
Topic: I've received many trojan warnings!


stomper

    Topic Starter


    Rookie
    I've received many trojan warnings!
    « on: November 22, 2007, 06:11:02 AM »
    I'm using Windows XP Service Pack 1. I have a DSL connection. All was fine in my world until last Saturday, Nov. 17. I guess I ventured into far away places ...

    I came on this forum and read the posts, and followed the step-by-step instructions posted by "evilfantasy". Thank you for such easy to follow instructions!

    I am attaching my 3 logs - SuperAntiSpyware, EsetOnline Scanner, and HijackThis.

    Any help I am given will be greatly appreciated!


    [saving disk space - old attachment deleted by admin]

    evilfantasy

    • Malware Removal Specialist
    • Moderator


    • Genius
    • Calm like a bomb
    • Thanked: 493
    • Experience: Experienced
    • OS: Windows 11
    Re: I've received many trojan warnings!
    « Reply #1 on: November 22, 2007, 07:56:56 AM »
    Welcome to Computer Hope.   8)

    Please download Vundofix.exe to your desktop.

    * Double-click VundoFix.exe to run it.
    * Put a check next to Run VundoFix as a task.
    * You will receive a message saying vundofix will close and re-open in a minute or less. Click OK
    * When VundoFix re-opens, click the Scan for Vundo button.
    * Once it's done scanning, click the Remove Vundo button.
    * You will receive a prompt asking if you want to remove the files, click YES
    * Once you click yes, your desktop will go blank as it starts removing Vundo.
    * When completed, it will prompt that it will shutdown your computer, click OK.
    * Turn your computer back on.
    * Please post the contents of C:\vundofix.txt and a new HiJackThis log.

    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Please let Vundo finish; sometimes it can take multiple passes.

    =====

    The copy of HijackThis is the old Beta version. You will need to delete/uninstall it and use the one from the link here: HijackThis

    Why are you using Service Pack 1?

    Items needed in next post
    vundofix.txt
    New HijackThis log.

    stomper
      Re: I've received many trojan warnings!
      « Reply #2 on: November 22, 2007, 12:09:05 PM »
      Getting hard to get into the forum - I keep getting all these pop-up sites. They seem to pop up faster than I can close them.

      Oh well, here are my 2 new logs: VundoFix and the new HijackThis. Vundo found 2 files, which I removed.

      When I restart the computer I'm getting the following error messages:
      No disk in Drive A - insert disk.
      Error loading C:\windows\system32\nvanpbip.dll - file could not be found.

      Thanks so much for your help.

      [saving disk space - old attachment deleted by admin]

      evilfantasy
      Re: I've received many trojan warnings!
      « Reply #3 on: November 22, 2007, 01:14:11 PM »
      First, go to add/remove programs and uninstall Web Buying.

      Open HijackThis and place a check mark next to:

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
      O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe <--If still there


      Close all windows and click Fix checked.

      Un-hide protected system files.
      To enable the viewing of Hidden files follow these steps:
       
         1. Close all programs so that you are at your desktop.
         2. Double-click on the My Computer icon.
         3. Select the Tools menu and click Folder Options.
         4. After the new window appears select the View tab.
         5. Put a checkmark in the checkbox labeled Display the contents of system folders.
         6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
         7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
         8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
         9. Press the Apply button and then the OK button and close My Computer.
       
      Now go to C:\Program Files\Web Buying\v1.8.6\webbuying.exe <--Delete this whole folder

      Also delete C:\vundofix.txt

      Re-hide the protected files.

      Download SDFix.exe and save it to your Desktop.

      Double click SDFix.exe and it will extract the files to %systemdrive%
      (Drive that contains the Windows Directory, typically C:\SDFix)

      Please then reboot your computer in Safe Mode by doing the following:
      * Restart your computer
      * After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
      * Instead of Windows loading as normal, the Advanced Options Menu should appear;
      * Select the first option, to run Windows in Safe Mode, then press Enter.
      * Choose your usual account.
      * Open the extracted SDFix folder and double click RunThis.bat to start the script.
      * Type Y to begin the cleanup process.
      * It will remove any Trojan Services and Registry Entries that it finds then prompt you to press any key to Reboot.
      * Press any Key and it will restart the PC.
      * When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
      * Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt
      (Report.txt will also be copied to Clipboard).
      * Finally add the contents of the Report.txt in your next post as an Attachment with a new HijackThis log

      Items needed in next post
      Report.txt
      New HijackThis log


      Also, why is the computer running SP1 and not SP2?


      stomper
        Re: I've received many trojan warnings!
        « Reply #4 on: November 22, 2007, 02:48:28 PM »
        Here are the new logs - report.txt and HijackThis.

        As for SP1, I once tried the update to SP2 and it locked my system - or should I say crashed. Windows wouldn't start at all - not even in safe mode. I tried to reload Windows, and nothing. I eventually had to reformat. I don't want to go there again.

        Since then, I had internet connection problems (nothing to do with XP) so I called BellSouth for help. At the time I had a router. He took me out of bridge mode. I called Linksys for help and they wouldn't help because I had my router a long time. This left me a bit vulnerable and I got a bad virus (similar to what I have now - and still have no router connected). Didn't know about these forums back then, and once again had to reformat. I learned about Avast then, so added it for some protection. At one time I used zonealarm, but forgot to reload it after formatting.

        Don't know if I'm right or wrong about any of this, but I really want to stay away from SP2.


        [saving disk space - old attachment deleted by admin]

        evilfantasy
        Re: I've received many trojan warnings!
        « Reply #5 on: November 22, 2007, 03:01:43 PM »
        The thing is that without SP2 you are severely vulnerable to malware. There have been many, many security updates since then. Have you seen the SP2 troubleshooting guide? "Your computer stops responding when you restart to complete the installation of Windows XP Service Pack 2"

        Or you could try installing it from a CD which is free from Microsoft. Order Windows XP Service Pack 2 on CD

        OK, I am looking at the logs now.....

        evilfantasy
        Re: I've received many trojan warnings!
        « Reply #6 on: November 22, 2007, 03:36:32 PM »
        Open HijackThis and place a check mark next to:
        O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx

        Close all windows except for HijackThis and click Fix checked.

        Restart the computer and post a new HijackThis log.

        Let me know how the computer is acting after the reboot.

        stomper
          Re: I've received many trojan warnings!
          « Reply #7 on: November 22, 2007, 04:00:42 PM »
          Here's my latest HijackThis report.

          The popup windows seem to have stopped. I haven't had any new warning from Avast. When I start up, Windows is still looking for a disk in drive A, and also for nvanpbip.dll. Other than that, it seems to be stabilizing.

          Since I don't want to mess with SP2, will Avast and ZoneAlarm protect me enough? Or is there other software you'd recommend?

          Thanks for ALL your help and HAPPY THANKSGIVING!

          [saving disk space - old attachment deleted by admin]

          evilfantasy
          Re: I've received many trojan warnings!
          « Reply #8 on: November 22, 2007, 04:48:36 PM »

          Quote
          Thanks for ALL your help and HAPPY THANKSGIVING!

          Thanks, same in return!!!

          Download Killbox.exe to your desktop. Don't use it yet.

          =====

          Un-hide protected system files.
          To enable the viewing of Hidden files follow these steps:
           
             1. Close all programs so that you are at your desktop.
             2. Double-click on the My Computer icon.
             3. Select the Tools menu and click Folder Options.
             4. After the new window appears select the View tab.
             5. Put a checkmark in the checkbox labeled Display the contents of system folders.
             6. Under the Hidden files and folders section select the radio button labeled Show hidden files and folders.
             7. Remove the checkmark from the checkbox labeled Hide file extensions for known file types.
             8. Remove the checkmark from the checkbox labeled Hide protected operating system files.
             9. Press the Apply button and then the OK button and close My Computer.

          =====

          You may want to print out or copy and paste the rest of this to notepad and save it to the desktop. You won't be able to see this page in safe mode.

          =====

          Reboot into Safe Mode

          Safe Mode Instructions

          =====

          Open HijackThis (HJT) and select Do a system scan only

          Place a check mark next to:

          O4 - HKLM\..\Run: [B5B8B4B6B8BBBEC0] 1114101214171A.exe
          O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\nvanpbip.dll",b
          O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
          O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm


          Close all windows and click Fix checked

          =====

          Double-click on Killbox.exe to run it. Make sure Standard File Kill is selected.
          In the Full Path of File to Delete box, copy and paste the following
          line into the box.
          Quote
          C:\WINDOWS\System32\nvanpbip.dll
          Then click on the button that has the red circle with the
          X in the middle after you enter the file. It will ask for confirmation to
          delete the file. Click Yes.

          Note: It is possible that Killbox will tell you that the file does not
          exist.


          Reboot to normal mode and re-hide the protected files.

          =====

          Post a new HJT log.

          Let me know how things are now.
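
The HijackThis entries removed over the last few replies (the O4 Run keys with hex-blob names, the rundll32 line loading nvanpbip.dll, the O9 Related Links button and the O16 ms-its: DPF entry) can be triaged mechanically. The Python below is an added example, not HijackThis code or anything from this thread's helpers; its sample log lines are constructed from the entries quoted in the thread plus two benign ones, and the known-bad CLSID list is an assumed analyst-maintained input.

```python
"""Triage HijackThis (HJT) log lines using the signals this thread relies on.

Added example, not HijackThis code. Findings are produced for:
  * O4 Run entries whose name or executable is a random-looking hex or
    vowel-free blob (e.g. [2cf0eb2f] or 1114101214171A.exe)
  * O4 Run entries where rundll32 loads a DLL with a one-letter export
    (the Vundo pattern behind the nvanpbip.dll error at boot)
  * O16 DPF (ActiveX download) entries using a non-HTTP scheme such as ms-its:
  * any entry whose CLSID is on a caller-supplied known-bad list (assumed input)
"""
import re
from dataclasses import dataclass, field
from typing import Iterable, List

# Constructed sample: the entries fixed in this thread plus two benign ones.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.8.6\webbuying.exe
O4 - HKLM\..\Run: [B5B8B4B6B8BBBEC0] 1114101214171A.exe
O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\nvanpbip.dll",b
O4 - HKLM\..\Run: [avast!] C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab
O16 - DPF: {50BD5CDA-4BA8-4048-8FAA-763F222E41D8} - ms-its:mhtml:file://c:\nores.mht!http://adxrnet.net/code/chm/xpre.chm::/xpreload.ocx
"""

# Assumed analyst-maintained list; seeded with the Related Links CLSID fixed above.
KNOWN_BAD_CLSIDS = frozenset({"{c95fe080-8f5d-11d2-a20b-00aa003c157a}"})

LINE_RE = re.compile(r"^(?P<section>[RFNO]\d+)\s+-\s+(?P<body>.*)$")
O4_RE = re.compile(
    r"^(?P<hive>HKLM|HKCU|HKUS\\[^\\]+)\\\.\.\\(?P<key>Run\w*):\s+"
    r"\[(?P<name>[^\]]*)\]\s+(?P<cmd>.*)$"
)
EXE_RE = re.compile(r'[^\\\s"]+\.(?:exe|dll|com|scr|bat|cmd)', re.IGNORECASE)
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)$', re.IGNORECASE
)
O16_RE = re.compile(r"^DPF:\s+(?P<clsid>\{[^}]+\})(?:\s+\([^)]*\))?\s+-\s+(?P<url>\S+)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")


@dataclass
class Finding:
    section: str
    line: str
    reasons: List[str] = field(default_factory=list)


def looks_random(token: str) -> bool:
    """Heuristic: hex-only or vowel-free name of 8+ chars (extension ignored)."""
    stem = re.sub(r"\.\w+$", "", token)
    if len(stem) < 8:
        return False
    if re.fullmatch(r"[0-9A-Fa-f]+", stem):
        return True
    return re.search(r"[aeiouAEIOU]", stem) is None


def triage(log_text: str, known_bad_clsids: Iterable[str] = ()) -> List[Finding]:
    """Return one Finding per suspicious line, in log order."""
    bad = {c.lower() for c in known_bad_clsids}
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # blank line, header, or an entry type this triage ignores
        section, body = m.group("section"), m.group("body")
        reasons: List[str] = []
        if section == "O4":
            o4 = O4_RE.match(body)
            if o4:
                exe = EXE_RE.search(o4.group("cmd"))
                if looks_random(o4.group("name")) or (exe and looks_random(exe.group(0))):
                    reasons.append("random-looking Run entry name or executable")
                rd = RUNDLL_RE.match(o4.group("cmd"))
                if rd and len(rd.group("export")) <= 1:
                    reasons.append(
                        f"rundll32 loads {rd.group('dll')} with export '{rd.group('export')}'"
                    )
        elif section == "O16":
            o16 = O16_RE.match(body)
            if o16:
                scheme = o16.group("url").split(":", 1)[0].lower()
                if scheme not in ("http", "https"):
                    reasons.append(f"ActiveX download uses non-HTTP scheme '{scheme}:'")
        for clsid in CLSID_RE.findall(body):
            if clsid.lower() in bad:
                reasons.append(f"CLSID {clsid} is on the known-bad list")
        if reasons:
            findings.append(Finding(section, raw.strip(), reasons))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG, KNOWN_BAD_CLSIDS):
        print(f"{f.section}: {f.line}")
        for reason in f.reasons:
            print(f"    - {reason}")
```

The heuristics only rank entries for a human to review; a hit is a reason to look closer, not proof the entry is malicious.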






          stomper
            Re: I've received many trojan warnings!
            « Reply #9 on: November 22, 2007, 05:21:29 PM »
            Here's the new HijackThis log.

            This time it didn't ask for a disk in drive A, nor did it look for that dll.

            I don't know how you figure all this out, but I'm sure glad you were here!

            [saving disk space - old attachment deleted by admin]

            evilfantasy
            Re: I've received many trojan warnings!
            « Reply #10 on: November 22, 2007, 05:45:35 PM »
            The log is clean.

            OK, now to clean up what we have used.

            You can delete any logs that are left over.

            Also delete:
            VundoFix.exe
            SDFix.exe
            Killbox.exe


            Might as well run CCleaner with the Cleaner and Registry options.

            Toggle System Restore to clear infected restore points

            1. Turn off System Restore
            On the Desktop, right-click My Computer.
            Click Properties.
            Click the System Restore tab.
            Check Turn off System Restore.
            Click Apply, and then click OK.

            2. Restart your computer

            3. Turn ON System Restore
            On the Desktop, right-click My Computer.
            Click Properties.
            Click the System Restore tab.
            UN-Check Turn off System Restore.
            Click Apply, and then click OK.

            To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place? It mentions many free programs so it is worth a look.

            If you need anything else just come back and ask, we will do our best.

            Safe surfing......

            stomper
              Re: I've received many trojan warnings!
              « Reply #11 on: November 22, 2007, 06:52:08 PM »
              They don't have enough "emotions" on here - I need one that's jumping up and down!!!!! ;D

              Thank you!

              evilfantasy
              Re: I've received many trojan warnings!
              « Reply #12 on: November 22, 2007, 07:03:49 PM »
              No problem....

              Quote
              Since I don't want to mess with SP2, will Avast and ZoneAlarm protect me enough? Or is there another software you'd recommend.

              Almost forgot.

              Check out WinPatrol 2007 Free

              The 2007 version is free, so don't click the Plus version which is not free.

              SpywareBlaster Free
              Note: This free version does not auto update so check once a week or so for updates.

              Comodo BOClean : Anti-Malware free


              These all run in the background and use little resources. Great for extra layers of protection.


              stomper
                Re: I've received many trojan warnings!
                « Reply #13 on: November 22, 2007, 07:20:13 PM »
                Oh oh! I was reading the article by Tony Klein. He suggested using Firefox instead of IE. So I downloaded it. Immediately after, I'm getting the virus and trojan alerts again.  :'(

                evilfantasy
                Re: I've received many trojan warnings!
                « Reply #14 on: November 22, 2007, 07:29:30 PM »
                Were they quarantined?

                What are the names?

                stomper
                  Re: I've received many trojan warnings!
                  « Reply #15 on: November 22, 2007, 07:39:56 PM »
                  These are all the pop-ups that show up in the task bar with the exclamation point inside a yellow triangle. They are popping up about every 2 minutes - one says I am infected with the latest version of Spyware.CyberLog-X; another says: NetWorm-i.Virus@fp; securityonpage.com pops up; protectroom.com pops up;
                  I'm getting the monitor warnings about slowed down systems again; savetheinformation.com pops up; I'm getting Internet Explorer alerts about adware; PSW.x-Virtrojan; Trojn-Spy.win32@mx - these are all the original warnings I was getting.

                  These may be just pop-ups to make you download the software, but we had them stopped. Why are they starting up again?

                  They're popping up faster than I can type the names. All I did was download Firefox for better protection.

                  evilfantasy
                  Re: I've received many trojan warnings!
                  « Reply #16 on: November 22, 2007, 07:42:39 PM »
                  Step 1
                  Complete this procedure completely including attaching the requested log before doing the second procedure.

                  Download SmitfraudFix (by S!Ri) to your Desktop.

                  Extract all the files to your Desktop. A folder named SmitfraudFix will be created on your Desktop.

                  Open the SmitfraudFix folder and double-click smitfraudfix.cmd
                  Select option #1 - Search by typing 1 and press Enter
                  This program will scan large amounts of files on your computer for known patterns so please be patient while it works. When it is done, the results of the scan will be displayed and it will create a log named rapport.txt in the root of your drive, eg: Local Disk C: or partition where your operating system is installed. Please attach that log in your next reply.

                  Note: process.exe (which is used by SmitfraudFix) is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
                  http://www.beyondlogic.org/consulting/processutil/processutil.htm

                  stomper
                    Re: I've received many trojan warnings!
                    « Reply #17 on: November 22, 2007, 08:55:39 PM »
                    Had a hard time with this one. The first time I ran the program it hung up. By the time I realized it wasn't working I had to reboot the computer. The next time it worked, but when I tried to close the program I lost my whole desktop and had to reboot again. The third time it worked, but when I tried to post here IE hung up. Better hurry and post before it happens again.

                    Here's the report.

                    [saving disk space - old attachment deleted by admin]

                    evilfantasy
                    Re: I've received many trojan warnings!
                    « Reply #18 on: November 22, 2007, 09:06:49 PM »
                    Please download Combofix by sUBs from either here or here

                    Save Combofix.exe to your Desktop.

                    1. Double click combofix.exe & follow the prompts. (from the keyboard select 1 and press enter at the prompt)
                    2. When finished, it will produce a log for you.
                    3. Attach that log in your next reply.

                    Note:
                    Do not mouseclick combofix's window while it's running. That may cause your computer to stall

                    stomper
                      Re: I've received many trojan warnings!
                      « Reply #19 on: November 23, 2007, 05:34:10 AM »
                      Here's the ComboFix report. A lot of websites popped up while it was running - hope that didn't interfere with the report.

                      [saving disk space - old attachment deleted by admin]

                      evilfantasy
                      Re: I've received many trojan warnings!
                      « Reply #20 on: November 23, 2007, 12:53:43 PM »
                      OK, we need to run SUPERAntiSpyware.

                      This time boot to safe mode to run it. We need NO internet connection at all. Physically disconnect the connection from the wall if needed.

                      Then post the SUPER log and a fresh HijackThis log.

                      stomper
                        Re: I've received many trojan warnings!
                        « Reply #21 on: November 23, 2007, 01:28:45 PM »
                        I ran vundofix this morning and removed the bad files - everything seems to be working okay. Should I still run superantispyware?


                        evilfantasy
                        Re: I've received many trojan warnings!
                        « Reply #22 on: November 23, 2007, 01:45:27 PM »
                        Yes you should run SAS. There are a few entries in the combofix log that I am not sure about and will probably lead to a few more steps.

                        Did you get Firefox installed?

                        So we need the SAS log and a new HJT log. Be sure to get the HJT log after running SAS.


                        stomper
                          Re: I've received many trojan warnings!
                          « Reply #23 on: November 23, 2007, 05:12:19 PM »
                          Yes, I have Firefox installed. Here are my logs.


                          [saving disk space - old attachment deleted by admin]

                          evilfantasy
                          Re: I've received many trojan warnings!
                          « Reply #24 on: November 24, 2007, 10:40:25 AM »
                          Delete these files/folders, as follows:

                          * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

                          Quote
                          Folder::
                          C:\VundoFix Backups
                          C:\WINDOWS\system32\cc1

                          Registry::
                          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1A1D30A-5CF6-42DA-829C-B71CFF182A5C}]
                          [HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
                          [HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]
                          vtuutro.dll

                          * Save this as CFScript on the desktop.
                          * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


                          * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

                          Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

                          ==========

                          Next run the Bitdefender Online Scan

                          Please read carefully

                          Run the  BitDefender Online Scanner
                          Agree to the license and then select Scan.
                          DO NOT CHANGE THE OPTIONS TO SHOW ALL FILES SCANNED.
                          That will make your logs huge and we don't need to see clean files.

                          Once Bitdefender completes the scan:
                          Click-on the Detected Problems tab.
                          Then select Click here to export the scan report.

                          When the window comes up to save the report, change the Save as type: box to:
                          Text (Tab Delimited) (*.txt) and then in the File name box enter change to bdscan then click Save.

                          This will save a file named bdscan.txt. I would suggest saving it to the Desktop so you can easily find it. (take notice of where you save it so you can find it later).
                          This bdscan.txt file will actually contain HTML code that we can easily view later while reviewing your log. All we have to do is rename the file to bdscan.html.

                          If you do not follow these steps, you will have an incorrect log or worse a log summary which is useless to us.

                          Post the bdscan.txt file as an Attachment.

                          ==========

                          Next Post
                          combofix.txt log
                          bdscan.txt log
                          New HJT log
                          as attachments

                          stomper
                            Re: I've received many trojan warnings!
                            « Reply #25 on: November 24, 2007, 04:34:04 PM »
                            I have the new logs but I've received a message the upload folder is full.

                            evilfantasy
                            Re: I've received many trojan warnings!
                            « Reply #26 on: November 24, 2007, 04:39:34 PM »
                            Yes you will need to copy and paste them.

                            You may need to break them into two or three parts to fit them all in.

                            stomper
                              Re: I've received many trojan warnings!
                              « Reply #27 on: November 24, 2007, 05:06:18 PM »
                              I've tried uploading only 1 file - HJT which is only 7 kb. I still received a message that the upload folder is full - contact an administrator

                              evilfantasy
                              Re: I've received many trojan warnings!
                              « Reply #28 on: November 24, 2007, 05:08:16 PM »
                              Just copy the log off of the notepad and paste it in the reply.

                              Not as an attachment, just right in the reply box.

                              stomper
                                Re: I've received many trojan warnings!
                                « Reply #29 on: November 24, 2007, 06:20:21 PM »
                                Okay - didn't understand.
                                Here's combofix - part 1

                                ComboFix 07-11-19.3 - KATHY 2007-11-24 14:55:18.2 - NTFSx86
                                Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.543 [GMT -5:00]
                                Running from: C:\Documents and Settings\KATHY\Desktop\ComboFix.exe
                                Command switches used :: C:\Documents and Settings\KATHY\Desktop\CFScript.txt
                                 * Created a new restore point
                                .

                                   Unable to gain System Privileges

                                (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                .

                                C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
                                C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
                                C:\Documents and Settings\KATHY\Desktop\Live Safety Center.lnk
                                C:\Documents and Settings\KATHY\Desktop\Online Security Guide.lnk
                                C:\Documents and Settings\KATHY\Favorites\Online Security Guide.lnk
                                C:\VundoFix Backups
                                C:\VundoFix Backups\hrkorrmn.dllbox.bad
                                C:\VundoFix Backups\husaaxdy.dll.bad
                                C:\VundoFix Backups\husaaxdy.dllbox.bad
                                C:\VundoFix Backups\kstlxzir.dllbox.bad
                                C:\VundoFix Backups\nothqsit.dll.bad
                                C:\VundoFix Backups\nothqsit.dllbox.bad
                                C:\VundoFix Backups\parmudte.dll.bad
                                C:\VundoFix Backups\rasdedwb.dll.bad
                                C:\WINDOWS\system32\cc1
                                C:\WINDOWS\system32\nothqsit.dllbox
                                C:\WINDOWS\system32\ssuvw.ini
                                C:\WINDOWS\system32\ssuvw.ini2
                                C:\WINDOWS\system32\wvuss.dll

                                .
                                (((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))

                                .
                                -------\LEGACY_DOMAINSERVICE
                                -------\DomainService


                                (((((((((((((((((((((((((   Files Created from 2007-10-24 to 2007-11-24  )))))))))))))))))))))))))))))))
                                .

                                2007-11-24 15:01   775,952      C:\WINDOWS\system32\pdupggjv.tmp
                                2007-11-24 07:42   775,952   ---hs----   C:\WINDOWS\system32\pdupggjv.ini
                                2007-11-22 21:58   53,248   --a------   C:\WINDOWS\system32\Process.exe
                                2007-11-22 21:07   0   --a------   C:\WINDOWS\nsreg.dat
                                2007-11-22 16:22   <DIR>   d--------   C:\WINDOWS\ERUNT
                                2007-11-22 13:58   <DIR>   d--------   C:\Program Files\Trend Micro
                                2007-11-22 09:29   <DIR>   d--------   C:\Program Files\Common Files\Scanner
                                2007-11-22 09:11   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
                                2007-11-22 09:10   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
                                2007-11-22 09:10   75,248   --a------   C:\WINDOWS\zllsputility.exe
                                2007-11-22 09:09   <DIR>   d--------   C:\WINDOWS\Internet Logs
                                2007-11-22 00:28   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
                                2007-11-21 19:10   <DIR>   d--------   C:\Program Files\InCode Solutions
                                2007-11-21 19:08   <DIR>   d--------   C:\Program Files\RegCure
                                2007-11-21 19:04   <DIR>   d--------   C:\Program Files\CCleaner
                                2007-11-21 18:58   714,446   --ahs----   C:\WINDOWS\system32\pibpnavn.ini
                                2007-11-20 23:29   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Uniblue
                                2007-11-19 21:28   685,703   --ahs----   C:\WINDOWS\system32\rmsruhsm.ini
                                2007-11-19 18:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                                2007-11-19 18:25   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
                                2007-11-19 18:25   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\SUPERAntiSpyware.com
                                2007-11-19 18:10   <DIR>   d--------   C:\Program Files\Musicmatch
                                2007-11-18 15:05   <DIR>   d--------   C:\Program Files\Lavasoft
                                2007-11-18 15:05   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
                                2007-11-18 15:03   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
                                2007-11-17 18:14   <DIR>   d--------   C:\WINDOWS\system32\CDD0CCCED0D3D6
                                2007-11-17 18:14   124,416   --a------   C:\WINDOWS\system32\1114101214171A.exe
                                2007-11-17 15:25   108,544   --a------   C:\WINDOWS\system32\pxcpyi64.exe
                                2007-11-17 15:25   104,960   --a------   C:\WINDOWS\system32\pxinsi64.exe
                                2007-11-17 15:24   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Musicmatch
                                2007-11-17 15:24   503,808   --a------   C:\WINDOWS\system32\msvcp71.dll
                                2007-11-17 15:24   348,160   --a------   C:\WINDOWS\system32\msvcr71.dll
                                2007-11-17 15:24   89,088   --a------   C:\WINDOWS\system32\atl71.dll
                                2007-11-12 18:32   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Corel
                                2007-11-12 18:24   553,984   --a------   C:\WINDOWS\system32\rave.dll
                                2007-11-12 18:24   229,376   --a------   C:\WINDOWS\system32\rpza32.qtc
                                2007-11-12 18:24   211,456   --a------   C:\WINDOWS\system32\qd3d_ir2.q3x
                                2007-11-12 18:24   165,888   --a------   C:\WINDOWS\system32\smc32.qtc
                                2007-11-12 18:24   70,656   --a------   C:\WINDOWS\system32\3dviewer.dll
                                2007-11-12 18:24   32,768   --a------   C:\WINDOWS\system32\cmgr32.dll
                                2007-11-12 18:23   909,312   --a------   C:\WINDOWS\system32\qd3d.dll
                                2007-11-12 18:23   409,600   --a------   C:\WINDOWS\system32\scint78.dll
                                2007-11-12 18:23   345,600   --a------   C:\WINDOWS\system32\qtim32.dll
                                2007-11-12 18:23   108,032   --a------   C:\WINDOWS\system32\sh33w32.dll
                                2007-11-12 18:23   35,840   --a------   C:\WINDOWS\system32\navg32.qtc
                                2007-11-12 18:23   20,480   --a------   C:\WINDOWS\system32\raw32.qtc
                                2007-11-12 18:22   128,000   --a------   C:\WINDOWS\system32\mc32.qtc
                                2007-11-12 18:22   103,936   --a------   C:\WINDOWS\system32\rle32.qtc
                                2007-11-12 18:21   <DIR>   d--------   C:\WINDOWS\Favorites
                                2007-11-12 18:21   <DIR>   d--------   C:\Corel
                                2007-11-12 18:20   <DIR>   d--------   C:\WINDOWS\Corel

                                .
                                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                .
                                2007-11-24 12:45   81,472   ----a-w   C:\WINDOWS\system32\iyyjnglw.dll
                                2007-11-24 12:42   85,056   ----a-w   C:\WINDOWS\system32\vjggpudp.dll
                                2007-11-24 12:33   71,232   ----a-w   C:\WINDOWS\system32\fpdpnnjj.exe
                                2007-11-22 14:29   ---------   d-----w   C:\Program Files\Yahoo!
                                2007-11-19 23:35   ---------   d-----w   C:\Program Files\Canon
                                2007-11-19 23:10   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                                2007-11-16 23:40   ---------   d-----w   C:\Program Files\DC++
                                2007-10-28 12:51   ---------   d-----w   C:\Documents and Settings\KATHY\Application Data\CoreFTP
                                2007-10-04 04:36   25,600   ----a-w   C:\WINDOWS\system32\WS2Fix.exe
                                2007-09-29 17:43   ---------   d-----w   C:\Documents and Settings\KATHY\Application Data\Ahead
                                2007-09-27 00:29   ---------   d-----w   C:\Program Files\Microsoft.NET
                                2007-09-06 21:14   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
                                2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
                                2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
                                2007-09-06 04:22   289,144   ----a-w   C:\WINDOWS\system32\VCCLSID.exe
                                .


                                stomper

                                  Topic Starter


                                  Rookie
                                  Re: I've received many trojan warnings!
                                  « Reply #30 on: November 24, 2007, 06:20:54 PM »
                                  Here's combofix - part 2

                                  (((((((((((((((((((((((((((((   snapshot@2007-11-23_ 7.26.26.69   )))))))))))))))))))))))))))))))))))))))))
                                  .
                                  + 2007-11-24 20:00:53   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_7a4.dat
                                  .
                                  (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                  .
                                  .
                                  *Note* empty entries & legit default entries are not shown

                                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132c0724-1e49-435a-b805-2880c8d6e789}]
                                  2007-11-24 07:45   81472   --a------   C:\WINDOWS\System32\iyyjnglw.dll

                                  [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1A1D30A-5CF6-42DA-829C-B71CFF182A5C}]

                                  [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                  "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 02:41]
                                  "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
                                  "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 13:08]
                                  "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
                                  "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-11-19 21:38]

                                  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                  "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
                                  "zzzHPSETUP"="H:\Setup.exe" []
                                  "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
                                  "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
                                  "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
                                  "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 20:01]
                                  "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 08:03]
                                  "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 11:02]
                                  "WrtMon.exe"="C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35]
                                  "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11:06]
                                  "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
                                  "2cf0eb2f"="C:\WINDOWS\System32\vjggpudp.dll" [2007-11-24 07:42]

                                  C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                                  Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-07-07 16:14:23]
                                  Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-08 14:19:36]
                                  Corel MEDIA FOLDERS INDEXER 8.LNK - C:\Corel\Graphics8\Programs\MFIndexer.exe [2007-11-12 18:24:28]
                                  Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

                                  [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
                                  "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                                  C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-11-19 21:38 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\reset5]
                                  reset5.dll 2002-09-09 15:30 17408 C:\WINDOWS\system32\reset5.dll

                                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]
                                  vtuutro.dll

                                  [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                                  "Authentication Packages"= msv1_0 C:\WINDOWS\System32\wvuss.dll

                                  R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\System32\DRIVERS\cwrwdm.sys

                                  .
                                  **************************************************************************

                                  catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                  Rootkit scan 2007-11-24 15:01:28
                                  Windows 5.1.2600 Service Pack 1 NTFS

                                  scanning hidden processes ...

                                  scanning hidden autostart entries ...

                                  scanning hidden files ...

                                  scan completed successfully
                                  hidden files: 0

                                  **************************************************************************
                                  .
                                  Completion time: 2007-11-24 15:04:05 - machine was rebooted
                                  C:\ComboFix2.txt ... 2007-11-23 07:27
                                  .
                                     --- E O F ---



                                  stomper

                                    Topic Starter


                                    Rookie
                                    Re: I've received many trojan warnings!
                                    « Reply #31 on: November 24, 2007, 06:22:04 PM »
                                    Here's HJT:

                                    Logfile of Trend Micro HijackThis v2.0.2
                                    Scan saved at 6:27:31 PM, on 11/24/2007
                                    Platform: Windows XP SP1 (WinNT 5.01.2600)
                                    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
                                    Boot mode: Normal

                                    Running processes:
                                    C:\WINDOWS\System32\smss.exe
                                    C:\WINDOWS\system32\winlogon.exe
                                    C:\WINDOWS\system32\services.exe
                                    C:\WINDOWS\system32\lsass.exe
                                    C:\WINDOWS\system32\svchost.exe
                                    C:\WINDOWS\System32\svchost.exe
                                    C:\Program Files\Ahead\InCD\InCDsrv.exe
                                    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                                    C:\WINDOWS\Explorer.EXE
                                    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                    C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                    C:\WINDOWS\system32\spoolsv.exe
                                    C:\WINDOWS\system32\srvany.exe
                                    C:\WINDOWS\system32\resetservice.exe
                                    C:\WINDOWS\System32\svchost.exe
                                    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
                                    C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                                    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                                    C:\Program Files\Messenger\msmsgs.exe
                                    C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                                    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                                    C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
                                    C:\Corel\Graphics8\Programs\MFIndexer.exe
                                    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
                                    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
                                    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                    C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
                                    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                                    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
                                    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                                    O2 - BHO: {987e6d8c-0882-508b-a534-94e14270c231} - {132c0724-1e49-435a-b805-2880c8d6e789} - C:\WINDOWS\System32\iyyjnglw.dll
                                    O2 - BHO: (no name) - {F1A1D30A-5CF6-42DA-829C-B71CFF182A5C} - (no file)
                                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                                    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                                    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                                    O4 - HKLM\..\Run: [zzzHPSETUP] H:\Setup.exe
                                    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                                    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
                                    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
                                    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
                                    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                                    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
                                    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
                                    O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\vjggpudp.dll",b
                                    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                                    O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
                                    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                                    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                                    O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
                                    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                                    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                                    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                                    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                                    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                                    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
                                    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                                    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
                                    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
                                    O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
                                    O20 - Winlogon Notify: vtuutro - vtuutro.dll (file missing)
                                    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                                    O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
                                    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

                                    --
                                    End of file - 6875 bytes

                                    stomper

                                      Topic Starter


                                      Rookie
                                      Re: I've received many trojan warnings!
                                      « Reply #32 on: November 24, 2007, 06:27:58 PM »
                                      Here's bdscan - part 1:

                                      <HTML>
                                      <HEAD>
                                      <TITLE>BitDefender Online Scanner -Scan Report</TITLE>
                                      <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
                                      <meta name="generator" content="Namo WebEditor v5.0(Trial)">
                                      </HEAD>
                                      <BODY BGCOLOR=#FFFFFF  leftmargin="10" marginwidth="0" topmargin="20" marginheight="0" >


                                      <table align="center" border="0" cellpadding="0" cellspacing="0" width="90%">
                                          <tr>
                                              <td width="458">
                                                  <p><font face="Arial" color=red><span style="font-size:14pt;">BitDefender
                                                  Online Scanner
                                      </span></font></p>
                                              </td>
                                              <td width="40%">
                                                  <p>&nbsp;</p>
                                              </td>
                                              <td width="10%">
                                                  <p>&nbsp;</p>
                                              </td>
                                          </tr>
                                          <tr>
                                              <td colspan="3" width="912">
                                                  <p><font face="Arial"><span style="font-size:11pt;"><B>Scan report generated
                                                  at: Sat, Nov 24, 2007 - 18:08:23</span></font></p>
                                              </td>
                                          </tr>

                                         <tr>
                                              <td width="458">
                                                  <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</span></font></p>
                                              </td>
                                              <td width="40%">
                                                  <p>&nbsp;</p>
                                              </td>
                                              <td width="10%">
                                                  <p>&nbsp;</p>
                                              </td>
                                          </tr>

                                         <tr>
                                              <td width="458">
                                                  <p><font face="Arial"><span style="font-size:11pt;"><B>Scan
                                                  path: </span><span style="font-size:10pt;">A:\;C:\;E:\;F:\;G:\;J:\;</span></font></p>
                                              </td>
                                              <td width="40%">
                                                  <p>&nbsp;</p>
                                              </td>
                                              <td width="10%">
                                                  <p>&nbsp;</p>
                                              </td>
                                          </tr>

                                         <tr>
                                              <td width="458">
                                                  <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</span></font></p>
                                              </td>
                                              <td width="40%">
                                                  <p>&nbsp;</p>
                                              </td>
                                              <td width="10%">
                                                  <p>&nbsp;</p>
                                              </td>
                                          </tr>

                                          <tr>
                                              <td width="458">
                                                      <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                                                          <tr>
                                                              <td width="451" colspan="2" bgcolor="#CCCCCC">
                                                                  <p><font face="Arial" size="2"><B>Statistics</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                                  <p><font face="Arial" size="2">Time</font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">02:43:03</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                                  <p><font face="Arial" size="2">Files</font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">250479</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                                  <p><font face="Arial" size="2">Folders</font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">5560</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                                  <p><font face="Arial" size="2">Boot Sectors</font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">9</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                                  <p><font face="Arial" size="2">Archives</font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">8245</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                                  <p><font face="Arial" size="2">Packed Files</font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">17300</font></p>
                                                              </td>
                                                          </tr>
                                                      </table>
                                              </td>
                                              <td width="40%">
                                                  <p>&nbsp;</p>
                                              </td>
                                              <td width="10%">
                                                  <p>&nbsp;</p>
                                              </td>
                                          </tr>

                                         

                                         <tr>
                                              <td width="458">
                                                      <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                                                          <tr>
                                                              <td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Results</B></font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                              <p><font face="Arial" size="2">Identified Viruses </font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">6</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                              <p><font face="Arial" size="2">Infected Files </font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">9</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                              <p><font face="Arial" size="2">Suspect&nbsp;Files </font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">0</font></p>
                                                              </td>
                                                          </tr>
                                                          <tr>
                                                              <td width="57%">
                                                                  <p><font face="Arial" size="2">Warnings</font></p>
                                                              </td>
                                                              <td width="43%" align="right">
                                                                  <p><font face="Arial" size="2">0</font></p>
                                                              </td>
                                                          </tr>

                                      stomper

                                        Topic Starter


                                        Rookie
                                        Re: I've received many trojan warnings!
                                        « Reply #33 on: November 24, 2007, 06:29:49 PM »
                                        Here's bdscan - part 2:

                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Disinfected</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">0</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Deleted Files</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">8</font></p>
                                                                </td>
                                                            </tr>
                                                        </table>
                                                </td>
                                                <td width="40%">
                                                    <p>&nbsp;</p>
                                                </td>
                                                <td width="10%">
                                                    <p>&nbsp;</p>
                                                </td>
                                            </tr>

                                           <tr>
                                                <td width="458">
                                                        <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                                                            <tr>
                                                                <td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Engines Info</B></font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                <p><font face="Arial" size="2">Virus Definitions</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">878762</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                <p><font face="Arial" size="2">Engine build</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Scan plugins</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">14</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Archive plugins</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">38</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Unpack plugins</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">7</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">E-mail plugins</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">6</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">System&nbsp;plugins</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">1</font></p>
                                                                </td>
                                                            </tr>
                                                        </table>
                                                </td>
                                                <td width="40%">
                                                    <p>&nbsp;</p>
                                                </td>
                                                <td width="10%">
                                                    <p>&nbsp;</p>
                                                </td>
                                            </tr>

                                           <tr>
                                                <td width="458">
                                                        <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                                                            <tr>
                                                                <td width="451" colspan="2" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Scan Settings</B></font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                <p><font face="Arial" size="2">First Action</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Disinfect</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                <p><font face="Arial" size="2">Second Action</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Delete</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Heuristics</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Yes</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Enable Warnings</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Yes</font></p>
                                                                </td>
                                                            </tr>
                                                           <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Scanned Extensions</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">*;</font></p>
                                                                </td>
                                                            </tr>

                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Exclude Extensions</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">&nbsp;</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Scan Emails</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Yes</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Scan Archives</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Yes</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Scan Packed</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Yes</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Scan Files</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Yes</font></p>
                                                                </td>
                                                            </tr>
                                                            <tr>
                                                                <td width="57%">
                                                                    <p><font face="Arial" size="2">Scan Boot</font></p>
                                                                </td>
                                                                <td width="43%" align="right">
                                                                    <p><font face="Arial" size="2">Yes</font></p>
                                                                </td>
                                                            </tr>
                                                        </table>
                                                </td>
                                                <td width="40%">
                                                    <p>&nbsp;</p>
                                                </td>
                                                <td width="10%">
                                                    <p>&nbsp;</p>
                                                </td>
                                            </tr>

                                           

                                        stomper

                                          Topic Starter


                                          Rookie
                                          Re: I've received many trojan warnings!
                                          « Reply #34 on: November 24, 2007, 06:30:29 PM »
                                          Here's bdscan - part 3:

                                          <tr>
                                                  <td colspan=2> &nbsp;
                                                          <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                                                              <tr>
                                                                  <td width="252" bgcolor="#CCCCCC">
<p><font face="Arial" size="2"><B>Scanned File</B></font></p>
                                                                  </td>
                                                                  <td width="195" bgcolor="#CCCCCC" align="right">
                                                                  <p align="left"><font size="2" face="Arial">&nbsp;Status</font></p>
                                                                  </td>
                                                              </tr>
                                                              <tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\g2\bemwdll3.exe.vir</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Downloader.JJEJ</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\g2\bemwdll3.exe.vir</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\g2\bemwdll3.exe.vir</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Deleted</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002089.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Downloader.JJEJ</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002089.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002089.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Deleted</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002090.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Generic.78149</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002090.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002090.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Deleted</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002091.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Downloader.Obfuscated.CF</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002091.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002091.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Deleted</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004286.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Vundo.DQZ</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004286.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004286.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Deleted</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004287.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Vundo.DQO</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004287.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004287.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Deleted</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004288.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Fotomoto.F</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004288.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004288.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Deleted</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\WINDOWS\system32\fpdpnnjj.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Fotomoto.F</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\WINDOWS\system32\fpdpnnjj.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\WINDOWS\system32\fpdpnnjj.exe</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Deleted</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\WINDOWS\system32\vjggpudp.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Infected with: Trojan.Vundo.DQO</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\WINDOWS\system32\vjggpudp.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Disinfection failed</font></p>
                                             </td>
                                          </tr><tr>
                                             <td width="57%">
                                             <p><font face="Arial" size="2">C:\WINDOWS\system32\vjggpudp.dll</font></p>
                                             </td>
                                             <td width="43%" align="left">
                                                <p><font face="Arial" size="2">Delete failed</font></p>
                                             </td>
                                          </tr>
                                                          </table>
                                                  </td>
                                                 
                                                  <td width="10%">
                                                      <p>&nbsp;</p>
                                                  </td>
                                              </tr>

                                             <tr>
                                                  <td width="458">
                                                      <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</B></span></font></p>
                                                  </td>
                                                  <td width="40%">
                                                      <p>&nbsp;</p>
                                                  </td>
                                                  <td width="10%">
                                                      <p>&nbsp;</p>
                                                  </td>
                                              </tr>

                                             <tr>
                                                  <td width="458">
                                                      <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</B></span></font></p>
                                                  </td>
                                                  <td width="40%">
                                                      <p>&nbsp;</p>
                                                  </td>
                                                  <td width="10%">
                                                      <p>&nbsp;</p>
                                                  </td>
                                              </tr>

                                          </table>
                                          <p>&nbsp;</p>

                                          </body>
                                          </html>

                                          evilfantasy

                                          • Malware Removal Specialist
                                          • Moderator


                                          • Genius
                                          • Calm like a bomb
                                          • Thanked: 493
                                          • Experience: Experienced
                                          • OS: Windows 11
                                          Re: I've received many trojan warnings!
                                          « Reply #35 on: November 24, 2007, 08:11:22 PM »
                                           Did you install this: C:\WINDOWS\SYSTEM32\reset5.dll?

                                          =====
                                          Open HijackThis and select "Do a system scan only"

                                          Place a check mark next to:

                                          O2 - BHO: {987e6d8c-0882-508b-a534-94e14270c231} - {132c0724-1e49-435a-b805-2880c8d6e789} - C:\WINDOWS\System32\iyyjnglw.dll
                                          O2 - BHO: (no name) - {F1A1D30A-5CF6-42DA-829C-B71CFF182A5C} - (no file)
                                          O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\vjggpudp.dll",b
                                          O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
                                          O20 - Winlogon Notify: vtuutro - vtuutro.dll (file missing)


                                          Close all windows and click "Fix checked"

                                          =====

                                          Delete these files/folders, as follows:

                                          * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

                                          Quote
                                          File::
                                          C:\WINDOWS\system32\pdupggjv.tmp
                                          C:\WINDOWS\system32\pdupggjv.ini

                                          Folder::
                                          C:\WINDOWS\System32\vjggpudp.dll

                                          Registry::
                                          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132c0724-1e49-435a-b805-2880c8d6e789}]
                                          2007-11-24 07:45   81472   --a------   C:\WINDOWS\System32\iyyjnglw.dll
                                          [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1A1D30A-5CF6-42DA-829C-B71CFF182A5C}]
                                          [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]
                                          vtuutro.dll
                                          [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
                                          "Authentication Packages"= msv1_0 C:\WINDOWS\System32\wvuss.dll

                                          * Save this as CFScript on the desktop.
                                          * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


                                           * ComboFix will begin to execute; just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

                                           Note: Do not mouse-click ComboFix's window while it is running. That may cause your system to hang.

                                          =====

                                          After that we need the:
                                           Combofix log
                                          New HijackThis log
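A triage pass over HijackThis O2/O4/O20 lines of the kind checked above, added here as an example and not code from HijackThis or ComboFix. The sample log is constructed from this thread's entries plus two benign lines; the line layouts, the "random-looking name" rule and the fix/review split are assumptions of the example, not published rules.

```python
"""Flag the HijackThis O2 (BHO), O4 (Run) and O20 (Winlogon Notify) entries
that a helper would put on a fix list. Added example; heuristics are assumptions."""
import re
from dataclasses import dataclass

VOWELS = set("aeiou")
SYSTEM32_DLL_RE = re.compile(r"^C:\\WINDOWS\\SYSTEM32\\(?P<stem>[^\\]+)\.dll$", re.IGNORECASE)
BHO_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<file>.*)$")
RUN_RE = re.compile(r"^(?P<key>.*?\\Run): \[(?P<value>[^\]]*)\] (?P<command>.*)$")
NOTIFY_RE = re.compile(r"^Winlogon Notify: (?P<name>.*?) - (?P<file>.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)', re.IGNORECASE)
GUID_RE = re.compile(r"^\{[0-9A-Fa-f-]{36}\}$")
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
LINE_RE = re.compile(r"^(O\d+) - (.*)$")

# Constructed sample: the five lines fixed in this thread plus two benign
# lines (avast! and SUPERAntiSpyware) that the heuristics should leave alone.
SAMPLE_LOG = r"""
O2 - BHO: {987e6d8c-0882-508b-a534-94e14270c231} - {132c0724-1e49-435a-b805-2880c8d6e789} - C:\WINDOWS\System32\iyyjnglw.dll
O2 - BHO: (no name) - {F1A1D30A-5CF6-42DA-829C-B71CFF182A5C} - (no file)
O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\vjggpudp.dll",b
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
O20 - Winlogon Notify: vtuutro - vtuutro.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
"""


@dataclass
class Finding:
    severity: str   # "fix": registration is orphaned or random-named; "review": confirm origin first
    line: str
    reason: str


def looks_random(stem):
    """Heuristic (assumption) for machine-generated 7/8-letter DLL stems such as
    vjggpudp: all lowercase letters with at most one vowel or a run of four
    or more consonants. Real words and digits-containing names do not match."""
    s = stem.lower()
    if not re.fullmatch(r"[a-z]{7,8}", s):
        return False
    vowels = sum(c in VOWELS for c in s)
    longest_run = max((len(r) for r in re.findall(r"[^aeiou]+", s)), default=0)
    return vowels <= 1 or longest_run >= 4


def _triage_bho(rest, line):
    m = BHO_RE.match(rest)
    if not m:
        return None
    if m["file"] == "(no file)":
        return Finding("fix", line, "BHO registration with no backing file")
    s32 = SYSTEM32_DLL_RE.match(m["file"])
    if s32 and looks_random(s32["stem"]):
        why = "BHO loads a random-looking System32 DLL"
        if GUID_RE.match(m["name"]):
            why += " and is named by a bare CLSID"
        return Finding("fix", line, why)
    return Finding("review", line, "third-party BHO; confirm its publisher")


def _triage_run(rest, line):
    m = RUN_RE.match(rest)
    if not m:
        return None
    reasons = []
    dll = RUNDLL_RE.search(m["command"])
    s32 = SYSTEM32_DLL_RE.match(dll["dll"]) if dll else None
    if s32 and looks_random(s32["stem"]):
        reasons.append("rundll32 loads a random-looking System32 DLL")
    if HEX_NAME_RE.match(m["value"]):
        reasons.append("value name is eight hex digits")
    return Finding("fix", line, "; ".join(reasons)) if reasons else None


def _triage_notify(rest, line):
    m = NOTIFY_RE.match(rest)
    if not m:
        return None
    if m["file"].endswith("(file missing)"):
        return Finding("fix", line, "Winlogon Notify handler whose DLL is missing")
    s32 = SYSTEM32_DLL_RE.match(m["file"])
    if s32 and looks_random(s32["stem"]):
        return Finding("fix", line, "Winlogon Notify handler is a random-looking System32 DLL")
    return Finding("review", line, "non-default Winlogon Notify handler; confirm where it came from")


HANDLERS = {"O2": _triage_bho, "O4": _triage_run, "O20": _triage_notify}


def triage(log_text):
    """Return one Finding per O2/O4/O20 line that needs attention, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        handler = HANDLERS.get(m.group(1))
        if handler:
            finding = handler(m.group(2), raw.strip())
            if finding:
                findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
```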

                                          stomper

                                            Topic Starter


                                            Rookie
                                            Re: I've received many trojan warnings!
                                            « Reply #36 on: November 24, 2007, 10:15:59 PM »
                                            No, I did not install C:\WINDOWS\SYSTEM32\reset5.dll - haven't a clue what it is.

                                            Here's the combofix log - part 1:

                                            ComboFix 07-11-19.3 - KATHY 2007-11-25  0:01:04.3 - NTFSx86
                                            Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.534 [GMT -5:00]
                                            Running from: C:\Documents and Settings\KATHY\Desktop\ComboFix.exe
                                            Command switches used :: C:\Documents and Settings\KATHY\Desktop\CFScript.txt
                                             * Created a new restore point

                                            FILE
                                            C:\WINDOWS\system32\pdupggjv.ini
                                            C:\WINDOWS\system32\pdupggjv.tmp
                                            .

                                            (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
                                            .

                                            C:\WINDOWS\cookies.ini
                                            C:\WINDOWS\system32\pdupggjv.ini
                                            C:\WINDOWS\System32\vjggpudp.dll\

                                            .
                                            (((((((((((((((((((((((((   Files Created from 2007-10-25 to 2007-11-25  )))))))))))))))))))))))))))))))
                                            .

                                            2007-11-24 15:22   <DIR>   d--------   C:\WINDOWS\LastGood.Tmp
                                            2007-11-24 15:22   <DIR>   d--------   C:\WINDOWS\BDOSCAN8
                                            2007-11-22 21:58   53,248   --a------   C:\WINDOWS\system32\Process.exe
                                            2007-11-22 21:58   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
                                            2007-11-22 21:07   0   --a------   C:\WINDOWS\nsreg.dat
                                            2007-11-22 16:22   <DIR>   d--------   C:\WINDOWS\ERUNT
                                            2007-11-22 13:58   <DIR>   d--------   C:\Program Files\Trend Micro
                                            2007-11-22 09:29   <DIR>   d--------   C:\Program Files\Common Files\Scanner
                                            2007-11-22 09:11   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
                                            2007-11-22 09:10   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
                                            2007-11-22 09:10   75,248   --a------   C:\WINDOWS\zllsputility.exe
                                            2007-11-22 09:09   <DIR>   d--------   C:\WINDOWS\Internet Logs
                                            2007-11-22 00:28   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
                                            2007-11-21 19:10   <DIR>   d--------   C:\Program Files\InCode Solutions
                                            2007-11-21 19:08   <DIR>   d--------   C:\Program Files\RegCure
                                            2007-11-21 19:04   <DIR>   d--------   C:\Program Files\CCleaner
                                            2007-11-21 18:58   714,446   --ahs----   C:\WINDOWS\system32\pibpnavn.ini
                                            2007-11-20 23:29   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Uniblue
                                            2007-11-19 21:28   685,703   --ahs----   C:\WINDOWS\system32\rmsruhsm.ini
                                            2007-11-19 18:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
                                            2007-11-19 18:25   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
                                            2007-11-19 18:25   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\SUPERAntiSpyware.com
                                            2007-11-19 18:10   <DIR>   d--------   C:\Program Files\Musicmatch
                                            2007-11-18 15:05   <DIR>   d--------   C:\Program Files\Lavasoft
                                            2007-11-18 15:05   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
                                            2007-11-18 15:03   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
                                            2007-11-17 18:14   <DIR>   d--------   C:\WINDOWS\system32\CDD0CCCED0D3D6
                                            2007-11-17 18:14   124,416   --a------   C:\WINDOWS\system32\1114101214171A.exe
                                            2007-11-17 15:25   108,544   --a------   C:\WINDOWS\system32\pxcpyi64.exe
                                            2007-11-17 15:25   104,960   --a------   C:\WINDOWS\system32\pxinsi64.exe
                                            2007-11-17 15:24   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Musicmatch
                                            2007-11-17 15:24   89,088   --a------   C:\WINDOWS\system32\atl71.dll
                                            2007-11-12 18:32   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Corel
                                            2007-11-12 18:24   553,984   --a------   C:\WINDOWS\system32\rave.dll
                                            2007-11-12 18:24   229,376   --a------   C:\WINDOWS\system32\rpza32.qtc
                                            2007-11-12 18:24   211,456   --a------   C:\WINDOWS\system32\qd3d_ir2.q3x
                                            2007-11-12 18:24   165,888   --a------   C:\WINDOWS\system32\smc32.qtc
                                            2007-11-12 18:24   70,656   --a------   C:\WINDOWS\system32\3dviewer.dll
                                            2007-11-12 18:24   32,768   --a------   C:\WINDOWS\system32\cmgr32.dll
                                            2007-11-12 18:23   909,312   --a------   C:\WINDOWS\system32\qd3d.dll
                                            2007-11-12 18:23   409,600   --a------   C:\WINDOWS\system32\scint78.dll
                                            2007-11-12 18:23   345,600   --a------   C:\WINDOWS\system32\qtim32.dll
                                            2007-11-12 18:23   151,040   --a------   C:\WINDOWS\system32\cvid32.qtc
                                            2007-11-12 18:23   108,032   --a------   C:\WINDOWS\system32\sh33w32.dll
                                            2007-11-12 18:23   24,064   --a------   C:\WINDOWS\system32\dci32.qtc
                                            2007-11-12 18:23   20,480   --a------   C:\WINDOWS\system32\raw32.qtc
                                            2007-11-12 18:22   103,936   --a------   C:\WINDOWS\system32\rle32.qtc
                                            2007-11-12 18:22   38,912   --a------   C:\WINDOWS\system32\dhio32.qtc
                                            2007-11-12 18:21   <DIR>   d--------   C:\WINDOWS\Favorites
                                            2007-11-12 18:21   <DIR>   d--------   C:\Corel
                                            2007-11-12 18:20   <DIR>   d--------   C:\WINDOWS\Corel
                                            2007-10-25 10:26   53,248   --a------   C:\WINDOWS\bdoscandel.exe

                                            stomper

                                              Topic Starter


                                              Rookie
                                              Re: I've received many trojan warnings!
                                              « Reply #37 on: November 24, 2007, 10:16:34 PM »
                                              Here's combofix log - part 2:


                                              .
                                              ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                                              .
                                              2007-11-24 12:45   81,472   ----a-w   C:\WINDOWS\system32\iyyjnglw.dll
                                              2007-11-24 12:42   85,056   ----a-w   C:\WINDOWS\system32\vjggpudp.dll
                                              2007-11-22 14:29   ---------   d-----w   C:\Program Files\Yahoo!
                                              2007-11-19 23:35   ---------   d-----w   C:\Program Files\Canon
                                              2007-11-19 23:10   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                                              2007-11-16 23:40   ---------   d-----w   C:\Program Files\DC++
                                              2007-10-28 12:51   ---------   d-----w   C:\Documents and Settings\KATHY\Application Data\CoreFTP
                                              2007-10-04 04:36   25,600   ----a-w   C:\WINDOWS\system32\WS2Fix.exe
                                              2007-09-29 17:43   ---------   d-----w   C:\Documents and Settings\KATHY\Application Data\Ahead
                                              2007-09-27 00:29   ---------   d-----w   C:\Program Files\Microsoft.NET
                                              2007-09-06 21:14   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
                                              2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
                                              2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
                                              2007-09-06 04:22   289,144   ----a-w   C:\WINDOWS\system32\VCCLSID.exe
                                              .

                                              (((((((((((((((((((((((((((((   snapshot@2007-11-23_ 7.26.26.69   )))))))))))))))))))))))))))))))))))))))))
                                              .
                                              + 2007-11-24 20:23:19   45,056   ----a-w   C:\WINDOWS\BDOSCAN8\avxdisk.dll
                                              + 2007-11-24 20:23:20   10,240   ----a-w   C:\WINDOWS\BDOSCAN8\avxs.dll
                                              + 2007-11-24 20:23:20   27,136   ----a-w   C:\WINDOWS\BDOSCAN8\avxt.dll
                                              + 2007-11-24 20:23:25   181,760   ----a-w   C:\WINDOWS\BDOSCAN8\bdcore.dll
                                              + 2007-10-25 15:26:48   118,784   ----a-w   C:\WINDOWS\BDOSCAN8\bdupd.dll
                                              + 2007-10-25 15:26:48   53,248   ----a-w   C:\WINDOWS\BDOSCAN8\ipsupd.dll
                                              + 2007-11-24 20:23:26   142,848   ----a-w   C:\WINDOWS\BDOSCAN8\libfn.dll
                                              + 2007-11-24 20:23:21   86,016   ----a-w   C:\WINDOWS\BDOSCAN8\librtvr.dll
                                              + 2007-10-25 15:26:48   118,784   ----a-w   C:\WINDOWS\Downloaded Program Files\bdupd.dll
                                              + 2007-10-25 15:26:48   53,248   ----a-w   C:\WINDOWS\Downloaded Program Files\ipsupd.dll
                                              + 2007-11-25 05:04:27   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_b8.dat
                                              .
                                              (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                                              .
                                              .
                                              *Note* empty entries & legit default entries are not shown

                                              [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                              "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 02:41]
                                              "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
                                              "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 13:08]
                                              "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
                                              "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-11-19 21:38]

                                              [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                                              "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
                                              "zzzHPSETUP"="H:\Setup.exe" []
                                              "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
                                              "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
                                              "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
                                              "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 20:01]
                                              "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 08:03]
                                              "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 11:02]
                                              "WrtMon.exe"="C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35]
                                              "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11:06]
                                              "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

                                              C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                                              Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-07-07 16:14:23]
                                              Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-08 14:19:36]
                                              Corel MEDIA FOLDERS INDEXER 8.LNK - C:\Corel\Graphics8\Programs\MFIndexer.exe [2007-11-12 18:24:28]
                                              Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

                                              [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
                                              "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

                                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                                              C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-11-19 21:38 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

                                              [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]

                                              R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\System32\DRIVERS\cwrwdm.sys

                                              .
                                              **************************************************************************

                                              catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                                              Rootkit scan 2007-11-25 00:05:06
                                              Windows 5.1.2600 Service Pack 1 NTFS

                                              scanning hidden processes ...

                                              scanning hidden autostart entries ...

                                              scanning hidden files ...

                                              scan completed successfully
                                              hidden files: 0

                                              **************************************************************************
                                              .
                                              Completion time: 2007-11-25  0:06:33 - machine was rebooted
                                              C:\ComboFix2.txt ... 2007-11-24 15:04
                                              C:\ComboFix3.txt ... 2007-11-23 07:27
                                              .
                                                 --- E O F ---

                                              stomper

                                                Re: I've received many trojan warnings!
                                                « Reply #38 on: November 24, 2007, 10:17:31 PM »
                                                Here's the HJT log:

                                                Logfile of Trend Micro HijackThis v2.0.2
                                                Scan saved at 12:08:21 AM, on 11/25/2007
                                                Platform: Windows XP SP1 (WinNT 5.01.2600)
                                                MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
                                                Boot mode: Normal

                                                Running processes:
                                                C:\WINDOWS\System32\smss.exe
                                                C:\WINDOWS\system32\winlogon.exe
                                                C:\WINDOWS\system32\services.exe
                                                C:\WINDOWS\system32\lsass.exe
                                                C:\WINDOWS\system32\svchost.exe
                                                C:\WINDOWS\System32\svchost.exe
                                                C:\Program Files\Ahead\InCD\InCDsrv.exe
                                                C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                                                C:\WINDOWS\Explorer.EXE
                                                C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                                C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                                C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                                C:\WINDOWS\system32\spoolsv.exe
                                                C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                                C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                                C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
                                                C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                                                C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                                                C:\Program Files\Messenger\msmsgs.exe
                                                C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                                                C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                                                C:\Corel\Graphics8\Programs\MFIndexer.exe
                                                C:\WINDOWS\system32\srvany.exe
                                                C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
                                                C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
                                                C:\WINDOWS\system32\resetservice.exe
                                                C:\WINDOWS\System32\svchost.exe
                                                C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
                                                C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
                                                C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                                C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                                C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                                                R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                                                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
                                                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                                                R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                                                R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
                                                R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                                                O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                                                O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                                                O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                                                O4 - HKLM\..\Run: [zzzHPSETUP] H:\Setup.exe
                                                O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                                                O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                                O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                                O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
                                                O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
                                                O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
                                                O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                                                O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
                                                O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
                                                O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                                O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                                                O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
                                                O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                                O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                                                O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                                                O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
                                                O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                                O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                                                O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                                                O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                                                O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                                                O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                                                O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
                                                O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                                                O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
                                                O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
                                                O20 - Winlogon Notify: vtuutro - C:\WINDOWS\
                                                O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                                O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                                O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                                O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                                O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                                O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                                                O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
                                                O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

                                                --
                                                End of file - 6517 bytes

                                                evilfantasy

                                                Re: I've received many trojan warnings!
                                                « Reply #39 on: November 24, 2007, 10:40:33 PM »
                                                Open HijackThis and "Do a system scan only"

                                                Place a check mark next to:

                                                O20 - Winlogon Notify: vtuutro - C:\WINDOWS\

                                                Close all windows and click "Fix checked"


                                                Now download The Avenger By Swandog46, and save it to your Desktop.

                                                * Extract avenger.exe from the Zip file and save it to your desktop
                                                * Run avenger.exe by double-clicking on it.
                                                * Check the Input script manually box.
                                                * Click on the Magnifying Glass Icon which will open a new window titled View/edit script
                                                * Copy everything in the Quote box below, and paste it in the box that opens:

                                                Quote
                                                Files to delete:
                                                C:\WINDOWS\system32\vtuutro.dll

                                                Registry keys to delete:
                                                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]

                                                Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions, as they could damage the workings of your system.

                                                * Now click the 'Done' button.
                                                * Click on the Green Light and OK the prompt.
                                                * You will be prompted to restart; click OK at the prompt and your PC should reboot. If not, reboot it yourself.
                                                * A log file from Avenger will be produced at C:\avenger.txt

                                                The Avenger will automatically do the following:

                                                * It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
                                                * On reboot, it will briefly open a black command window on your desktop; this is normal.
                                                * After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
                                                * The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

                                                Please attach the C:\avenger.txt in your next post.

                                                Next post
                                                avenger.txt
                                                New hijackthis log


                                                stomper

                                                  Re: I've received many trojan warnings!
                                                  « Reply #40 on: November 25, 2007, 05:16:31 AM »
                                                  Here's the Avenger log:

                                                  Logfile of The Avenger version 1, by Swandog46
                                                  Running from registry key:
                                                  \Registry\Machine\System\CurrentControlSet\Services\tuqfagop

                                                  *******************

                                                  Script file located at: \??\C:\whvmqpys.txt
                                                  Script file opened successfully.

                                                  Script file read successfully

                                                  Backups directory opened successfully at C:\Avenger

                                                  *******************

                                                  Beginning to process script file:



                                                  File C:\WINDOWS\system32\vtuutro.dll not found!
                                                  Deletion of file C:\WINDOWS\system32\vtuutro.dll failed!

                                                  Could not process line:
                                                  C:\WINDOWS\system32\vtuutro.dll
                                                  Status: 0xc0000034



                                                  Could not open registry key [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro] for deletion
                                                  Deletion of registry key [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro] failed!
                                                  Status: 0xc000003b


                                                  Completed script processing.

                                                  *******************

                                                  Finished!  Terminate.

                                                  stomper

                                                    Re: I've received many trojan warnings!
                                                    « Reply #41 on: November 25, 2007, 05:17:11 AM »
                                                    Here's the HJT log:

                                                    Logfile of Trend Micro HijackThis v2.0.2
                                                    Scan saved at 7:14:45 AM, on 11/25/2007
                                                    Platform: Windows XP SP1 (WinNT 5.01.2600)
                                                    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
                                                    Boot mode: Normal

                                                    Running processes:
                                                    C:\WINDOWS\System32\smss.exe
                                                    C:\WINDOWS\system32\winlogon.exe
                                                    C:\WINDOWS\system32\services.exe
                                                    C:\WINDOWS\system32\lsass.exe
                                                    C:\WINDOWS\system32\svchost.exe
                                                    C:\WINDOWS\System32\svchost.exe
                                                    C:\Program Files\Ahead\InCD\InCDsrv.exe
                                                    C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                                                    C:\WINDOWS\Explorer.EXE
                                                    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                                    C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                                    C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
                                                    C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                                                    C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                                                    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                                    C:\Program Files\Messenger\msmsgs.exe
                                                    C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                                                    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                    C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                                                    C:\Corel\Graphics8\Programs\MFIndexer.exe
                                                    C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
                                                    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                                    C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
                                                    C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                                    C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
                                                    C:\WINDOWS\system32\notepad.exe
                                                    C:\WINDOWS\system32\spoolsv.exe
                                                    C:\WINDOWS\system32\srvany.exe
                                                    C:\WINDOWS\system32\resetservice.exe
                                                    C:\WINDOWS\System32\svchost.exe
                                                    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                                    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                                    C:\Program Files\Mozilla Firefox\firefox.exe
                                                    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                                                    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
                                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                                                    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                                                    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
                                                    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                                                    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                                                    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                                                    O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                                                    O4 - HKLM\..\Run: [zzzHPSETUP] H:\Setup.exe
                                                    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                                                    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                                                    O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                                                    O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
                                                    O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
                                                    O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
                                                    O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                                                    O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
                                                    O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
                                                    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                                                    O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                                                    O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                                                    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                                                    O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                                                    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                                                    O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
                                                    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                                                    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                                                    O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                                                    O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                                                    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                                                    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                                                    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
                                                    O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                                                    O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
                                                    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
                                                    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                                                    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                                                    O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                                                    O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                                                    O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                                                    O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                                                    O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
                                                    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

                                                    --
                                                    End of file - 6403 bytes

                                                    stomper

                                                      Re: I've received many trojan warnings!
                                                      « Reply #42 on: November 25, 2007, 07:47:51 AM »
                                                      Just realized today that my cd burner and my external USB DVD burner are no longer recognized.  :'(

                                                      evilfantasy

                                                      Re: I've received many trojan warnings!
                                                      « Reply #43 on: November 25, 2007, 10:57:51 AM »
                                                      Quote
                                                      Just realized today that my cd burner and my external USB DVD burner are no longer recognized.  :'(

                                                      Can you re-install the drivers?

                                                      ====

                                                      Well the entry finally went away.

                                                      Uninstall/delete The Avenger and go to C:\avenger.txt and delete that whole folder.

                                                      Go to Start > Run and copy and paste next command in the field:

                                                      ComboFix /u



                                                      Make sure there's a space between Combofix and /
                                                      Then hit Enter.

                                                      This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

                                                      Hopefully it will stay gone this time.

                                                      stomper

                                                        Re: I've received many trojan warnings!
                                                        « Reply #44 on: November 25, 2007, 01:15:08 PM »
                                                        Thanks for all your help.

                                                        As for my drivers, I haven't been successful. I uninstalled the hardware and reinstalled it. Windows recognized that new hardware had been installed. However, the driver is still corrupt. I tried to update the driver, but was told that it is the current driver.

                                                        Broni


                                                          Mastermind
                                                        • Kraków my love :)
                                                        • Thanked: 614
                                                          • Computer Help Forum
                                                        • Computer: Specs
                                                        • Experience: Experienced
                                                        • OS: Windows 8
                                                        Re: I've received many trojan warnings!
                                                        « Reply #45 on: November 25, 2007, 02:48:02 PM »
                                                        Quote
                                                        Windows recognized that new hardware had been installed.
                                                        ...and?

                                                        stomper

                                                          Topic Starter


                                                          Rookie
                                                          Re: I've received many trojan warnings!
                                                          « Reply #46 on: November 25, 2007, 03:58:02 PM »
                                                          I uninstalled the DVD writer, and reinstalled it. I rebooted the computer. When Windows came back up I got a popup saying new hardware had been installed. When I checked Device Manager, there is a yellow exclamation mark next to it. I right clicked on the drive and clicked on Properties. I received a message that Windows cannot load the device driver for this hardware. The driver may be corrupted or missing. (Code 39)

                                                          I clicked on Update Driver and chose to install automatically. I received a message that Windows could not find a better match. There is an option to locate the driver manually, but I don't know what I'm looking for.

                                                          I also checked driver details, and a list of drivers came up, but again I don't know what they are.

                                                          Thanks for any help.



                                                          Broni


                                                          Re: I've received many trojan warnings!
                                                          « Reply #47 on: November 25, 2007, 04:06:56 PM »
                                                          Quote
                                                          The driver may be corrupted or missing. (Code 39)
                                                          Call it Micro$oft way. You don't need optical drives drivers since Win2K(?), but Micro$oft appears not to know about it, and gives you bogus error messages.
                                                          Any other "yellow" error marks?
                                                          You may need to update/reinstall your motherboard drivers.

                                                          stomper

                                                            Topic Starter


                                                            Rookie
                                                            Re: I've received many trojan warnings!
                                                            « Reply #48 on: November 25, 2007, 04:55:18 PM »
                                                            I only have yellow markers next to the CD writer and DVD writer.

                                                            Broni


                                                            Re: I've received many trojan warnings!
                                                            « Reply #49 on: November 25, 2007, 04:58:21 PM »
                                                            You may need to update/reinstall your motherboard drivers.

                                                            stomper

                                                              Topic Starter


                                                              Rookie
                                                              Re: I've received many trojan warnings!
                                                              « Reply #50 on: November 25, 2007, 06:04:05 PM »
                                                              That sounds scary - don't know if I have the guts for that.

                                                              Broni


                                                              Re: I've received many trojan warnings!
                                                              « Reply #51 on: November 25, 2007, 06:14:36 PM »
                                                              I'm not talking about flashing the BIOS, I'm talking about motherboard drivers.

                                                              stomper

                                                                Topic Starter


                                                                Rookie
                                                                Re: I've received many trojan warnings!
                                                                « Reply #52 on: November 25, 2007, 06:29:54 PM »
                                                                I found an old post in another forum. Apparently a lot of people were having this same problem. Here's an answer that was given. Replies to this were all successful. Going into the registry sounds like another evil place  :-\

                                                                Do you have any thoughts on this solution?

                                                                ----------------

                                                                To fix this problem, I performed the following:

                                                                Start Registry Editor (Start, Run and type in regedit then click)

                                                                Find the "UpperFilters" and "LowerFilters" values (and "UpperFilters.bak" and "LowerFilters.bak", if they exist) under the following key in the registry, and delete them:

                                                                HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}

                                                                Quit Registry Editor.

                                                                Reboot.

                                                                NOTE: You might need to reinstall any CD recording apps you have, if they start to not work completely, after doing this.

                                                                Broni


                                                                Re: I've received many trojan warnings!
                                                                « Reply #53 on: November 25, 2007, 06:36:28 PM »
                                                                This is a very good find. I forgot about that solution.
                                                                You're gonna be fine. Just backup your registry, first.
                                                                Go Start>Run, type in:
                                                                regedit
                                                                Hit Enter.
                                                                Go File>Export, and save your registry to a known location.
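
The backup-then-delete procedure from the two posts above, written out as an added PowerShell script; it is not from the thread or from any tool the thread uses. The class GUID and the UpperFilters/LowerFilters value names are the ones quoted in the thread; the backup file location, and the assumption that it is run from an elevated PowerShell prompt on a Windows version that ships PowerShell, are mine. It exports the key first (the scripted equivalent of Broni's File > Export step), then lists the filter driver names currently registered in those values so it is clear what is about to be removed, and only then deletes them.

```powershell
# Added example, not code from the thread. Inspect, back up, then remove the UpperFilters /
# LowerFilters values on the CD/DVD-ROM device class key. Run from an elevated PowerShell prompt.
# Class GUID and value names are the ones quoted in the thread; the backup path is an assumption.

$classPath  = 'SYSTEM\CurrentControlSet\Control\Class\{4D36E965-E325-11CE-BFC1-08002BE10318}'
$classKey   = "HKLM:\$classPath"
$valueNames = 'UpperFilters', 'LowerFilters', 'UpperFilters.bak', 'LowerFilters.bak'
$backupFile = Join-Path $env:USERPROFILE 'Desktop\cdrom-class-backup.reg'   # assumed location

# 1. Back up the key before changing anything (scripted version of File > Export in regedit).
if (Test-Path $backupFile) { Remove-Item $backupFile }
reg.exe export "HKLM\$classPath" $backupFile | Out-Null
if (-not (Test-Path $backupFile)) { throw "Registry backup failed; nothing was changed." }

# 2. List the filter drivers currently registered, so it is clear what is about to be removed.
$key     = Get-Item -Path $classKey
$present = @()
foreach ($name in $valueNames) {
    if ($key.GetValueNames() -contains $name) {
        $present += $name
        $drivers = $key.GetValue($name)           # REG_MULTI_SZ: one driver service name per entry
        Write-Host ("{0} = {1}" -f $name, ($drivers -join ', '))
    }
}
if ($present.Count -eq 0) {
    Write-Host "No filter values found under the CD-ROM class key; nothing to remove."
    return
}

# 3. Remove only the values that exist, then reboot so the class driver loads without the filters.
foreach ($name in $present) {
    Remove-ItemProperty -Path $classKey -Name $name
}
Write-Host "Removed: $($present -join ', '). Backup saved to $backupFile. Reboot to apply."
```

Read the driver names the script prints before rebooting: UpperFilters and LowerFilters are the normal registration point for CD recording software's filter drivers, which is why the quoted post warns that burning applications may need reinstalling afterwards, and a name there that no installed product accounts for is worth checking against the machine's software list. If the drives stop working after the change, double-clicking the exported .reg file restores the key exactly as it was.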

                                                                stomper

                                                                  Topic Starter


                                                                  Rookie
                                                                  Re: I've received many trojan warnings!
                                                                  « Reply #54 on: November 25, 2007, 07:47:34 PM »
                                                                  It worked! ;D

                                                                  Thanks for taking the time to help Broni.

                                                                  And Evilfantasy - if you're still around (wouldn't blame you if you didn't look at this thread anymore) I can't thank you enough for all the time and help you've given me. You went above and beyond!

                                                                  Thank you! Thank you! Thank you!

                                                                  evilfantasy

                                                                  Re: I've received many trojan warnings!
                                                                  « Reply #55 on: November 25, 2007, 07:51:37 PM »
                                                                  Still here, glad it worked.

                                                                  Safe surfing.

                                                                  Broni


                                                                  Re: I've received many trojan warnings!
                                                                  « Reply #56 on: November 25, 2007, 08:12:34 PM »
                                                                  Very nice job, people!!!

                                                                  CBMatt

                                                                  • Mod & Malware Specialist


                                                                  • Prodigy

                                                                  • Sad and lonely...and loving every minute of it.
                                                                  • Thanked: 167
                                                                    • Yes
                                                                  • Experience: Experienced
                                                                  • OS: Windows 7
                                                                  Re: I've received many trojan warnings!
                                                                  « Reply #57 on: November 27, 2007, 05:14:15 AM »
                                                                  Quote
                                                                  As for SP1, I once tried the update to SP2 and it locked my system - or should I say crash. Windows wouldn't start at all - not even in safe mode. I tried to reload windows, and nothing. I eventually had to reformat. I don't want to go there again.

                                                                  Without SP2, you are fairly vulnerable, like evilfantasy mentioned earlier.  As your computer appears to be clean now, you might want to consider trying SP2 again.  It's quite possible that SP2 didn't work properly for you before because you installed it on an infected machine, which can cause problems.  Of course, we can't force you to update...after all, we'd hate to be blamed if something went wrong again.  Heh.
                                                                  Quote
                                                                  An undefined problem has an infinite number of solutions.
                                                                  —Robert A. Humphrey