS\UNRecode.exe
    2006-07-14 17:29 966656 --a C:\WINDOWS\UNNeroVision.exe
    2006-07-14 17:29 966656 --a C:\WINDOWS\UNNeroShowTime.exe
    2006-07-14 17:29 966656 --a C:\WINDOWS\UNNeroMediaHome.exe
    2006-07-14 17:29 966656 --a C:\WINDOWS\UNNeroBackItUp.exe


    (((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

    *Note* empty entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "updateMgr"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Reader\\AdobeUpdateManager.exe\" AcRdB7_0_8 -reboot 1"
    "AnyDVD"="C:\\Program Files\\SlySoft\\AnyDVD\\AnyDVD.exe"
    "SUPERAntiSpyware"="C:\\Program Files\\SUPERAntiSpyware\\SUPERAntiSpyware.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SystemTray"="SysTray.Exe"
    "KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
    65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
    "AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
    "AVG7_EMC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgemc.exe"
    "REGSHAVE"="C:\\Program Files\\REGSHAVE\\REGSHAVE.EXE /AUTORUN"
    "HPDJ Taskbar Utility"="C:\\WINDOWS\\system32\\spool\\drivers\\w32x86\\3\\hpztsb04.exe"
    "Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"
    "NeroFilterCheck"="C:\\Program Files\\Common Files\\Ahead\\Lib\\NeroCheck.exe"
    "InCD"="C:\\Program Files\\Nero\\Nero 7\\InCD\\InCD.exe"
    "SunServer"="C:\\Program Files\\Sunbelt Software\\CounterSpy\\Consumer\\sunserver.exe"
    "!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\IMAIL]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MAPI]
    "Installed"="1"
    "NoChange"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\MSFS]
    "Installed"="1"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\G:]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\G:\StuntRally.exe]
    @="G:\\StuntRally.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\K:]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Runonce\K:\StuntRally.exe]
    @="K:\\StuntRally.exe"

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components]
    "DeskHtmlVersion"=dword:00000110
    "DeskHtmlMinorVersion"=dword:00000005
    "Settings"=dword:00000001
    "GeneralFlags"=dword:00000005

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Desktop\Components\0]
    "Source"="About:Home"
    "SubscribedURL"="About:Home"
    "FriendlyName"="My Current Home Page"
    "Flags"=dword:00000002
    "Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,00,00,00,\
    00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
    "CurrentState"=hex:04,00,00,40
    "OriginalStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
    00,00,04,00,00,40
    "RestoredStateInfo"=hex:18,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,e2,03,\
    00,00,01,00,00,00

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "CTFMON.EXE"="C:\\WINDOWS\\System32\\CTFMON.EXE"
    "AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks]
    "{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
    "{076394AD-7FDD-44EF-A075-32C68DBAB99B}"=""

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\shellexecutehooks\AutorunsDisabled]
    "{D3B3C51E-8D11-4667-85B9-0930F519BED7}"=""

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:0000009d
    "CDRAutoRun"=hex:00,00,00,00
    @=hex:00,00,00,00
    "NoRecentDocsMenu"=hex:01,00,00,00
    "NoNetworkConnections"=hex:01,00,00,00
    "NoSMMyDocs"=hex:01,00,00,00
    "NoSMMyPictures"=hex:01,00,00,00
    "NoLogoff"=hex:01,00,00,00
    "NoActiveDesktop"=hex:01,00,00,00
    "NoDrives"=hex:00,00,00,00

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer\Run]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system]
    "dontdisplaylastusername"=dword:00000000
    "legalnoticecaption"=""
    "legalnoticetext"=""
    "shutdownwithoutlogon"=dword:00000001
    "undockwithoutlogon"=dword:00000001

    [HKEY_USERS\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    "CDRAutoRun"=hex:00,00,00,00
    @=hex:00,00,00,00
    "NoRecentDocsMenu"=hex:01,00,00,00

    [HKEY_USERS\S-1-5-18\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
    "NoDriveTypeAutoRun"=dword:00000095
    "CDRAutoRun"=hex:00,00,00,00
    @=hex:00,00,00,00
    "NoRecentDocsMenu"=hex:01,00,00,00

    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
    "PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
    "CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
    "WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
    "SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run-]
    "PinnacleDriverCheck"="C:\\WINDOWS\\SYSTEM32\\PSDrvCheck.exe"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\disabledrunkeys]
    "LoadPowerProfile"="Rundll32.exe powrprof.dll,LoadCurrentPwrScheme"
    "AVG7_CC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGCC.EXE /STARTUP"
    "AVG7_EMC"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGEMC.EXE"
    "AVG7_AMSVR"="C:\\PROGRA~1\\GRISOFT\\AVGFRE~1\\AVGAMSVR.EXE"
    "Client Access Service"="\"C:\\Program Files\\IBM\\Client Access\\cwbsvstr.exe\""
    "Client Access Help Update"="\"C:\\Program Files\\IBM\\Client Access\\cwbinhlp.exe\""
    "Client Access Check Version"="\"C:\\Program Files\\IBM\\Client Access\\cwbckver.exe\" LOGIN"
    "Client Access Express Welcome"="\"C:\\Program Files\\IBM\\Client Access\\cwbwlwiz.exe\""
    "InCD"="C:\\Program Files\\Ahead\\InCD\\InCD.exe"
    "Tweak UI"="RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
    "path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Reader Speed Launch.lnk"
    "backup"="C:\\WINDOWS\\pss\\Adobe Reader Speed Launch.lnkCommon Startup"
    "location"="Common Startup"
    "command"="C:\\PROGRA~1\\Adobe\\ACROBA~1.0\\Reader\\READER~1.EXE "
    "item"="Adobe Reader Speed Launch"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\ATICCC]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="cli"
    "hkey"="HKLM"
    "command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime -Delay"
    "inimapping"="0"

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSCONFIG\Startupreg\evpnxkl.dll]
    "key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
    "item"="evpnxkl"
    "hkey"="HKLM"
    "command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\evpnxkl.dll,mkvlwrb"
    "inimapping"="0"

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled\jkkhfde
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\AutorunsDisabled\nnlll
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\SASWinLogon

    HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders
    securityproviders REG_SZ msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll


    Contents of the 'Scheduled Tasks' folder
    C:\WINDOWS\tasks\MP Scheduled Scan.job

    Completion time: 03/10/06 19:01:31.99
    ComboFix.txt

    ==========================================================

    The url from Silent Runners is:

    http://www.rafb.net/paste/results/3NrCWc27.html

    I am a bit concerned to see the Adware.Vundo variant appear in the Superantispyware log as I thought we had killed it earlier. The joys of spyware :(

    [edit]
    On some of the logs, in my startup folder you will see a program called CleanTemp.exe. It is my own VB program to automatically clear old temp files and it should not be counted as suspicious.
    [/edit]

    Regards,

    Nick
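    The ComboFix "Reg Loading Points" section above is written in .reg syntax, and one of the autorun values (KernelFaultCheck) is stored as hex(2), so what it actually launches is not readable until the bytes are decoded. The Python below is an added example, not code from this thread or from ComboFix: it parses that syntax and decodes REG_SZ, REG_EXPAND_SZ, REG_DWORD and REG_BINARY values, then lists every command under a Run key. The sample input is constructed from a few value lines of the log above, and the function names (parse_reg_dump, decode_value, autorun_commands) are my own. One caveat it handles: a regedit export stores hex(2)/hex(7) text as UTF-16LE, whereas ComboFix's log writes single-byte text, so the decoder checks which of the two it is looking at.

```python
import re

# Constructed sample: a few value lines taken from the ComboFix "Reg Loading Points"
# section on this page, in the .reg syntax ComboFix writes. Not a real registry export.
SAMPLE_DUMP = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SystemTray"="SysTray.Exe"
"KernelFaultCheck"=hex(2):25,73,79,73,74,65,6d,72,6f,6f,74,25,5c,73,79,73,74,\
65,6d,33,32,5c,64,75,6d,70,72,65,70,20,30,20,2d,6b,00
"Windows Defender"="\"C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\explorer]
"NoDriveTypeAutoRun"=dword:0000009d
"CurrentState"=hex:04,00,00,40
@=hex:00,00,00,00
'''

# "name"=value or @=value (the key's default value); names may contain escaped quotes.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _join_continuations(text):
    # A value too long for one line is continued on the next line after a trailing backslash.
    return re.sub(r'\\\r?\n\s*', '', text)


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r'\\(.)', r'\1', s)


def _hex_bytes(s):
    return bytes(int(b, 16) for b in s.split(',') if b.strip())


def _decode_sz(raw):
    # regedit exports hex(2)/hex(7) as UTF-16LE; this log stores single-byte text.
    # UTF-16LE ASCII text has a zero byte in every odd position, so use that to choose.
    if raw and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2]):
        text = raw.decode('utf-16-le')
    else:
        text = raw.decode('latin-1')
    return text.rstrip('\x00')


def decode_value(rhs):
    """Map the right-hand side of a .reg value line to (registry type, Python value)."""
    if len(rhs) >= 2 and rhs.startswith('"') and rhs.endswith('"'):
        return 'REG_SZ', _unescape(rhs[1:-1])
    if rhs.startswith('dword:'):
        return 'REG_DWORD', int(rhs[len('dword:'):], 16)
    m = re.match(r'hex(?:\((\d+)\))?:(.*)$', rhs)
    if m:
        kind = int(m.group(1) or 3)          # bare "hex:" is REG_BINARY (type 3)
        raw = _hex_bytes(m.group(2))
        if kind == 2:
            return 'REG_EXPAND_SZ', _decode_sz(raw)
        if kind == 7:
            return 'REG_MULTI_SZ', [s for s in _decode_sz(raw).split('\x00') if s]
        return ('REG_BINARY' if kind == 3 else 'REG_TYPE_%d' % kind), raw
    raise ValueError('unrecognised value syntax: %r' % rhs)


def parse_reg_dump(text):
    """Return {key path: {value name: (type, value)}} for a .reg-style dump."""
    keys = {}
    current = None
    for line in _join_continuations(text).splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)) if m.group(1) is not None else '(Default)'
            keys[current][name] = decode_value(m.group(2))
    return keys


def autorun_commands(keys):
    """Every string value under a Run key, with hex(2) entries already decoded."""
    found = []
    for path, values in keys.items():
        if path.lower().endswith('\\run'):
            for name, (typ, val) in values.items():
                if typ in ('REG_SZ', 'REG_EXPAND_SZ'):
                    found.append((path, name, val))
    return found


if __name__ == '__main__':
    for path, name, cmd in autorun_commands(parse_reg_dump(SAMPLE_DUMP)):
        print('%s\\%s -> %s' % (path, name, cmd))
```

    Running it on the sample prints the three Run entries, with KernelFaultCheck decoded to the same `%systemroot%\system32\dumprep 0 -k` command that HijackThis shows in plain text; that cross-check is the point, since a hex(2) value can hide an autorun command from a quick read of the log.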
  • edited October 2006
    While you've been waiting for your broadband again, I've done the following:

    1 - Run SuperAntiSpyware again in safe mode with the following results:

    SUPERAntiSpyware Scan Log
    Generated 10/04/2006 at 08:13 AM

    Core Rules Database Version : 3097
    Trace Rules Database Version: 1124

    Memory threats detected : 0
    Registry threats detected : 0
    File threats detected : 2

    Trojan.Downloader-VSToolbar
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP16\A0000324.exe

    Adware.Vundo Variant
    C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP16\A0000326.DLL

    It then treated these two items which were only in the Restore folder.

    2 - Run Ad-aware in normal mode. Nothing found.

    3 - Run Spybot in normal mode. Nothing found.

    4 - Run Ewido in normal mode. Nothing found.

    5 - Run SuperAntiSpyware in normal mode. Nothing found.

    6 - Run AVG Antivirus. Trojan horse Generic2.DDX found twice, once in C:\VundoFix Backups\winpcy.dll.bad, and once in the system restore folder as A0000161.dll, which it quarantined.

    Perhaps things are looking better, and I await your view.

    Regards,

    Nick
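    The two SUPERAntiSpyware logs above mix detections that matter very differently: a DLL registered as a Browser Helper Object or as a Winlogon notify package is live on the system, copies under System Volume Information\_restore are dormant restore-point snapshots that only go away when System Restore is flushed, and tracking cookies are plain text files. The Python below is an added example, not code from this thread or from SUPERAntiSpyware: it parses that log layout and classifies each detection by what it is and where it loads from, so the items that still need action stand out. The sample log is constructed from detection lines of the logs above with made-up header counts; the class labels and function names (parse_sas_log, classify, needs_attention) are my own.

```python
import re

# Constructed sample: detection lines taken from the two SUPERAntiSpyware logs on this page,
# with made-up header counts. Not a real scan log.
SAMPLE_LOG = r'''SUPERAntiSpyware Scan Log
Generated 10/04/2006 at 08:13 AM

Core Rules Database Version : 3097
Trace Rules Database Version: 1124

Memory threats detected : 1
Registry threats detected : 4
File threats detected : 4

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\NNLLL.DLL
HKCR\CLSID\{C7CB0237-1811-4793-A842-9B13B2BCC4F6}\InprocServer32
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{C7CB0237-1811-4793-A842-9B13B2BCC4F6}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\nnlll

Adware.Tracking Cookie
C:\Documents and Settings\Nick\Cookies\nick@mediaplex[1].txt

Trojan.Downloader-VSToolbar
C:\WINDOWS\SYSTEM32\jnsrgtwl.exe
C:\System Volume Information\_restore{B5D83387-1DA1-4E00-B212-889C997829B3}\RP16\A0000324.exe

Trojan.Unknown Origin
HKLM\SOFTWARE\Microsoft\MSSMGR#Data
'''

# SAS writes some registry paths without a hive prefix (see the WinLogon\Notify line).
REGISTRY_PREFIXES = ('HKLM\\', 'HKCR\\', 'HKCU\\', 'HKU\\', 'HKEY_', 'SOFTWARE\\')

# Classes that need no removal on the live system: restore-point snapshots are only
# reachable through System Restore, and tracking cookies are plain text files.
DORMANT = ('file:restore-point', 'file:cookie')


def classify(item):
    """Label one detection line by what it is and where it loads from."""
    u = item.upper()
    if u.startswith(REGISTRY_PREFIXES):
        if '\\WINLOGON\\NOTIFY\\' in u:
            return 'registry:winlogon-notify'   # DLL loaded into winlogon.exe at logon
        if '\\BROWSER HELPER OBJECTS\\' in u:
            return 'registry:bho'               # DLL loaded into every Internet Explorer
        if '\\CLSID\\' in u or '\\TYPELIB\\' in u or '\\INTERFACE\\' in u:
            return 'registry:com'               # COM registration backing a BHO/toolbar
        return 'registry:other'
    if '\\SYSTEM VOLUME INFORMATION\\_RESTORE' in u:
        return 'file:restore-point'
    if '\\COOKIES\\' in u:
        return 'file:cookie'
    return 'file:live'


def parse_sas_log(text):
    """Return (header counts, {threat name: [(item, class), ...]}) for a SAS scan log."""
    summary, threats = {}, {}
    for block in re.split(r'\n\s*\n', text.strip()):
        lines = [l.strip() for l in block.splitlines() if l.strip()]
        counts = re.findall(r'^\s*(\w+) threats detected\s*:\s*(\d+)\s*$', block, re.M)
        if counts:
            summary.update((k.lower(), int(v)) for k, v in counts)
            continue
        # A detection block is a threat name followed by one or more paths/registry keys;
        # the banner and database-version blocks have no backslashes and are skipped.
        items = lines[1:]
        if items and all('\\' in i for i in items):
            threats.setdefault(lines[0], []).extend((i, classify(i)) for i in items)
    return summary, threats


def needs_attention(threats):
    """Detections still live on the running system, i.e. not in the dormant classes."""
    return [(name, item, cls) for name, items in threats.items()
            for item, cls in items if cls not in DORMANT]


if __name__ == '__main__':
    summary, threats = parse_sas_log(SAMPLE_LOG)
    print('scanner counts:', summary)
    for name, item, cls in needs_attention(threats):
        print('%-28s %-26s %s' % (name, cls, item))
```

    On the sample this leaves six live items (the Vundo DLL with its CLSID, BHO and Winlogon notify registrations, the VSToolbar downloader executable, and the MSSMGR registry data) and sets aside the cookie and the restore-point copy, which matches what the helper says later in the thread about the restore-point findings: those are flushed by turning System Restore off rather than cleaned individually.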
  • rpggamergirl (South Australia)
    edited October 2006
    I am a bit concerned to see the Adware.Vundo variant appear in the Superantispyware log as I thought we had killed it earlier. The joys of spyware
    Yeah, but they were different vundo files that superantispyware found, different than what vundofix found; sometimes vundofix can't find all the vundo files.

    These files below you can also delete; they are just the reverse files of the vundo dll, they are harmless and can be taken care of by most scanners.
    C:\WINDOWS\SYSTEM32\lllnn.bak2
    C:\WINDOWS\SYSTEM32\lllnn.bak1


    Sorry couldn't see the Silent Runners log, it's gone from the site.


    Okay, things are looking good from what you said in your above post.

    The vundo backups can be deleted.
    The one in System Restore can be flushed when you turn your System Restore off and reboot.

    To turn off Windows XP System Restore:
    1. Click Start.
    2. Right-click the My Computer icon, and then click Properties.
    3. Click the System Restore tab.
    4. Check "Turn off System Restore" or "Turn off System Restore on all drives"
    5. Click Apply.
    6. When turning off System Restore, the existing restore points will be deleted. Click Yes to do this.
    7. Click OK.
    8. Restart the computer and follow the instructions in the next section to turn on System Restore.


    To turn on Windows XP System Restore:
    1. Click Start.
    2. Right-click My Computer, and then click Properties.
    3. Click the System Restore tab.
    4. Uncheck "Turn off System Restore" or "Turn off System Restore on all drives."
    5. Click Apply, and then click OK.
    6. Immediately create a new restore point.


    Can we look at your hijackthis log just to see if there is any registry clutter?

    Once you're clean, you can uninstall or remove all the programs/tools that we used to help clean up your pc.
  • edited October 2006
    I've deleted the two files. There is a third hidden one, C:\WINDOWS\SYSTEM32\lllnn.ini. Should I delete that as well?

    I have run Silent Runners again and here is the new rafb url.

    This is my latest HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 16:58:34, on 06/10/06
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunThreatEngine.exe
    C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunProtectionServer.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
    C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
    C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\FinePixViewer\QuickDCF.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Hijackthis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.ntlworld.com/
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=56626&homepage=http://www.microsoft.com/isapi/redir.dll?prd={SUB_PRD}&clcid={SUB_CLSID}&pver={SUB_PVER}&ar=home
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=62.252.0.4:8080
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O2 - BHO: (no name) - {C7CB0237-1811-4793-A842-9B13B2BCC4F6} - (no file)
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
    O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
    O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
    O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
    O4 - HKLM\..\Run: [SunServer] C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
    O4 - HKCU\..\Run: [updateMgr] "C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1
    O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: AboutTime.lnk = C:\Program Files\AboutTime\AboutTime.exe
    O4 - Global Startup: CleanTemp.lnk = E:\My Documents\Nick\Software\Visual Basic\CleanTemp.exe
    O4 - Global Startup: Exif Launcher.lnk = ?
    O4 - Global Startup: NeroLogCleanUp.bat
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=48835
    O16 - DPF: {1B9935E4-8A50-4DD8-BD09-A7518723BF97} (Talisma NetAgent Customer ActiveX Control version 3) - http://etalk.epson.co.uk/netagent/objects/custappx3.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1124569999598
    O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedContent/common/bin/cabsa.cab
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1124572343986
    O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
    O16 - DPF: {A90A5822-F108-45AD-8482-9BC8B12DD539} (Crucial cpcScan) - http://www.crucial.com/controls/cpcScanner.cab
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\
    O20 - Winlogon Notify: SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Adobe Active File Monitor V4 (AdobeActiveFileMonitor4.0) - Unknown owner - C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\SYSTEM32\ati2sgag.exe
    O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
    O23 - Service: SQL Server (SQLEXPRESS) (MSSQL$SQLEXPRESS) - Unknown owner - C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS (file missing)
    O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
    O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

    I hope it is all good news.

    I do have a question for you which you may not be allowed to answer.

    Doing this clean up, you have used Ewido and SuperAntiSpyware. My latest Computer Shopper did an anti-spyware comparison but it did not test SuperAntiSpyware. Of the programs it tested which provided real time protection, it ranked CounterSpy, Ewido and Spyware Doctor pretty similarly as the best (and it was not very complimentary about M$ Defender). From what I have seen, SuperAntiSpyware seemed to do better at the eradication than Ewido or CounterSpy (which I tried before my first post) did. Do you have any recommendations or can you point me to any valid comparison tests?

    Regards,

    Nick
  • rpggamergirl South Australia
    edited October 2006
    Sorry, again I'm too late viewing the Silent Runners log; the web server at rafb.net had deleted the files.
    Can you just email me the Silent Runners log or just post it here, please.

    I've deleted the two files. There is a third hidden one, C:\WINDOWS\SYSTEM32\lllnn.ini. Should I delete that as well?
    Yes, delete that file as well, that's one of the reversed vundo files.

    With vundo infections, for every vundo dll, reversed/backward files of the dll name are also created (with different extensions); these are harmless files.
    For example, with this vundo dll --> C:\WINDOWS\SYSTEM32\NNLLL.DLL
    there could be reversed files as below (not all will be there). See how the vundo file name is reversed? Backward files, but with different extensions.
    The above vundo dll might have all or only a couple of the following. In your case you had 3 backward files.

    C:\WINDOWS\SYSTEM32\lllnn.bak1
    C:\WINDOWS\SYSTEM32\lllnn.bak2
    C:\WINDOWS\SYSTEM32\lllnn.ini
    C:\WINDOWS\SYSTEM32\lllnn.ini2
    C:\WINDOWS\SYSTEM32\lllnn.tmp
    C:\WINDOWS\SYSTEM32\lllnn.tmp1
    C:\WINDOWS\SYSTEM32\lllnn.tmp2


    I don't really know of any other antispyware scanner comparisons, besides what malware experts tested on their virtual machines and found to be good.
    Malware helpers/experts look for good free anti-spyware scanners to use in cleaning an infected pc, and Ewido (AVG Anti-Spyware), SuperAntiSpyware, DrWebCureit and SpySweeper are what they've found and considered good at removing malware that the usual AdAware, MS Defender and Spybot may have missed.


    Here's also a review from Spywarewarrior and what they recommend if it helps:
    http://spywarewarrior.com/asw-features.htm


    No malware showing in your log, but you can fix these entries:
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\SYSTEM\blank.htm
    O2 - BHO: (no name) - AutorunsDisabled - (no file)
    O2 - BHO: (no name) - {C7CB0237-1811-4793-A842-9B13B2BCC4F6} - (no file)
    O20 - Winlogon Notify: AutorunsDisabled - C:\WINDOWS\


    How's the pc going?
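The reversed-name companion files described in the post above follow a fixed pattern, so the check can be automated. The helper below is an added example for this thread, not code from rpggamergirl or from any of the tools mentioned: it derives the companion names from a Vundo DLL name using the seven extensions listed in the post, checks which ones exist in a directory (case-insensitively, as NTFS names are), and also does the reverse lookup from a leftover companion back to the DLL name it points at. The directory and file names in `demo()` are constructed for the example.

```python
import os
import tempfile
from pathlib import Path

# Extensions rpggamergirl lists for the reversed-name companion files.
COMPANION_EXTENSIONS = (".bak1", ".bak2", ".ini", ".ini2", ".tmp", ".tmp1", ".tmp2")


def reversed_stem(dll_name):
    """Spell the DLL's base name backwards, lower-cased: 'NNLLL.DLL' -> 'lllnn'."""
    return Path(dll_name).stem[::-1].lower()


def companion_names(dll_name):
    """Every companion file name the post says may sit beside a given Vundo DLL."""
    base = reversed_stem(dll_name)
    return [base + ext for ext in COMPANION_EXTENSIONS]


def dll_for_companion(companion_name):
    """Inverse lookup: 'lllnn.ini' -> 'nnlll.dll', the DLL a leftover companion points back to."""
    return Path(companion_name).stem[::-1].lower() + ".dll"


def find_companions(dll_name, directory):
    """Return the companion files actually present in `directory`.
    Matching is case-insensitive, as NTFS file names are."""
    wanted = set(companion_names(dll_name))
    return sorted((entry.name for entry in os.scandir(directory)
                   if entry.is_file() and entry.name.lower() in wanted),
                  key=str.lower)


def demo():
    """Constructed scenario (not a real System32): a temporary folder holding
    three of the seven companions for NNLLL.DLL plus an unrelated file."""
    with tempfile.TemporaryDirectory() as system32:
        for name in ("lllnn.bak1", "LLLNN.ini", "lllnn.tmp", "unrelated.ini"):
            Path(system32, name).touch()
        return find_companions("NNLLL.DLL", system32)


if __name__ == "__main__":
    print("companions to look for:", companion_names("NNLLL.DLL"))
    print("present in constructed folder:", demo())
    print("lllnn.ini belongs to:", dll_for_companion("lllnn.ini"))
```

Run it against a real `C:\WINDOWS\SYSTEM32` by calling `find_companions("NNLLL.DLL", r"C:\WINDOWS\SYSTEM32")` with the DLL name the scanner reported; the inverse lookup is useful when a scanner only reports the harmless `.ini` or `.tmp` leftovers and you want the name of the DLL they came from.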
  • edited October 2006
    Hi,

    I've no true idea how the PC is going as I've been away for the weekend. The start up is slow because of all the tools I had to install, but I'll sort that out tonight. I think the PC is better in the brief time I've been on it.

    Here is my Silent Runners log:

    "Silent Runners.vbs", revision 48, http://www.silentrunners.org/
    Operating System: Windows XP SP2
    Output limited to non-default values, except where indicated by "{++}"


    Startup items buried in registry:

    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "updateMgr" = ""C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1" ["Adobe Systems Incorporated"]
    "AnyDVD" = "C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe" ["SlySoft, Inc."]
    "SUPERAntiSpyware" = "C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" ["SUPERAntiSpyware.com"]

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
    "SystemTray" = "SysTray.Exe" [MS]
    "KernelFaultCheck" = "C:\WINDOWS\system32\dumprep 0 -k" [MS]
    "AVG7_CC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP" ["GRISOFT, s.r.o."]
    "AVG7_EMC" = "C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" ["GRISOFT, s.r.o."]
    "REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
    "HPDJ Taskbar Utility" = "C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb04.exe" ["HP"]
    "Windows Defender" = ""C:\Program Files\Windows Defender\MSASCui.exe" -hide" [MS]
    "NeroFilterCheck" = "C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" ["Nero AG"]
    "InCD" = "C:\Program Files\Nero\Nero 7\InCD\InCD.exe" ["Nero AG"]
    "SunServer" = "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\sunserver.exe" ["Sunbelt Software"]
    "!AVG Anti-Spyware" = ""C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized" ["Anti-Malware Development a.s."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\(Default) = (no title provided)
    -> {HKLM...CLSID} = "SSVHelper Class"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
    "{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
    -> {HKLM...CLSID} = "Display Panning CPL Extension"
    \InProcServer32\(Default) = "deskpan.dll" [file not found]
    "{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
    -> {HKLM...CLSID} = "HyperTerminal Icon Ext"
    \InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
    "{5b4dae26-b807-11d0-9815-00c04fd91972}" = "Menu Band"
    -> {HKLM...CLSID} = "Menu Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{8278F931-2A3E-11d2-838F-00C04FD918D0}" = "Tracking Shell Menu"
    -> {HKLM...CLSID} = "Tracking Shell Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{E13EF4E4-D2F2-11d0-9816-00C04FD91972}" = "Menu Site"
    -> {HKLM...CLSID} = "Menu Site"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{ECD4FC4F-521C-11D0-B792-00A0C90312E1}" = "Menu Desk Bar"
    -> {HKLM...CLSID} = "Menu Desk Bar"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{D82BE2B0-5764-11D0-A96E-00C04FD705A2}" = "IShellFolderBand"
    -> {HKLM...CLSID} = "IShellFolderBand"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{0E5CBF21-D15F-11d0-8301-00AA005B4383}" = "&Links"
    -> {HKLM...CLSID} = "&Links"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{7487cd30-f71a-11d0-9ea7-00805f714772}" = "Thumbnail Image"
    -> {HKLM...CLSID} = "Thumbnail Image"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{450D8FBA-AD25-11D0-98A8-0800361B1103}" = "MyDocs Folder"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\WINDOWS\system32\SHELL32.dll" [MS]
    "{B8323370-FF27-11D2-97B6-204C4F4F5020}" = "SmartFTP Shell Extension DLL"
    -> {HKLM...CLSID} = "SmartFTP Shell Extension DLL"
    \InProcServer32\(Default) = "C:\PROGRAM FILES\SMARTFTP\SMARTHOOK.DLL" ["SmartFTP"]
    "{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
    -> {HKLM...CLSID} = "Portable Media Devices"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
    -> {HKLM...CLSID} = "Portable Media Devices Menu"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\Audiodev.dll" [MS]
    "{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
    -> {HKLM...CLSID} = "Microsoft Office Outlook"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\MLSHEXT.DLL" [MS]
    "{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
    -> {HKLM...CLSID} = "Outlook File Icon Extension"
    \InProcServer32\(Default) = "C:\PROGRA~1\MICROS~1\OFFICE11\OLKFSTUB.DLL" [MS]
    "{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\program files\microsoft office\OFFICE11\msohev.dll" [MS]
    "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Shell Extension"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{9F97547E-460A-42C5-AE0C-81C61FFAEBC3}" = "AVG7 Find Extension"
    -> {HKLM...CLSID} = "AVG7 Find Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]
    "{e82a2d71-5b2f-43a0-97b8-81be15854de8}" = "ShellLink for Application References"
    -> {HKLM...CLSID} = "ShellLink for Application References"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
    "{E37E2028-CE1A-4f42-AF05-6CEABC4E5D75}" = "Shell Icon Handler for Application References"
    -> {HKLM...CLSID} = "Shell Icon Handler for Application References"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\dfshim.dll" [MS]
    "{21569614-B795-46b1-85F4-E737A8DC09AD}" = "Shell Search Band"
    -> {HKLM...CLSID} = "Shell Search Band"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\browseui.dll" [MS]
    "{1CC513EE-A20D-4f42-BDAF-4BE42BCDB6EC}" = "UIM File Extension"
    -> {HKLM...CLSID} = "UimShlExt Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\UimExt.dll" [empty string]
    "{1CC513AE-A20D-4f42-BDAF-4BE42BCDB6EC}" = "UIM Drive Extension"
    -> {HKLM...CLSID} = "UimDriveExt Class"
    \InProcServer32\(Default) = "C:\WINDOWS\system32\UimExt.dll" [empty string]
    "{5E2121EE-0300-11D4-8D3B-444553540000}" = "Catalyst Context Menu extension"
    -> {HKLM...CLSID} = "SimpleShlExt Class"
    \InProcServer32\(Default) = "C:\Program Files\ATI Technologies\ATI.ACE\atiacmxx.dll" [empty string]
    "{23170F69-40C1-278A-1000-000100020000}" = "7-Zip Shell Extension"
    -> {HKLM...CLSID} = "7-Zip Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
    INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
    -> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
    \InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
    INFECTION WARNING! "{076394AD-7FDD-44EF-A075-32C68DBAB99B}" = "*i" (unwritable string)
    -> {HKLM...CLSID} = "GIANT AntiSpyware Service Hook"
    \InProcServer32\(Default) = "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunExecuteHook.dll" ["Sunbelt Software"]

    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
    INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]
    INFECTION WARNING! SASWinLogon\DLLName = "C:\Program Files\SUPERAntiSpyware\SASWINLO.dll" ["SUPERAntiSpyware.com"]

    HKLM\Software\Classes\PROTOCOLS\Filter\
    INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
    -> {HKLM...CLSID} = (no title provided)
    \InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

    HKLM\Software\Classes\Folder\shellex\ColumnHandlers\
    {F9DB5320-233E-11D1-9F84-707F02C10627}\(Default) = "PDF Column Info"
    -> {HKLM...CLSID} = "PDF Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 7.0\ActiveX\PDFShell.dll" ["Adobe Systems, Inc."]

    HKLM\Software\Classes\*\shellex\ContextMenuHandlers\
    7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
    -> {HKLM...CLSID} = "7-Zip Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]

    HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\
    7-ZIP\(Default) = "{23170F69-40C1-278A-1000-000100020000}"
    -> {HKLM...CLSID} = "7-Zip Shell Extension"
    \InProcServer32\(Default) = "C:\Program Files\7-Zip\7-zip.dll" ["Igor Pavlov"]
    AVG Anti-Spyware\(Default) = "{8934FCEF-F5B8-468f-951F-78A921CD3920}"
    -> {HKLM...CLSID} = "CContextScan Object"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll" ["Anti-Malware Development a.s."]

    HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\
    AVG7 Shell Extension\(Default) = "{9F97547E-4609-42C5-AE0C-81C61FFAEBC3}"
    -> {HKLM...CLSID} = "AVG7 Shell Extension Class"
    \InProcServer32\(Default) = "C:\Program Files\Grisoft\AVG Free\avgse.dll" ["GRISOFT, s.r.o."]


    Active Desktop and Wallpaper:

    Active Desktop is disabled at this entry:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellState


    Startup items in "Nick" & "All Users" startup folders:

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup
    "AboutTime" -> shortcut to: "C:\Program Files\AboutTime\AboutTime.exe" [empty string]
    "CleanTemp" -> shortcut to: "E:\My Documents\Nick\Software\Visual Basic\CleanTemp.exe 20" [null data]
    "Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
    INFECTION WARNING! "NeroLogCleanUp.bat" [null data]


    Enabled Scheduled Tasks:

    "MP Scheduled Scan" -> launches: "C:\Program Files\Windows Defender\MpCmdRun.exe Scan -RestrictPrivileges" [MS]


    Winsock2 Service Provider DLLs:

    Namespace Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
    000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
    000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
    000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

    Transport Service Providers

    HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
    0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
    %SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 19
    %SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


    Toolbars, Explorer Bars, Extensions:

    Extensions (Tools menu items, main toolbar menu buttons)

    HKLM\Software\Microsoft\Internet Explorer\Extensions\
    {08B0E5C0-4FCB-11CF-AAA5-00401C608501}\
    "MenuText" = "Sun Java Console"
    "CLSIDExtension" = "{CAFEEFAC-0015-0000-0008-ABCDEFFEDCBC}"
    -> {HKCU...CLSID} = "Java Plug-in 1.5.0_08"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\ssv.dll" ["Sun Microsystems, Inc."]
    -> {HKLM...CLSID} = "Java Plug-in 1.5.0_08"
    \InProcServer32\(Default) = "C:\Program Files\Java\jre1.5.0_08\bin\npjpi150_08.dll" ["Sun Microsystems, Inc."]

    {92780B25-18CC-41C8-B9BE-3C9C571A8263}\
    "ButtonText" = "Research"

    {FB5F1910-F110-11D2-BB9E-00C04F795683}\
    "ButtonText" = "@C:\Program Files\Messenger\Msgslang.dll,-61144"
    "MenuText" = "@C:\Program Files\Messenger\Msgslang.dll,-61144"
    "Exec" = "C:\Program Files\Messenger\msmsgs.exe" [MS]


    Running Services (Display Name, Service Name, Path {Service DLL}):

    Adobe Active File Monitor V4, AdobeActiveFileMonitor4.0, "C:\Program Files\Adobe\Photoshop Elements 4.0\PhotoshopElementsFileAgent.exe" [null data]
    Ati HotKey Poller, Ati HotKey Poller, "C:\WINDOWS\system32\Ati2evxx.exe" ["ATI Technologies Inc."]
    AVG Anti-Spyware Guard, AVG Anti-Spyware Guard, "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe" ["Anti-Malware Development a.s."]
    AVG7 Alert Manager Server, Avg7Alrt, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe" ["GRISOFT, s.r.o."]
    AVG7 Update Service, Avg7UpdSvc, "C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe" ["GRISOFT, s.r.o."]
    InCD Helper, InCDsrv, "C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe" ["Nero AG"]
    SQL Server (SQLEXPRESS), MSSQL$SQLEXPRESS, ""C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe" -sSQLEXPRESS" [MS]
    Ulead Burning Helper, UleadBurningHelper, "C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe" ["Ulead Systems, Inc."]
    Windows Defender Service, WinDefend, ""C:\Program Files\Windows Defender\MsMpEng.exe"" [MS]
    Windows User Mode Driver Framework, UMWdf, "C:\WINDOWS\system32\wdfmgr.exe" [MS]


    Print Monitors:

    HKLM\System\CurrentControlSet\Control\Print\Monitors\
    HP LaserJet 5 Language Monitor\Driver = "HPDCMON.DLL" ["Hewlett-Packard"]
    hpzlnt04\Driver = "hpzlnt04.dll" ["HP"]
    Microsoft Document Imaging Writer Monitor\Driver = "mdimon.dll" [MS]
    Microsoft Shared Fax Monitor\Driver = "FXSMON.DLL" [MS]
    NetGear Print Server\Driver = "ngprtserv.dll" [null data]


    + This report excludes default entries except where indicated.
    + To see *everywhere* the script checks and *everything* it finds,
    launch it from a command prompt or a shortcut with the -all parameter.
    + To search all directories of local fixed drives for DESKTOP.INI
    DLL launch points and all Registry CLSIDs for dormant Explorer Bars,
    use the -supp parameter or answer "No" at the first message box.
    (total run time: 66 seconds, including 18 seconds for message boxes)

    I've made no changes since I created this on Friday.

    Regards,

    Nick
  • rpggamergirl South Australia
    edited October 2006
    The Silent Runners log didn't show any malicious entries, except for one "INFECTION WARNING" which also looks like it belongs to MS.
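The reading above leans on the publisher tag Silent Runners prints after each loaded file (`[MS]`, `["Sunbelt Software"]`, `[null data]`): the "INFECTION WARNING!" marker flags a launch point that malware likes to use, not a verdict on the file in it. As an added example for this thread (not code from Silent Runners or from anyone posting here), the parser below reads that log format, pulls out each flagged entry with its launch point, loaded file and publisher tag, and queues for manual review the entries whose file carries no publisher information. `SAMPLE_LOG` is a constructed excerpt modelled on lines from Nick's log above.

```python
import re

# Constructed excerpt modelled on the Silent Runners output posted above;
# it is sample input for this example, not the full log.
SAMPLE_LOG = r"""
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}" = "Microsoft AntiMalware ShellExecuteHook"
-> {HKLM...CLSID} = "Microsoft AntiMalware ShellExecuteHook"
\InProcServer32\(Default) = "C:\PROGRA~1\WIFD1F~1\MpShHook.dll" [MS]
INFECTION WARNING! "{076394AD-7FDD-44EF-A075-32C68DBAB99B}" = "*i" (unwritable string)
-> {HKLM...CLSID} = "GIANT AntiSpyware Service Hook"
\InProcServer32\(Default) = "C:\Program Files\Sunbelt Software\CounterSpy\Consumer\SunExecuteHook.dll" ["Sunbelt Software"]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! AtiExtEvent\DLLName = "Ati2evxx.dll" ["ATI Technologies Inc."]

Startup items in "Nick" & "All Users" startup folders:

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
INFECTION WARNING! "NeroLogCleanUp.bat" [null data]
"""

WARNING_RE = re.compile(r'^INFECTION WARNING!\s*(?P<entry>.*)$')
# A registry key or folder line names the launch point the entries below it belong to.
SECTION_RE = re.compile(r'^(?:HK[A-Z]+\\|[A-Z]:\\)')
# A quoted value directly followed by the publisher tag is the file the entry loads:
#   DLLName = "x.dll" ["Vendor"]   \InProcServer32\(Default) = "...\a.dll" [MS]   "file.bat" [null data]
FILE_RE = re.compile(r'"(?P<path>[^"]*)"\s*\[(?P<tag>[^\]]*)\]\s*$')
# Lines that continue the entry above rather than starting a new one.
CONTINUATION_PREFIXES = ("->", "\\InProcServer32")
# Tags that mean Silent Runners found no company name for the file.
UNVERIFIED_TAGS = {None, "null data", "empty string", "file not found"}


def _absorb_file(record, line):
    """Record the first path + publisher tag seen for this entry."""
    if record["path"] is not None:
        return
    match = FILE_RE.search(line)
    if match:
        record["path"] = match.group("path")
        record["publisher"] = match.group("tag").strip('"')


def parse_infection_warnings(log_text):
    """One dict per INFECTION WARNING! line: launch point, entry text, loaded file, publisher."""
    records, section, current = [], None, None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        match = WARNING_RE.match(line)
        if match:
            current = {"section": section, "entry": match.group("entry"),
                       "path": None, "publisher": None}
            records.append(current)
            _absorb_file(current, line)
        elif line.startswith(CONTINUATION_PREFIXES):
            if current is not None:
                _absorb_file(current, line)
        else:
            current = None
            if SECTION_RE.match(line):
                section = line
    return records


def needs_review(record):
    """A company name is not proof of legitimacy, but a flagged entry whose file
    has no publisher information is the first thing to look at."""
    return record["publisher"] in UNVERIFIED_TAGS


def review_queue(log_text):
    return [r for r in parse_infection_warnings(log_text) if needs_review(r)]


if __name__ == "__main__":
    for rec in parse_infection_warnings(SAMPLE_LOG):
        flag = "REVIEW" if needs_review(rec) else "ok"
        print(f"[{flag}] {rec['section']}\n        {rec['path']}  publisher={rec['publisher']}")
```

To use it on a real log, replace `SAMPLE_LOG` with the file's contents (`parse_infection_warnings(open("silentrunners.txt").read())`). The publisher tag comes from the file's own version resource, which a file can claim freely, so "ok" here means only that the entry is consistent with the software the log already accounts for; the review queue is where manual checking of the file starts.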
  • edited October 2006
    Are you saying that I am now clean?
  • rpggamergirl South Australia
    edited October 2006
    Are you saying that I am now clean?

    Over a year ago a clean HijackThis log meant a clean pc, but I can't say that anymore because a lot of nasties now do not show up in the log.

    So now it depends on the user himself: if he has no more problems and his log shows clean, then I would say that it is a clean pc, though even that is not a guarantee of a perfectly clean pc.
  • edited October 2006
    OK, I understand.

    Thanks very much for your help. It has been greatly appreciated.

    Nick