Author Topic: I've received many trojan warnings!  (Read 23067 times)

stomper

    Topic Starter


    Rookie
    Re: I've received many trojan warnings!
    « Reply #30 on: November 24, 2007, 06:20:54 PM »
    Here's combofix - part 2

    (((((((((((((((((((((((((((((   snapshot@2007-11-23_ 7.26.26.69   )))))))))))))))))))))))))))))))))))))))))
    .
    + 2007-11-24 20:00:53   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_7a4.dat
    .
    (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132c0724-1e49-435a-b805-2880c8d6e789}]
    2007-11-24 07:45   81472   --a------   C:\WINDOWS\System32\iyyjnglw.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1A1D30A-5CF6-42DA-829C-B71CFF182A5C}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 02:41]
    "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
    "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 13:08]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-11-19 21:38]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
    "zzzHPSETUP"="H:\Setup.exe" []
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
    "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
    "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
    "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 20:01]
    "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 08:03]
    "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 11:02]
    "WrtMon.exe"="C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35]
    "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11:06]
    "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]
    "2cf0eb2f"="C:\WINDOWS\System32\vjggpudp.dll" [2007-11-24 07:42]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-07-07 16:14:23]
    Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-08 14:19:36]
    Corel MEDIA FOLDERS INDEXER 8.LNK - C:\Corel\Graphics8\Programs\MFIndexer.exe [2007-11-12 18:24:28]
    Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

    [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-11-19 21:38 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\reset5]
    reset5.dll 2002-09-09 15:30 17408 C:\WINDOWS\system32\reset5.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]
    vtuutro.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Authentication Packages"= msv1_0 C:\WINDOWS\System32\wvuss.dll

    R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\System32\DRIVERS\cwrwdm.sys

    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-24 15:01:28
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-24 15:04:05 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-23 07:27
    .
       --- E O F ---



    stomper

      Topic Starter


      Rookie
      Re: I've received many trojan warnings!
      « Reply #31 on: November 24, 2007, 06:22:04 PM »
      Here's HJT:

      Logfile of Trend Micro HijackThis v2.0.2
      Scan saved at 6:27:31 PM, on 11/24/2007
      Platform: Windows XP SP1 (WinNT 5.01.2600)
      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
      Boot mode: Normal

      Running processes:
      C:\WINDOWS\System32\smss.exe
      C:\WINDOWS\system32\winlogon.exe
      C:\WINDOWS\system32\services.exe
      C:\WINDOWS\system32\lsass.exe
      C:\WINDOWS\system32\svchost.exe
      C:\WINDOWS\System32\svchost.exe
      C:\Program Files\Ahead\InCD\InCDsrv.exe
      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
      C:\WINDOWS\Explorer.EXE
      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      C:\Program Files\Alwil Software\Avast4\ashServ.exe
      C:\WINDOWS\system32\spoolsv.exe
      C:\WINDOWS\system32\srvany.exe
      C:\WINDOWS\system32\resetservice.exe
      C:\WINDOWS\System32\svchost.exe
      C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
      C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
      C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
      C:\Program Files\Messenger\msmsgs.exe
      C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
      C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
      C:\Corel\Graphics8\Programs\MFIndexer.exe
      C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
      C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
      O2 - BHO: {987e6d8c-0882-508b-a534-94e14270c231} - {132c0724-1e49-435a-b805-2880c8d6e789} - C:\WINDOWS\System32\iyyjnglw.dll
      O2 - BHO: (no name) - {F1A1D30A-5CF6-42DA-829C-B71CFF182A5C} - (no file)
      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
      O4 - HKLM\..\Run: [zzzHPSETUP] H:\Setup.exe
      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
      O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
      O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
      O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
      O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
      O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
      O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
      O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
      O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\vjggpudp.dll",b
      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
      O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
      O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
      O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
      O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
      O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
      O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
      O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
      O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
      O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
      O20 - Winlogon Notify: vtuutro - vtuutro.dll (file missing)
      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
      O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
      O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
      O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
      O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
      O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

      --
      End of file - 6875 bytes

      stomper

        Topic Starter


        Rookie
        Re: I've received many trojan warnings!
        « Reply #32 on: November 24, 2007, 06:27:58 PM »
        Here's bdscan - part 1:

        <HTML>
        <HEAD>
        <TITLE>BitDefender Online Scanner -Scan Report</TITLE>
        <META HTTP-EQUIV="Content-Type" CONTENT="text/html; charset=iso-8859-1">
        <meta name="generator" content="Namo WebEditor v5.0(Trial)">
        </HEAD>
        <BODY BGCOLOR=#FFFFFF  leftmargin="10" marginwidth="0" topmargin="20" marginheight="0" >


        <table align="center" border="0" cellpadding="0" cellspacing="0" width="90%">
            <tr>
                <td width="458">
                    <p><font face="Arial" color=red><span style="font-size:14pt;">BitDefender
                    Online Scanner
        </span></font></p>
                </td>
                <td width="40%">
                    <p>&nbsp;</p>
                </td>
                <td width="10%">
                    <p>&nbsp;</p>
                </td>
            </tr>
            <tr>
                <td colspan="3" width="912">
                    <p><font face="Arial"><span style="font-size:11pt;"><B>Scan report generated
                    at: Sat, Nov 24, 2007 - 18:08:23</span></font></p>
                </td>
            </tr>

           <tr>
                <td width="458">
                    <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</span></font></p>
                </td>
                <td width="40%">
                    <p>&nbsp;</p>
                </td>
                <td width="10%">
                    <p>&nbsp;</p>
                </td>
            </tr>

           <tr>
                <td width="458">
                    <p><font face="Arial"><span style="font-size:11pt;"><B>Scan
                    path: </span><span style="font-size:10pt;">A:\;C:\;E:\;F:\;G:\;J:\;</span></font></p>
                </td>
                <td width="40%">
                    <p>&nbsp;</p>
                </td>
                <td width="10%">
                    <p>&nbsp;</p>
                </td>
            </tr>

           <tr>
                <td width="458">
                    <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</span></font></p>
                </td>
                <td width="40%">
                    <p>&nbsp;</p>
                </td>
                <td width="10%">
                    <p>&nbsp;</p>
                </td>
            </tr>

            <tr>
                <td width="458">
                        <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                            <tr>
                                <td width="451" colspan="2" bgcolor="#CCCCCC">
                                    <p><font face="Arial" size="2"><B>Statistics</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                    <p><font face="Arial" size="2">Time</font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">02:43:03</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                    <p><font face="Arial" size="2">Files</font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">250479</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                    <p><font face="Arial" size="2">Folders</font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">5560</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                    <p><font face="Arial" size="2">Boot Sectors</font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">9</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                    <p><font face="Arial" size="2">Archives</font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">8245</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                    <p><font face="Arial" size="2">Packed Files</font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">17300</font></p>
                                </td>
                            </tr>
                        </table>
                </td>
                <td width="40%">
                    <p>&nbsp;</p>
                </td>
                <td width="10%">
                    <p>&nbsp;</p>
                </td>
            </tr>

           

           <tr>
                <td width="458">
                        <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                            <tr>
                                <td width="451" colspan="2" bgcolor="#CCCCCC">
                                    <p><font face="Arial" size="2"><B>Results</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                <p><font face="Arial" size="2">Identified Viruses </font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">6</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                <p><font face="Arial" size="2">Infected Files </font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">9</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                <p><font face="Arial" size="2">Suspect&nbsp;Files </font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">0</font></p>
                                </td>
                            </tr>
                            <tr>
                                <td width="57%">
                                    <p><font face="Arial" size="2">Warnings</font></p>
                                </td>
                                <td width="43%" align="right">
                                    <p><font face="Arial" size="2">0</font></p>
                                </td>
                            </tr>

        stomper

          Topic Starter


          Rookie
          Re: I've received many trojan warnings!
          « Reply #33 on: November 24, 2007, 06:29:49 PM »
          Here's bdscan - part 2:

                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Disinfected</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">0</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Deleted Files</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">8</font></p>
                                  </td>
                              </tr>
                          </table>
                  </td>
                  <td width="40%">
                      <p>&nbsp;</p>
                  </td>
                  <td width="10%">
                      <p>&nbsp;</p>
                  </td>
              </tr>

             <tr>
                  <td width="458">
                          <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                              <tr>
                                  <td width="451" colspan="2" bgcolor="#CCCCCC">
                                      <p><font face="Arial" size="2"><B>Engines Info</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                  <p><font face="Arial" size="2">Virus Definitions</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">878762</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                  <p><font face="Arial" size="2">Engine build</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Scan plugins</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">14</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Archive plugins</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">38</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Unpack plugins</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">7</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">E-mail plugins</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">6</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">System&nbsp;plugins</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">1</font></p>
                                  </td>
                              </tr>
                          </table>
                  </td>
                  <td width="40%">
                      <p>&nbsp;</p>
                  </td>
                  <td width="10%">
                      <p>&nbsp;</p>
                  </td>
              </tr>

             <tr>
                  <td width="458">
                          <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                              <tr>
                                  <td width="451" colspan="2" bgcolor="#CCCCCC">
                                      <p><font face="Arial" size="2"><B>Scan Settings</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                  <p><font face="Arial" size="2">First Action</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Disinfect</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                  <p><font face="Arial" size="2">Second Action</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Delete</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Heuristics</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Yes</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Enable Warnings</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Yes</font></p>
                                  </td>
                              </tr>
                             <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Scanned Extensions</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">*;</font></p>
                                  </td>
                              </tr>

                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Exclude Extensions</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">&nbsp;</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Scan Emails</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Yes</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Scan Archives</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Yes</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Scan Packed</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Yes</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Scan Files</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Yes</font></p>
                                  </td>
                              </tr>
                              <tr>
                                  <td width="57%">
                                      <p><font face="Arial" size="2">Scan Boot</font></p>
                                  </td>
                                  <td width="43%" align="right">
                                      <p><font face="Arial" size="2">Yes</font></p>
                                  </td>
                              </tr>
                          </table>
                  </td>
                  <td width="40%">
                      <p>&nbsp;</p>
                  </td>
                  <td width="10%">
                      <p>&nbsp;</p>
                  </td>
              </tr>

             

          stomper

            Topic Starter


            Rookie
            Re: I've received many trojan warnings!
            « Reply #34 on: November 24, 2007, 06:30:29 PM »
            Here's bdscan - part 3:

            <tr>
                    <td colspan=2> &nbsp;
                            <table border="1" cellspacing="0" bordercolordark="white" bordercolorlight="black" width="100%">
                                <tr>
                                    <td width="252" bgcolor="#CCCCCC">
                                        <p><font face="Arial" size="2"><B>Scanned File</font></p>
                                    </td>
                                    <td width="195" bgcolor="#CCCCCC" align="right">
                                    <p align="left"><font size="2" face="Arial">&nbsp;Status</font></p>
                                    </td>
                                </tr>
                                <tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\g2\bemwdll3.exe.vir</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Downloader.JJEJ</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\g2\bemwdll3.exe.vir</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\qoobox\Quarantine\C\WINDOWS\system32\g2\bemwdll3.exe.vir</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Deleted</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002089.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Downloader.JJEJ</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002089.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002089.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Deleted</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002090.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Generic.78149</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002090.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002090.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Deleted</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002091.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Downloader.Obfuscated.CF</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002091.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP2\A0002091.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Deleted</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004286.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Vundo.DQZ</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004286.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004286.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Deleted</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004287.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Vundo.DQO</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004287.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004287.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Deleted</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004288.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Fotomoto.F</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004288.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\System Volume Information\_restore{F1E03FE8-0BEC-4447-8CE3-C34955F04B97}\RP3\A0004288.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Deleted</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\WINDOWS\system32\fpdpnnjj.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Fotomoto.F</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\WINDOWS\system32\fpdpnnjj.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\WINDOWS\system32\fpdpnnjj.exe</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Deleted</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\WINDOWS\system32\vjggpudp.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Infected with: Trojan.Vundo.DQO</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\WINDOWS\system32\vjggpudp.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Disinfection failed</font></p>
               </td>
            </tr><tr>
               <td width="57%">
               <p><font face="Arial" size="2">C:\WINDOWS\system32\vjggpudp.dll</font></p>
               </td>
               <td width="43%" align="left">
                  <p><font face="Arial" size="2">Delete failed</font></p>
               </td>
            </tr>
                            </table>
                    </td>
                   
                    <td width="10%">
                        <p>&nbsp;</p>
                    </td>
                </tr>

               <tr>
                    <td width="458">
                        <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</span></font></p>
                    </td>
                    <td width="40%">
                        <p>&nbsp;</p>
                    </td>
                    <td width="10%">
                        <p>&nbsp;</p>
                    </td>
                </tr>

               <tr>
                    <td width="458">
                        <p><font face="Arial"><span style="font-size:11pt;"><B>&nbsp;</span></font></p>
                    </td>
                    <td width="40%">
                        <p>&nbsp;</p>
                    </td>
                    <td width="10%">
                        <p>&nbsp;</p>
                    </td>
                </tr>

            </table>
            <p>&nbsp;</p>

            </body>
            </html>

            evilfantasy

            • Malware Removal Specialist
            • Moderator


            • Genius
            • Calm like a bomb
            • Thanked: 493
            • Experience: Experienced
            • OS: Windows 11
            Re: I've received many trojan warnings!
            « Reply #35 on: November 24, 2007, 08:11:22 PM »
            Did you install this C:\WINDOWS\SYSTEM32\reset5.dll

            =====
            Open HijackThis and select "Do a system scan only"

            Place a check mark next to:

            O2 - BHO: {987e6d8c-0882-508b-a534-94e14270c231} - {132c0724-1e49-435a-b805-2880c8d6e789} - C:\WINDOWS\System32\iyyjnglw.dll
            O2 - BHO: (no name) - {F1A1D30A-5CF6-42DA-829C-B71CFF182A5C} - (no file)
            O4 - HKLM\..\Run: [2cf0eb2f] rundll32.exe "C:\WINDOWS\System32\vjggpudp.dll",b
            O20 - Winlogon Notify: reset5 - C:\WINDOWS\SYSTEM32\reset5.dll
            O20 - Winlogon Notify: vtuutro - vtuutro.dll (file missing)


            Close all windows and click "Fix checked"

            =====

            Delete these files/folders, as follows:

            * Open notepad and copy/paste the text in the quote box below into it (all except the word QUOTE):

            Quote
            File::
            C:\WINDOWS\system32\pdupggjv.tmp
            C:\WINDOWS\system32\pdupggjv.ini

            Folder::
            C:\WINDOWS\System32\vjggpudp.dll

            Registry::
            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{132c0724-1e49-435a-b805-2880c8d6e789}]
            2007-11-24 07:45   81472   --a------   C:\WINDOWS\System32\iyyjnglw.dll
            [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F1A1D30A-5CF6-42DA-829C-B71CFF182A5C}]
            [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]
            vtuutro.dll
            [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
            "Authentication Packages"= msv1_0 C:\WINDOWS\System32\wvuss.dll

            * Save this as CFScript on the desktop.
            * Then drag the CFScript (hold the left mouse button while dragging the file) and drop it (release the left mouse button) into ComboFix.exe as you see in the screenshot below. Important: Perform this instruction carefully!


            * ComboFix will begin to execute, just follow the prompts. After reboot (in case it asks to reboot), it shall produce a log for you. Post that log (Combofix.txt) in your next reply.

            Note: Do not mouseclick combofix's window while it is running. That may cause your system to hang.

            =====

            After that we need the:
            Combofix log
            New HijackThis log
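
The entries the moderator asks to fix above share a few tell-tale traits: a BHO whose display name is just a GUID, a Run value named with a hex string that uses rundll32 to load a DLL, orphaned registry references ("(no file)", "(file missing)"), and Winlogon Notify DLLs nobody remembers installing. The following is an added example, not code from this thread or from the HijackThis or ComboFix authors: a small Python triage script that applies those same checks to HijackThis-style log lines. The sample lines are constructed from the entries quoted in this thread, and the heuristics (eight lowercase letters as a "random-looking" module name, a hex Run value name, flagging every O20 entry for confirmation) are my assumptions about what merits a second look, not rules from any tool.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the entries quoted in this thread
# (not the poster's full log).
SAMPLE_LOG = """\
O2 - BHO: {987e6d8c-0882-508b-a534-94e14270c231} - {132c0724-1e49-435a-b805-2880c8d6e789} - C:\\WINDOWS\\System32\\iyyjnglw.dll
O2 - BHO: (no name) - {F1A1D30A-5CF6-42DA-829C-B71CFF182A5C} - (no file)
O4 - HKLM\\..\\Run: [2cf0eb2f] rundll32.exe "C:\\WINDOWS\\System32\\vjggpudp.dll",b
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O20 - Winlogon Notify: reset5 - C:\\WINDOWS\\SYSTEM32\\reset5.dll
O20 - Winlogon Notify: vtuutro - vtuutro.dll (file missing)
O20 - Winlogon Notify: !SASWinLogon - C:\\Program Files\\SUPERAntiSpyware\\SASWINLO.DLL
"""

ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d+) - (?P<body>.*)$")
# A Windows path ending in a loadable module; spaces allowed, quotes/commas end it.
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*?\.(?:dll|exe|ocx)\b', re.IGNORECASE)
RANDOM_BASENAME_RE = re.compile(r"^[a-z]{8}\.(?:dll|exe)$")   # assumed heuristic, e.g. iyyjnglw.dll
HEX_VALUE_NAME_RE = re.compile(r"\[[0-9a-f]{8}\]")            # assumed heuristic, e.g. [2cf0eb2f]
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)
ORPHAN_MARKERS = ("(no file)", "(file missing)")


@dataclass
class Finding:
    code: str                 # HijackThis section, e.g. O4
    line: str                 # the raw log line
    reasons: list = field(default_factory=list)


def analyse_line(line: str):
    """Return a Finding for one log line, or None if nothing stands out."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    code, body = m.group("code"), m.group("body")
    reasons = []

    # Registry still references a file that is gone: harmless leftover, but clean it up.
    if any(marker in body for marker in ORPHAN_MARKERS):
        reasons.append("registry entry points at a file that no longer exists")

    # Modules with machine-generated looking names (assumed heuristic).
    paths = PATH_RE.findall(body)
    for path in paths:
        basename = path.rsplit("\\", 1)[-1]
        if RANDOM_BASENAME_RE.match(basename):
            reasons.append(f"random-looking module name {basename}")

    if code == "O2":
        display_name = body.split(" - ")[0][len("BHO: "):]
        if display_name == "(no name)" or GUID_RE.match(display_name):
            reasons.append("browser helper object with no readable display name")
    elif code == "O4":
        if HEX_VALUE_NAME_RE.search(body):
            reasons.append("Run value named with a hex string")
        if "rundll32" in body.lower() and paths:
            reasons.append("rundll32 loads a DLL at logon")
    elif code == "O20":
        # Winlogon Notify DLLs run inside winlogon; every one should be accounted for.
        reasons.append("Winlogon Notify DLL: confirm it belongs to software you installed")

    return Finding(code, line.strip(), reasons) if reasons else None


def triage(log_text: str):
    """All lines of a HijackThis-style log that merit a closer look."""
    return [f for f in (analyse_line(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding.code, finding.line)
        for reason in finding.reasons:
            print("    -", reason)
```

Run against the constructed sample, the script flags six of the seven lines and leaves the avast! Run entry alone; the SUPERAntiSpyware Winlogon Notify entry is flagged only for confirmation, which is the point: an O20 entry is not proof of infection, just something that has to be accounted for.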

            stomper

              Topic Starter


              Rookie
              Re: I've received many trojan warnings!
              « Reply #36 on: November 24, 2007, 10:15:59 PM »
              No, I did not install C:\WINDOWS\SYSTEM32\reset5.dll - haven't a clue what it is.

              Here's the combofix log - part 1:

              ComboFix 07-11-19.3 - KATHY 2007-11-25  0:01:04.3 - NTFSx86
              Microsoft Windows XP Professional  5.1.2600.1.1252.1.1033.18.534 [GMT -5:00]
              Running from: C:\Documents and Settings\KATHY\Desktop\ComboFix.exe
              Command switches used :: C:\Documents and Settings\KATHY\Desktop\CFScript.txt
               * Created a new restore point

              FILE
              C:\WINDOWS\system32\pdupggjv.ini
              C:\WINDOWS\system32\pdupggjv.tmp
              .

              (((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
              .

              C:\WINDOWS\cookies.ini
              C:\WINDOWS\system32\pdupggjv.ini
              C:\WINDOWS\System32\vjggpudp.dll\

              .
              (((((((((((((((((((((((((   Files Created from 2007-10-25 to 2007-11-25  )))))))))))))))))))))))))))))))
              .

              2007-11-24 15:22   <DIR>   d--------   C:\WINDOWS\LastGood.Tmp
              2007-11-24 15:22   <DIR>   d--------   C:\WINDOWS\BDOSCAN8
              2007-11-22 21:58   53,248   --a------   C:\WINDOWS\system32\Process.exe
              2007-11-22 21:58   51,200   --a------   C:\WINDOWS\system32\dumphive.exe
              2007-11-22 21:07   0   --a------   C:\WINDOWS\nsreg.dat
              2007-11-22 16:22   <DIR>   d--------   C:\WINDOWS\ERUNT
              2007-11-22 13:58   <DIR>   d--------   C:\Program Files\Trend Micro
              2007-11-22 09:29   <DIR>   d--------   C:\Program Files\Common Files\Scanner
              2007-11-22 09:11   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\MailFrontier
              2007-11-22 09:10   <DIR>   d--------   C:\WINDOWS\system32\ZoneLabs
              2007-11-22 09:10   75,248   --a------   C:\WINDOWS\zllsputility.exe
              2007-11-22 09:09   <DIR>   d--------   C:\WINDOWS\Internet Logs
              2007-11-22 00:28   <DIR>   d--------   C:\Program Files\EsetOnlineScanner
              2007-11-21 19:10   <DIR>   d--------   C:\Program Files\InCode Solutions
              2007-11-21 19:08   <DIR>   d--------   C:\Program Files\RegCure
              2007-11-21 19:04   <DIR>   d--------   C:\Program Files\CCleaner
              2007-11-21 18:58   714,446   --ahs----   C:\WINDOWS\system32\pibpnavn.ini
              2007-11-20 23:29   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Uniblue
              2007-11-19 21:28   685,703   --ahs----   C:\WINDOWS\system32\rmsruhsm.ini
              2007-11-19 18:26   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
              2007-11-19 18:25   <DIR>   d--------   C:\Program Files\SUPERAntiSpyware
              2007-11-19 18:25   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\SUPERAntiSpyware.com
              2007-11-19 18:10   <DIR>   d--------   C:\Program Files\Musicmatch
              2007-11-18 15:05   <DIR>   d--------   C:\Program Files\Lavasoft
              2007-11-18 15:05   <DIR>   d--------   C:\Documents and Settings\All Users\Application Data\Lavasoft
              2007-11-18 15:03   <DIR>   d--------   C:\Program Files\Common Files\Wise Installation Wizard
              2007-11-17 18:14   <DIR>   d--------   C:\WINDOWS\system32\CDD0CCCED0D3D6
              2007-11-17 18:14   124,416   --a------   C:\WINDOWS\system32\1114101214171A.exe
              2007-11-17 15:25   108,544   --a------   C:\WINDOWS\system32\pxcpyi64.exe
              2007-11-17 15:25   104,960   --a------   C:\WINDOWS\system32\pxinsi64.exe
              2007-11-17 15:24   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Musicmatch
              2007-11-17 15:24   89,088   --a------   C:\WINDOWS\system32\atl71.dll
              2007-11-12 18:32   <DIR>   d--------   C:\Documents and Settings\KATHY\Application Data\Corel
              2007-11-12 18:24   553,984   --a------   C:\WINDOWS\system32\rave.dll
              2007-11-12 18:24   229,376   --a------   C:\WINDOWS\system32\rpza32.qtc
              2007-11-12 18:24   211,456   --a------   C:\WINDOWS\system32\qd3d_ir2.q3x
              2007-11-12 18:24   165,888   --a------   C:\WINDOWS\system32\smc32.qtc
              2007-11-12 18:24   70,656   --a------   C:\WINDOWS\system32\3dviewer.dll
              2007-11-12 18:24   32,768   --a------   C:\WINDOWS\system32\cmgr32.dll
              2007-11-12 18:23   909,312   --a------   C:\WINDOWS\system32\qd3d.dll
              2007-11-12 18:23   409,600   --a------   C:\WINDOWS\system32\scint78.dll
              2007-11-12 18:23   345,600   --a------   C:\WINDOWS\system32\qtim32.dll
              2007-11-12 18:23   151,040   --a------   C:\WINDOWS\system32\cvid32.qtc
              2007-11-12 18:23   108,032   --a------   C:\WINDOWS\system32\sh33w32.dll
              2007-11-12 18:23   24,064   --a------   C:\WINDOWS\system32\dci32.qtc
              2007-11-12 18:23   20,480   --a------   C:\WINDOWS\system32\raw32.qtc
              2007-11-12 18:22   103,936   --a------   C:\WINDOWS\system32\rle32.qtc
              2007-11-12 18:22   38,912   --a------   C:\WINDOWS\system32\dhio32.qtc
              2007-11-12 18:21   <DIR>   d--------   C:\WINDOWS\Favorites
              2007-11-12 18:21   <DIR>   d--------   C:\Corel
              2007-11-12 18:20   <DIR>   d--------   C:\WINDOWS\Corel
              2007-10-25 10:26   53,248   --a------   C:\WINDOWS\bdoscandel.exe

              stomper

                Topic Starter


                Rookie
                Re: I've received many trojan warnings!
                « Reply #37 on: November 24, 2007, 10:16:34 PM »
                Here's combofix log - part 2:


                .
                ((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                2007-11-24 12:45   81,472   ----a-w   C:\WINDOWS\system32\iyyjnglw.dll
                2007-11-24 12:42   85,056   ----a-w   C:\WINDOWS\system32\vjggpudp.dll
                2007-11-22 14:29   ---------   d-----w   C:\Program Files\Yahoo!
                2007-11-19 23:35   ---------   d-----w   C:\Program Files\Canon
                2007-11-19 23:10   ---------   d--h--w   C:\Program Files\InstallShield Installation Information
                2007-11-16 23:40   ---------   d-----w   C:\Program Files\DC++
                2007-10-28 12:51   ---------   d-----w   C:\Documents and Settings\KATHY\Application Data\CoreFTP
                2007-10-04 04:36   25,600   ----a-w   C:\WINDOWS\system32\WS2Fix.exe
                2007-09-29 17:43   ---------   d-----w   C:\Documents and Settings\KATHY\Application Data\Ahead
                2007-09-27 00:29   ---------   d-----w   C:\Program Files\Microsoft.NET
                2007-09-06 21:14   1,086,952   ----a-w   C:\WINDOWS\system32\zpeng24.dll
                2007-09-06 10:09   801,144   ----a-w   C:\WINDOWS\system32\aswBoot.exe
                2007-09-06 10:00   95,608   ----a-w   C:\WINDOWS\system32\AVASTSS.scr
                2007-09-06 04:22   289,144   ----a-w   C:\WINDOWS\system32\VCCLSID.exe
                .

                (((((((((((((((((((((((((((((   snapshot@2007-11-23_ 7.26.26.69   )))))))))))))))))))))))))))))))))))))))))
                .
                + 2007-11-24 20:23:19   45,056   ----a-w   C:\WINDOWS\BDOSCAN8\avxdisk.dll
                + 2007-11-24 20:23:20   10,240   ----a-w   C:\WINDOWS\BDOSCAN8\avxs.dll
                + 2007-11-24 20:23:20   27,136   ----a-w   C:\WINDOWS\BDOSCAN8\avxt.dll
                + 2007-11-24 20:23:25   181,760   ----a-w   C:\WINDOWS\BDOSCAN8\bdcore.dll
                + 2007-10-25 15:26:48   118,784   ----a-w   C:\WINDOWS\BDOSCAN8\bdupd.dll
                + 2007-10-25 15:26:48   53,248   ----a-w   C:\WINDOWS\BDOSCAN8\ipsupd.dll
                + 2007-11-24 20:23:26   142,848   ----a-w   C:\WINDOWS\BDOSCAN8\libfn.dll
                + 2007-11-24 20:23:21   86,016   ----a-w   C:\WINDOWS\BDOSCAN8\librtvr.dll
                + 2007-10-25 15:26:48   118,784   ----a-w   C:\WINDOWS\Downloaded Program Files\bdupd.dll
                + 2007-10-25 15:26:48   53,248   ----a-w   C:\WINDOWS\Downloaded Program Files\ipsupd.dll
                + 2007-11-25 05:04:27   16,384   ----atw   C:\WINDOWS\Temp\Perflib_Perfdata_b8.dat
                .
                (((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
                .
                .
                *Note* empty entries & legit default entries are not shown

                [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2002-08-29 02:41]
                "PhotoShow Deluxe Media Manager"="C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe" [2004-11-11 20:50]
                "Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-06-07 13:08]
                "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
                "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-11-19 21:38]

                [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
                "NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 09:50]
                "zzzHPSETUP"="H:\Setup.exe" []
                "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24]
                "avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 05:06]
                "YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2007-06-08 09:59]
                "CanonSolutionMenu"="C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe" [2007-05-14 20:01]
                "SSBkgdUpdate"="C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" [2006-10-25 08:03]
                "OpwareSE4"="C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe" [2007-02-04 11:02]
                "WrtMon.exe"="C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe" [2006-09-20 07:35]
                "MimBoot"="C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe" [2006-01-19 11:06]
                "ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14]

                C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
                Acrobat Assistant.lnk - C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe [2007-07-07 16:14:23]
                Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-07-08 14:19:36]
                Corel MEDIA FOLDERS INDEXER 8.LNK - C:\Corel\Graphics8\Programs\MFIndexer.exe [2007-11-12 18:24:28]
                Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 00:01:04]

                [hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
                "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 12:55 77824]

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
                C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL 2007-11-19 21:38 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL

                [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]

                R3 cwrwdm;SoundFusion(tm) WDM Driver;C:\WINDOWS\System32\DRIVERS\cwrwdm.sys

                .
                **************************************************************************

                catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
                Rootkit scan 2007-11-25 00:05:06
                Windows 5.1.2600 Service Pack 1 NTFS

                scanning hidden processes ...

                scanning hidden autostart entries ...

                scanning hidden files ...

                scan completed successfully
                hidden files: 0

                **************************************************************************
                .
                Completion time: 2007-11-25  0:06:33 - machine was rebooted
                C:\ComboFix2.txt ... 2007-11-24 15:04
                C:\ComboFix3.txt ... 2007-11-23 07:27
                .
                   --- E O F ---

                stomper

                  Topic Starter


                  Rookie
                  Re: I've received many trojan warnings!
                  « Reply #38 on: November 24, 2007, 10:17:31 PM »
                  Here's the HJT log:

                  Logfile of Trend Micro HijackThis v2.0.2
                  Scan saved at 12:08:21 AM, on 11/25/2007
                  Platform: Windows XP SP1 (WinNT 5.01.2600)
                  MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
                  Boot mode: Normal

                  Running processes:
                  C:\WINDOWS\System32\smss.exe
                  C:\WINDOWS\system32\winlogon.exe
                  C:\WINDOWS\system32\services.exe
                  C:\WINDOWS\system32\lsass.exe
                  C:\WINDOWS\system32\svchost.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Ahead\InCD\InCDsrv.exe
                  C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                  C:\WINDOWS\Explorer.EXE
                  C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                  C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                  C:\Program Files\Alwil Software\Avast4\ashServ.exe
                  C:\WINDOWS\system32\spoolsv.exe
                  C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                  C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                  C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
                  C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                  C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                  C:\Program Files\Messenger\msmsgs.exe
                  C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                  C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                  C:\Corel\Graphics8\Programs\MFIndexer.exe
                  C:\WINDOWS\system32\srvany.exe
                  C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
                  C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
                  C:\WINDOWS\system32\resetservice.exe
                  C:\WINDOWS\System32\svchost.exe
                  C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
                  C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
                  C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                  C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                  C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                  R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                  R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                  R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
                  R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                  O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                  O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                  O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                  O4 - HKLM\..\Run: [zzzHPSETUP] H:\Setup.exe
                  O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                  O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                  O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                  O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
                  O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
                  O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
                  O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                  O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
                  O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
                  O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                  O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                  O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
                  O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                  O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                  O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                  O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                  O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
                  O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                  O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                  O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                  O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                  O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                  O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                  O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
                  O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                  O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
                  O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
                  O20 - Winlogon Notify: vtuutro - C:\WINDOWS\
                  O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                  O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                  O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                  O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                  O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                  O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                  O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
                  O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

                  --
                  End of file - 6517 bytes

                  evilfantasy

                  • Malware Removal Specialist
                  • Moderator


                  Re: I've received many trojan warnings!
                  « Reply #39 on: November 24, 2007, 10:40:33 PM »
                  Open HijackThis and "Do a system scan only"

                  Place a check mark next to:

                  O20 - Winlogon Notify: vtuutro - C:\WINDOWS\

                  Close all windows and click "Fix checked"


                  Now download The Avenger By Swandog46, and save it to your Desktop.

                  * Extract avenger.exe from the Zip file and save it to your desktop
                  * Run avenger.exe by double-clicking on it.
                  * Check the Input script manually box.
                  * Click on the Magnifying Glass Icon which will open a new window titled View/edit script
                  * Copy everything in the Quote box below, and paste it in the box that opens:

                  Quote
                  Files to delete:
                  C:\WINDOWS\system32\vtuutro.dll

                  Registry keys to delete:
                  [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro]

                  Note: the above quote was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system

                  * Now click the 'Done' button.
                  * Click on the Green Light and OK the prompt.
                  * You will be prompted to restart; click OK at the prompt and your PC should reboot. If not, reboot it yourself.
                  * A log file from Avenger will be produced at C:\avenger.txt

                  The Avenger will automatically do the following:

                  * It will Restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
                  * On reboot, it will briefly open a black command window on your desktop; this is normal.
                  * After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt
                  * The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

                  Please attach the C:\avenger.txt in your next post.

                  Next post
                  avenger.txt
                  New hijackthis log


                  stomper

                    Topic Starter


                    Rookie
                    Re: I've received many trojan warnings!
                    « Reply #40 on: November 25, 2007, 05:16:31 AM »
                    Here's the Avenger log:

                    Logfile of The Avenger version 1, by Swandog46
                    Running from registry key:
                    \Registry\Machine\System\CurrentControlSet\Services\tuqfagop

                    *******************

                    Script file located at: \??\C:\whvmqpys.txt
                    Script file opened successfully.

                    Script file read successfully

                    Backups directory opened successfully at C:\Avenger

                    *******************

                    Beginning to process script file:



                    File C:\WINDOWS\system32\vtuutro.dll not found!
                    Deletion of file C:\WINDOWS\system32\vtuutro.dll failed!

                    Could not process line:
                    C:\WINDOWS\system32\vtuutro.dll
                    Status: 0xc0000034



                    Could not open registry key [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro] for deletion
                    Deletion of registry key [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtuutro] failed!
                    Status: 0xc000003b


                    Completed script processing.

                    *******************

                    Finished!  Terminate.

                    stomper

                      Topic Starter


                      Rookie
                      Re: I've received many trojan warnings!
                      « Reply #41 on: November 25, 2007, 05:17:11 AM »
                      Here's the HJT log:

                      Logfile of Trend Micro HijackThis v2.0.2
                      Scan saved at 7:14:45 AM, on 11/25/2007
                      Platform: Windows XP SP1 (WinNT 5.01.2600)
                      MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
                      Boot mode: Normal

                      Running processes:
                      C:\WINDOWS\System32\smss.exe
                      C:\WINDOWS\system32\winlogon.exe
                      C:\WINDOWS\system32\services.exe
                      C:\WINDOWS\system32\lsass.exe
                      C:\WINDOWS\system32\svchost.exe
                      C:\WINDOWS\System32\svchost.exe
                      C:\Program Files\Ahead\InCD\InCDsrv.exe
                      C:\WINDOWS\system32\ZoneLabs\vsmon.exe
                      C:\WINDOWS\Explorer.EXE
                      C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                      C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                      C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe
                      C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                      C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
                      C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                      C:\Program Files\Messenger\msmsgs.exe
                      C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                      C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                      C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                      C:\Corel\Graphics8\Programs\MFIndexer.exe
                      C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtProc.exe
                      C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                      C:\PROGRA~1\MUSICM~1\MUSICM~1\MMDiag.exe
                      C:\Program Files\Alwil Software\Avast4\ashServ.exe
                      C:\Program Files\Musicmatch\Musicmatch Jukebox\mim.exe
                      C:\WINDOWS\system32\notepad.exe
                      C:\WINDOWS\system32\spoolsv.exe
                      C:\WINDOWS\system32\srvany.exe
                      C:\WINDOWS\system32\resetservice.exe
                      C:\WINDOWS\System32\svchost.exe
                      C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                      C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                      C:\Program Files\Mozilla Firefox\firefox.exe
                      C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

                      R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr8/*http://www.yahoo.com
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
                      R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr8/*http://www.yahoo.com
                      R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
                      R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                      O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
                      O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
                      O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
                      O4 - HKLM\..\Run: [zzzHPSETUP] H:\Setup.exe
                      O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
                      O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
                      O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
                      O4 - HKLM\..\Run: [CanonSolutionMenu] C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon
                      O4 - HKLM\..\Run: [SSBkgdUpdate] "C:\Program Files\Common Files\Scansoft Shared\SSBkgdUpdate\SSBkgdupdate.exe" -Embedding -boot
                      O4 - HKLM\..\Run: [OpwareSE4] "C:\Program Files\ScanSoft\OmniPageSE4\OpwareSE4.exe"
                      O4 - HKLM\..\Run: [WrtMon.exe] C:\WINDOWS\System32\spool\drivers\w32x86\3\WrtMon.exe
                      O4 - HKLM\..\Run: [MimBoot] C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe
                      O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
                      O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
                      O4 - HKCU\..\Run: [PhotoShow Deluxe Media Manager] C:\PROGRA~1\Ahead\NEROPH~1\data\Xtras\mssysmgr.exe
                      O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
                      O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
                      O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 5.0\Distillr\AcroTray.exe
                      O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
                      O4 - Global Startup: Corel MEDIA FOLDERS INDEXER 8.LNK = C:\Corel\Graphics8\Programs\MFIndexer.exe
                      O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
                      O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
                      O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                      O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
                      O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
                      O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
                      O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
                      O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/buxus/docs/OnlineScanner.cab
                      O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
                      O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
                      O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
                      O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
                      O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
                      O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
                      O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
                      O23 - Service: InCD Helper (read only) (InCDsrvR) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
                      O23 - Service: Reset 5 - Unknown owner - C:\WINDOWS\system32\srvany.exe
                      O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

                      --
                      End of file - 6403 bytes

                      stomper

                        Topic Starter


                        Rookie
                        Re: I've received many trojan warnings!
                        « Reply #42 on: November 25, 2007, 07:47:51 AM »
                        Just realized today that my cd burner and my external USB DVD burner are no longer recognized.  :'(

                        evilfantasy

                        • Malware Removal Specialist
                        • Moderator


                        Re: I've received many trojan warnings!
                        « Reply #43 on: November 25, 2007, 10:57:51 AM »
                        Just realized today that my cd burner and my external USB DVD burner are no longer recognized.  :'(

                        Can you re-install the drivers?

                        ====

                        Well the entry finally went away.

                        Uninstall/delete The Avenger and go to C:\avenger.txt and delete that whole folder.

                        Go to Start > Run and copy and paste next command in the field:

                        ComboFix /u

                        Make sure there's a space between Combofix and /
                        Then hit Enter.

                        This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

                        Hopefully it will stay gone this time.

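                        As an added example (not part of this thread, and not HijackThis or Avenger code), here is a small Python helper that does two things a helper like evilfantasy does by eye: it triages O20 Winlogon Notify lines in a HijackThis log, flagging the kind of entry asked to be fixed in Reply #39 (a notify package whose target is a bare directory such as C:\WINDOWS\ rather than a DLL, or whose name is a random-looking run of letters), and it diffs a "before" and "after" log so the disappearance noted in Reply #43 can be confirmed mechanically. The sample logs, the KNOWN_NOTIFY_DLLS list and the name heuristic are constructed assumptions for this example; they mirror the shape of the entries in the thread but are not taken from any real machine.

```python
"""Flag suspect HijackThis O20 (Winlogon Notify) entries and diff two HJT logs.

Added example for this thread; not HijackThis or Avenger code. The sample
logs below are constructed to mirror the shape of the entries discussed.
"""
import ntpath
import re
from typing import List, NamedTuple, Tuple

# Constructed "before" log: mirrors the O20 vtuutro line from the thread.
BEFORE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O20 - Winlogon Notify: vtuutro - C:\WINDOWS\
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Constructed "after" log: same machine once the O20 entry is gone.
AFTER_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.DLL
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# HijackThis v2 item lines look like "O20 - <body>" or "R1 - <body>".
HJT_LINE = re.compile(r"^(?P<section>[A-Z]\d+) - (?P<body>.*)$")


class Entry(NamedTuple):
    section: str   # e.g. "O4", "O20", "O23"
    body: str      # everything after "O20 - "


class Finding(NamedTuple):
    name: str
    path: str
    reason: str


def parse_hjt(text: str) -> List[Entry]:
    """Parse the R*/O* item lines of a HijackThis log; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = HJT_LINE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("section"), m.group("body")))
    return entries


# Notify DLLs belonging to security software installed on the machine in this
# thread. Assumption: the analyst maintains this list per machine.
KNOWN_NOTIFY_DLLS = {"saswinlo.dll"}


def suspicious_winlogon_notify(entries: List[Entry]) -> List[Finding]:
    """Heuristic triage of O20 Winlogon Notify entries.

    Winlogon Notify packages are DLLs loaded by winlogon.exe at logon, which
    makes them a persistence location worth checking. Two cheap signals:
      1. the target is a directory or not a .dll at all (the vtuutro line
         pointed at C:\\WINDOWS\\ with no file name);
      2. the package name is a run of lowercase letters with no vendor prefix
         and the DLL is not on the known list (heuristic, assumed here).
    """
    findings = []
    for e in entries:
        if e.section != "O20" or not e.body.startswith("Winlogon Notify: "):
            continue
        rest = e.body[len("Winlogon Notify: "):]
        name, _, path = rest.rpartition(" - ")
        base = ntpath.basename(path)          # "" when the path ends in a backslash
        if base == "" or ntpath.splitext(base)[1].lower() != ".dll":
            findings.append(Finding(name, path, "target is not a DLL file"))
        elif base.lower() not in KNOWN_NOTIFY_DLLS and re.fullmatch(r"[a-z]{6,}", name):
            findings.append(Finding(name, path, "unrecognised random-looking package name"))
    return findings


def diff_logs(before: str, after: str) -> Tuple[List[str], List[str]]:
    """Return (removed, added) item lines between two HJT logs, in log order."""
    b = [f"{e.section} - {e.body}" for e in parse_hjt(before)]
    a = [f"{e.section} - {e.body}" for e in parse_hjt(after)]
    removed = [line for line in b if line not in set(a)]
    added = [line for line in a if line not in set(b)]
    return removed, added


if __name__ == "__main__":
    for f in suspicious_winlogon_notify(parse_hjt(BEFORE_LOG)):
        print(f"SUSPECT O20 {f.name!r} -> {f.path}: {f.reason}")
    removed, added = diff_logs(BEFORE_LOG, AFTER_LOG)
    print("removed:", removed)
    print("added:", added)
```

                        Run against the constructed logs, the "before" scan yields exactly one finding (vtuutro, target not a DLL) and the diff reports that O20 line as removed with nothing added, which is the mechanical form of "the entry finally went away". Against a real log, paste the full HijackThis output into BEFORE_LOG and AFTER_LOG; the parser ignores the header, process list and footer lines.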
                        stomper

                          Topic Starter


                          Rookie
                          Re: I've received many trojan warnings!
                          « Reply #44 on: November 25, 2007, 01:15:08 PM »
                          Thanks for all your help.

                          As for my drivers, I haven't been successful. I uninstalled the hardware and reinstalled it. Windows recognized that new hardware had been installed. However, the driver is still corrupt. I tried to update the driver, but was told that it is the current driver.