HJT log - My problem still exist


KiLiCatLet

Dear all,


I realised my computer and my internet are acting strange lately: a lot of websites cannot be loaded, or load very slowly, using IE or FF2. So I did a scan using AVG and Avast. Avast shows that I am infected with something called Win32.VunDrop[drp], while AVG says I am clean. I tried cleaning it with Avast but it keeps coming back. I followed the instructions posted here http://www.techist.com/forums/f51/spyware-removal-guide-osiris-165828/ and this is the HJT log after I followed those instructions. I am not sure if it's been cleaned, since Avast does not always pick it up right away, but my internet is still not working.

Many thanks, sorry for my bad English
KiLiCatLet


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:19:33 AM, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\HighJacjThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: (no name) - {86211BB5-DC72-44D1-8207-0CEA3CD825AD} - C:\WINDOWS\system32\bitsprx.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257} - (no file)
O2 - BHO: (no name) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - (no file)
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKLM\..\Run: [BM335e9ca1] Rundll32.exe "C:\WINDOWS\system32\vvdcswdy.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &U妏蚚馨譙儂狟婥甜彶紲 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\QQ2005En\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\QQ2005En\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\QQ2005En\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\QQ2005En\AddToNetDisk.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: QQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ2005Beta2\QQ.EXE (file missing)
O9 - Extra 'Tools' menuitem: AE°TQQ - {c95fe080-8f5d-11d2-a20b-00aa003c157b} - C:\Program Files\QQ2005Beta2\QQ.EXE (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: (no name) - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra 'Tools' menuitem: QQiA2E1??sIoEeOA - {DEDEB80D-FA35-45d9-9460-4983E5A8AFE6} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 7562 bytes



StartupList report, 14/06/2008, 2:20:40 AM
StartupList version: 1.52.2
Started from : C:\Program Files\HighJacjThis\HijackThis.EXE
Detected: Windows XP SP2 (WinNT 5.01.2600)
Detected: Internet Explorer v6.00 SP2 (6.00.2900.2180)
* Using default options
==================================================

Running processes:

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.EXE
C:\WINDOWS\msagent\AgentSvr.exe
C:\Program Files\HighJacjThis\HijackThis.exe

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINDOWS\system32\userinit.exe,

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

avast! = C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
NvCplDaemon = RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
!AVG Anti-Spyware = "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
TrojanScanner = C:\Program Files\Trojan Remover\Trjscan.exe
BM335e9ca1 = Rundll32.exe "C:\WINDOWS\system32\vvdcswdy.dll",s

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe

--------------------------------------------------

Shell & screensaver key from C:\WINDOWS\SYSTEM.INI:

Shell=*INI section not found*
SCRNSAVE.EXE=*INI section not found*
drivers=*INI section not found*

Shell & screensaver key from Registry:

Shell=Explorer.exe
SCRNSAVE.EXE=*Registry value not found*
drivers=*Registry value not found*

Policies Shell key:

HKCU\..\Policies: Shell=*Registry value not found*
HKLM\..\Policies: Shell=*Registry value not found*

--------------------------------------------------


Enumerating Browser Helper Objects:

(no name) - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}
flashget urlcatch - C:\Program Files\FlashGet\jccatch.dll - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7}
(no name) - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43}
(no name) - (no file) - {7E853D72-626A-48EC-A868-BA8D5E23E045}
NetXfer - C:\Program Files\Xi\NetXfer\NXIEHelper.dll - {83B80A9C-D91A-4F22-8DCF-EA7204039F79}
(no name) - C:\WINDOWS\system32\bitsprx.dll - {86211BB5-DC72-44D1-8207-0CEA3CD825AD}
(no name) - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll - {9030D464-4C02-4ABF-8ECC-5164760863C6}
(no name) - (no file) - {BD3C6F7C-6C8D-48F6-AC52-5E4071AEB257}
(no name) - (no file) - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0}
(no name) - C:\Program Files\FlashGet\getflash.dll - {F156768E-81EF-470C-9057-481BA8380DBA}

--------------------------------------------------

Enumerating Task Scheduler jobs:

GlaryInitialize.job

--------------------------------------------------

Enumerating Download Program Files:

[QuickTime Object]
InProcServer32 = C:\Program Files\QuickTime\QTPlugin.ocx
CODEBASE = http://www.apple.com/qtactivex/qtplugin.cab

[DivXBrowserPlugin Object]
InProcServer32 = C:\Program Files\DivX\DivX Web Player\npdivx32.dll
CODEBASE = http://go.divx.com/plugin/DivXBrowserPlugin.cab

[Shockwave Flash Object]
InProcServer32 = C:\WINDOWS\system32\Macromed\Flash\Flash9b.ocx
CODEBASE = http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab

[{DF780F87-FF2B-4DF8-92D0-73DB16A1543A}]
CODEBASE = http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab

--------------------------------------------------

Enumerating ShellServiceObjectDelayLoad items:

PostBootReminder: C:\WINDOWS\system32\SHELL32.dll
CDBurn: C:\WINDOWS\system32\SHELL32.dll
WebCheck: C:\WINDOWS\System32\webcheck.dll
SysTray: C:\WINDOWS\System32\stobject.dll
WPDShServiceObj: C:\WINDOWS\system32\WPDShServiceObj.dll

--------------------------------------------------
End of report, 5,649 bytes
Report generated in 0.031 seconds

Command line options:
/verbose - to add additional info on each section
/complete - to include empty sections and unsuspicious data
/full - to include several rarely-important sections
/force9x - to include Win9x-only startups even if running on WinNT
/forcent - to include WinNT-only startups even if running on Win9x
/forceall - to include all Win9x and WinNT startups, regardless of platform
/history - to list version history only
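The HijackThis log above is plain text with one entry per line, so a helper can pre-screen it before a human looks. The following is an added example written for this thread, not something KiLiCatLet or the HijackThis project published: it parses O2/O3 (BHO and toolbar) and O4 (Run key) lines and flags the patterns that matter in this log, namely orphaned entries with "(no file)", unnamed BHOs living in system32, a Run key named BM######## (the shape the Vundo loader takes in this log) and rundll32 loading a DLL with a random-looking eight-letter name. The two name heuristics are assumptions chosen for this example, and the sample lines are a constructed subset in the same format as the posted log.

```python
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v2 line format (a subset of the shapes seen
# in the posted log, not the full log).
SAMPLE_HJT = """\
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {86211BB5-DC72-44D1-8207-0CEA3CD825AD} - C:\\WINDOWS\\system32\\bitsprx.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O4 - HKLM\\..\\Run: [avast!] C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [BM335e9ca1] Rundll32.exe "C:\\WINDOWS\\system32\\vvdcswdy.dll",s
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
"""


@dataclass
class Finding:
    line_no: int
    entry: str      # section tag: "O2", "O3" or "O4"
    item: str       # CLSID for O2/O3, Run value name for O4
    severity: str   # "high", "medium" or "low"
    reason: str


# O2 - BHO: <name> - {CLSID} - <path>   /   O3 - Toolbar: <name> - {CLSID} - <path>
BHO_RE = re.compile(
    r"^O(?P<sec>[23]) - (?:BHO|Toolbar): (?P<name>.*?) - "
    r"(?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$")
# O4 - <hive>\..\<Run key>: [<value name>] <command>
RUN_RE = re.compile(
    r"^O4 - (?P<hive>HK[^:]*?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Assumed heuristic: a Run value named BM + 8 hex digits, as in this log's
# [BM335e9ca1] entry, is treated as the Vundo loader and rated high.
BM_KEY_RE = re.compile(r"^BM[0-9a-f]{8}$")
# Assumed heuristic: rundll32 loading a DLL whose base name is eight lowercase
# letters (vvdcswdy.dll in the log) is rated medium as a random-looking name.
RUNDLL_RE = re.compile(r"rundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+\.dll)", re.IGNORECASE)
RANDOM_NAME_RE = re.compile(r"^[a-z]{8}\.dll$")


def triage(log_text: str) -> list[Finding]:
    """Return the suspicious O2/O3/O4 entries of a HijackThis log, in log order."""
    findings: list[Finding] = []
    for no, raw in enumerate(log_text.splitlines(), 1):
        line = raw.strip()
        m = BHO_RE.match(line)
        if m:
            sec, name, clsid, path = "O" + m["sec"], m["name"], m["clsid"], m["path"]
            if path == "(no file)":
                # Registered but the DLL is gone: leftover, low risk, safe to remove.
                findings.append(Finding(no, sec, clsid, "low", "orphaned entry: file missing"))
            elif name == "(no name)" and "\\system32\\" in path.lower():
                # Legitimate BHOs almost always carry a name and live under Program Files.
                findings.append(Finding(no, sec, clsid, "high",
                                        f"unnamed {sec} component in system32: {path}"))
            continue
        m = RUN_RE.match(line)
        if m:
            name, cmd = m["name"], m["cmd"]
            if BM_KEY_RE.match(name):
                findings.append(Finding(no, "O4", name, "high",
                                        "BM######## Run key (Vundo loader pattern in this log)"))
                continue
            d = RUNDLL_RE.search(cmd)
            if d:
                base = d["dll"].rsplit("\\", 1)[-1]
                if RANDOM_NAME_RE.match(base):
                    findings.append(Finding(no, "O4", name, "medium",
                                            f"rundll32 loads random-looking DLL {base}"))
    return findings


def worst_severity(findings: list[Finding]) -> str:
    """Overall rating for a log: the highest severity among its findings."""
    order = {"low": 1, "medium": 2, "high": 3}
    return max((f.severity for f in findings), key=order.get, default="none")


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"line {f.line_no:>2} {f.entry} {f.severity:<6} {f.item}: {f.reason}")
    print("overall:", worst_severity(triage(SAMPLE_HJT)))
```

On the constructed sample the script reports the two "(no file)" leftovers as low, the unnamed bitsprx.dll BHO and the BM335e9ca1 Run key as high, and leaves avast!, NvCplDaemon and ctfmon alone. A list like this is a review aid for whoever reads the log, not a verdict: everything rated here still needs a human to confirm before anything is fixed.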
 
Hello KiLiCatLet and welcome to tech forums,

Your computer has an infection named Vundo. Don't worry about the English, and if you really need to write in your native tongue please feel free to do so, but please tell me what language it is so I can convert it to English :)

Download ComboFix from Here or Here to your Desktop.
Read first: "How to download and use ComboFix"
If you downloaded ComboFix previously, delete that version and download it again as the tool is frequently updated!
  • Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
    Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.
  • Be sure to re-enable your anti-virus and other security programs after ComboFix has finished.
Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Extra-Note: Please, DO NOT use ComboFix on your own. It is a very powerful tool designed to deal with sophisticated infections and if something goes wrong or you use it incorrectly, you could possibly lose the use of your computer. It is ONLY meant to be used under the direct supervision of a malware removal specialist. Please read Combofix's Disclaimer
 
Dear techpro5238,

My browser cannot load the Microsoft support page for downloading the Win XP Recovery Console. Should I continue running ComboFix?

KiLiCatLet
 
Here are the ComboFix log and HJT log.

EDIT: I think the issue is solved =D Thanks a lot

ComboFix 08-06-12.2 - Candy 2008-06-14 14:13:14.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.604 [GMT 10:00]
Running from: C:\Downloads\!anti-virus\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Documents\My Music\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\My Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Music\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\000A2A5B\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sample Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\00086EB1\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Music\Sync Playlists\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Pictures\Sample Pictures\Desktop_.ini
C:\Documents and Settings\All Users\Documents\My Videos\Desktop_.ini
C:\WINDOWS\BM335e9ca1.xml
C:\WINDOWS\pskt.ini
C:\WINDOWS\setup.exe
C:\WINDOWS\system32\bitsprx.dll
C:\WINDOWS\system32\trmsmfcv.dll
C:\WINDOWS\system32\vvdcswdy.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-14 to 2008-06-14 )))))))))))))))))))))))))))))))
.

2008-06-14 13:39 . 2008-06-14 13:39 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\AdobeUM
2008-06-14 02:17 . 2008-06-14 02:20 <DIR> d-------- C:\Program Files\HighJacjThis
2008-06-14 02:17 . 2007-06-28 14:36 401,720 --a------ C:\HijackThis.exe
2008-06-14 02:08 . 2008-06-14 02:14 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-14 02:06 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-14 02:06 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-14 02:06 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-14 02:06 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-14 02:06 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-14 02:05 . 2008-06-14 02:08 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-14 02:05 . 2008-06-14 02:05 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\Simply Super Software
2008-06-14 02:05 . 2008-06-14 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-14 01:19 . 2008-06-14 01:19 <DIR> d-------- C:\VundoFix Backups
2008-06-14 01:05 . 2008-06-14 01:14 1,492 --a------ C:\WINDOWS\system32\tmp.reg
2008-06-14 00:48 . 2008-06-14 00:48 <DIR> d-------- C:\Program Files\CleanUp!
2008-06-14 00:48 . 2008-06-14 00:48 <DIR> d-------- C:\Program Files\CCleaner
2008-06-14 00:47 . 2008-06-14 00:47 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2008-06-13 23:55 . 2008-06-13 23:56 1,483,977 --ahs---- C:\WINDOWS\system32\gswwybpc.ini
2008-06-13 22:41 . 2008-06-13 22:41 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\GlarySoft
2008-06-13 22:33 . 2008-06-13 22:33 <DIR> d-------- C:\Program Files\Glary Utilities
2008-06-13 17:43 . 2008-06-13 18:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-13 17:35 . 2008-06-13 23:00 <DIR> d-------- C:\Documents and Settings\Candy\.housecall6.6
2008-06-12 23:53 . 2008-06-13 23:55 1,661,687 --ahs---- C:\WINDOWS\system32\jcwldwxn.ini
2008-06-12 23:52 . 2008-01-16 21:42 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-06-12 23:42 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-06-12 14:51 . 2008-06-13 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 14:50 . 2008-06-12 14:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-12 11:50 . 2008-06-12 12:59 1,630,501 --ahs---- C:\WINDOWS\system32\dksilssl.ini
2008-06-12 11:49 . 2008-06-12 11:49 321,536 --a------ C:\WINDOWS\system32\awtRihFY.dll.vir
2008-06-07 22:04 . 2008-06-07 22:04 <DIR> d-------- C:\Program Files\NextLink
2008-05-23 08:07 . 2008-05-23 08:07 <DIR> d-------- C:\Program Files\NamiRobot
2008-05-23 00:16 . 2008-05-23 00:16 516 --a------ C:\WINDOWS\NSSHAFT.INI
2008-05-23 00:15 . 2008-05-23 00:15 616 --a------ C:\WINDOWS\nstower.ini
2008-05-21 22:22 . 2008-05-21 22:22 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-05-21 22:22 . 2008-05-21 22:22 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-05-21 21:52 . 2008-05-21 21:53 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-13 13:00 --------- d-----w C:\Program Files\Real Alternative
2008-06-13 13:00 --------- d-----w C:\Program Files\QQ2005Beta2
2008-06-13 13:00 --------- d-----w C:\Program Files\Photoshop CS2
2008-06-13 13:00 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-06-13 13:00 --------- d-----w C:\Program Files\FlashGet
2008-06-13 13:00 --------- d-----w C:\Program Files\eMule
2008-06-13 13:00 --------- d-----w C:\Program Files\DivX
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Azureus
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Ahead
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-12 13:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 05:00 --------- d-----w C:\Program Files\Lavasoft
2008-06-11 16:23 --------- d-----w C:\Documents and Settings\Candy\Application Data\U3
2008-05-03 02:33 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-29 01:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 01:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 01:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-16 12:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 12:39 69,568 -c--a-w C:\Documents and Settings\Candy\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 09:19 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-30 14:18 6731312]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.X264"= x264vfw.dll
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM335e9ca1]
C:\WINDOWS\system32\vvdcswdy.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15789:TCP"= 15789:TCP:BitComet 15789 TCP
"15789:UDP"= 15789:UDP:BitComet 15789 UDP
"23829:TCP"= 23829:TCP:BitComet 23829 TCP
"23829:UDP"= 23829:UDP:BitComet 23829 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:TCP"= 6881:TCP:Azureus
"22288:TCP"= 22288:TCP:Azureus

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 09:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 09:16]
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 15:07]
S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [2005-11-02 12:23]
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-06-15 12:28]
S3 PciCon;PciCon;E:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2ce9ea-f5a6-11da-ac33-00138f60d5f8}]
\Shell\Auto\command - Windir.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windir.exe

*Newly Created Service* - CATCHME

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-14 03:24:59 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-14 14:15:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...


**************************************************************************
.
Completion time: 2008-06-14 14:18:56
ComboFix-quarantined-files.txt 2008-06-14 04:17:53

Pre-Run: 5,291,888,640 bytes free
Post-Run: 5,274,927,104 bytes free


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:21:20 PM, on 14/06/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\System32\cisvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\conime.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\HighJacjThis\HijackThis.exe

O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: flashget urlcatch - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\Program Files\FlashGet\jccatch.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: NetXfer - {83B80A9C-D91A-4F22-8DCF-EA7204039F79} - C:\Program Files\Xi\NetXfer\NXIEHelper.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: FlashGet GetFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\Program Files\FlashGet\getflash.dll
O3 - Toolbar: (no name) - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - (no file)
O3 - Toolbar: NetXfer - {C16CBAAC-A75C-4DB5-A0DD-CDF5CAFCDD3A} - C:\Program Files\Xi\NetXfer\NXToolBar.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [TrojanScanner] C:\Program Files\Trojan Remover\Trjscan.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\System32\CTFMON.EXE (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Download All with FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: &Download with FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: &U妏蚚馨譙儂狟婥甜彶紲 - C:\Program Files\NamiRobot\Data\du.html
O8 - Extra context menu item: Add to QQ Customized Panel - C:\Program Files\QQ2005En\AddPanel.htm
O8 - Extra context menu item: Add to QQ Emotions - C:\Program Files\QQ2005En\AddEmotion.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Send picture by MMS - C:\Program Files\QQ2005En\SendMMS.htm
O8 - Extra context menu item: Upload to QQ Network Hard Disk - C:\Program Files\QQ2005En\AddToNetDisk.htm
O8 - Extra context menu item: 新增到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 新增到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 添加到QQ自定義面板 - C:\Program Files\QQ2005Beta2\AddPanel.htm
O8 - Extra context menu item: 添加到QQ表情 - C:\Program Files\QQ2005Beta2\AddEmotion.htm
O8 - Extra context menu item: 用QQ MMS傳送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O8 - Extra context menu item: 用QQ彩信發送該圖片 - C:\Program Files\QQ2005Beta2\SendMMS.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra 'Tools' menuitem: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\Program Files\FlashGet\FlashGet.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://zone.msn.com/bingame/dim2/default/popcaploader_v6.cab
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: BlueSoleil Hid Service - Unknown owner - C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6716 bytes
 
Step1 | ComboFix CFScript

1. Please open Notepad
  • Click Start, then Run
  • Type "notepad.exe" in the Run Box.
2. Now copy/paste the entire content of the codebox below into the Notepad window:
Code:
KillAll::

Look::
C:\WINDOWS\system32\drivers\UMDF

File::
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\gswwybpc.ini
C:\WINDOWS\system32\jcwldwxn.ini
C:\WINDOWS\system32\dksilssl.ini
C:\WINDOWS\system32\awtRihFY.dll.vir
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\x264vfw.dll
C:\WINDOWS\system32\vvdcswdy.dll

Folder::
C:\Program Files\HighJacjThis
C:\Documents and Settings\All Users\Application Data\TEMP
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM335e9ca1]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.X264"=-
3. Then in Notepad go to FILE => SAVE AS and, in the SAVE AS TYPE dropdown box, select ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

CFScript.gif


6. After the reboot (in case it asks to reboot), please post the following reports/logs in your next reply

Step2 | MBAM Malware Scan

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process; if asked to restart the computer, please do so immediately.

Step3 | Jotti Malware Scan

Jotti File Submission:
  • Please go to Jotti's malware scan
  • Copy and paste the following file path into the "File to upload & scan" box at the top of the page:
    • C:\Program Files\QQ2005Beta2\QQ.EXE
  • Click on the submit button
  • Please post the results in your next reply.

Logs Required In Next Post
-------------------------------

ComboFix CFScript Log
MBAM Malware Scan Log
Jotti Malware Scan Log
 
Dear techpro5238

The ComboFix and MBAM logs are attached.
The Jotti Malware Scan returned "The file you uploaded is 0 bytes. It is very likely a firewall or a piece of malware is prohibiting you from uploading this file".
When I look into that QQ2005Beta2 folder, there's no program called QQ.EXE. From memory it is an instant messenger program my friend installed ages ago; I am pretty sure I uninstalled it a long time ago. But it seems there's a bunch of residue files in that folder.

KiLiCatLet


ComboFix 08-06-12.2 - Candy 2008-06-16 11:15:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.950.886.1033.18.691 [GMT 10:00]
Running from: C:\Downloads\!anti-virus\ComboFix.exe
Command switches used :: C:\Downloads\!anti-virus\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\system32\awtRihFY.dll.vir
C:\WINDOWS\system32\dksilssl.ini
C:\WINDOWS\system32\gswwybpc.ini
C:\WINDOWS\system32\jcwldwxn.ini
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\vvdcswdy.dll
C:\WINDOWS\system32\x264vfw.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\TEMP
C:\Program Files\HighJacjThis
C:\Program Files\HighJacjThis\HijackThis.exe
C:\Program Files\HighJacjThis\startuplist.txt
C:\VundoFix Backups
C:\WINDOWS\system32\awtRihFY.dll.vir
C:\WINDOWS\system32\dksilssl.ini
C:\WINDOWS\system32\gswwybpc.ini
C:\WINDOWS\system32\jcwldwxn.ini
C:\WINDOWS\system32\tmp.reg
C:\WINDOWS\system32\x264vfw.dll

.
((((((((((((((((((((((((( Files Created from 2008-05-16 to 2008-06-16 )))))))))))))))))))))))))))))))
.

2008-06-14 13:39 . 2008-06-14 13:39 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\AdobeUM
2008-06-14 02:17 . 2007-06-28 14:36 401,720 --a------ C:\HijackThis.exe
2008-06-14 02:06 . 2006-05-25 15:52 162,304 --a------ C:\WINDOWS\system32\ztvunrar36.dll
2008-06-14 02:06 . 2003-02-02 20:06 153,088 --a------ C:\WINDOWS\system32\UNRAR3.dll
2008-06-14 02:06 . 2005-08-26 01:50 77,312 --a------ C:\WINDOWS\system32\ztvunace26.dll
2008-06-14 02:06 . 2002-03-06 01:00 75,264 --a------ C:\WINDOWS\system32\unacev2.dll
2008-06-14 02:06 . 2006-06-19 13:01 69,632 --a------ C:\WINDOWS\system32\ztvcabinet.dll
2008-06-14 02:05 . 2008-06-14 02:08 <DIR> d-------- C:\Program Files\Trojan Remover
2008-06-14 02:05 . 2008-06-14 02:05 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\Simply Super Software
2008-06-14 02:05 . 2008-06-14 02:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Simply Super Software
2008-06-14 00:48 . 2008-06-14 00:48 <DIR> d-------- C:\Program Files\CleanUp!
2008-06-14 00:48 . 2008-06-14 00:48 <DIR> d-------- C:\Program Files\CCleaner
2008-06-14 00:47 . 2008-06-14 00:47 <DIR> d-------- C:\Program Files\MSConfig CleanUp
2008-06-13 22:41 . 2008-06-13 22:41 <DIR> d-------- C:\Documents and Settings\Candy\Application Data\GlarySoft
2008-06-13 22:33 . 2008-06-13 22:33 <DIR> d-------- C:\Program Files\Glary Utilities
2008-06-13 17:43 . 2008-06-13 18:24 102,664 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-06-13 17:35 . 2008-06-13 23:00 <DIR> d-------- C:\Documents and Settings\Candy\.housecall6.6
2008-06-12 23:52 . 2008-01-16 21:42 44,544 --a------ C:\WINDOWS\system32\msxml4a.dll
2008-06-12 23:42 . 1998-06-18 00:00 89,360 --a------ C:\WINDOWS\system32\VB5DB.DLL
2008-06-12 14:51 . 2008-06-13 23:00 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-12 14:50 . 2008-06-12 14:50 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 22:04 . 2008-06-07 22:04 <DIR> d-------- C:\Program Files\NextLink
2008-05-23 08:07 . 2008-05-23 08:07 <DIR> d-------- C:\Program Files\NamiRobot
2008-05-23 00:16 . 2008-05-23 00:16 516 --a------ C:\WINDOWS\NSSHAFT.INI
2008-05-23 00:15 . 2008-05-23 00:15 616 --a------ C:\WINDOWS\nstower.ini
2008-05-21 22:22 . 2008-05-21 22:22 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2008-05-21 22:22 . 2008-05-21 22:22 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2008-05-21 21:52 . 2008-05-21 21:53 <DIR> d-------- C:\WINDOWS\system32\drivers\UMDF
2008-05-16 11:58 . 2008-05-16 11:58 12,632 --a------ C:\WINDOWS\system32\lsdelete.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-14 12:20 --------- d-----w C:\Program Files\eMule
2008-06-14 10:01 --------- d-----w C:\Program Files\FlashGet
2008-06-13 13:00 --------- d-----w C:\Program Files\Real Alternative
2008-06-13 13:00 --------- d-----w C:\Program Files\QQ2005Beta2
2008-06-13 13:00 --------- d-----w C:\Program Files\Photoshop CS2
2008-06-13 13:00 --------- d-----w C:\Program Files\Messenger Plus! Live
2008-06-13 13:00 --------- d-----w C:\Program Files\DivX
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Azureus
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\Candy\Application Data\Ahead
2008-06-13 13:00 --------- d-----w C:\Documents and Settings\All Users\Application Data\Symantec
2008-06-12 13:46 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-12 05:00 --------- d-----w C:\Program Files\Lavasoft
2008-06-11 16:23 --------- d-----w C:\Documents and Settings\Candy\Application Data\U3
2008-05-03 02:33 --------- d-----w C:\Program Files\NCH Swift Sound
2008-04-29 01:20 15,648 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-04-29 01:19 15,648 ----a-w C:\WINDOWS\system32\drivers\Awrtrd.sys
2008-04-29 01:19 12,960 ----a-w C:\WINDOWS\system32\drivers\Awrtpd.sys
2008-04-16 12:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-03-31 12:39 69,568 -c--a-w C:\Documents and Settings\Candy\Application Data\GDIPFONTCACHEV1.DAT
.

------- Sigcheck -------

2002-08-29 01:58 332928 244a2f9816bc9b593957281ef577d976 C:\WINDOWS\$NtServicePackUninstall$\tcpip.sys
2004-08-03 23:14 359040 9f4b36614a0fc234525ba224957de55c C:\WINDOWS\ServicePackFiles\i386\tcpip.sys
2004-08-03 23:14 359040 6a603809f598332dbedd535bdbce313e C:\WINDOWS\system32\drivers\tcpip.sys
.
((((((((((((((((((((((((((((( snapshot@2008-06-14_14.17.42.50 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-14 03:24:38 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 01:19:33 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-16 01:19:38 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_67c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-19 13:26 7700480]
"TrojanScanner"="C:\Program Files\Trojan Remover\Trjscan.exe" [2008-06-03 20:33 878672]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\System32\CTFMON.EXE" [2004-08-04 00:56 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2004-08-04 00:56 53760 C:\WINDOWS\system32\narrator.exe]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"StartMenuLogOff"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.YV12"= yv12vfw.dll
"msacm.l3fhg"= mp3fhg.acm
"VIDC.HFYU"= huffyuv.dll
"vidc.i263"= i263_32.drv
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 00:56 15360 C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-04-19 13:26 7700480 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Messenger\\msmsgs.exe"=
"C:\\WINDOWS\\PCHEALTH\\HELPCTR\\Binaries\\helpctr.exe"=
"C:\\Program Files\\IVT Corporation\\BlueSoleil\\BlueSoleil.exe"=
"C:\\Program Files\\FlashGet\\flashget.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15789:TCP"= 15789:TCP:BitComet 15789 TCP
"15789:UDP"= 15789:UDP:BitComet 15789 UDP
"23829:TCP"= 23829:TCP:BitComet 23829 TCP
"23829:UDP"= 23829:UDP:BitComet 23829 UDP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:TCP"= 6881:TCP:Azureus
"22288:TCP"= 22288:TCP:Azureus

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-16 09:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-16 09:16]
S3 glauiad;D-Link DSL-302G Modem;C:\WINDOWS\system32\DRIVERS\glauiad.sys [2003-03-07 15:07]
S3 NOWMEMDF;NOWMEMDF;C:\WINDOWS\system32\NOWMEMDF.sys [2005-11-02 12:23]
S3 pacdcacm;pacdcacm;C:\WINDOWS\system32\DRIVERS\pacdcacm.sys [2005-06-15 12:28]
S3 PciCon;PciCon;E:\PciCon.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2ce9ea-f5a6-11da-ac33-00138f60d5f8}]
\Shell\Auto\command - Windir.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windir.exe


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{18B0E5C2-99CB-11CF-AYX5-00401C648513}]
C:\RECYCLER\S-1-5-21-1482476501-1644491937-682003330-1013\iuhi64.exe
.
Contents of the 'Scheduled Tasks' folder
"2008-06-16 01:19:42 C:\WINDOWS\Tasks\GlaryInitialize.job"
- C:\Program Files\Glary Utilities\initialize.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-16 11:20:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\conime.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe
C:\WINDOWS\system32\nvsvc32.exe
.
**************************************************************************
.
Completion time: 2008-06-16 11:26:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-16 01:26:51
ComboFix2.txt 2008-06-14 04:18:57

Pre-Run: 3,954,176,000 bytes free
Post-Run: 3,936,628,736 bytes free

188

Malwarebytes' Anti-Malware 1.17
Database version: 858

11:36:36 AM 16/06/2008
mbam-log-6-16-2008 (11-36-36).txt

Scan type: Quick Scan
Objects scanned: 36407
Time elapsed: 3 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 9
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\{df780f87-ff2b-4df8-92d0-73db16a1543a} (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6f553c18-15e6-4e5e-8f44-add50de754ed} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a22b8fd2-4caa-4efb-82f7-680cd656d9b0} (Adware.CWS) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\popcaploader.popcaploaderctrl2.1 (Adware.PopCap) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\nowstarter.nowstarterctrl.2 (Adware.CWS) -> Quarantined and deleted successfully.

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Program Files\NextLink\GOGOBOX\GNowStarter.ocx (Adware.CWS) -> Quarantined and deleted successfully.
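As an added defender-side example (not part of this thread, of ComboFix or of the helper's instructions), here is a small Python script that parses the "Reg Loading Points" section of a ComboFix log like the one above and flags the entries worth a second look: Security Center notifications switched off, the Windows Firewall disabled with ports opened globally (3389/TCP is Remote Desktop), and AutoRun commands on removable-drive mount points that name a bare executable. The log excerpt inside it is constructed from this thread's entries; the severity labels are this example's own.

```python
"""Audit the 'Reg Loading Points' section of a ComboFix log for weak settings."""
import re

# Constructed sample excerpt, modelled on the registry section of the posted log.
SAMPLE_LOG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"FirewallOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"15789:TCP"= 15789:TCP:BitComet 15789 TCP
"3389:TCP"= 3389:TCP:@xpsp2res.dll,-22009
"6881:TCP"= 6881:TCP:Azureus

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\G]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{ae2ce9ea-f5a6-11da-ac33-00138f60d5f8}]
\Shell\Auto\command - Windir.exe
\Shell\AutoRun\command - C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL Windir.exe
"""

SECTION_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"\s*=\s*(.*)$')          # "Name"= value
AUTORUN_RE = re.compile(r"^\\Shell\\(\w+)\\command\s+-\s+(.*)$")  # \Shell\AutoRun\command - cmd


def parse_sections(log_text):
    """Return {lower-cased key path: [(name_or_verb, value_or_command), ...]}."""
    sections, current = {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1).lower()
            sections[current] = []
            continue
        if current is None or not line:
            continue
        m = VALUE_RE.match(line) or AUTORUN_RE.match(line)
        if m:
            sections[current].append((m.group(1), m.group(2).strip()))
    return sections


def bare_executables(command):
    """Tokens that name an executable with no drive letter or directory (resolved by search path)."""
    return [t for t in command.split()
            if t.lower().endswith((".exe", ".com", ".bat")) and "\\" not in t and ":" not in t]


def audit(log_text):
    """Return a list of (severity, message) findings for the weak settings described above."""
    findings = []
    for key, values in parse_sections(log_text).items():
        if key.endswith("security center"):
            for name, value in values:
                if (name.endswith("DisableNotify") or name == "FirewallOverride") and value.endswith("1"):
                    findings.append(("high", f"Security Center {name} set: the user will not be warned"))
        elif key.endswith("firewallpolicy\\standardprofile"):
            for name, value in values:
                if name == "EnableFirewall" and value.startswith("0"):
                    findings.append(("high", "Windows Firewall disabled for the standard profile"))
        elif key.endswith("globallyopenports\\list"):
            for name, _ in values:
                port, proto = name.split(":")
                if (port, proto) == ("3389", "TCP"):
                    findings.append(("high", "Remote Desktop (3389/TCP) opened to all networks"))
                else:
                    findings.append(("info", f"Port {port}/{proto} opened globally"))
        elif "\\explorer\\mountpoints2\\" in key:
            for verb, command in values:
                for exe in bare_executables(command):
                    findings.append(("high", f"AutoRun '{verb}' runs bare filename {exe} from a removable drive"))
                if not bare_executables(command):
                    findings.append(("info", f"AutoRun '{verb}' -> {command}"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```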
 
Your logs are looking better but I would like these final scans to be done.

Step1 | Kaspersky WebScanner

Please do an online scan with Kaspersky WebScanner

Click on Accept

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files:
  • Once the files have been downloaded click on NEXT
  • Now click on Scan Settings
  • In the scan settings make sure that the following are selected:
    • Scan using the following Anti-Virus database:
    • Extended (if available otherwise Standard)
    • Scan Options:
    • Scan Archives
      Scan Mail Bases
  • Click OK
  • Now under select a target to scan:
    • Select My Computer
  • The program will start and scan your system.
  • The scan will take a while so be patient and let it run.
  • Once the scan is complete it will display if your system has been infected.
    • Now click on the Save as Text button:
  • Save the file to your desktop.
  • Copy and paste that information in your next post.

Step2 | MWav Virus Scan

I need you to download MWav to a convenient location.

This scan might take around 3+ hours to finish when set to scan everything.
I need you to run MWav by double-clicking on mwav.exe.
Put a check next to the below items before scanning:
  • Memory
  • Startup Folders
  • Drive - All Local Drives
  • Folder - then click "browse" to change the directory to C: (default is C:\Windows)
  • Registry
  • System Folders
  • Services
  • Include Sub-Directory
  • Scan All Files
Please make sure ALL of these are checked, then press the Scan button. This typically will take hours to complete.

**NOTE*** Sometimes MWav will pause and it appears to be finished, but it isn't done. Just let it run until it says it's complete.

On the bottom portion of the window, you will see the lower panel where MWav is listing "infected items". When it's done scanning, please highlight everything in that lower panel and copy them by holding CTRL + C then paste it here. The whole log will be extremely BIG so there is no way to post the log. I just need the infected items list.

Logs Required In Next Post
--------------------------------

Kaspersky Log
MWav Scan Log
 
Dear techpro5238,
The Kaspersky scan log is attached. I cannot download MWav; it returns "Error: The system cannot find the file specified."

KiLiCatLet


KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, June 17, 2008
Operating System: Microsoft Windows XP Professional Service Pack 2 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, June 17, 2008 01:43:35
Records in database: 875514
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
E:\
Z:\
Scan statistics
Files scanned 68528
Threat name 3
Infected objects 4
Suspicious objects 0
Duration of the scan 00:59:16

File name Threat name Threats count
C:\Downloads\!anti-virus\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\Downloads\!anti-virus\SmitfraudFix.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f 1
C:\QooBox\Quarantine\C\WINDOWS\system32\bitsprx.dll.vir Infected: Rootkit.Win32.Podnuha.gg 1
C:\QooBox\Quarantine\C\WINDOWS\system32\trmsmfcv.dll.vir Infected: Trojan.Win32.Monder.nb 1
The selected area was scanned.
 
Do these final steps and you're all clean :)

I now need you to uninstall ComboFix. To do so please go to Start => Run, and copy/paste the following text in quotes:

"combofix /u"

ComboFix will flash and then state that it has been uninstalled. It will remove the tools and archive folders we used while fixing your computer, leaving it cleaner.

-----------------------------------

Please download ATF Cleaner by Atribune.
This program is for XP and Windows 2000 only

  • Double-click ATF-Cleaner.exe to run the program.
    Under Main choose: Select All
    Click the Empty Selected button.
If you use Firefox browser
  • Click Firefox at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use Opera browser
  • Click Opera at the top and choose: Select All
    Click the Empty Selected button.
    NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
 