I Need A Fast Answer Quick Please !

HELP !!!! I THINK I HAVE SOME BAD VIRUS :( !!!


My explorer.exe just crashes by itself. I didn't do anything when it occurred; just like that, explorer.exe crashed. I tried to create a new task: explorer.exe, but it didn't help. Can you please help me fast, or at least tell me how to back up my files, so that if I need to format local disk C: then I have my files backed up! This is urgent.


Comments

  • Hi,


    A very difficult situation. Have you tried to see if you can go to safe mode preferably with networking?


    Have you had the recent Vundo variant that creates a lot of junk files (P*.tmp)?


    If you can, I can assist you in removing the Vundo, or at least free the explorer; then you decide on the next step.


    To get into the Windows XP Safe mode:


    As the Computer is booting, start tapping the "F8 key" before WinXP starts loading, which should bring up the "Windows Advanced Options Menu".


    Use your arrow keys to move to "Safe Mode with Networking" and press your Enter key.

  • Dear TotalErik,


    To see what crashed explorer.exe: once you are in safe mode, press the Windows key together with R, type eventvwr and press Enter, open the Application log and look for errors logged at the time that you had this issue, more specifically Application Error. Double-click these entries and post what module caused the crash in explorer, if you see it; that is normally written after "module". If that still fails, please put in your Windows installation CD-ROM, press the Windows key together with R, type cmd and press Enter, and after that type sfc /scannow and press Enter.


    Best regards


    Niels

    The reason I asked if you are infected with the recent Vundo is that it creates a lot of junk files which sometimes overload the system. Besides, it tends to make a copy of running processes that then interferes with the legit processes. Every reboot creates more and more trouble. You may know it if you have some of the following:


    * a common symptom is getting pop-ups and error warnings.


    * your Internet privacy is lowered, and gets lowered after every reboot,


    * you may see a lot of P*.tmp files, usually on the root of the C drive or in the My Documents folder


    * in some cases when you open the Task Manager you see more processes running than usual; some processes which usually have one entry have two entries, one is a .exe, the other . exe (note the space in between); in some cases you may even see . exe. exe.


    * BD detects Vundo, removes or blocks them, but they come back again.


    * in some cases some icons appear on the desktop (Help and Support Center, Windows Update, etc.),


    * in some cases there is a red X on the C drive


    So if your system is not infected, follow the suggestion made by Niels. Otherwise it may be just a temporary solution, which is also good because it opens up the way to the next step. In case you are infected, the shortcut is removing the infection and at the end running the sfc /scannow command. If you opted for disinfection, let me know.
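    As an added example (mine, not code from the thread or from BitDefender), the following Python script turns two of the symptoms in the list above into checks a defender can run over data they already have: a process list containing the ". exe" and ". exe. exe" lookalikes Farbar describes, and a root-of-C: directory listing containing P*.tmp files. Both sample inputs are constructed, not taken from the poster's machine; the script only reports what matches the patterns, and a human still decides what the matches mean.

```python
import re
from typing import Dict, List

# Constructed sample inputs (invented for this example, not from the thread):
# a Task Manager-style process list and a root-of-C: directory listing,
# built to contain the symptoms described in the post above.
SAMPLE_PROCESSES = [
    "svchost.exe", "svchost.exe", "svchost.exe", "svchost.exe", "svchost.exe",
    "explorer.exe", "explorer. exe",        # a real entry and its spaced lookalike
    "winlogon.exe", "winlogon. exe. exe",   # the ". exe. exe" form mentioned above
    "bdagent.exe", "taskmgr.exe",
]
SAMPLE_ROOT_LISTING = [
    "boot.ini", "ntldr", "pagefile.sys", "Program Files",
    "P1A3F.tmp", "PC02B.tmp", "p9e1.tmp", "readme.txt", "setup.tmp",
]


def normalize(name: str) -> str:
    """Lower-case and drop all whitespace so 'explorer. exe' compares as 'explorer.exe'."""
    return re.sub(r"\s+", "", name.lower())


def lookalike_processes(names: List[str]) -> Dict[str, str]:
    """Return {suspect_name: reason} for entries that mimic another process name.

    Two checks, both taken from the symptom list:
      * whitespace inside the name (". exe"), which displays like a real process;
      * a doubled .exe extension (". exe. exe") once whitespace is removed.
    Several identical svchost.exe entries are normal and are not reported.
    """
    # Names without whitespace are the baseline the lookalikes are compared against.
    clean = {normalize(n) for n in names if not re.search(r"\s", n)}
    findings: Dict[str, str] = {}
    for n in names:
        norm = normalize(n)
        if norm.count(".exe") > 1:
            findings[n] = "doubled .exe extension"
        elif re.search(r"\s", n):
            target = norm if norm in clean else "unknown"
            findings[n] = f"whitespace inside name, mimics {target}"
    return findings


def junk_tmp_files(listing: List[str]) -> List[str]:
    """Return the P*.tmp names (case-insensitive) from a directory listing, sorted."""
    return sorted(
        n for n in listing
        if n.lower().startswith("p") and n.lower().endswith(".tmp")
    )


def symptom_report(processes: List[str], listing: List[str]) -> Dict[str, object]:
    """Bundle both checks so a caller gets one structure to inspect or log."""
    return {
        "lookalike_processes": lookalike_processes(processes),
        "junk_tmp_files": junk_tmp_files(listing),
    }


if __name__ == "__main__":
    report = symptom_report(SAMPLE_PROCESSES, SAMPLE_ROOT_LISTING)
    for name, reason in report["lookalike_processes"].items():
        print(f"suspect process {name!r}: {reason}")
    print("P*.tmp files:", ", ".join(report["junk_tmp_files"]) or "none")
```

    A hit from either check is a reason to collect a fuller log (as the thread goes on to do with HijackThis), not a verdict on its own: legitimate installers also leave .tmp files, and a single whitespace hit can be a display artifact.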

  • Well, I've been noticing unusual processes, yes. Like, is it normal to have 5 svchost.exe's running? If yes, then what about unusually huge CPU usage? It's like 55% most of the time (before it was like 2% in the normal state).


    Oh, and I'm in normal mode at the moment, but I run programs with Task Manager.

  • Ok, I'll try it and I'll post the news as soon as I can ;) !

  • TotalBalance
    edited February 2008

    I didn't find exactly any logs for explorer.exe, but I did find something like this: Source: Winlogon, Description: The shell stopped unexpectedly and Explorer.exe was restarted. I hope this means anything to you, though it does not for me :) And there were a lot of such logs in the Event Viewer.

  • TotalBalance
    edited February 2008

    Farbar ,


    There was this one virus, Trojan.Vundo.DVS, but they said that it might just be a configuration file used by the Vundo virus. But as they said, if the file reappears then I'm infected with Vundo, but no, it hasn't reappeared.

  • Frankly, when I saw your post I thought you were in trouble, not able to stay in normal mode.


    Ok, if you are in normal mode and you don't recognize those symptoms, it is good news. Having 5 svchost.exe or more is normal. It looks like you are not infected by Vundo. But the 55% CPU is not normal. If you want to be sure, post a HijackThis log in your reply. I can tell you if you are infected.


    Then we can see what happened and why the winlogon shell stopped. The main question is if this is a system malfunction or a malware.


    So I suggest you do this:


    You can download a Trend Micro Hijackthis installer from here:


    http://www.trendsecure.com/portal/en-US/to...ckthis/download


    Install it, run it and click Do a system scan and save a logfile.


    Please copy and paste the content of the logfile into your next reply.


    Can you please check which process is having a high CPU usage.

  • OK, NOW I HAVE SOME VUNDOS ALERTS !!! Bitdefender found 2 vundos : Trojan.Vundo.DWB and Trojan.Vundo.DZK .


    And I must add that the BitDefender file zone scanner is, as always, GREEN (I know it means that it's scanning some stuff). Is it possible to scan with BitDefender in safe mode too? (And I'm gonna reply to you with the HijackThis logs soon.)

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 23:18:25, on 22.02.2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\Program Files\Winamp\winampa.exe


    C:\Program Files\DAP\DAP.EXE


    C:\Program Files\Softwin\BitDefender10\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\WINDOWS\system32\cisvc.exe


    C:\WINDOWS\sttray.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\uTorrent\uTorrent.exe


    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\system32\taskmgr.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\WINDOWS\system32\cidaemon.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com


    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll


    O2 - BHO: (no name) - {239F0C96-9D01-4146-B90F-3F52B7E39B04} - C:\WINDOWS\system32\ddaba.dll


    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll


    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xloydjio.dll


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll


    O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll


    O2 - BHO: {7bd4294f-7957-fe78-89c4-962ed07afaab} - {baafa70d-e269-4c98-87ef-7597f4924db7} - C:\WINDOWS\system32\nldnpbpf.dll


    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll


    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll


    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"


    O4 - HKLM\..\Run: [DownloadAccelerator] "C:\Program Files\DAP\DAP.EXE" /STARTUP


    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe


    O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\wsvbgbxv.dll",b


    O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe


    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background


    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [uTorrent] "C:\Program Files\uTorrent\uTorrent.exe"


    O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


    O4 - Global Startup: Reboot.exe


    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm


    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm


    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm


    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm


    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796


    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab


    O20 - Winlogon Notify: ljjkhed - C:\WINDOWS\SYSTEM32\ljjkhed.dll


    O20 - Winlogon Notify: xloydjio - C:\WINDOWS\SYSTEM32\xloydjio.dll


    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 8375 bytes

  • Chesda
    edited February 2008

    Please send these files in a zip folder, with the password "infected", in your next reply.


    C:\WINDOWS\system32\xloydjio.dll


    C:\WINDOWS\system32\ljjkhed.dll


    C:\WINDOWS\system32\wsvbgbxv.dll

  • Now I am sure you have Vundo. But there is no time to do it tonight. I'll come back tomorrow.

  • I forgot to put INFECTED as the password. Is it bad?

  • I got this error today :


    Important - Potential Errors found in the system.


    During a scan of files at system startup , potential errors in the system registry were found.


    p-07-0100 irwl: 1f SYSVER 0xff00024


    NT_Kernel error 1256


    KMODE_EXCEPTION_NOT_HANDLED.


    Ok, I hope this ain't something real bad :/

  • It is the recent Vundo variant.

  • is there a removal tool for that Vundo ?


    Or any way to get rid of it ?

  • Chesda
    edited February 2008

    TotalErik,


    Yes there is a Vundo Removal Tool (VundoFix), download here: http://www.majorgeeks.com/download4954.html


    Please download VundoFix.exe to your desktop.

    1. Double-click VundoFix.exe to run it.
    2. When VundoFix re-opens, click the Scan for Vundo button.
    3. Once it's done scanning, click the Remove Vundo button.
    4. You will receive a prompt asking if you want to remove the files; click YES.
    5. Once you click yes, your desktop will go blank as it starts removing Vundo.
    6. When completed, it will prompt that it will reboot your computer; click OK.

    Best of luck

  • erm... it says


    Error 404!


    /download4954.html/url


    File Not Found!

  • Chesda
    edited February 2008

    TotalErik,


    Try downloading at a different mirror location. If this does not work either, please download VundoFix here: http://www.atribune.org/ccount/click.php?id=4

  • Hi,


    I am now looking at your log. I can assist you in removing the malware. It is not just Vundo; it is a multiple infection. If you want me to help you step by step in removing the malware, post back. In that case I want you to follow the steps I am going to give you and fix nothing on your own or on the suggestions of others. I am waiting for your reply.

  • Well, I think I got the Vundo fixed, but if you think I have something more than I think, then yes, of course I want you to help me remove the malware. But I can't at the moment because I have to go away for like 6 hours or something like that :) .


    AND I WANT TO THANK YOU ALL WHO WAS HELPING ME WITH THIS VUNDO THING !!!!!!!

  • I had some happiness tears in my eyes when i fixed the vundo :) because i thought that i have to format local disk C . :) I love ya'll at bitdefender and other guys :) . Thank you again :)

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 12:15:28, on 23.02.2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\cisvc.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\Program Files\Winamp\winampa.exe


    C:\Program Files\Softwin\BitDefender10\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\WINDOWS\sttray.exe


    C:\Program Files\Windows Live\Messenger\msnmsgr.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\WINDOWS\system32\cidaemon.exe


    C:\Documents and Settings\Kodu\Desktop\VundoFix.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\Program Files\Softwin\BitDefender10\bdlite.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com


    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll


    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll


    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"


    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe


    O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\hcujscof.dll",b


    O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe


    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background


    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


    O4 - Global Startup: Reboot.exe


    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm


    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796


    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab


    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 6563 bytes

  • Chesda
    edited February 2008

    TotalErik


    Your system is not 100% clean yet (sorry to ruin your parade).


    Run HijackThis and do a System Scan Only. Place a check beside each of the following, and fix:


    O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\hcujscof.dll",b


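    The log triage that Farbar (asking for xloydjio.dll, ljjkhed.dll and wsvbgbxv.dll) and Chesda (flagging the O4 [149d6d99] rundll32 entry) do by eye can be written down as a small script. The following Python is an added example, not code from the thread, from HijackThis or from BitDefender; it applies three assumed heuristics to a HijackThis log: O2 BHO entries whose name is "(no name)" or a bare GUID and whose DLL lives in system32, O20 Winlogon Notify entries loading a system32 DLL, and O4 Run entries whose value name is an 8-digit hex string and that start rundll32 on a system32 DLL. The sample input is a constructed subset of the first log posted in this thread, with a few known-good lines kept so the filter has something to leave alone. The output is a list of candidates for a human to review, not proof that a file is malicious.

```python
import re
from typing import Dict, List, Set

# Constructed sample: a subset of the O2/O4/O20/O23 lines from the first
# HijackThis log in this thread, plus a few benign lines the filter must ignore.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {239F0C96-9D01-4146-B90F-3F52B7E39B04} - C:\WINDOWS\system32\ddaba.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\xloydjio.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll
O2 - BHO: {7bd4294f-7957-fe78-89c4-962ed07afaab} - {baafa70d-e269-4c98-87ef-7597f4924db7} - C:\WINDOWS\system32\nldnpbpf.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\wsvbgbxv.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: ljjkhed - C:\WINDOWS\SYSTEM32\ljjkhed.dll
O20 - Winlogon Notify: xloydjio - C:\WINDOWS\SYSTEM32\xloydjio.dll
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

GUID = r"\{[0-9A-Fa-f-]{36}\}"
# Section-specific line shapes, as HijackThis 2.0 prints them.
O2_RE = re.compile(rf"^O2 - BHO: (?P<name>.+?) - (?P<clsid>{GUID}) - (?P<path>.+)$")
O4_RE = re.compile(r"^O4 - (?P<key>.+?): \[(?P<value>[^\]]+)\] (?P<cmd>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# First drive-letter path ending in .dll; stops at a quote or comma (rundll32 "path",export).
DLL_RE = re.compile(r'[A-Za-z]:\\[^",]+\.dll', re.IGNORECASE)


def in_system32(path: str) -> bool:
    return "\\system32\\" in path.lower()


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage_hijackthis(log_text: str) -> Dict[str, List[str]]:
    """Return {section: [flagged lines]} for the three assumed heuristics."""
    flagged: Dict[str, List[str]] = {"O2": [], "O4": [], "O20": []}
    for line in log_text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            # A BHO with no readable name (or a GUID as its name) in system32.
            anonymous = m["name"] == "(no name)" or re.fullmatch(GUID, m["name"]) is not None
            if anonymous and in_system32(m["path"]):
                flagged["O2"].append(line)
            continue
        m = O4_RE.match(line)
        if m:
            # Run value named by 8 hex digits, starting rundll32 on a DLL.
            value, cmd = m["value"], m["cmd"]
            if re.fullmatch(r"[0-9a-f]{8}", value) and "rundll32" in cmd.lower() and DLL_RE.search(cmd):
                flagged["O4"].append(line)
            continue
        m = O20_RE.match(line)
        if m and in_system32(m["path"]):
            # Winlogon Notify DLLs run inside winlogon; any such entry is worth a look.
            flagged["O20"].append(line)
    return flagged


def suspicious_dlls(log_text: str) -> Set[str]:
    """Collapse the flagged lines to the set of DLL file names they reference."""
    names: Set[str] = set()
    for lines in triage_hijackthis(log_text).values():
        for line in lines:
            m = DLL_RE.search(line)
            if m:
                names.add(basename(m.group(0)))
    return names


if __name__ == "__main__":
    for section, lines in triage_hijackthis(SAMPLE_LOG).items():
        for line in lines:
            print(f"[{section}] {line}")
    print("DLLs to review:", ", ".join(sorted(suspicious_dlls(SAMPLE_LOG))))
```

    On the constructed sample the script names the three DLLs Farbar asked for plus ddaba.dll and nldnpbpf.dll, which the second log shows gone after VundoFix ran. The result is only as good as the log: Farbar's later remark that the infection was partly hiding from HijackThis, and his advice to rename the scanner before re-running it, apply to any script that reads the log just as much as to a person reading it.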

  • I don't want to disappoint you, but you are not clean yet. You don't need to reformat at all.


    So if you are away so long I can't help you today.


    I suggest you do this: Go to the folder where hijackthis.exe resides (C:\Program Files\Trend Micro\HijackThis\HijackThis.exe). Rename hijackthis.exe to something like clear.exe. Double-click clear.exe, make a new log and post it in your reply. For me it is the first step and the shortcut.

  • I am editing the post:


    I don't want to disappoint you, but you are not clean yet. You don't need to reformat at all.


    So if you are away so long I can't help you today.


    The things which are showing on your HJT are not the whole story, because now the infection is hiding itself partially from the log. I suggest you do this: Go to the folder where hijackthis.exe resides (C:\Program Files\Trend Micro\HijackThis\HijackThis.exe). Rename hijackthis.exe to something like clear.exe. Double-click clear.exe, make a new log and post it in your reply. For me it is the first step and the shortcut. I remind you again that I commit myself totally, but I expect it also from you.


    To Chesda: I am sure you have the intention to help and also make good suggestions. But sometimes the case becomes more complicated if different people give conflicting directions. Besides, when somebody with more experience is helping, you can sit back and follow the course, or try to help others who have initiated a topic but don't get any assistance.

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 19:12:22, on 23.02.2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\cisvc.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\Program Files\Softwin\BitDefender10\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\WINDOWS\sttray.exe


    C:\Program Files\Windows Live\Messenger\msnmsgr.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Windows Live\Messenger\usnsvc.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\Program Files\Trend Micro\HijackThis\clear.exe.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com


    R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll


    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll


    O2 - BHO: {350ab0c6-7ea0-fe48-d0a4-4554e43ca473} - {374ac34e-4554-4a0d-84ef-0ae76c0ba053} - C:\WINDOWS\system32\vopfevsb.dll (file missing)


    O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll


    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll


    O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll


    O2 - BHO: (no name) - {C809AB14-C67F-408A-B541-A5A6A7411AD1} - C:\WINDOWS\system32\ddaba.dll (file missing)


    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll


    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll


    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"


    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe


    O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\ocvknxsh.dll",b


    O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background


    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


    O4 - Global Startup: Reboot.exe


    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm


    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796


    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab


    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 7808 bytes

  • TotalBalance
    edited February 2008

    My Documents is full of files named like this: pos1A, pos1A1, pos1F7. What should I do about them? Just delete them? (and local disk C: too)

  • I saw your PM. Yes, I am going to help you, but these are not "leftovers" (as you mention) by any means; these are multiple infections.


    To be frank with you, it looks like either you have panicked or you are in denial. We could have done this the day before yesterday, after my second post, but I couldn't get your attention at the time. Anyway, please follow the steps and give feedback on doing them.


    Please make sure that you can view all hidden files. Instructions on how to do this can be found here:


    Step 1


    Please set your system to show all files.


    Click Start, open My Computer, select the Tools menu and click Folder Options.


    Select the View Tab. Under the Hidden files and folders heading, check Show hidden files and folders.


    Uncheck: Hide file extensions for known file types


    Uncheck: Hide protected operating system files (recommended) option.


    Click Yes to confirm.


    Then click this link--> http://www.virustotal.com/


    When the page has finished loading, click the Browse button and navigate to the following file and click Submit.


    C:\Program Files\Winamp\winampa.exe


    If the file is clean, just report back; if not, please add it to the files in step 2 and copy and paste the scan results in your next post.


    Step 2.


    The virus researchers may want to take a look at some files and if needed add them to BD for future detection.


    Please copy the files in bold.


    Archive them password-protected (using .rar, 7-Zip, etc.).


    The password you use should be "infected".


    Upload them as attachment.


    If they are more than 2 MB you should make more than one archive file/folder.


    If you don't know how, read this topic: Virus Submission.


    C:\WINDOWS\system32\gebcb.dll


    C:\WINDOWS\system32\ljjkhed.dll


    C:\WINDOWS\system32\ocvknxsh.dll


    C:\Program Files\Windows Live\Messenger\msnmsgr.exe


    I'll prepare the next step. I'll see when you finish these and give the next.

  • It takes a lot of time to upload it :S

  • TotalBalance
    edited December 2019


    (attachment: suspected_files.rar.zip) OK, these are the files that farbar wanted me to upload, but I didn't find those files: gebcb.dll and ocvknxsh.dll. I think VundoFix deleted/fixed those files, and winampa.exe isn't infected. (I don't know if the .rar file is password protected, because it has a weird password system, so honestly I don't know if it is password protected :S :D)

  • farbar
    edited December 2019


    TotalErik said:




    (attachment: suspected_files.rar) OK, these are the files that farbar wanted me to upload, but I didn't find those files: gebcb.dll and ocvknxsh.dll. I think VundoFix deleted/fixed those files, and winampa.exe isn't infected. (I don't know if the .rar file is password protected, because it has a weird password system, so honestly I don't know if it is password protected :S :D)



    The file is there on your last log:


    O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll


    I assume you followed the instruction to unhide the files and folders. VundoFix could not have removed it, as it is there after running VundoFix. But let's say you have run VundoFix again or BD removed it. Let's not argue about that.


    Please follow the instructions and make a password-protected file/folder and send the file as an attachment. I have given you a link on how to do it.


    It is important that you are able to follow the instructions in subsequent posts; otherwise we will do more harm than good, and I don't want to take the responsibility for that.


    Please post a fresh HijackThis log, as it may have changed again.

  • Please follow the instructions and make a password-protected file/folder and send the file as an attachment. I have given you a link on how to do it.


    To attach the archive to your reply: when you press Reply, under the reply window press Browse..., show the path to the file on your computer, then press the green UPLOAD button.

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 0:21:01, on 25.02.2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\WINDOWS\Explorer.EXE


    C:\WINDOWS\system32\cisvc.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\Program Files\Winamp\winampa.exe


    C:\Program Files\Softwin\BitDefender10\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\WINDOWS\sttray.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\Program Files\Windows Live\Messenger\usnsvc.exe


    C:\WINDOWS\system32\cidaemon.exe


    C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe


    C:\Program Files\Windows Live\Messenger\msnmsgr.exe


    C:\Program Files\Winamp\winamp.exe


    C:\WINDOWS\system32\rundll32.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Trend Micro\HijackThis\clear.exe.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com


    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: {1ccadf93-521a-e928-e9e4-029f888e9b71} - {17b9e888-f920-4e9e-829e-a12539fdacc1} - C:\WINDOWS\system32\letnllwh.dll


    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll


    O2 - BHO: (no name) - {4633BAF5-9A92-4DD9-9BAE-F705F04E9C87} - C:\WINDOWS\system32\awtqn.dll


    O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll (file missing)


    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll


    O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll


    O2 - BHO: (no name) - {C809AB14-C67F-408A-B541-A5A6A7411AD1} - C:\WINDOWS\system32\ddaba.dll (file missing)


    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll


    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll


    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"


    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe


    O4 - HKLM\..\Run: [Help Creative Meow City] C:\Documents and Settings\All Users\Application Data\aim rect help creative\Wma Aim.exe


    O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\nrihorgw.dll",b


    O4 - HKLM\..\RunOnce: [Execute] C:\WINDOWS\System32\Tools\DelFolders.exe


    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background


    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


    O4 - Global Startup: Reboot.exe


    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm


    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796


    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab


    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 8154 bytes


    Well, this is from a recent HijackThis log. What do you have to say about that?

  • farbar
    edited February 2008
    Well, this is from a recent HijackThis log. What do you have to say about that?


    I don't really know what you want me to say about that. It confirms that you do the steps backwards, as those files are not attached yet.


    But about the log: it confirms that the file named is indeed removed. It also confirms that you are still infected, because Vundo makes a new infected file, and it confirms that the whole Sunday is gone and we are where we were at the beginning, and it doesn't seem we are getting anywhere.


    I am going to sleep now, and tomorrow I am going to be at work the whole day.


    Perhaps the mods or virus researchers can send you a removal tool which is easier for you to use than the tools I am going to suggest.
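The comparison farbar is making between the two logs can be done mechanically. As an added example (not code from the thread or from any poster), this Python script parses the O2 and O4 lines of two HijackThis logs, flags random-looking DLL names under system32, and diffs the registrations so that the pattern described above stands out: the [149d6d99] Run value keeps its name while the DLL it loads is replaced, and the gebcb.dll BHO stays registered but turns into "(file missing)". The sample lines are constructed in the shape of the 23.02 and 25.02 logs above, and the random-name rule is a heuristic of this example, not HijackThis logic.

```python
import re

# Constructed sample lines in the shape of the thread's 23.02 and 25.02 logs:
# only the O2 (BHO) and O4 (autostart) sections matter for this comparison.
LOG_A = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\ocvknxsh.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""
LOG_B = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: {1ccadf93-521a-e928-e9e4-029f888e9b71} - {17b9e888-f920-4e9e-829e-a12539fdacc1} - C:\WINDOWS\system32\letnllwh.dll
O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - C:\WINDOWS\system32\gebcb.dll (file missing)
O2 - BHO: (no name) - {BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C} - C:\WINDOWS\system32\ljjkhed.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Help Creative Meow City] C:\Documents and Settings\All Users\Application Data\aim rect help creative\Wma Aim.exe
O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\nrihorgw.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# O2: "O2 - BHO: <name> - {CLSID} - <path>"; O4: "O4 - <hive\..\Run>: [<value>] <command>"
O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O4_RE = re.compile(r"^O4 - (?P<key>HK[^:]*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$")
# First "<drive>:\...\<stem>.dll" in a path or command line; group 1 = directory, 2 = stem.
DLL_RE = re.compile(r'([A-Za-z]:\\[^"\n,]*?\\)([^\\"\n,]+)\.dll\b', re.I)


def looks_random(stem):
    """Heuristic only (this example's rule): 5-8 lowercase letters, no digits or
    capitals, the shape of the Vundo DLL names in the thread (gebcb, ljjkhed,
    ocvknxsh, nrihorgw). A hit is a lead to confirm by scanning, not a verdict."""
    return re.fullmatch(r"[a-z]{5,8}", stem) is not None


def parse_hjt(text):
    """Return the O2 and O4 entries of a HijackThis log as dicts.
    O2 entries are keyed by CLSID, O4 entries by hive plus value name, so the
    same registration can be matched across two logs even if its file changed."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        m = O2_RE.match(line)
        if m:
            entries.append({"section": "O2", "key": m["clsid"], "name": m["name"],
                            "target": m["path"],
                            "missing": "(file missing)" in m["path"]})
            continue
        m = O4_RE.match(line)
        if m:
            entries.append({"section": "O4", "key": m["key"] + ":" + m["name"],
                            "name": m["name"], "target": m["cmd"], "missing": False})
    return entries


def suspicious(entries):
    """Entries whose target is a random-looking DLL under system32.
    Returns (section, key, dll name, file-missing flag) tuples."""
    hits = []
    for e in entries:
        m = DLL_RE.search(e["target"])
        if m and "\\system32\\" in m.group(1).lower() and looks_random(m.group(2)):
            hits.append((e["section"], e["key"], m.group(2) + ".dll", e["missing"]))
    return hits


def diff_logs(old, new):
    """Compare two parsed logs by registration key.
    'changed' is the pattern farbar points at: the [149d6d99] Run value keeps
    its name while the DLL it loads is replaced, and a BHO whose file was
    removed stays registered and turns into '(file missing)'."""
    o = {e["key"]: e for e in old}
    n = {e["key"]: e for e in new}
    return {
        "added": sorted(k for k in n if k not in o),
        "removed": sorted(k for k in o if k not in n),
        "changed": {k: (o[k]["target"], n[k]["target"])
                    for k in n if k in o and o[k]["target"] != n[k]["target"]},
    }


if __name__ == "__main__":
    old, new = parse_hjt(LOG_A), parse_hjt(LOG_B)
    for hit in suspicious(new):
        print("suspect:", hit)
    report = diff_logs(old, new)
    for key, (before, after) in report["changed"].items():
        print("changed:", key, "|", before, "->", after)
    print("added:", report["added"])
```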

  • I don't really know what you want me to say about that. It confirms that you do the steps backwards, as those files are not attached yet.


    But about the log: it confirms that the file named is indeed removed. It also confirms that you are still infected, because Vundo makes a new infected file, and it confirms that the whole Sunday is gone and we are where we were at the beginning, and it doesn't seem we are getting anywhere.


    I am going to sleep now, and tomorrow I am going to be at work the whole day.


    Perhaps the mods or virus researchers can send you a removal tool which is easier for you to use than the tools I am going to suggest.


    Well, either they don't want my files, because they haven't downloaded any of them, or maybe I just need to post them in the other topic they made: http://forum.bitdefender.com/index.php?showtopic=3409 ??

  • Well, either they don't want my files, because they haven't downloaded any of them, or maybe I just need to post them in the other topic they made: http://forum.bitdefender.com/index.php?showtopic=3409 ??


    You have not attached them as instructed. How could the virus researchers have downloaded something you have not uploaded properly? And maybe they don't want the files, or perhaps they are overloaded with the work they are doing and will attend to those files later on. Even if the files are of no use, it would be nice to do something small in return for somebody who is trying to help you, just because it is asked.


    My stand is this: if you are not able to follow these instructions, in the order they are written, to upload some files, how would you be able to follow the removal instructions I was going to give you? And if you face any difficulty doing the steps you may just ask, not selectively do what you can or what you think you need, ignoring the rest of it.


    So we are still discussing the first step I suggested to you. Don't you think we both have better things to do?

  • TotalBalance
    edited February 2008
    You have not attached them as instructed. How could the virus researchers have downloaded something you have not uploaded properly? And maybe they don't want the files, or perhaps they are overloaded with the work they are doing and will attend to those files later on. Even if the files are of no use, it would be nice to do something small in return for somebody who is trying to help you, just because it is asked.


    My stand is this: if you are not able to follow these instructions, in the order they are written, to upload some files, how would you be able to follow the removal instructions I was going to give you? And if you face any difficulty doing the steps you may just ask, not selectively do what you can or what you think you need, ignoring the rest of it.


    So we are still discussing the first step I suggested to you. Don't you think we both have better things to do?


    Sorry, and I do APPRECIATE everything they do, but I haven't seen the right instructions, so this is a question then: where can I see the uploading instructions? Well, I'm doing the best I can to follow your instructions and I understand you have better things to do, but I just don't like the negative vibe that comes from your replies :) (I just feel that negative attitude in your replies, but that's just me). So, I WILL apologize for any things I have done wrong here, but just don't think I'm not appreciating anything they do here. But I think we should now go on with the removal instructions, not argue about whether or not I appreciate the work they're doing or whether I follow the instructions. Help me farbar, I appreciate your work, and everyone else's! So now that these words are said, I hope you understand me. (Oh, and some people just ain't as smart as others, so do respect me the best way you can, even if I might be a bit light-headed :))

  • To attach the archive to your reply: when you press Reply, under the reply window press Browse..., show the path to the file on your computer, then press the green UPLOAD button.


    Here is the instruction.

  • Sorry, and I do APPRECIATE everything they do, but I haven't seen the right instructions, so this is a question then: where can I see the uploading instructions? Well, I'm doing the best I can to follow your instructions and I understand you have better things to do, but I just don't like the negative vibe that comes from your replies :) (I just feel that negative attitude in your replies, but that's just me). So, I WILL apologize for any things I have done wrong here, but just don't think I'm not appreciating anything they do here. But I think we should now go on with the removal instructions, not argue about whether or not I appreciate the work they're doing or whether I follow the instructions. Help me farbar, I appreciate your work, and everyone else's! So now that these words are said, I hope you understand me. (Oh, and some people just ain't as smart as others, so do respect me the best way you can, even if I might be a bit light-headed :))


    Let's forget all that and just go on with it. But please don't take it negatively. Read every word of the post before doing it. If an instruction is not clear or you find any difficulty, just stop doing that step, post me ASAP and don't go on to the later step.

  • Step 1


    Go to Start - Run - Control Panel - Add/Remove Programs and uninstall uTorrent and any other P2P program. You may reinstall it later on, after my last post.


    Uninstall Windows Live Messenger. You may reinstall it later on, after everything is cleaned, following my last post.


    This one is optional and it is entirely up to you: I recommend not using SweetIM.com as your start page. Your start page should be a totally clean site. Read more about the site and its program here (read also the comments) and decide for yourself: http://www.siteadvisor.com/sites/sweetim.com


    Step 2


    Download ComboFix.exe to your desktop using this link: BleepingComputer.com


    Close any open browsers.


    Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix. After ComboFix is finished, turn on/enable your anti-virus again.


    Double-click on combofix.exe to run the programme and then follow the prompts.


    When finished, it will produce a report for you. Please post the content of this log ("C:\ComboFix.txt") into your next post.


    ComboFix may need to reboot to finish its work. Let it.


    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


    Step 3.


    Post a fresh HijackThis log along with the ComboFix log.

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 15:12:02, on 26.02.2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe


    C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe


    C:\Program Files\Winamp\winampa.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\WINDOWS\sttray.exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\WINDOWS\explorer.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\system32\notepad.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Softwin\BitDefender10\bdmcon.exe


    C:\Program Files\Trend Micro\HijackThis\clear.exe.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll


    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll


    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll


    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll


    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup


    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install


    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"


    O4 - HKLM\..\Run: [sunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"


    O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"


    O4 - HKLM\..\Run: [bDMCon] "C:\Program Files\Softwin\BitDefender10\bdmcon.exe" /reg


    O4 - HKLM\..\Run: [bDAgent] "C:\Program Files\Softwin\BitDefender10\bdagent.exe"


    O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit


    O4 - HKLM\..\Run: [sigmatelSysTrayApp] sttray.exe


    O4 - HKLM\..\Run: [Help Creative Meow City] C:\Documents and Settings\All Users\Application Data\aim rect help creative\Wma Aim.exe


    O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\shiddqay.dll",b


    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background


    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    O4 - HKCU\..\Run: [spybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


    O4 - Global Startup: Reboot.exe


    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm


    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll


    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796


    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab


    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe


    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 7847 bytes

  • ComboFix 08-02-25.3 - Kodu 2008-02-26 15:03:26.1 - NTFSx86


    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1579 [GMT 2:00]


    Running from: C:\Documents and Settings\Kodu\My Documents\ComboFix.exe


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    .


    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    C:\WINDOWS\cookies.ini


    C:\WINDOWS\system32\amvminsu.dll


    C:\WINDOWS\system32\awtqn.dll


    C:\WINDOWS\system32\fsrvnxrg.dll


    C:\WINDOWS\system32\letnllwh.dll


    C:\WINDOWS\system32\ljjkhed.dll


    C:\WINDOWS\system32\nbcgnmfq.ini


    C:\WINDOWS\system32\nqtwa.ini


    C:\WINDOWS\system32\nqtwa.ini2


    .


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    .


    -------\LEGACY_SFSYNC02


    -------\sfsync02


    ((((((((((((((((((((((((( Files Created from 2008-01-26 to 2008-02-26 )))))))))))))))))))))))))))))))


    .


    2008-02-26 01:13 . 2008-02-26 01:18 109 --a------ C:\WINDOWS\wininit.ini


    2008-02-26 00:40 . 2008-02-26 00:40 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy


    2008-02-26 00:40 . 2008-02-26 01:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


    2008-02-26 00:33 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys


    2008-02-26 00:33 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys


    2008-02-26 00:33 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys


    2008-02-26 00:33 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys


    2008-02-26 00:32 . 2008-02-26 00:52 <DIR> d-------- C:\Program Files\Spyware Doctor


    2008-02-26 00:32 . 2008-02-26 00:32 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\PC Tools


    2008-02-25 23:23 . 2008-02-26 01:18 1,260,406 ---hs---- C:\WINDOWS\system32\yaqddihs.ini


    2008-02-25 23:22 . 2008-02-25 23:26 178 --a------ C:\WINDOWS\system32\testscript.tmp


    2008-02-25 23:20 . 2008-02-25 23:20 1,097 --a------ C:\WINDOWS\system32\lpflnieq.dll


    2008-02-25 23:18 . 2008-02-25 23:18 1,097 --a------ C:\WINDOWS\system32\tcqtcmty.dll


    2008-02-24 23:25 . 2008-02-25 13:50 1,253,894 ---hs---- C:\WINDOWS\system32\wgrohirn.ini


    2008-02-24 23:19 . 2008-02-24 23:19 1,097 --a------ C:\WINDOWS\system32\ltdedawq.dll


    2008-02-24 16:58 . 2008-02-24 16:58 <DIR> d-------- C:\Program Files\PremiumSoft


    2008-02-24 16:56 . 2008-02-24 16:56 <DIR> d-------- C:\Program Files\MySQL


    2008-02-23 23:16 . 2008-02-24 23:17 1,253,774 ---hs---- C:\WINDOWS\system32\nsvvnvgp.ini


    2008-02-23 23:16 . 2008-02-23 23:16 1,097 --a------ C:\WINDOWS\system32\yoyinnsd.dll


    2008-02-23 20:20 . 2008-02-23 20:20 <DIR> d-------- C:\Program Files\Junk2Time


    2008-02-23 19:09 . 2008-02-23 19:10 1,253,834 ---hs---- C:\WINDOWS\system32\hsxnkvco.ini


    2008-02-23 19:08 . 2008-02-23 19:08 1,097 --a------ C:\WINDOWS\system32\wpxcmgla.dll


    2008-02-23 12:05 . 2008-02-23 19:08 1,253,774 ---hs---- C:\WINDOWS\system32\focsjuch.ini


    2008-02-23 12:03 . 2008-02-23 12:03 1,097 --a------ C:\WINDOWS\system32\rcfggpys.dll


    2008-02-23 11:46 . 2008-02-25 14:40 <DIR> d-------- C:\VundoFix Backups


    2008-02-23 09:33 . 2008-02-23 09:33 268 --ah----- C:\sqmdata01.sqm


    2008-02-23 09:33 . 2008-02-23 09:33 244 --ah----- C:\sqmnoopt01.sqm


    2008-02-22 23:18 . 2008-02-22 23:18 <DIR> d-------- C:\Program Files\Trend Micro


    2008-02-22 19:15 . 2008-02-22 23:03 1,252,804 --ahs---- C:\WINDOWS\system32\vxbgbvsw.ini


    2008-02-22 16:26 . 2006-02-28 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll


    2008-02-22 16:25 . 2006-02-28 14:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll


    2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\WindowsShell.Manifest


    2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest


    2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest


    2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest


    2008-02-22 16:23 . 2008-02-22 16:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest


    2008-02-21 19:58 . 2008-02-21 19:58 1,097 --a------ C:\WINDOWS\system32\gfurriif.dll


    2008-02-21 18:19 . 2008-02-21 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!


    2008-02-21 18:17 . 2008-02-23 20:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\aim rect help creative


    2008-02-21 18:16 . 2008-02-23 20:19 <DIR> d-------- C:\Program Files\Messenger Plus! Live


    2008-02-21 18:16 . 2008-02-21 18:16 <DIR> d-------- C:\Program Files\Circle Developement


    2008-02-21 18:16 . 2008-02-23 20:24 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\Junk2Time


    2008-02-20 23:11 . 2008-02-26 01:15 <DIR> d-------- C:\Program Files\AdvancedCleaner Free


    2008-02-20 23:11 . 2003-03-19 05:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll


    2008-02-20 20:03 . 2008-02-21 20:04 1,253,501 --ahs---- C:\WINDOWS\system32\dkswuddu.ini


    2008-02-18 23:58 . 2008-02-23 19:35 <DIR> d-------- C:\Program Files\Macrogaming


    2008-02-18 10:12 . 2008-02-18 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles


    2008-02-10 22:26 . 2008-02-10 22:26 <DIR> d-------- C:\mydecal


    2008-02-10 15:42 . 2008-02-10 15:42 0 --a------ C:\WINDOWS\PROTOCOL.INI


    2008-02-10 15:41 . 2008-02-10 15:41 <DIR> d-------- C:\Documents and Settings\Kodu\WINDOWS


    2008-02-10 15:41 . 1998-02-06 21:37 299,520 --a------ C:\WINDOWS\uninst.exe


    2008-02-07 13:54 . 2008-02-07 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia


    2008-02-07 13:38 . 2008-02-07 13:38 <DIR> d-------- C:\Program Files\Sierra


    2008-02-04 07:26 . 2008-02-04 07:26 <DIR> d-------- C:\Program Files\ZhyperMU


    2008-02-02 01:14 . 2008-02-02 01:14 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\InstallShield


    2008-02-01 21:12 . 2008-02-01 21:12 <DIR> d-------- C:\WINDOWS\.jagex_cache_32


    2008-01-30 15:28 . 2008-01-30 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems


    2008-01-30 15:25 . 2008-01-30 15:25 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared


    2008-01-27 16:20 . 2008-01-27 16:20 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\Bitdefender


    2008-01-27 15:48 . 2008-01-27 15:48 <DIR> d-------- C:\Program Files\Ordi


    2008-01-27 15:48 . 2002-08-28 10:45 645,120 --a------ C:\WINDOWS\Ordi.scr


    2008-01-27 15:48 . 2008-01-27 15:48 91 --a------ C:\WINDOWS\Ordi.ini


    2008-01-27 15:48 . 2008-01-27 15:48 62 --a------ C:\WINDOWS\FSaver.ini


    2008-01-27 15:45 . 2008-01-27 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-26 13:07 81,984 ----a-w C:\WINDOWS\system32\bdod.bin


    2008-02-26 13:02 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP


    2008-02-26 12:55 --------- d-----w C:\Documents and Settings\Kodu\Application Data\MegauploadToolbar


    2008-02-25 19:47 --------- d-----w C:\Program Files\LimeWire


    2008-02-25 12:49 --------- d-----w C:\Program Files\World of Warcraft


    2008-02-21 12:11 --------- d-----w C:\Program Files\Windows Live Safety Center


    2008-02-13 16:36 --------- d-----w C:\Program Files\Valve


    2008-02-04 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information


    2008-02-01 23:16 --------- d-----w C:\Program Files\NCSoft


    2008-02-01 23:15 --------- d-----w C:\Program Files\EA GAMES


    2008-01-30 13:26 --------- d-----w C:\Program Files\Common Files\Adobe


    2008-01-27 15:01 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll


    2008-01-27 13:49 69,632 ----a-w C:\WINDOWS\uinst001.exe


    2008-01-27 13:45 --------- d-----w C:\Program Files\Common Files\Softwin


    2008-01-23 19:12 --------- d-----w C:\Program Files\ssClient


    2008-01-18 08:21 --------- d-----w C:\Program Files\Common Files\InstallShield


    2008-01-17 09:20 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment


    2008-01-15 13:07 --------- d-----w C:\Program Files\MegauploadToolbar


    2008-01-15 06:15 --------- d-----w C:\Program Files\FlashGet


    2008-01-08 11:12 --------- d-----w C:\Documents and Settings\Kodu\Application Data\DAEMON Tools


    2008-01-08 10:46 --------- d-----w C:\Program Files\DAEMON Tools Lite


    2008-01-08 10:43 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys


    2008-01-07 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\POPWWPROFILES


    2008-01-07 13:19 --------- d-----w C:\Program Files\Common Files\DirectX


    2008-01-07 02:35 --------- d-----w C:\Documents and Settings\Kodu\Application Data\GetRightToGo


    2008-01-05 23:57 --------- d-----w C:\Program Files\Lizard Interactive Co


    2008-01-05 17:54 --------- d-----w C:\Program Files\Arjaloc


    2008-01-05 12:30 --------- d-----w C:\Program Files\Neffy


    2008-01-04 17:37 --------- d-----w C:\Program Files\Ubisoft


    2008-01-02 13:15 --------- d-----w C:\Program Files\Disc2Phone


    2007-12-31 22:48 --------- d-----w C:\Documents and Settings\Kodu\Application Data\Winamp


    2007-12-31 20:43 --------- d-----w C:\Documents and Settings\Kodu\Application Data\Talkback


    2007-12-31 20:42 --------- d-----w C:\Program Files\Winamp


    2007-12-31 20:18 --------- d-----w C:\Program Files\Google


    2007-12-30 10:46 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll


    2007-12-29 16:20 --------- d-----w C:\Program Files\Radical Games


    2007-12-25 16:22 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll


    2007-12-25 16:00 315,392 ----a-w C:\WINDOWS\HideWin.exe


    2007-12-25 14:34 286,720 ----a-w C:\WINDOWS\iun506.exe


    2005-04-04 09:21 29,998 ----a-w C:\WINDOWS\inf\install.exe


    2005-04-04 09:21 25,119 ----a-w C:\WINDOWS\inf\update.exe


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27E4AB42-936F-4EB3-B357-1CA9D2E3550C}]


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AFC929C-14E6-405F-80B8-76312A32540C}]


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99cfb505-af2d-4ee2-a23c-bdc4dc949c76}]


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BA6C6CB6-676C-4DEA-9BDA-3BC4AB075F7C}]


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C809AB14-C67F-408A-B541-A5A6A7411AD1}]


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [ ]


    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-26 04:32 171448]


    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 15:54 486856]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]


    "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 20:15 103712]


    "SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-04-20 06:05 8429568]


    "nwiz"="nwiz.exe" [2007-04-20 06:05 1626112 C:\WINDOWS\system32\nwiz.exe]


    "Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 19:51 39792]


    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]


    "WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-12-20 17:16 37376]


    "BDMCon"="C:\Program Files\Softwin\BitDefender10\bdmcon.exe" [2008-01-27 16:51 290816]


    "BDAgent"="C:\Program Files\Softwin\BitDefender10\bdagent.exe" [2008-01-27 16:50 69632]


    "NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-04-20 06:05 81920]


    "SigmatelSysTrayApp"="sttray.exe" [2007-05-06 11:10 405504 C:\WINDOWS\sttray.exe]


    "Help Creative Meow City"="C:\Documents and Settings\All Users\Application Data\aim rect help creative\Wma Aim.exe" [2008-02-26 15:08 495104]


    "149d6d99"="C:\WINDOWS\system32\shiddqay.dll" [ ]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Reboot.exe [2006-12-29 12:35:16 409088]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]


    "AppInit_DLLs"=sockspy.dll


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"=


    "C:\\StubInstaller.exe"=


    "C:\\Program Files\\LimeWire\\LimeWire.exe"=


    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=


    "C:\\Program Files\\FlashGet\\FlashGet.exe"=


    "C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enGB-downloader.exe"=


    "C:\\Program Files\\Valve\\hlds.exe"=


    "C:\\Program Files\\Valve\\hl.exe"=


    "C:\\Program Files\\World of Warcraft\\Launcher.exe"=


    "C:\\Program Files\\Valve\\cstrike\\valve\\hl.exe"=


    "C:\\Program Files\\Messenger\\msmsgs.exe"=


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


    "6112:TCP"= 6112:TCP:Blizzard Downloader


    "41816:TCP"= 41816:TCP:uTorrent


    "27015:TCP"= 27015:TCP:UDP Port


    R2 MySQL4;MySQL4;"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt" []


    S3 Axtmvflt;Axesstel USB Filter Service;C:\WINDOWS\system32\DRIVERS\Axtmvflt.sys [2007-03-22 11:36]


    S3 Axtmvprt;Axesstel Diagnostic Port;C:\WINDOWS\system32\Drivers\Axtmvprt.sys [2007-03-26 09:25]


    .


    Contents of the 'Scheduled Tasks' folder


    "2008-02-26 13:00:06 C:\WINDOWS\Tasks\AC6AE3C091C596D8.job"


    - c:\docume~1\kodu\applic~1\junk2t~1\Roadeachamen.exe


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-26 15:08:38


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    ------------------------ Other Running Processes ------------------------


    .


    C:\WINDOWS\System32\SCardSvr.exe


    C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\Internet Explorer\iexplore.exe


    C:\WINDOWS\SoftwareDistribution\Download\4b6ccd5ccf72ffca11e7f7e0165f2082\update\update.exe


    .


    **************************************************************************


    .


    Completion time: 2008-02-26 15:10:48 - machine was rebooted


    ComboFix-quarantined-files.txt 2008-02-26 13:10:43


    .


    2008-02-25 23:23:04 --- E O F ---

  • TotalEric,


    Good work. I am now at work; ComboFix has removed some of them, but this evening (West European time) I am going to post the next step, which hopefully takes care of all the active infections at once.


    Have you uninstalled Windows Live Messenger? The infected file is still there. We will take care of that.


    Let me know asap.

  • TotalBalance
    edited February 2008

    Yeah, I uninstalled the Windows Live Messenger main program, but I thought maybe the other related programs don't disturb the work: Windows Live OneCare safety scanner, and Windows Live login helper (or something like that).


    Edit: And I must add, I had some blue error screen just a few moments ago that made me restart my computer. And on the computer startup I saw an error:


    RUNDLL


    Error loading C:\WINDOWS\System32\shiddqay.dll


    the specified module could not be found.

  • farbar
    edited February 2008

    TotalErik,


    I must say you are doing a good job. The other programs don't disturb anything, and you need not uninstall them. After the following steps your HijackThis log is clean and your system is clean from the active infection, and you may relax and enjoy. There still remain some leftovers which we are going to take care of, to make sure they are also clean.


    1. Open Notepad (Start menu - All Programs - Accessories - Notepad). Make sure Word Wrap under the Format menu is not selected.


    Copy and paste the text in bold into it.


    File::


    C:\WINDOWS\system32\shiddqay.dll


    Folder::


    C:\Program Files\Windows Live\Messenger


    Registry::


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "149d6d99"=-


    "MsnMsgr"=-



    * Select Save in: Desktop


    * Fill in File name: CFScript.txt


    * Save as type: All file types (*.*)


    Drag CFScript.txt into ComboFix.exe. You can see the image showing this here: http://www.fromsej.saknet.dk/billeder/cfscript.gif


    ComboFix will now run a scan on your system.


    It may reboot your system when it finishes. This is normal.


    2. Please download ATF Cleaner by Atribune. (This program is for XP and Windows 2000 only)

    • Double-click ATF-Cleaner.exe to run the program.


    Under Main "Select Files to Delete" choose: Select All.


    Click the Empty Selected button.

    If you use the Firefox browser
    • Click Firefox at the top and choose: Select All


    Click the Empty Selected button.


    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    If you use the Opera browser
    • Click Opera at the top and choose: Select All


    Click the Empty Selected button.


    NOTE: If you would like to keep your saved passwords, please click No at the prompt.

    Click Exit on the Main menu to close the program.


    For Technical Support, double-click the e-mail address located at the bottom of each menu.


    3. Remove VundoFix.exe and the C:\VundoFix Backups folder.


    (We need ComboFix tomorrow to clean the rest, after I have made the list of what to clean.)


    4. Please go to the firewall and remove all suspicious allowed entries if you can.


    It has been a long day for me today. Tomorrow I am going to go through the ComboFix log and prepare the final step. Please let me know how things are going.


    Please post the combofix log.
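    As an added example (not code from this thread, from HijackThis or from ComboFix), the following Python script applies the same reasoning the helper used by hand to the O4 and "Files Created" lines quoted above and drafts a CFScript in the File:: / Registry:: form shown in the post. The "bare hex value name" and "random 8-letter lower-case file name" rules and the 4 KB size threshold are heuristics assumed here, not anything either tool implements.

```python
"""Triage the HijackThis and ComboFix lines quoted in this thread and draft the
matching CFScript. Added example: not part of the thread, HijackThis or ComboFix.
The rules are assumed heuristics mirroring what the helper did by hand."""
import re
from dataclasses import dataclass

# HijackThis O4 line, e.g.
# O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\shiddqay.dll",b
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
HEX_NAME_RE = re.compile(r'^[0-9a-f]{8}$', re.IGNORECASE)
RUNDLL_DLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?', re.IGNORECASE)
# Vundo drops lower-case 8-letter names; kept case-sensitive on purpose so that
# vendor files such as NvMcTray.dll are not flagged.
RANDOM8_RE = re.compile(r'\\[a-z]{8}\.(?:dll|ini)$')

# ComboFix "Files Created" line, e.g.
# 2008-02-25 23:20 . 2008-02-25 23:20 1,097 --a------ C:\WINDOWS\system32\lpflnieq.dll
CF_FILE_RE = re.compile(
    r'^(?P<created>\d{4}-\d\d-\d\d \d\d:\d\d) \. (?P<modified>\d{4}-\d\d-\d\d \d\d:\d\d) '
    r'(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$')

HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}


@dataclass
class Finding:
    source: str        # "hijackthis" or "combofix"
    path: str          # file the entry points at
    reason: str
    hive: str = ''     # set only for Run values
    value_name: str = ''


def triage_hijackthis(lines):
    """Flag O4 Run values shaped like the Vundo loading point in this thread."""
    findings = []
    for raw in lines:
        m = O4_RE.match(raw.strip())
        if not m:
            continue
        name, cmd = m.group('name'), m.group('cmd')
        d = RUNDLL_DLL_RE.search(cmd)
        reasons = []
        if HEX_NAME_RE.match(name):
            reasons.append('value name is a bare hex string')
        if d and RANDOM8_RE.search(d.group('dll')):
            reasons.append('rundll32 loads a random 8-letter DLL')
        if reasons:
            findings.append(Finding('hijackthis', d.group('dll') if d else cmd,
                                    '; '.join(reasons), m.group('hive'), name))
    return findings


def triage_combofix(lines):
    """Flag the random-named file pairs Vundo leaves in system32."""
    findings = []
    for raw in lines:
        m = CF_FILE_RE.match(raw.strip())
        if not m:
            continue
        path, attrs, size = m.group('path'), m.group('attrs'), m.group('size')
        if '\\system32\\' not in path.lower() or not RANDOM8_RE.search(path):
            continue
        if path.lower().endswith('.ini') and 'h' in attrs and 's' in attrs:
            findings.append(Finding('combofix', path, 'hidden+system random-named .ini'))
        elif path.lower().endswith('.dll') and size != '<DIR>' and int(size.replace(',', '')) < 4096:
            findings.append(Finding('combofix', path, 'tiny random-named .dll stub'))
    return findings


def build_cfscript(findings):
    """Draft a CFScript in the File:: / Registry:: form used in the thread. The Run
    key header has no leading '-' (the correction posted later): only the named
    values are removed, never the whole Run key."""
    out = ['File::', *sorted({f.path for f in findings}), '']
    run_values = [f for f in findings if f.value_name]
    if run_values:
        out.append('Registry::')
        for hive in sorted({f.hive for f in run_values}):
            out.append(f'[{HIVES.get(hive, hive)}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]')
            out.extend(f'"{f.value_name}"=-' for f in run_values if f.hive == hive)
    return '\n'.join(out) + '\n'


# Lines copied from the logs posted in this thread.
SAMPLE_HJT = [
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit',
    r'O4 - HKLM\..\Run: [149d6d99] rundll32.exe "C:\WINDOWS\system32\shiddqay.dll",b',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]
SAMPLE_CF = [
    r'2008-02-25 23:23 . 2008-02-26 01:18 1,260,406 ---hs---- C:\WINDOWS\system32\yaqddihs.ini',
    r'2008-02-25 23:20 . 2008-02-25 23:20 1,097 --a------ C:\WINDOWS\system32\lpflnieq.dll',
    r'2008-02-20 23:11 . 2003-03-19 05:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll',
    r'2008-02-26 00:33 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys',
]

if __name__ == '__main__':
    found = triage_hijackthis(SAMPLE_HJT) + triage_combofix(SAMPLE_CF)
    print(build_cfscript(found))
```

    Only the three Vundo artifacts from the samples end up in the script; the NVIDIA rundll32 entries, ctfmon.exe, atl71.dll and kcom.sys are left alone.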


  • File::


    C:\WINDOWS\system32\shiddqay.dll


    Folder::


    C:\Program Files\Windows Live\Messenger


    Registry::


    [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "149d6d99"=-


    "MsnMsgr"=-



    Please note, I edited the post:


    The bold text should be this:


    File::


    C:\WINDOWS\system32\shiddqay.dll


    Folder::


    C:\Program Files\Windows Live\Messenger


    Registry::


    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "149d6d99"=-


    "MsnMsgr"=-


  • ComboFix 08-02-25.3 - Kodu 2008-02-27 7:47:28.2 - NTFSx86


    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1628 [GMT 2:00]


    Running from: C:\Documents and Settings\Kodu\My Documents\ComboFix.exe


    Command switches used :: C:\Documents and Settings\Kodu\Desktop\CFScript.txt


    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!


    FILE ::


    C:\WINDOWS\system32\shiddqay.dll


    .


    ((((((((((((((((((((((((( Files Created from 2008-01-27 to 2008-02-27 )))))))))))))))))))))))))))))))


    .


    2008-02-27 00:04 . 2007-12-14 01:59 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl


    2008-02-27 00:03 . 2008-02-27 00:04 <DIR> d-------- C:\Program Files\Java


    2008-02-27 00:03 . 2008-02-27 00:03 <DIR> d-------- C:\Program Files\Common Files\Java


    2008-02-26 21:03 . 2008-02-26 21:03 <DIR> d-------- C:\Program Files\Junk2Time


    2008-02-26 21:00 . 2008-02-26 21:02 <DIR> d-------- C:\Program Files\MSN Messenger


    2008-02-26 01:13 . 2008-02-26 01:18 109 --a------ C:\WINDOWS\wininit.ini


    2008-02-26 00:40 . 2008-02-27 07:41 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy


    2008-02-26 00:40 . 2008-02-27 07:41 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy


    2008-02-26 00:33 . 2007-12-10 14:53 81,288 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys


    2008-02-26 00:33 . 2007-12-10 14:53 66,952 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys


    2008-02-26 00:33 . 2008-02-01 12:55 42,376 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys


    2008-02-26 00:33 . 2007-12-10 14:53 29,576 --a------ C:\WINDOWS\system32\drivers\kcom.sys


    2008-02-26 00:32 . 2008-02-26 00:52 <DIR> d-------- C:\Program Files\Spyware Doctor


    2008-02-26 00:32 . 2008-02-26 00:32 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\PC Tools


    2008-02-25 23:23 . 2008-02-26 01:18 1,260,406 ---hs---- C:\WINDOWS\system32\yaqddihs.ini


    2008-02-25 23:22 . 2008-02-25 23:26 178 --a------ C:\WINDOWS\system32\testscript.tmp


    2008-02-25 23:20 . 2008-02-25 23:20 1,097 --a------ C:\WINDOWS\system32\lpflnieq.dll


    2008-02-25 23:18 . 2008-02-25 23:18 1,097 --a------ C:\WINDOWS\system32\tcqtcmty.dll


    2008-02-24 23:25 . 2008-02-25 13:50 1,253,894 ---hs---- C:\WINDOWS\system32\wgrohirn.ini


    2008-02-24 23:19 . 2008-02-24 23:19 1,097 --a------ C:\WINDOWS\system32\ltdedawq.dll


    2008-02-24 16:58 . 2008-02-24 16:58 <DIR> d-------- C:\Program Files\PremiumSoft


    2008-02-24 16:56 . 2008-02-24 16:56 <DIR> d-------- C:\Program Files\MySQL


    2008-02-23 23:16 . 2008-02-24 23:17 1,253,774 ---hs---- C:\WINDOWS\system32\nsvvnvgp.ini


    2008-02-23 23:16 . 2008-02-23 23:16 1,097 --a------ C:\WINDOWS\system32\yoyinnsd.dll


    2008-02-23 19:09 . 2008-02-23 19:10 1,253,834 ---hs---- C:\WINDOWS\system32\hsxnkvco.ini


    2008-02-23 19:08 . 2008-02-23 19:08 1,097 --a------ C:\WINDOWS\system32\wpxcmgla.dll


    2008-02-23 12:05 . 2008-02-23 19:08 1,253,774 ---hs---- C:\WINDOWS\system32\focsjuch.ini


    2008-02-23 12:03 . 2008-02-23 12:03 1,097 --a------ C:\WINDOWS\system32\rcfggpys.dll


    2008-02-23 11:46 . 2008-02-26 15:17 <DIR> d-------- C:\VundoFix Backups


    2008-02-23 09:33 . 2008-02-23 09:33 268 --ah----- C:\sqmdata01.sqm


    2008-02-23 09:33 . 2008-02-23 09:33 244 --ah----- C:\sqmnoopt01.sqm


    2008-02-22 23:18 . 2008-02-22 23:18 <DIR> d-------- C:\Program Files\Trend Micro


    2008-02-22 19:15 . 2008-02-22 23:03 1,252,804 --ahs---- C:\WINDOWS\system32\vxbgbvsw.ini


    2008-02-22 17:57 . 2008-02-26 17:06 2,145,386,496 --a------ C:\WINDOWS\MEMORY.DMP


    2008-02-22 16:26 . 2006-02-28 14:00 13,463,552 --a--c--- C:\WINDOWS\system32\dllcache\hwxjpn.dll


    2008-02-22 16:25 . 2006-02-28 14:00 1,677,824 --a--c--- C:\WINDOWS\system32\dllcache\chsbrkr.dll


    2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\WindowsShell.Manifest


    2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\wuaucpl.cpl.manifest


    2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\sapi.cpl.manifest


    2008-02-22 16:23 . 2008-02-22 16:23 749 -rah----- C:\WINDOWS\system32\ncpa.cpl.manifest


    2008-02-22 16:23 . 2008-02-22 16:23 488 -rah----- C:\WINDOWS\system32\logonui.exe.manifest


    2008-02-21 19:58 . 2008-02-21 19:58 1,097 --a------ C:\WINDOWS\system32\gfurriif.dll


    2008-02-21 18:19 . 2008-02-21 18:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Messenger Plus!


    2008-02-21 18:17 . 2008-02-26 21:03 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\aim rect help creative


    2008-02-21 18:16 . 2008-02-26 21:02 <DIR> d-------- C:\Program Files\Messenger Plus! Live


    2008-02-21 18:16 . 2008-02-21 18:16 <DIR> d-------- C:\Program Files\Circle Developement


    2008-02-21 18:16 . 2008-02-26 21:04 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\Junk2Time


    2008-02-20 23:11 . 2008-02-26 01:15 <DIR> d-------- C:\Program Files\AdvancedCleaner Free


    2008-02-20 23:11 . 2003-03-19 05:05 89,088 --a------ C:\WINDOWS\system32\atl71.dll


    2008-02-20 20:03 . 2008-02-21 20:04 1,253,501 --ahs---- C:\WINDOWS\system32\dkswuddu.ini


    2008-02-18 23:58 . 2008-02-23 19:35 <DIR> d-------- C:\Program Files\Macrogaming


    2008-02-18 10:12 . 2008-02-18 10:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\nView_Profiles


    2008-02-10 22:26 . 2008-02-10 22:26 <DIR> d-------- C:\mydecal


    2008-02-10 15:42 . 2008-02-10 15:42 0 --a------ C:\WINDOWS\PROTOCOL.INI


    2008-02-10 15:41 . 2008-02-10 15:41 <DIR> d-------- C:\Documents and Settings\Kodu\WINDOWS


    2008-02-10 15:41 . 1998-02-06 21:37 299,520 --a------ C:\WINDOWS\uninst.exe


    2008-02-07 13:54 . 2008-02-07 13:54 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trymedia


    2008-02-07 13:38 . 2008-02-07 13:38 <DIR> d-------- C:\Program Files\Sierra


    2008-02-04 07:26 . 2008-02-04 07:26 <DIR> d-------- C:\Program Files\ZhyperMU


    2008-02-02 01:14 . 2008-02-02 01:14 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\InstallShield


    2008-02-01 21:12 . 2008-02-01 21:12 <DIR> d-------- C:\WINDOWS\.jagex_cache_32


    2008-01-30 15:28 . 2008-01-30 15:28 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Adobe Systems


    2008-01-30 15:25 . 2008-01-30 15:25 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared


    2008-01-27 16:20 . 2008-01-27 16:20 <DIR> d-------- C:\Documents and Settings\Kodu\Application Data\Bitdefender


    2008-01-27 15:48 . 2008-01-27 15:48 <DIR> d-------- C:\Program Files\Ordi


    2008-01-27 15:48 . 2002-08-28 10:45 645,120 --a------ C:\WINDOWS\Ordi.scr


    2008-01-27 15:48 . 2008-01-27 15:48 91 --a------ C:\WINDOWS\Ordi.ini


    2008-01-27 15:48 . 2008-01-27 15:48 62 --a------ C:\WINDOWS\FSaver.ini


    2008-01-27 15:45 . 2008-01-27 17:05 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\BitDefender


    .


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    2008-02-27 05:47 81,984 ----a-w C:\WINDOWS\system32\bdod.bin


    2008-02-26 18:56 --------- d-----w C:\Program Files\World of Warcraft


    2008-02-26 18:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\WLInstaller


    2008-02-26 18:43 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP


    2008-02-26 12:55 --------- d-----w C:\Documents and Settings\Kodu\Application Data\MegauploadToolbar


    2008-02-25 19:47 --------- d-----w C:\Program Files\LimeWire


    2008-02-21 12:11 --------- d-----w C:\Program Files\Windows Live Safety Center


    2008-02-13 16:36 --------- d-----w C:\Program Files\Valve


    2008-02-04 05:26 --------- d--h--w C:\Program Files\InstallShield Installation Information


    2008-02-01 23:16 --------- d-----w C:\Program Files\NCSoft


    2008-02-01 23:15 --------- d-----w C:\Program Files\EA GAMES


    2008-01-30 13:26 --------- d-----w C:\Program Files\Common Files\Adobe


    2008-01-27 15:01 913,408 ----a-w C:\WINDOWS\system32\xreglib.dll


    2008-01-27 13:49 69,632 ----a-w C:\WINDOWS\uinst001.exe


    2008-01-27 13:45 --------- d-----w C:\Program Files\Common Files\Softwin


    2008-01-23 19:12 --------- d-----w C:\Program Files\ssClient


    2008-01-18 08:21 --------- d-----w C:\Program Files\Common Files\InstallShield


    2008-01-17 09:20 --------- d-----w C:\Program Files\Common Files\Blizzard Entertainment


    2008-01-15 13:07 --------- d-----w C:\Program Files\MegauploadToolbar


    2008-01-15 06:15 --------- d-----w C:\Program Files\FlashGet


    2008-01-08 11:12 --------- d-----w C:\Documents and Settings\Kodu\Application Data\DAEMON Tools


    2008-01-08 10:46 --------- d-----w C:\Program Files\DAEMON Tools Lite


    2008-01-08 10:43 715,248 ----a-w C:\WINDOWS\system32\drivers\sptd.sys


    2008-01-07 13:57 --------- d-----w C:\Documents and Settings\All Users\Application Data\POPWWPROFILES


    2008-01-07 13:19 --------- d-----w C:\Program Files\Common Files\DirectX


    2008-01-07 02:35 --------- d-----w C:\Documents and Settings\Kodu\Application Data\GetRightToGo


    2008-01-05 23:57 --------- d-----w C:\Program Files\Lizard Interactive Co


    2008-01-05 17:54 --------- d-----w C:\Program Files\Arjaloc


    2008-01-05 12:30 --------- d-----w C:\Program Files\Neffy


    2008-01-04 17:37 --------- d-----w C:\Program Files\Ubisoft


    2008-01-02 13:15 --------- d-----w C:\Program Files\Disc2Phone


    2007-12-31 22:48 --------- d-----w C:\Documents and Settings\Kodu\Application Data\Winamp


    2007-12-31 20:43 --------- d-----w C:\Documents and Settings\Kodu\Application Data\Talkback


    2007-12-31 20:42 --------- d-----w C:\Program Files\Winamp


    2007-12-31 20:18 --------- d-----w C:\Program Files\Google


    2007-12-30 10:46 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll


    2007-12-29 16:20 --------- d-----w C:\Program Files\Radical Games


    2007-12-25 16:22 43,520 ----a-w C:\WINDOWS\system32\CmdLineExt03.dll


    2007-12-25 16:00 315,392 ----a-w C:\WINDOWS\HideWin.exe


    2007-12-25 14:34 286,720 ----a-w C:\WINDOWS\iun506.exe


    2005-04-04 09:21 29,998 ----a-w C:\WINDOWS\inf\install.exe


    2005-04-04 09:21 25,119 ----a-w C:\WINDOWS\inf\update.exe


    .


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    .


    .


    *Note* empty entries & legit default entries are not shown


    REGEDIT4


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{27E4AB42-936F-4EB3-B357-1CA9D2E3550C}]


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4AFC929C-14E6-405F-80B8-76312A32540C}]


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{99cfb505-af2d-4ee2-a23c-bdc4dc949c76}]


    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C809AB14-C67F-408A-B541-A5A6A7411AD1}]


    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]


    "MsnMsgr"="~C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [ ]


    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-12-26 04:32 171448]


    "DAEMON Tools Lite"="C:\Program Files\DAEMON Tools Lite\daemon.exe" [2008-01-03 15:54 486856]


    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2006-02-28 14:00 15360]


    "SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2008-01-02 20:15 103712]


    "DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2005-04-25 13:45 36040]


    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\


    Reboot.exe [2006-12-29 12:35:16 409088]


    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]


    "AppInit_DLLs"=sockspy.dll


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]


    "%windir%\\system32\\sessmgr.exe"=


    "C:\\StubInstaller.exe"=


    "C:\\Program Files\\LimeWire\\LimeWire.exe"=


    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=


    "C:\\Program Files\\FlashGet\\FlashGet.exe"=


    "C:\\Program Files\\World of Warcraft\\WoW-2.3.0-enGB-downloader.exe"=


    "C:\\Program Files\\Valve\\hlds.exe"=


    "C:\\Program Files\\Valve\\hl.exe"=


    "C:\\Program Files\\World of Warcraft\\Launcher.exe"=


    "C:\\Program Files\\Valve\\cstrike\\valve\\hl.exe"=


    "C:\\Program Files\\Messenger\\msmsgs.exe"=


    "C:\\Program Files\\MSN Messenger\\msnmsgr.exe"=


    "C:\\Program Files\\MSN Messenger\\livecall.exe"=


    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]


    "3724:TCP"= 3724:TCP:Blizzard Downloader: 3724


    "6112:TCP"= 6112:TCP:Blizzard Downloader


    "41816:TCP"= 41816:TCP:uTorrent


    "27015:TCP"= 27015:TCP:UDP Port


    R2 MySQL4;MySQL4;"C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt" []


    S3 Axtmvflt;Axesstel USB Filter Service;C:\WINDOWS\system32\DRIVERS\Axtmvflt.sys [2007-03-22 11:36]


    S3 Axtmvprt;Axesstel Diagnostic Port;C:\WINDOWS\system32\Drivers\Axtmvprt.sys [2007-03-26 09:25]


    .


    Contents of the 'Scheduled Tasks' folder


    "2008-02-26 22:00:02 C:\WINDOWS\Tasks\B18C1109915B84D9.job"


    - c:\docume~1\kodu\applic~1\junk2t~1\Roadeachamen.exe


    .


    **************************************************************************


    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net


    Rootkit scan 2008-02-27 07:49:34


    Windows 5.1.2600 Service Pack 2 NTFS


    scanning hidden processes ...


    scanning hidden autostart entries ...


    scanning hidden files ...


    scan completed successfully


    hidden files: 0


    **************************************************************************


    .


    Completion time: 2008-02-27 7:50:10


    ComboFix-quarantined-files.txt 2008-02-27 05:50:07


    ComboFix2.txt 2008-02-26 13:10:49


    .


    2008-02-27 05:38:11 --- E O F ---

  • Logfile of Trend Micro HijackThis v2.0.2


    Scan saved at 7:59:39, on 27.02.2008


    Platform: Windows XP SP2 (WinNT 5.01.2600)


    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)


    Boot mode: Normal


    Running processes:


    C:\WINDOWS\System32\smss.exe


    C:\WINDOWS\system32\winlogon.exe


    C:\WINDOWS\system32\services.exe


    C:\WINDOWS\system32\lsass.exe


    C:\WINDOWS\system32\svchost.exe


    C:\WINDOWS\System32\svchost.exe


    C:\WINDOWS\system32\spoolsv.exe


    C:\Program Files\Winamp\winampa.exe


    C:\Program Files\Softwin\BitDefender10\bdmcon.exe


    C:\Program Files\Softwin\BitDefender10\bdagent.exe


    C:\WINDOWS\system32\RUNDLL32.EXE


    C:\WINDOWS\sttray.exe


    C:\Program Files\Java\jre1.6.0_04\bin\jusched.exe


    C:\Program Files\MSN Messenger\MsnMsgr.Exe


    C:\WINDOWS\system32\ctfmon.exe


    C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    C:\Program Files\MySQL\MySQL Server 4.1\bin\mysqld-nt.exe


    C:\WINDOWS\system32\nvsvc32.exe


    C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    C:\WINDOWS\system32\wuauclt.exe


    C:\WINDOWS\explorer.exe


    C:\Program Files\Mozilla Firefox\firefox.exe


    C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    C:\Program Files\Softwin\BitDefender10\vsserv.exe


    C:\Program Files\Trend Micro\HijackThis\clear.exe.exe


    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com


    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll


    O2 - BHO: (no name) - {27E4AB42-936F-4EB3-B357-1CA9D2E3550C} - (no file)


    O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll


    O2 - BHO: (no name) - {4AFC929C-14E6-405F-80B8-76312A32540C} - (no file)


    O2 - BHO: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)


    O2 - BHO: Windows Live'i sisselogimisabiline - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll


    O2 - BHO: (no name) - {99cfb505-af2d-4ee2-a23c-bdc4dc949c76} - (no file)


    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll


    O2 - BHO: (no name) - {C809AB14-C67F-408A-B541-A5A6A7411AD1} - (no file)


    O2 - BHO: gFlash Class - {F156768E-81EF-470C-9057-481BA8380DBA} - C:\PROGRA~1\FlashGet\getflash.dll


    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll


    O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll


    O3 - Toolbar: Megaupload Toolbar - {4E7BD74F-2B8D-469E-CCB0-B130EEDBE97C} - C:\PROGRA~1\MEGAUP~1\MEGAUP~1.DLL


    O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background


    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe


    O4 - HKCU\..\Run: [DAEMON Tools Lite] "C:\Program Files\DAEMON Tools Lite\daemon.exe"


    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe


    O4 - HKCU\..\Run: [sweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe


    O4 - HKCU\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t


    O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')


    O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')


    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe


    O4 - Global Startup: Reboot.exe


    O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm


    O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm


    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_04\bin\ssv.dll


    O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe


    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe


    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe


    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1198603750796


    O16 - DPF: {AA07EBD2-EBDD-4BD6-9F8F-114BD513492C} (NeffyLauncherCtl Class) - http://dist.globalgamecdn.com/dist/neffy/NeffyLauncher.cab


    O16 - DPF: {CAFEEFAC-0016-0000-0003-ABCDEFFEDCBA} (Java Plug-in 1.6.0_03) -


    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe


    O23 - Service: BitDefender Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\Softwin\BitDefender Scan Server\bdss.exe


    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe


    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe


    O23 - Service: BitDefender Desktop Update Service (LIVESRV) - SOFTWIN S.R.L. - C:\Program Files\Common Files\Softwin\BitDefender Update Service\livesrv.exe


    O23 - Service: MySQL4 - Unknown owner - C:\Program.exe (file missing)


    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe


    O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe


    O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe


    O23 - Service: BitDefender Virus Shield (VSSERV) - SOFTWIN S.R.L. - C:\Program Files\Softwin\BitDefender10\vsserv.exe


    O23 - Service: BitDefender Communicator (XCOMM) - SOFTWIN S.R.L - C:\Program Files\Common Files\Softwin\BitDefender Communicator\xcommsvr.exe


    --


    End of file - 6822 bytes