

Messages - Chris24

1
Tech Clinic / ligijowe.dll, Please help
« on: August 17, 2009, 02:20:39 PM »
Hi, I need some help with my machine.
Saturday, I found that my machine has been infected.
I installed and ran Spyware Doctor and also Malwarebytes. I don't see this DLL now when I run HijackThis but am sure it's there somewhere.

Attached are the log files for HijackThis and Malwarebytes.

############### HijackThis log starts #############
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:11:45 PM, on 8/17/2009
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\SCardSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
C:\WINDOWS\system32\DWRCS.EXE
C:\Program Files\Citrix\ICA Client\ssonsvr.exe
C:\Program Files\iPass\iPassConnect\iPCAgent.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\Network Associates\VirusScan\Mcshield.exe
C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\McAfee\Common Framework\naPrdMgr.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Spyware Doctor\pctsSvc.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\cryptainersrv.exe
C:\WINDOWS\system32\CCM\CcmExec.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\DWRCST.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\iPass\iPassConnect\downloader\ipccheck.exe
C:\Program Files\Messenger\Msmsgs.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\PROGRA~1\MICROS~2\Office12\OUTLOOK.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\MATRIX10.6\BIN\winnt\mql.exe
C:\MATRIX10.6\BIN\winnt\mql.exe
C:\MATRIX10.6\BIN\winnt\mql.exe
C:\MATRIX10.6\BIN\winnt\mql.exe
C:\PROGRA~1\EDITPL~1\EDITPLUS.EXE
C:\Program Files\CuteFTP\cutftp32.exe
C:\WINDOWS\system32\mstsc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\TextPad 4\TextPad.exe
C:\Program Files\Wisdom-soft ScreenHunter 5 Free\ScreenHunter.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.eenadu.net/home.asp
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_14\bin\ssv.dll
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O4 - HKLM\..\Run: [DameWare MRC Agent] C:\WINDOWS\system32\DWRCST.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\Msmsgs.exe" /background
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\wweb32.dll/lookup.html
O8 - Extra context menu item: Add to Google Photos Screensa&ver - res://C:\WINDOWS\system32\GPhotos.scr/200
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.prod.miswaco.com
O15 - Trusted Zone: *.web.miswaco.com
O15 - Trusted Zone: *.prod.miswaco.com (HKLM)
O15 - Trusted Zone: *.web.miswaco.com (HKLM)
O16 - DPF: {493ACF15-5CD9-4474-82A6-91670C3DD66E} (LinkedIn ContactFinderControl) - http://www.linkedin.com/cab/LinkedInContactFinderControl.cab
O16 - DPF: {6B75345B-AA36-438A-BBE6-4078B4C6984D} (HpProductDetection Class) - http://h20270.www2.hp.com/ediags/gmn2/inst...ctDetection.cab
O16 - DPF: {CAFECAFE-0013-0001-0029-ABCDEFABCDEF} (JInitiator 1.3.1.29) -
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = net.smith.com
O17 - HKLM\Software\..\Telephony: DomainName = net.smith.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = net.smith.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = net.smith.com
O20 - AppInit_DLLs:  ,
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Bluetooth Service (btwdins) - Broadcom Corporation. - C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
O23 - Service: Juniper Network Connect Service (dsNcService) - Juniper Networks - C:\Program Files\Juniper Networks\Common Files\dsNcService.exe
O23 - Service: DameWare Mini Remote Control (DWMRCS) - DameWare Development LLC - C:\WINDOWS\system32\DWRCS.EXE
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: iPassConnectEngine - iPass - C:\Program Files\iPass\iPassConnect\iPassConnectEngine.exe
O23 - Service: iPCAgent - iPass, Inc. - C:\Program Files\iPass\iPassConnect\iPCAgent.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: Network Associates McShield (McShield) - McAfee, Inc. - C:\Program Files\Network Associates\VirusScan\Mcshield.exe
O23 - Service: Network Associates Task Manager (McTaskManager) - Network Associates, Inc. - C:\Program Files\Network Associates\VirusScan\VsTskMgr.exe
O23 - Service: NeoterisSetupService - Juniper Networks - C:\Program Files\Neoteris\Installer Service\NeoterisSetupService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: Roxio UPnP Renderer 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUPnPRenderer9.exe
O23 - Service: Roxio Upnp Server 9 - Sonic Solutions - C:\Program Files\Roxio\Digital Home 9\RoxioUpnpService9.exe
O23 - Service: LiveShare P2P Server 9 (RoxLiveShare9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxLiveShare9.exe
O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Cryptainer service (ssoftservice) - Cypherix Software (India) Pvt. Ltd. - C:\WINDOWS\SYSTEM32\cryptainersrv.exe

--
End of file - 9239 bytes

############### HijackThis log ends #############


############### Malwarebytes log starts #############
Malwarebytes' Anti-Malware 1.40
Database version: 2633
Windows 5.1.2600 Service Pack 2

8/16/2009 5:30:08 PM
mbam-log-2009-08-16 (17-30-08).txt

Scan type: Quick Scan
Objects scanned: 101056
Time elapsed: 12 minute(s), 31 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)

############### Malwarebytes log ends #############

2
Tech Clinic / trojan infected..pls help, HijackThis log
« on: May 16, 2008, 10:32:30 PM »
Yes I had added those entries.

Thank you very much for your help. It looks fine now.

As a small token of my appreciation, I have made a small payment to your paypal account.

Thank you once again.

Also, can you please advise me on some software that I can install so I don't get into this mess again.

I have stopped logging in using my admin account unless it's required.

3
Tech Clinic / trojan infected..pls help, HijackThis log
« on: May 15, 2008, 09:44:39 PM »
Following is the HijackThis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:48:37 PM, on 5/15/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\PROGRA~1\Yahoo!\YUM\yum.exe
C:\Program Files\EditPlus 2\editplus.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-21-3943393980-1111375530-1268058753-1009\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background (User 'Malathi')
O4 - HKUS\S-1-5-21-3943393980-1111375530-1268058753-1009\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe (User 'Malathi')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://us8l.hpwis.com
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O15 - Trusted Zone: www.corp.smith.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157908995765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_mywebe...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9631 bytes


Please advise.
Thank you very much for helping me out.

4
Tech Clinic / trojan infected..pls help, HijackThis log
« on: May 15, 2008, 09:43:25 PM »
Here is the OTMoveIt log:
C:\Program Files\q330994.exe moved successfully.
C:\WINDOWS\cvchost.exe moved successfully.
C:\WINDOWS\egcng.dat moved successfully.
C:\WINDOWS\givip.dat moved successfully.
C:\WINDOWS\msstasks.exe moved successfully.
C:\WINDOWS\mssys.com moved successfully.
C:\WINDOWS\mstaskss.exe moved successfully.
C:\WINDOWS\msxmidi.exe moved successfully.
C:\WINDOWS\ntldr.exe moved successfully.
C:\WINDOWS\rocky.exe moved successfully.
C:\WINDOWS\seksdialer.exe moved successfully.
C:\WINDOWS\vjrkb.dat moved successfully.
C:\WINDOWS\vsdbk.dat moved successfully.
C:\WINDOWS\worst.dat moved successfully.
C:\WINDOWS\system\system.exe moved successfully.
C:\WINDOWS\system\wmscrop.exe moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\d2kpax.dll
C:\WINDOWS\system32\d2kpax.dll NOT unregistered.
C:\WINDOWS\system32\d2kpax.dll moved successfully.
C:\WINDOWS\system32\d2kpax.exe moved successfully.
C:\WINDOWS\system32\dntwj.dat moved successfully.
C:\WINDOWS\system32\hahhu.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\jac.dll
C:\WINDOWS\system32\jac.dll NOT unregistered.
C:\WINDOWS\system32\jac.dll moved successfully.
C:\WINDOWS\system32\lmzri.dat moved successfully.
C:\WINDOWS\system32\lqvef.dat moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\msxslab.dll
C:\WINDOWS\system32\msxslab.dll NOT unregistered.
C:\WINDOWS\system32\msxslab.dll moved successfully.
C:\WINDOWS\system32\qjeuv.dat moved successfully.
C:\Temp moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\hijnffgr.dll
C:\WINDOWS\system32\hijnffgr.dll NOT unregistered.
C:\WINDOWS\system32\hijnffgr.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\vwnbyduq.dll
C:\WINDOWS\system32\vwnbyduq.dll NOT unregistered.
C:\WINDOWS\system32\vwnbyduq.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\ktkuqcrk.dll
C:\WINDOWS\system32\ktkuqcrk.dll NOT unregistered.
C:\WINDOWS\system32\ktkuqcrk.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\iorvuhgh.dll
C:\WINDOWS\system32\iorvuhgh.dll NOT unregistered.
C:\WINDOWS\system32\iorvuhgh.dll moved successfully.
C:\WINDOWS\BM348c2f85.xml moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\fccdcBQI.dll
C:\WINDOWS\system32\fccdcBQI.dll NOT unregistered.
C:\WINDOWS\system32\fccdcBQI.dll moved successfully.
LoadLibrary failed for C:\WINDOWS\system32\yayxvWMg.dll
C:\WINDOWS\system32\yayxvWMg.dll NOT unregistered.
C:\WINDOWS\system32\yayxvWMg.dll moved successfully.
 
OTMoveIt2 by OldTimer - Version 1.0.4.1 log created on 05152008_214624

5
Tech Clinic / trojan infected..pls help, HijackThis log
« on: May 14, 2008, 07:01:35 PM »
Following is the HijackThis log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:03:40 PM, on 5/14/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ycomp/def...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: UberButton Class - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: YahooTaggedBM Class - {65D886A2-7CA7-479B-BB95-14D1EFB7946A} - C:\Program Files\Yahoo!\Common\YIeTagBm.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [CamMonitor] C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
O4 - HKLM\..\Run: [RoxioEngineUtility] "C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe"
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe"
O4 - HKLM\..\Run: [CaAvTray] "C:\Program Files\Yahoo!\Antivirus\CAVTray.exe"
O4 - HKLM\..\Run: [CAVRID] "C:\Program Files\Yahoo!\Antivirus\CAVRID.exe"
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [IPInSightLAN 02] "C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" -l
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O4 - Global Startup: WordWeb.lnk = C:\Program Files\WordWeb\wweb32.exe
O8 - Extra context menu item: &WordWeb... - res://C:\WINDOWS\System32\wweb32.dll/lookup.html
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.pctools.com
O15 - Trusted Zone: http://yahoo.sbc.com
O15 - Trusted Zone: smithlink.smith.com
O15 - Trusted Zone: www.corp.smith.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://photo.walgreens.com/WalgreensActivia.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {56762DEC-6B0D-4AB4-A8AD-989993B5D08B} (OnlineScanner Control) - http://www.eset.eu/OnlineScanner.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdat...b?1157908995765
O16 - DPF: {AB86CE53-AC9F-449F-9399-D8ABCA09EC09} (Get_ActiveX Control) - https://h17000.www1.hp.com/ewfrf-JAVA/Secur...loadManager.ocx
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697514} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp3_mp3.cab
O16 - DPF: {C5E28B9D-0A68-4B50-94E9-E8F6B4697516} (NsvPlayX Control) - http://www.nullsoft.com/nsv/embed/nsvplayx_vp6_mp3.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo.com/ocx/us/yexplorer1_9us.cab
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://freetrial.webex.com/client/v_mywebe...bex/ieatgpc.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://nc.smith.com/dana-cached/setup/JuniperSetupSP1.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

--
End of file - 9199 bytes


Please advise.

6
Tech Clinic / trojan infected..pls help, HyjackThis log
« on: May 14, 2008, 07:00:23 PM »
ComboFix log is as follows:
ComboFix 08-05-12.1 - VAMSHI ATMAKUR 2008-05-14 18:24:29.2 - NTFSx86
Running from: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\CFScript.txt
 * Created a new restore point

[color="red"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\maxsv15
C:\Temp\maxsv15\rLCubd.log
C:\VundoFix Backups
C:\VundoFix Backups\cbeeg.bak1.bad
C:\VundoFix Backups\cbeeg.bak2.bad
C:\VundoFix Backups\cbeeg.ini.bad
C:\VundoFix Backups\cbeeg.ini2.bad
C:\VundoFix Backups\cbeeg.tmp.bad
C:\WINDOWS\system32\2033b
C:\WINDOWS\system32\bkEur01
C:\WINDOWS\system32\hNF
C:\WINDOWS\system32\Ndb2
C:\WINDOWS\system32\rgffnjih.ini
C:\WINDOWS\system32\vdTMP

.
(((((((((((((((((((((((((   Files Created from 2008-04-14 to 2008-05-14  )))))))))))))))))))))))))))))))
.

2008-05-14 18:16 . 2008-05-14 18:16 <DIR> d-------- C:\WINDOWS\LastGood
2008-05-13 20:24 . 2008-05-13 23:15 <DIR> d-------- C:\Program Files\EsetOnlineScanner
2008-05-12 21:05 . 2008-05-12 21:05 114,688 --a------ C:\WINDOWS\system32\hijnffgr.dll
2008-05-12 21:02 . 2008-05-12 21:02 132,608 --a------ C:\WINDOWS\system32\vwnbyduq.dll
2008-05-12 20:59 . 2008-05-12 22:20 124,416 --------- C:\WINDOWS\system32\ktkuqcrk.dll
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 20:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 20:55 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-11 21:22 . 2008-05-12 20:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 16:08 . 2008-05-11 16:08 125,440 --a------ C:\WINDOWS\system32\iorvuhgh.dll
2008-05-11 16:08 . 2008-05-12 20:59 109,807 --a------ C:\WINDOWS\BM348c2f85.xml
2008-05-11 16:04 . 2008-05-12 22:20 372,224 --------- C:\WINDOWS\system32\fccdcBQI.dll
2008-05-11 15:57 . 2008-05-12 22:20 52,736 --------- C:\WINDOWS\system32\yayxvWMg.dll
2008-05-04 09:52 . 2008-05-04 09:53 <DIR> d-------- C:\Program Files\SopCast

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 23:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 21:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-11 21:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-11 21:34 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-07 13:29 47,344 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\GDIPFONTCACHEV1.DAT
2006-01-08 17:03 560 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\ViewerApp.dat
2004-08-21 14:51 21,447 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Favorites.zip
2004-07-31 16:23 0 --sh--r C:\Program Files\q330994.exe
2004-07-23 01:45 1,160,964 ----a-w C:\Documents and Settings\Guest\wrar34b2.exe
2004-07-23 01:44 9,228,986 ----a-w C:\Documents and Settings\Guest\vlc-0.7.2-win32.exe
2004-07-23 01:41 3,292,584 ----a-w C:\Documents and Settings\Guest\DivXPlayerInstaller.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\cvchost.exe
2004-06-28 09:02 2,926 --sha-w C:\WINDOWS\egcng.dat
2004-07-03 03:37 2,926 --sha-w C:\WINDOWS\givip.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msstasks.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mssys.com
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mstaskss.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msxmidi.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\ntldr.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\rocky.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\seksdialer.exe
2004-07-04 04:47 2,926 --sha-w C:\WINDOWS\vjrkb.dat
2004-06-21 09:24 2,926 --sha-w C:\WINDOWS\vsdbk.dat
2004-07-03 22:27 2,926 --sha-w C:\WINDOWS\worst.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\system.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\wmscrop.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.dll
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.exe
2004-07-10 03:00 2,926 --sha-w C:\WINDOWS\system32\dntwj.dat
2004-07-07 21:08 2,926 --sha-w C:\WINDOWS\system32\hahhu.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\jac.dll
2004-07-10 00:28 2,926 --sha-w C:\WINDOWS\system32\lmzri.dat
2004-06-27 23:19 2,926 --sha-w C:\WINDOWS\system32\lqvef.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\msxslab.dll
2004-07-13 10:44 2,926 --sha-w C:\WINDOWS\system32\qjeuv.dat
.

((((((((((((((((((((((((((((((((((((((((((((   Look   )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Temp ----

2008-05-11 15:57 1858 --a------ C:\Temp\maxsv15\rLCubd.log
2006-01-22 16:02 18179 --a------ C:\Temp\fftrace.log
2005-12-15 21:05 851 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-12-15-2005-20-02-54.log
2005-11-07 21:54 879 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-11-07-2005-20-52-01.log
2005-10-18 20:42 1562 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-10-18-2005-20-39-35.log
2005-08-20 12:13 1618 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-08-20-2005-12-10-27.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-41.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-39.log
2005-05-01 18:29 14432 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-26-16.log
2005-05-01 18:08 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-05-59.log
2005-05-01 18:06 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-18-03-20.log
2005-05-01 17:52 844 --a------ C:\Temp\mxAEFAdminRegDynamicNaming-05-01-2005-17-49-17.log
2003-11-18 09:31 69101 --------- C:\Temp\ETH1.jpg
2003-11-18 09:26 112 --------- C:\Temp\QuickStartGuide.html


(((((((((((((((((((((((((((((   snapshot@2008-05-12_22.50.06.34   )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-13 03:39:25 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-14 23:12:42 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2007-07-27 20:49:02 196,683 ----a-w C:\WINDOWS\system32\lnod32apiA.dll
+ 2007-07-27 20:49:02 225,355 ----a-w C:\WINDOWS\system32\lnod32apiW.dll
+ 2005-12-06 01:25:22 139,264 ----a-w C:\WINDOWS\system32\lnod32umc.dll
+ 2005-12-05 18:37:10 106,496 ----a-w C:\WINDOWS\system32\lnod32upd.dll
+ 2007-08-02 23:11:28 253,952 ----a-w C:\WINDOWS\system32\OnlineScannerDLLA.dll
+ 2007-08-02 23:11:14 241,664 ----a-w C:\WINDOWS\system32\OnlineScannerDLLW.dll
+ 2007-08-06 18:17:40 19,456 ----a-w C:\WINDOWS\system32\OnlineScannerLang.dll
+ 2007-06-13 16:10:34 77,824 ----a-w C:\WINDOWS\system32\OnlineScannerUninstaller.exe
.
(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00 335872]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23 90112]
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 20:23 868352]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-02-05 18:26 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-02-05 18:26 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 20:49 397312]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2004-07-24 11:10:43 18432]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 17:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 12:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 14:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 15:26]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-22 05:05]
R3 WedgeTransport;IPSec Adapter;C:\WINDOWS\system32\DRIVERS\VIPSecMP.sys [2004-03-09 18:20]
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys [2004-12-07 16:00]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\VAMSHI~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23]
S3 P1001VID;Creative WebCam (WDM);C:\WINDOWS\system32\DRIVERS\P1001Vid.sys [2002-06-03 21:38]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-02-09 15:50]
S4 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe [2002-04-26 17:29]
S4 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice []
S4 OracleServiceVAMSHI;OracleServiceVAMSHI;c:\oracle\ora92\bin\ORACLE.EXE VAMSHI []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-14 23:15:58 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-07-23 23:08:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-14 18:31:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="C:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\system\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll
.
Completion time: 2008-05-14 18:41:07
ComboFix-quarantined-files.txt  2008-05-14 23:40:53
ComboFix2.txt  2008-05-13 03:51:14
ComboFix3.txt  2007-06-18 01:16:17

Pre-Run: 23,959,216,128 bytes free
Post-Run: 23,951,253,504 bytes free

203 --- E O F --- 2008-05-09 02:59:52

7
Tech Clinic / trojan infected..pls help, HyjackThis log
« on: May 13, 2008, 11:16:20 PM »
Sorry for the delay.
Following is the ESET log:

# version=4
# OnlineScanner.ocx=1.0.0.56
# OnlineScannerDLLA.dll=1, 0, 0, 51
# OnlineScannerDLLW.dll=1, 0, 0, 51
# OnlineScannerUninstaller.exe=1, 0, 0, 49
# vers_standard_module=3096 (20080513)
# vers_arch_module=1.064 (20080214)
# vers_adv_heur_module=1.064 (20070717)
# EOSSerial=17ab7f944722ff4daae1e8ba992eeea1
# end=finished
# remove_checked=true
# unwanted_checked=true
# utc_time=2008-05-14 04:15:41
# local_time=2008-05-13 11:15:41 (-0600, Central Daylight Time)
# country="United States"
# osver=5.1.2600 NT Service Pack 2
# scanned=1076803
# found=11
# scan_time=10096
C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Quarantine\QUAR1.33375 probably a variant of Win32/TrojanDownloader.PurityScan trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2007-06-17_201249.35.zip Win32/Rootkit.Agent.EQ trojan (deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\catchme2007-06-17_201249.35.zip »ZIP »core.sys Win32/Rootkit.Agent.EQ trojan (error while cleaning - operation unavailable for this type of object - error while deleting - operation unavailable for this type of object - was a part of the deleted object) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\zxbowokA.exe.vir probably a variant of Win32/TrojanDownloader.VB trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\QooBox\Quarantine\C\WINDOWS\system32\dwncfpac.dll.vir Win32/Adware.Virtumonde.KI application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\geebc.dll.bad Win32/Adware.Virtumonde application (unable to clean - deleted) 00000000000000000000000000000000
C:\VundoFix Backups\pmnnoon.dll.bad Win32/TrojanDownloader.ConHook.NAI trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\browser.exe probably a variant of Win32/Agent trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\kstbripf.exe Win32/PrivacySet.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\mbempmqt.exe Win32/PrivacySet.A trojan (unable to clean - deleted) 00000000000000000000000000000000
C:\WINDOWS\system32\bkEur01\bkEur011065.exe a variant of Win32/TrojanDownloader.VB.AW trojan (unable to clean - deleted) 00000000000000000000000000000000


Please advise.

8
Tech Clinic / trojan infected..pls help, HyjackThis log
« on: May 12, 2008, 10:56:52 PM »
Hi,
Following is the ComboFix log:
ComboFix 08-05-12.1 - VAMSHI ATMAKUR 2008-05-12 22:28:36.1 - NTFSx86
Running from: C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\ComboFix.exe
 * Created a new restore point

[color="red"]WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !![/color]
.

(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\acsegbhk.ini
C:\WINDOWS\system32\cbeeg.tmp2
C:\WINDOWS\system32\cyinxphn.ini
C:\WINDOWS\system32\IQBcdccf.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\win
C:\WINDOWS\zxbowokA.exe

.
(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TNIDRIVER
-------\Service_TnIDriver


(((((((((((((((((((((((((   Files Created from 2008-04-13 to 2008-05-13  )))))))))))))))))))))))))))))))
.

2008-05-12 21:05 . 2008-05-12 21:05 114,688 --a------ C:\WINDOWS\system32\hijnffgr.dll
2008-05-12 21:05 . 2008-05-12 22:41 474 ---hs---- C:\WINDOWS\system32\rgffnjih.ini
2008-05-12 21:02 . 2008-05-12 21:02 132,608 --a------ C:\WINDOWS\system32\vwnbyduq.dll
2008-05-12 21:02 . 2008-05-12 21:02 2,048 --a------ C:\WINDOWS\system32\mbempmqt.exe
2008-05-12 20:59 . 2008-05-12 22:20 124,416 --------- C:\WINDOWS\system32\ktkuqcrk.dll
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-12 20:56 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-12 20:56 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-12 20:56 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-12 20:55 . 2008-05-12 20:56 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-12 20:53 . 2008-05-12 20:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg8
2008-05-11 21:22 . 2008-05-12 20:29 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-11 16:10 . 2008-05-11 16:10 2,048 --a------ C:\WINDOWS\system32\kstbripf.exe
2008-05-11 16:08 . 2008-05-11 16:08 125,440 --a------ C:\WINDOWS\system32\iorvuhgh.dll
2008-05-11 16:08 . 2008-05-12 20:59 109,807 --a------ C:\WINDOWS\BM348c2f85.xml
2008-05-11 16:04 . 2008-05-12 22:20 372,224 --------- C:\WINDOWS\system32\fccdcBQI.dll
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\vdTMP
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\Ndb2
2008-05-11 15:57 . 2008-05-12 22:20 <DIR> d-------- C:\WINDOWS\system32\hNF
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\WINDOWS\system32\bkEur01
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\WINDOWS\system32\2033b
2008-05-11 15:57 . 2008-05-11 15:57 <DIR> d-------- C:\Temp\maxsv15
2008-05-11 15:57 . 2008-05-12 22:20 52,736 --------- C:\WINDOWS\system32\yayxvWMg.dll
2008-05-04 09:52 . 2008-05-04 09:53 <DIR> d-------- C:\Program Files\SopCast

.
((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-12 00:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-11 23:53 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-05-11 21:35 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-05-11 21:34 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2008-05-11 21:34 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2008-05-11 21:34 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-19 09:47 1,845,248 ------w C:\WINDOWS\system32\dllcache\win32k.sys
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 06:51 282,624 ------w C:\WINDOWS\system32\dllcache\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
2008-02-20 05:32 45,568 ------w C:\WINDOWS\system32\dllcache\dnsrslvr.dll
2008-02-20 05:32 148,992 ------w C:\WINDOWS\system32\dllcache\dnsapi.dll
2008-02-16 22:29 3,059,712 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
2008-02-15 09:23 18,432 ------w C:\WINDOWS\system32\dllcache\iedw.exe
2007-03-07 13:29 47,344 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\GDIPFONTCACHEV1.DAT
2006-01-08 17:03 560 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Application Data\ViewerApp.dat
2004-08-21 14:51 21,447 ----a-w C:\Documents and Settings\VAMSHI ATMAKUR\Favorites.zip
2004-07-31 16:23 0 --sh--r C:\Program Files\q330994.exe
2004-07-23 01:45 1,160,964 ----a-w C:\Documents and Settings\Guest\wrar34b2.exe
2004-07-23 01:44 9,228,986 ----a-w C:\Documents and Settings\Guest\vlc-0.7.2-win32.exe
2004-07-23 01:41 3,292,584 ----a-w C:\Documents and Settings\Guest\DivXPlayerInstaller.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\cvchost.exe
2004-06-28 09:02 2,926 --sha-w C:\WINDOWS\egcng.dat
2004-07-03 03:37 2,926 --sha-w C:\WINDOWS\givip.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msstasks.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mssys.com
2004-07-31 16:23 0 --sh--r C:\WINDOWS\mstaskss.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\msxmidi.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\ntldr.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\rocky.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\seksdialer.exe
2004-07-04 04:47 2,926 --sha-w C:\WINDOWS\vjrkb.dat
2004-06-21 09:24 2,926 --sha-w C:\WINDOWS\vsdbk.dat
2004-07-03 22:27 2,926 --sha-w C:\WINDOWS\worst.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\system.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system\wmscrop.exe
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.dll
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\d2kpax.exe
2004-07-10 03:00 2,926 --sha-w C:\WINDOWS\system32\dntwj.dat
2004-07-07 21:08 2,926 --sha-w C:\WINDOWS\system32\hahhu.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\jac.dll
2004-07-10 00:28 2,926 --sha-w C:\WINDOWS\system32\lmzri.dat
2004-06-27 23:19 2,926 --sha-w C:\WINDOWS\system32\lqvef.dat
2004-07-31 16:23 0 --sh--r C:\WINDOWS\system32\msxslab.dll
2004-07-13 10:44 2,926 --sha-w C:\WINDOWS\system32\qjeuv.dat
.

(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{20AFE46C-B5B2-46FB-820B-75AB0066558A}]
   C:\WINDOWS\system32\geebc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8709e651-514d-424f-ac80-b4de631f6762}]
2008-05-12 21:02 132608 --a------ C:\WINDOWS\system32\vwnbyduq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{d905490f-7eef-48be-8bc5-1ce778714bac}]
   C:\WINDOWS\system32\ypuigup.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f611b61e-b4c8-471d-932b-8466e2bb9f75}]
   C:\WINDOWS\System32\cdfesk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2006-11-30 22:49 4662776]
"uninstal"="regsvr32 /u /s image.dll" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2004-05-15 21:00 335872]
"CamMonitor"="C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe" [2002-10-07 03:23 90112]
"MMTray"="" []
"RoxioEngineUtility"="C:\Program Files\Common Files\Roxio Shared\System\EngUtil.exe" [2003-05-01 21:44 65536]
"RoxioDragToDisc"="C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe" [2003-07-18 20:23 868352]
"CaAvTray"="C:\Program Files\Yahoo!\Antivirus\CAVTray.exe" [2006-02-05 18:26 230512]
"CAVRID"="C:\Program Files\Yahoo!\Antivirus\CAVRID.exe" [2006-02-05 18:26 185456]
"YOP"="C:\PROGRA~1\Yahoo!\YOP\yop.exe" [2005-04-22 20:49 397312]
"IPInSightLAN 02"="C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe" [2003-06-11 02:52 380928]
"HP Software Update"="C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2006-11-03 19:20 866584]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-23 10:39 180269]
"37bf1c19"="C:\WINDOWS\system32\hijnffgr.dll" [2008-05-12 21:05 114688]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"DWQueuedReporting"="C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" [2007-03-13 16:38 39264]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2004-12-14 04:44:06 29696]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04 83360]
WordWeb.lnk - C:\Program Files\WordWeb\wweb32.exe [2004-07-24 11:10:43 18432]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\cdfesk]
cdfesk.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"C:\\Program Files\\Skype\\Phone\\Skype.exe"=
"C:\\Program Files\\TVUPlayer\\TVUPlayer.exe"=
"C:\\Program Files\\SopCast\\SopCast.exe"=
"C:\\Program Files\\SopCast\\adv\\SopAdver.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=

R0 atiide;atiide;C:\WINDOWS\system32\DRIVERS\atiide.sys [2004-04-14 17:52]
R0 sonypvl3;sonypvl3;C:\WINDOWS\system32\drivers\sonypvl3.sys [2004-09-22 12:55]
R1 sonypvf3;sonypvf3;C:\WINDOWS\system32\drivers\sonypvf3.sys [2004-11-15 14:55]
R1 sonypvt3;sonypvt3;C:\WINDOWS\system32\drivers\sonypvt3.sys [2004-12-06 15:26]
R3 dsNcAdpt;Juniper Network Connect Adapter;C:\WINDOWS\system32\DRIVERS\dsNcAdpt.sys [2006-09-22 05:05]
R3 WedgeTransport;IPSec Adapter;C:\WINDOWS\system32\DRIVERS\VIPSecMP.sys [2004-03-09 18:20]
S1 sonypvd3;Sony DVD Handycam;C:\WINDOWS\system32\DRIVERS\sonypvd3.sys [2004-12-07 16:00]
S2 pciinfo;HP Pci Information;C:\DOCUME~1\VAMSHI~1\LOCALS~1\Temp\HPISPz\hpdom\pciinfo.sys []
S3 OracleOraHome92ClientCache;OracleOraHome92ClientCache;C:\oracle\ora92\BIN\ONRSD.EXE [2002-04-26 19:34]
S3 OracleOraHome92SNMPPeerEncapsulator;OracleOraHome92SNMPPeerEncapsulator;C:\oracle\ora92\BIN\ENCSVC.EXE [2002-02-13 08:23]
S3 OracleOraHome92SNMPPeerMasterAgent;OracleOraHome92SNMPPeerMasterAgent;C:\oracle\ora92\BIN\AGNTSVC.EXE [2002-02-13 08:23]
S3 P1001VID;Creative WebCam (WDM);C:\WINDOWS\system32\DRIVERS\P1001Vid.sys [2002-06-03 21:38]
S3 ZSMC0305;ZVC7100 PC CAMERA (VC0305);C:\WINDOWS\system32\Drivers\usbVM305.sys [2006-02-09 15:50]
S4 OracleOraHome92Agent;OracleOraHome92Agent;C:\oracle\ora92\bin\agntsrvc.exe [2002-04-26 17:29]
S4 OracleOraHome92HTTPServer;OracleOraHome92HTTPServer;"C:\oracle\ora92\Apache\Apache\apache.exe" --ntservice []
S4 OracleServiceVAMSHI;OracleServiceVAMSHI;c:\oracle\ora92\bin\ORACLE.EXE VAMSHI []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-13 03:42:52 C:\WINDOWS\Tasks\MP Scheduled Scan.job"
- C:\Program Files\Windows Defender\MpCmdRun.exe
"2004-07-23 23:08:16 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-12 22:41:35
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92PagingServer]
"ImagePath"="C:\oracle\ora92/bin/pagntsrv.exe"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\OracleOraHome92TNSListener]
"ImagePath"="C:\oracle\ora92\BIN\TNSLSNR "
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\Ati2evxx.dll

PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\hijnffgr.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Yahoo!\Antivirus\iSafe.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2008-05-12 22:51:11 - machine was rebooted
ComboFix-quarantined-files.txt  2008-05-13 03:50:40
ComboFix2.txt  2007-06-18 01:16:17

Pre-Run: 23,515,140,096 bytes free
Post-Run: 24,015,654,912 bytes free

213 --- E O F --- 2008-05-09 02:59:52

9
Tech Clinic / trojan infected..pls help, HyjackThis log
« on: May 12, 2008, 10:54:38 PM »
Thank you very much.

Following is the MBAM log:

Malwarebytes' Anti-Malware 1.12
Database version: 744

Scan type: Full Scan (C:\|)
Objects scanned: 192149
Time elapsed: 1 hour(s), 14 minute(s), 46 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 2
Registry Keys Infected: 13
Registry Values Infected: 2
Registry Data Items Infected: 2
Folders Infected: 2
Files Infected: 25

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\fccdcBQI.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\yayxvWMg.dll (Trojan.Vundo) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{ab374ace-4320-4727-8cba-55bba8958486} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{ab374ace-4320-4727-8cba-55bba8958486} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\yayxvwmg (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM348c2f85 (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{f9df827a-8fa7-48a3-b268-ca4db563ea40} (Trojan.Vundo) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdcbqi -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\fccdcbqi  -> Delete on reboot.

Folders Infected:
C:\Program Files\winvi (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\din3 (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\fccdcBQI.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\IQBcdccf.ini (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\IQBcdccf.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rukgknlr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlnkgkur.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temp\wavvsnet.exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temporary Internet Files\Content.IE5\B7HF7T8W\wavvsnet[1].exe (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Program Files\TTC.dll (Adware.WebSearch) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.7.4\wbuninst.exe.vir (Adware.WebBuying) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\Program Files\Web Buying\v1.7.4\webbuying.exe.vir (Adware.WebBuying) -> Quarantined and deleted successfully.
C:\QooBox\Quarantine\C\WINDOWS\b122.exe.vir (Adware.Softomate) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087480.exe (Adware.Winpop) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087481.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{970BF179-4538-46F7-A171-F13CFC09440B}\RP814\A0087482.exe (Adware.PurityScan) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\din3\PI-setup03x.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hNF\srkawe3.exe (Trojan.StartPage) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\Ndb2\BD-2bin.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vdTMP\bvre32.exe (Adware.ZeroSearch) -> Quarantined and deleted successfully.
C:\Program Files\winvi\Uninst.exe (Adware.SoftMate) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ktkuqcrk.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\pac.txt (Malware.Trace) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\yayxvWMg.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico (Malware.Trace) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Local Settings\Temp\snapsnet.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\Documents and Settings\VAMSHI ATMAKUR\Desktop\Click to Find and Fix Errors.url (Rogue.Link) -> Quarantined and deleted successfully.

Tech Clinic / trojan infected..pls help, HijackThis log
« on: May 12, 2008, 08:08:17 PM »
Hi All,
My laptop got infected yesterday and it's slowing my machine and opening different pop-ups.
Please help.

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 8:01:52 PM, on 5/12/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Yahoo!\Antivirus\ISafe.exe
C:\Program Files\Spyware Doctor\pctsAuxs.exe
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\Program Files\Spyware Doctor\pctsTray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\Unload\hpqcmon.exe
C:\Program Files\Roxio\Easy CD Creator 6\DragToDisc\DrgToDsc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Yahoo!\Antivirus\CAVTray.exe
C:\Program Files\Yahoo!\Antivirus\CAVRID.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Visual Networks\Visual IP InSight\SBC\IPClient.exe
C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\WordWeb\wweb32.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe"  -osboot
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\Spyware Doctor\pctsTray.exe"
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: www.pctools.com
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {3EA4FA88-E0BE-419A-A732-9B79B87A6ED0} (CTVUAxCtrl Object) - http://dl.tvunetworks.com/TVUAx.cab
O16 - DPF: {474F00F5-3853-492C-AC3A-476512BBC336} (UploadListView Class) - http://picasaweb.google.com/s/v/25.23/uploader2.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://go.divx.com/plugin/DivXBrowserPlugin.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: CAISafe - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\ISafe.exe
O23 - Service: FileZilla Server FTP server (FileZilla Server) - Unknown owner - C:\Program Files\FileZilla Server\FileZilla Server.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: OracleOraHome92ClientCache - Unknown owner - C:\oracle\ora92\BIN\ONRSD.EXE
O23 - Service: OracleOraHome92PagingServer - Unknown owner - C:\oracle\ora92/bin/pagntsrv.exe
O23 - Service: OracleOraHome92SNMPPeerEncapsulator - Unknown owner - C:\oracle\ora92\BIN\ENCSVC.EXE
O23 - Service: OracleOraHome92SNMPPeerMasterAgent - Unknown owner - C:\oracle\ora92\BIN\AGNTSVC.EXE
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\pctsSvc.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: VET Message Service (VETMSGNT) - Computer Associates International, Inc. - C:\Program Files\Yahoo!\Antivirus\VetMsg.exe
O23 - Service: YPCService - Yahoo! Inc. - C:\WINDOWS\system32\YPCSER~1.EXE

Please help... :-(
