Show Posts



Messages - 1yn

1
Tech Clinic / Command Service / Downloader.tibs
« on: October 31, 2006, 07:59:20 PM »
I have completed all of your final steps. Thank you so much once again. I have learned a lot.

2
Tech Clinic / Command Service / Downloader.tibs
« on: October 30, 2006, 09:31:14 PM »
The computer has been running without any problem at all. Thank you SO much guestolo for your amazing help. I will highly promote this forum to all my friends. And here are the 2 reports you asked for:
 
 
  SDFIX
 
 
  SDFix: Version 1.34
  -------------------
 
  Scan run on:
  Mon 10/30/2006
 
  Time:
  09:19 PM
 
 
  Microsoft Windows XP [Version 5.1.2600]
 
  Running from: C:\Documents and Settings\Administrator\Desktop\SDFix
 
                                 Stage One...
 
  Checking Services...
 
  Name:
  -----
 
  TCP and UDP Support
 
  Path:
  ----
 
  C:\WINDOWS\system32\tcpip.exe /winnt
 
 
  TCP and UDP Support Deleted...
 
  Repairing Registry...
 
   
  Restoring Default Hosts File...
   
  Stage One Complete
   
  Rebooting...
   
                                  Stage Two...
   
  Checking For Malware:
  --------------------
   
   
  Backing Up and Removing any Files Found...
   
                                  Final Check:
   
  Services:
  ---------
   
   
  Files:
  ------
 
 
  Any files removed are saved to the SDFix\backups Folder
 
                                  FINISHED
 
 HJT
 
 Logfile of HijackThis v1.99.1
 Scan saved at 9:28:58 PM, on 10/30/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\system32\spoolsv.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
 C:\Program Files\VIAudioi\SBADeck\ADeck.exe
 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
 C:\HJT\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
 O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
 O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

3
Tech Clinic / Command Service / Downloader.tibs
« on: October 30, 2006, 12:33:03 AM »
Logfile of HijackThis v1.99.1
 Scan saved at 12:30:27 AM, on 10/30/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\Ati2evxx.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\WINDOWS\system32\Ati2evxx.exe
 C:\WINDOWS\Explorer.EXE
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
 C:\Program Files\VIAudioi\SBADeck\ADeck.exe
 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\HJT\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
 O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
 O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

4
Tech Clinic / Command Service / Downloader.tibs
« on: October 29, 2006, 12:15:22 PM »
NEW HJT
 
 Logfile of HijackThis v1.99.1
 Scan saved at 12:12:31 PM, on 10/29/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\Ati2evxx.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\Ati2evxx.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\system32\spoolsv.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
 C:\Program Files\VIAudioi\SBADeck\ADeck.exe
 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 C:\HJT\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
 O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
 O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
 O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
 
 AVG REPORT
 
 ---------------------------------------------------------
 AVG Anti-Spyware - Scan Report
 ---------------------------------------------------------
 
  + Created at:    12:09:12 PM 10/29/2006
 
  + Scan result:    
 
 
 
     Nothing found.
 
 
 
 ::Report end
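The two HijackThis logs above (29 Oct and 30 Oct) differ in exactly the entries the helper had the poster remove: the O2 BHO in C:\Program Files\BHO Plugin and the O23 service "TCP and UDP Support" pointing at C:\WINDOWS\system32\tcpip.exe. A stock Windows XP has no tcpip.exe; TCP/IP is the kernel driver tcpip.sys, so a service running an .exe by that name out of system32 is a lookalike, and the SDFix log in the 30 Oct post shows that service being deleted. The script below is an added example (not the original poster's, not HijackThis code): it diffs log excerpts copied from those two posts and attaches triage reasons to the entries that warrant a second look. The list of driver-only names it checks against is an illustrative assumption, not a HijackThis rule.

```python
"""Diff two HijackThis logs and flag load points worth a second look.

Added example, not code from the thread or from the HijackThis project.
Log excerpts are copied from the 29 Oct and 30 Oct 2006 posts above;
DRIVER_ONLY_STEMS is an illustrative assumption.
"""
import re
from pathlib import PureWindowsPath

# Excerpt of the 29 Oct 2006 log (before the service was removed).
HJT_BEFORE = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
"""

# Excerpt of the 30 Oct 2006 log (after SDFix removed the service).
HJT_AFTER = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# A HijackThis entry: section code, " - ", the rest of the line.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# First Windows path on the line, up to a PE/script extension.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"\n]*?\.(?:exe|dll|sys|ocx|cab|pif))', re.IGNORECASE)

# Names that exist only as kernel drivers (.sys) on a stock Windows XP.
# Illustrative assumption for this example, not an exhaustive list.
DRIVER_ONLY_STEMS = {"tcpip", "ntfs", "afd", "ndis", "http"}


def parse_hjt(text):
    """Return [(section, full_line)] for every HijackThis entry line."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            entries.append((m.group(1), line.strip()))
    return entries


def diff_logs(before, after):
    """Lines present only in `before` (removed) and only in `after` (added)."""
    old = {line for _, line in parse_hjt(before)}
    new = {line for _, line in parse_hjt(after)}
    return sorted(old - new), sorted(new - old)


def triage(text):
    """Attach plain-language reasons to entries a helper should look at."""
    flagged = []
    for section, line in parse_hjt(text):
        reasons = []
        if "(file missing)" in line:
            reasons.append("load point references a file that no longer exists")
        if section == "O23" and "Unknown owner" in line:
            reasons.append("service binary carries no vendor/company string")
        m = PATH_RE.search(line)
        if m:
            p = PureWindowsPath(m.group(1))
            if p.suffix.lower() == ".exe" and p.stem.lower() in DRIVER_ONLY_STEMS:
                reasons.append(f"{p.name} impersonates the {p.stem}.sys driver; "
                               "Windows ships no such .exe")
        if reasons:
            flagged.append((line, reasons))
    return flagged


if __name__ == "__main__":
    removed, added = diff_logs(HJT_BEFORE, HJT_AFTER)
    print("entries gone between the two logs:")
    for line in removed:
        print("  -", line)
    print("flagged in the 29 Oct log:")
    for line, reasons in triage(HJT_BEFORE):
        print("  *", line)
        for r in reasons:
            print("     ", r)
```

The diff is what catches the BHO: nothing about C:\Program Files\BHO Plugin\plugin.dll looks wrong in isolation, which is why helpers on these boards compare successive logs rather than grading a single one. "Unknown owner" on its own is a prompt to check, not a verdict; ATI Smart trips it here and is left alone in every later log.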

5
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 06:15:44 PM »
I found the Enigma Software Group and deleted it, then I went to Run and copy/pasted C:\Program Files\BHO Plugin. It was found but I can't delete it. The computer is running great and the error in the beginning has long been gone. But on that note I haven't been using IE at all (from what I think to be the source from which all my viruses resurface). I have been using a laptop to download the stuff you asked for, then transferring it to run on the infected computer. With your latest instruction it is the first time I connected the internet to the infected computer. And yes, I am able to save the HJT file and will post it below.
 
 
 RESULTS FOR C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
 
 File:     F66022CBC7AA4769BC48A3C22B3B57D4.sta
 Status:    
 OK
 MD5     3aae6789a625e5c7754af85c006a9580
 Packers detected:    
 -
 Scanner results
 AntiVir    
 Found nothing
 ArcaVir    
 Found nothing
 Avast    
 Found nothing
 AVG Antivirus    
 Found nothing
 BitDefender    
 Found nothing
 ClamAV    
 Found nothing
 Dr.Web    
 Found nothing
 F-Prot Antivirus    
 Found nothing
 Fortinet    
 Found nothing
 Kaspersky Anti-Virus    
 Found nothing
 NOD32    
 Found nothing
 Norman Virus Control    
 Found nothing
 VirusBuster    
 Found nothing
 VBA32    
 Found nothing
 
 RESULTS FOR C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
 
 File:     F66022CBC7AA4769BC48A3C22B3B57D4.rul
 Status:    
 OK
 MD5     07806ccb15ba7e04b44cfeb0b89f4e93
 Packers detected:    
 -
 Scanner results
 AntiVir    
 Found nothing
 ArcaVir    
 Found nothing
 Avast    
 Found nothing
 AVG Antivirus    
 Found nothing
 BitDefender    
 Found nothing
 ClamAV    
 Found nothing
 Dr.Web    
 Found nothing
 F-Prot Antivirus    
 Found nothing
 Fortinet    
 Found nothing
 Kaspersky Anti-Virus    
 Found nothing
 NOD32    
 Found nothing
 Norman Virus Control    
 Found nothing
 VirusBuster    
 Found nothing
 VBA32    
 Found nothing
 
 RESULTS FOR C:\WINDOWS\system32\tcpip.exe
 
 File:     tcpip.exe
 Status:    
 POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)
 MD5     7d8241b2edcc6750e7719af24da153d9
 Packers detected:    
 PE_PATCH.UPX, UPX
 Scanner results
 AntiVir    
 Found Heuristic/Crypted (probable variant)
 ArcaVir    
 Found nothing
 Avast    
 Found nothing
 AVG Antivirus    
 Found nothing
 BitDefender    
 Found Generic.Malware.Yd.FDABD5F9 (probable variant)
 ClamAV    
 Found nothing
 Dr.Web    
 Found nothing
 F-Prot Antivirus    
 Found nothing
 Fortinet    
 Found W32/AYL!tr.dldr
 Kaspersky Anti-Virus    
 Found nothing
 NOD32    
 Found nothing
 Norman Virus Control    
 Found nothing
 VirusBuster    
 Found nothing
 VBA32    
 Found nothing
 
 
 
 

 BLACK LIGHT REPORT
 
 10/28/06 19:00:43 [Info]: BlackLight Engine 1.0.47 initialized
 10/28/06 19:00:43 [Info]: OS: 5.1 build 2600 (Service Pack 2)
 10/28/06 19:00:43 [Note]: 7019 4
 10/28/06 19:00:43 [Note]: 7005 0
 10/28/06 19:00:54 [Note]: 7006 0
 10/28/06 19:00:54 [Note]: 7011 1180
 10/28/06 19:00:55 [Note]: 7026 0
 10/28/06 19:00:55 [Note]: 7026 0
 10/28/06 19:00:59 [Note]: FSRAW library version 1.7.1020
 10/28/06 19:06:04 [Note]: 2000 1012
 10/28/06 19:06:04 [Note]: 2000 1012
 10/28/06 19:11:17 [Note]: 7007 0
 
 
 HJT UNINSTALL LIST
 
 Ad-Aware SE Personal
 ATI - Software Uninstall Utility
 ATI Catalyst Control Center
 ATI Control Panel
 ATI Display Driver
 AVG Anti-Spyware 7.5
 AVG Free Edition
 HijackThis 1.99.1
 Microsoft .NET Framework 1.1
 Mozilla Firefox (1.0.7)
 MSN Messenger 7.5
 MSN Music Assistant
 Security Update for Windows Media Player (KB911564)
 Security Update for Windows Media Player 10 (KB917734)
 Security Update for Windows Media Player 9 (KB917734)
 Security Update for Windows XP (KB890046)
 Security Update for Windows XP (KB893756)
 Security Update for Windows XP (KB896358)
 Security Update for Windows XP (KB896423)
 Security Update for Windows XP (KB896424)
 Security Update for Windows XP (KB896428)
 Security Update for Windows XP (KB899587)
 Security Update for Windows XP (KB899589)
 Security Update for Windows XP (KB899591)
 Security Update for Windows XP (KB900725)
 Security Update for Windows XP (KB901017)
 Security Update for Windows XP (KB901190)
 Security Update for Windows XP (KB901214)
 Security Update for Windows XP (KB902400)
 Security Update for Windows XP (KB904706)
 Security Update for Windows XP (KB905414)
 Security Update for Windows XP (KB905749)
 Security Update for Windows XP (KB908519)
 Security Update for Windows XP (KB911562)
 Security Update for Windows XP (KB911567)
 Security Update for Windows XP (KB911927)
 Security Update for Windows XP (KB912919)
 Security Update for Windows XP (KB913433)
 Security Update for Windows XP (KB913580)
 Security Update for Windows XP (KB914388)
 Security Update for Windows XP (KB914389)
 Security Update for Windows XP (KB917344)
 Security Update for Windows XP (KB917422)
 Security Update for Windows XP (KB917953)
 Security Update for Windows XP (KB918439)
 Security Update for Windows XP (KB918899)
 Security Update for Windows XP (KB919007)
 Security Update for Windows XP (KB920214)
 Security Update for Windows XP (KB920670)
 Security Update for Windows XP (KB920683)
 Security Update for Windows XP (KB920685)
 Security Update for Windows XP (KB921398)
 Security Update for Windows XP (KB921883)
 Security Update for Windows XP (KB922616)
 Security Update for Windows XP (KB922819)
 Security Update for Windows XP (KB923191)
 Security Update for Windows XP (KB923414)
 Security Update for Windows XP (KB924191)
 Security Update for Windows XP (KB924496)
 Security Update for Windows XP (KB925486)
 Spybot - Search & Destroy 1.4
 Starcraft
 Update for Windows XP (KB894391)
 Update for Windows XP (KB898461)
 Update for Windows XP (KB900485)
 Update for Windows XP (KB908531)
 Update for Windows XP (KB910437)
 Update for Windows XP (KB911280)
 Update for Windows XP (KB916595)
 Update for Windows XP (KB920872)
 Update for Windows XP (KB922582)
 VIA Platform Device Manager
 Windows Installer 3.1 (KB893803)
 Windows Media Format Runtime
 Windows Media Player 10
 Windows XP Hotfix - KB873339
 Windows XP Hotfix - KB885835
 Windows XP Hotfix - KB885836
 Windows XP Hotfix - KB886185
 Windows XP Hotfix - KB887472
 Windows XP Hotfix - KB888302
 Windows XP Hotfix - KB890859
 Windows XP Hotfix - KB891781
 WinZip
 
 
 

6
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 05:03:18 PM »
1. NEW HJT

Logfile of HijackThis v1.99.1
Scan saved at 5:58:21 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\tcpip.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

2. AVENGER TXT

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kxjdbbte

*******************

Script file located at: \??\C:\Program Files\pskdwwao.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\srvclxrcpe.exe deleted successfully.
File C:\WINDOWS\srvevnbieo.exe deleted successfully.
File C:\WINDOWS\srvwrgleib.exe deleted successfully.
File C:\WINDOWS\srvmhtjglh.exe deleted successfully.
File C:\WINDOWS\srvxstwlgm.exe deleted successfully.
File C:\WINDOWS\srvwhebfkj.exe deleted successfully.
File C:\WINDOWS\srvdfmdtpz.exe deleted successfully.
File C:\WINDOWS\srvngogrwj.exe deleted successfully.
File C:\WINDOWS\ScUnin.pif deleted successfully.
File C:\WINDOWS\ScUnin.exe deleted successfully.
File C:\WINDOWS\system32\rmuwoiss.dll deleted successfully.
File C:\WINDOWS\system32\winpfg32.sys deleted successfully.
File C:\WINDOWS\system32\eucwried.exe deleted successfully.
File C:\WINDOWS\srvhsuncdb.exe deleted successfully.
File C:\WINDOWS\srvposbxek.exe deleted successfully.
File C:\WINDOWS\srvfoqqyfi.exe deleted successfully.
File C:\WINDOWS\srvqbfkjhp.exe deleted successfully.
File C:\WINDOWS\srvgxdftpc.exe deleted successfully.
File C:\WINDOWS\srvcfytgra.exe deleted successfully.
File C:\WINDOWS\system32\qmqhodsn.dll deleted successfully.
File C:\Program Files\BHO Plugin\plugin1.dll deleted successfully.
File C:\WINDOWS\system32\hnydjtb.dll deleted successfully.
File C:\WINDOWS\system32\rpcc.dll deleted successfully.
File C:\WINDOWS\uni_e6h.exe deleted successfully.


File C:\Program Files\Windows Media Player\meged.html not found!
Deletion of file C:\Program Files\Windows Media Player\meged.html failed!

Could not process line:
C:\Program Files\Windows Media Player\meged.html
Status: 0xc0000034

 

File C:\Program Files\Internet Explorer\pojogagag.html not found!
Deletion of file C:\Program Files\Internet Explorer\pojogagag.html failed!

Could not process line:
C:\Program Files\Internet Explorer\pojogagag.html
Status: 0xc0000034

 

Could not open file C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll for deletion
Deletion of file C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll failed!

Could not process line:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
Status: 0xc000003a

Folder C:\Program Files\BHO Plugin deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

3. COMBO FIX TXT

Administrator - 06-10-28 17:59:41.06    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 


 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols

 
(((((((((((((((((((((((((((((((   Files Created from 2006-09-28 to 2006-10-28  ))))))))))))))))))))))))))))))))))
 
 
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-28 17:50 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-28 18:00:19.48
C:\ComboFix.txt ... 06-10-28 18:00
C:\ComboFix2.txt ... 06-10-28 16:19
C:\ComboFix3.txt ... 06-10-28 14:00
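The "Files Created" section of the ComboFix log in the next post (28 Oct, 03:33 PM) lists fourteen files named srv plus seven random letters, every one of them 217,346 bytes, written in bursts over two days, which is what a downloader re-dropping the same payload looks like; the Avenger log in this post deletes exactly those fourteen. The script below is an added example (not the poster's, not ComboFix or Avenger code) that parses such a listing, clusters files by exact size, derives the name shape of each cluster and its first/last write time, and renders the members as an Avenger "Files to delete:" block. The listing is copied from that post (a subset of the srv files); the Avenger script syntax is written from memory of the v1 format and should be checked against the tool's own documentation before use.

```python
"""Cluster a ComboFix "Files Created" listing by size and name shape.

Added example, not code from the thread, from ComboFix or from The
Avenger. The listing is copied from the ComboFix log of the 28 Oct 2006
03:33 PM post; the Avenger script format is an assumption from memory.
"""
import ntpath
import os
import re
from collections import defaultdict
from datetime import datetime

COMBOFIX_CREATED = r"""
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 13:32 217,346 --a------ C:\WINDOWS\srvclxrcpe.exe
2006-10-27 13:31 217,346 --a------ C:\WINDOWS\srvevnbieo.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 02:50 217,346 --a------ C:\WINDOWS\srvwrgleib.exe
2006-10-27 00:15 217,346 --a------ C:\WINDOWS\srvmhtjglh.exe
2006-10-27 00:13 217,346 --a------ C:\WINDOWS\srvxstwlgm.exe
2006-10-27 00:12 217,346 --a------ C:\WINDOWS\srvwhebfkj.exe
2006-10-26 22:27 217,346 --a------ C:\WINDOWS\srvdfmdtpz.exe
2006-10-26 22:26 217,346 --a------ C:\WINDOWS\srvngogrwj.exe
2006-10-26 22:17 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-26 22:17 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-26 20:04 49,428 --a------ C:\WINDOWS\system32\rmuwoiss.dll
2006-10-26 20:03 971 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-26 20:03 69,652 --a------ C:\WINDOWS\system32\eucwried.exe
"""

# date  time  size(with thousands separators)  attribute flags  path
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) ([\d,]+) (\S+) (.+)$")


def parse_created(text):
    """Parse 'date time size attrs path' lines into dicts; skip anything else."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        date, time, size, attrs, path = m.groups()
        rows.append({
            "when": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M"),
            "size": int(size.replace(",", "")),
            "attrs": attrs,
            "path": path,
        })
    return rows


def size_clusters(rows, min_count=3):
    """Group files by exact size. A dropper that re-runs writes the same
    payload under fresh random names, so identical sizes with unrelated
    names stand out even when every name is unique."""
    by_size = defaultdict(list)
    for r in rows:
        by_size[r["size"]].append(r)
    clusters = []
    for size, group in by_size.items():
        if len(group) < min_count:
            continue
        names = [ntpath.basename(r["path"]) for r in group]
        prefix = os.path.commonprefix(names)
        ext = ntpath.splitext(names[0])[1]
        # Equal-length names: render the shape as prefix + '?' wildcards + ext
        # (e.g. srv???????.exe); otherwise just report the shared prefix.
        if len({len(n) for n in names}) == 1:
            pattern = prefix + "?" * (len(names[0]) - len(prefix) - len(ext)) + ext
        else:
            pattern = prefix + "*"
        whens = sorted(r["when"] for r in group)
        clusters.append({
            "size": size,
            "count": len(group),
            "pattern": pattern,
            "first": whens[0].strftime("%Y-%m-%d %H:%M"),
            "last": whens[-1].strftime("%Y-%m-%d %H:%M"),
            "paths": sorted(r["path"] for r in group),
        })
    return sorted(clusters, key=lambda c: -c["count"])


def avenger_script(paths):
    """Render a 'Files to delete:' block in The Avenger's script syntax
    (assumed from memory; verify against the tool's documentation)."""
    return "Files to delete:\n" + "\n".join(paths) + "\n"


if __name__ == "__main__":
    for c in size_clusters(parse_created(COMBOFIX_CREATED)):
        print(f"{c['count']} files of {c['size']:,} bytes, name shape {c['pattern']}, "
              f"written {c['first']} .. {c['last']}")
        print(avenger_script(c["paths"]))
```

Exact size is a strong signal only once the cluster is large; with min_count=3 the two 967/971-byte files and the ScUnin pair do not group, which is correct here. Avenger backs up what it removes (the log above shows the backup directory being opened), but the deletion is still destructive, so read the rendered list before handing it to the tool rather than piping the output straight in.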

7
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 03:33:25 PM »
THE NEW COMBO FIX LOG

Administrator - 06-10-28 16:19:08.82    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 


 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols

 
(((((((((((((((((((((((((((((((   Files Created from 2006-09-28 to 2006-10-28  ))))))))))))))))))))))))))))))))))
 
 
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 13:32 217,346 --a------ C:\WINDOWS\srvclxrcpe.exe
2006-10-27 13:31 217,346 --a------ C:\WINDOWS\srvevnbieo.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 02:50 217,346 --a------ C:\WINDOWS\srvwrgleib.exe
2006-10-27 00:15 217,346 --a------ C:\WINDOWS\srvmhtjglh.exe
2006-10-27 00:13 217,346 --a------ C:\WINDOWS\srvxstwlgm.exe
2006-10-27 00:12 217,346 --a------ C:\WINDOWS\srvwhebfkj.exe
2006-10-26 22:27 217,346 --a------ C:\WINDOWS\srvdfmdtpz.exe
2006-10-26 22:26 217,346 --a------ C:\WINDOWS\srvngogrwj.exe
2006-10-26 22:17 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-26 22:17 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-26 20:04 49,428 --a------ C:\WINDOWS\system32\rmuwoiss.dll
2006-10-26 20:03 971 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-26 20:03 69,652 --a------ C:\WINDOWS\system32\eucwried.exe
2006-10-26 12:35 217,346 --a------ C:\WINDOWS\srvhsuncdb.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvposbxek.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvfoqqyfi.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvqbfkjhp.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvgxdftpc.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvcfytgra.exe


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:12 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="C:\\Program Files\\Internet Explorer\\pojogagag.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\meged.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-28 16:19:47.93
C:\ComboFix.txt ... 06-10-28 16:19
C:\ComboFix2.txt ... 06-10-28 14:00


THE REPORT LOG


SDFix: Version 1.32
-------------------

Scan run on:
Sat 10/28/2006

Time:
03:54 PM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Administrator\Desktop\SDFix

                                Stage One...

Checking Services...

Name:
-----

MZU_RK

Path:
----

\??\C:\WINDOWS\system32\MZU_DRV.sys


MZU_RK Deleted...

Repairing Registry...

 
Restoring Default Hosts File...
 
Stage One Complete
 
Rebooting...
 
                                 Stage Two...
 
Checking For Malware:
--------------------
 
C:\WINDOWS\system32\mini3tone.ini
C:\WINDOWS\system32\form.txt
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\ipv6monl.dll
 
Backing Up and Removing any Files Found...
 
                                 Final Check:
 
Services:
---------
 
 
Files:
------


Any files removed are saved to the SDFix\backups Folder

                                 FINISHED

THE NEW HJT PART 2 OF YOUR REQUEST


Logfile of HijackThis v1.99.1
Scan saved at 4:22:10 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\tcpip.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {104FD479-1D03-1C5C-8D76-04C43703AE4D} - C:\WINDOWS\system32\dgaladd.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\qmqhodsn.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: (no name) - {BE118DBF-BA95-4ECE-98D5-C9CC0E22449C} - C:\Program Files\MSN Gaming Zone\mebos.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

8
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 03:29:36 PM »
1. THE NEW HJT

Logfile of HijackThis v1.99.1
Scan saved at 4:15:29 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\tcpip.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {104FD479-1D03-1C5C-8D76-04C43703AE4D} - C:\WINDOWS\system32\dgaladd.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\qmqhodsn.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: (no name) - {BE118DBF-BA95-4ECE-98D5-C9CC0E22449C} - C:\Program Files\MSN Gaming Zone\mebos.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

2. THE REPORT


SDFix: Version 1.32
-------------------

Scan run on:
Sat 10/28/2006

Time:
03:54 PM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Administrator\Desktop\SDFix

                                Stage One...

Checking Services...

Name:
-----

MZU_RK

Path:
----

\??\C:\WINDOWS\system32\MZU_DRV.sys


MZU_RK Deleted...

Repairing Registry...

 
Restoring Default Hosts File...
 
Stage One Complete
 
Rebooting...
 
                                 Stage Two...
 
Checking For Malware:
--------------------
 
C:\WINDOWS\system32\mini3tone.ini
C:\WINDOWS\system32\form.txt
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\ipv6monl.dll
 
Backing Up and Removing any Files Found...
 
                                 Final Check:
 
Services:
---------
 
 
Files:
------


Any files removed are saved to the SDFix\backups Folder

                                 FINISHED

3. QOOFIX REPORT

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [10/28/2006] at [4:03:50 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [10/28/2006] at [4:04:58 PM]

Note: Some registry keys may have been removed.

4. VUNDOFIX REPORT

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 4:06:05 PM 10/28/2006

Listing files found while scanning....

C:\WINDOWS\system32\dgaladd.dll
C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.bak2

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\dgaladd.dll
C:\WINDOWS\system32\dgaladd.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Rest I will continue on next post

9
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 02:08:33 PM »
INSTALLED SOFTWARE (86) - E-0B828A199F114 - 10/28/2006 3:06:20 PM

Ad-Aware SE Personal
ATI - Software Uninstall Utility Ver: 6.14.10.1012
ATI Catalyst Control Center Ver: 1.2.1949.42406 Installed: 12/31/2001
ATI Control Panel Ver: 6.14.10.5154
ATI Display Driver Ver: 8.252-060503a-032464C-ATI
AVG Anti-Spyware 7.5
AVG Free Edition
HijackThis 1.99.1 Ver: 1.99.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 12/31/2001
Mozilla Firefox (1.0.7) Ver: 1.0.7 (en-US)
MSN Messenger 7.5 Ver: 7.5.0306.0 Installed: 10/27/2006
MSN Music Assistant
Platform Ver: 1.12 Installed: 1/1/2002
Security Update for Windows Media Player (KB911564)  Installed: 10/27/2006
Security Update for Windows Media Player 10 (KB917734)  Installed: 10/27/2006
Security Update for Windows Media Player 9 (KB917734)  Installed: 10/27/2006
Security Update for Windows XP (KB890046) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB893756) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896358) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896423) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB896424) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896428) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB899587) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB899589) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB899591) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB900725) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB901017) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB901190) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB901214) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB902400) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB904706) Ver: 2 Installed: 10/27/2006
Security Update for Windows XP (KB905414) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB905749) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB908519) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911562) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911567) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911927) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB912919) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB914388) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB914389) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917344) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917422) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917953) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB918439) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB918899) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB919007) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920214) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920670) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920683) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920685) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB921398) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB921883) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB922616) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB922819) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB923191) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB923414) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB924191) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB924496) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB925486) Ver: 1 Installed: 10/27/2006
Spybot - Search & Destroy 1.4 Ver: 1.4
Starcraft
Update for Windows XP (KB894391) Ver: 1 Installed: 10/26/2006
Update for Windows XP (KB898461) Ver: 1 Installed: 10/26/2006
Update for Windows XP (KB900485) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB908531) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB910437) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB911280) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB916595) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB920872) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB922582) Ver: 1 Installed: 10/27/2006
VIA Platform Device Manager Ver: 1.12 Installed: 1/1/2002
WebFldrs XP Ver: 9.50.7523 Installed: 12/31/2001
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890859 Ver: 1 Installed: 10/26/2006
Windows XP Hotfix - KB891781 Ver: 20050110.165439
WinZip Ver:  9.0 SR-1 (6224)

10
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 01:55:23 PM »
HJT closes the moment I click Save list... I will try to manually list the programs I see, but I will exclude stuff such as Security Update for Windows XP, Update for Windows XP, and Windows XP Hotfix.

ad-aware se
ati software uninstall utility
ati catalyst control center
ati control panel
ati display driver
avg anti-spyware
avg free edition
HJT 1.99.1
microsoft .NET framework 1.1
mozilla
msn messenger 7.5
msn music assistant
spybot S&D
starcraft
VIA platform device manager
windows installer 3.1
winzip

11
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 01:39:40 PM »
I followed your above steps, but the list you want me to get when I click the Save List... button isn't prompting me where to save it, so I don't know how to get the list to you. I tried to manually shift-select all of the items, but that didn't work. Here is the new HJT list

Logfile of HijackThis v1.99.1
Scan saved at 2:31:15 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\mmputt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\tcpip.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [sys027993650414] C:\WINDOWS\sys027993650414.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hnydjtb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hnydjtb.dll,ldaliqf
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinppem.exe GEN001
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [quiwn] C:\WINDOWS\system32\uhwems.exe reg_run
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregq.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinppem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

12
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 01:05:29 PM »
Administrator - 06-10-28 13:56:13.81    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((   E-Give / Ssk's Log   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Application Data\Dxcdmns.dll
C:\Documents and Settings\Administrator\Application Data\Dxcknwrd.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 

C:\Documents and Settings\Administrator\Application Data\Install.dat
C:\WINDOWS\system32\aaa00000.sys
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Documents and Settings\All Users\Documents\Settings
C:\WINDOWS\RS1UZWNo

 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols

 
(((((((((((((((((((((((((((((((   Files Created from 2006-09-28 to 2006-10-28  ))))))))))))))))))))))))))))))))))
 
 
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 13:32 217,346 --a------ C:\WINDOWS\srvclxrcpe.exe
2006-10-27 13:31 217,346 --a------ C:\WINDOWS\srvevnbieo.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 02:50 217,346 --a------ C:\WINDOWS\srvwrgleib.exe
2006-10-27 00:15 217,346 --a------ C:\WINDOWS\srvmhtjglh.exe
2006-10-27 00:13 217,346 --a------ C:\WINDOWS\srvxstwlgm.exe
2006-10-27 00:12 217,346 --a------ C:\WINDOWS\srvwhebfkj.exe
2006-10-26 22:27 217,346 --a------ C:\WINDOWS\srvdfmdtpz.exe
2006-10-26 22:26 217,346 --a------ C:\WINDOWS\srvngogrwj.exe
2006-10-26 22:17 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-26 22:17 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-26 20:04 49,428 --a------ C:\WINDOWS\system32\rmuwoiss.dll
2006-10-26 20:03 971 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-26 20:03 69,652 --a------ C:\WINDOWS\system32\eucwried.exe
2006-10-26 20:03 645,804 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2006-10-26 12:35 217,346 --a------ C:\WINDOWS\srvhsuncdb.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvposbxek.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvfoqqyfi.exe
2006-10-26 12:32 688,180 ---hs---- C:\WINDOWS\system32\vtutt.dll
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvqbfkjhp.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvgxdftpc.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvcfytgra.exe


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:12 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"hfd59da9"="RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"_mzu_stonedrv3"="c:\\windows\\system32\\_mzu_stonedrv3.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="C:\\Program Files\\Internet Explorer\\pojogagag.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\meged.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\oqdsregq.exe GEN001"
"item"="TA_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\swinppem.exe GEN001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADeck"
"hkey"="HKLM"
"command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKCU"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swinppem"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\swinppem.exe GEN001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hnydjtb.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hnydjtb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\hnydjtb.dll,ldaliqf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmcrat06]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmputt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\mmputt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quiwn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uhwems"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\uhwems.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys027993650414]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys027993650414"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys027993650414.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_mzu_stonedrv3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_mzu_stonedrv3"
"hkey"="HKCU"
"command"="c:\\windows\\system32\\_mzu_stonedrv3.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-28 14:00:57.26
C:\ComboFix.txt ... 06-10-28 14:00

13
Tech Clinic / Command Service / Downloader.tibs
« on: October 28, 2006, 12:49:07 PM »
Thanks for the help beforehand. So my computer was recently reformatted, then all types of viruses and spyware popped up when I connected to the internet. Among the many issues was downloader.tibs, which AVG Anti-Virus can't get rid of. After some steps I was informed to turn System Restore off, DL AVG Anti-Spyware, update, run in safe mode, fix the problem and restart. Then I reran AVG Anti-Virus and the problem was gone. But then I opened IE and AVG went crazy with all types of viruses and Downloader.Tibs resurfacing. And BTW I keep getting this error: "Error loading w004ddaa.dll The specified module could not be found". I downloaded Spybot S&D and found the source to be Command Service. Of the 3 problems found in Command Service only 1 can be deleted. I don't know if I explained my situation enough, but here is the HJT

Logfile of HijackThis v1.99.1
Scan saved at 1:18:15 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\tcpip.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
