Author Topic: Command Service / Downloader.tibs  (Read 1224 times)

Offline 1yn

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Command Service / Downloader.tibs
« on: October 28, 2006, 12:49:07 PM »
Thanks for the help beforehand. So my computer was recently reformatted, then all types of virus and spyware popped up when I connected to the internet. Of the many issues was Downloader.tibs, which AVG Anti-Virus can't get rid of. After some steps I was informed to turn System Restore off, DL AVG Anti-Spyware, update, run in Safe Mode, fix the problem and restart. Then I reran AVG Anti-Virus and the problem was gone. But then I opened IE and AVG went crazy with all types of virus and Downloader.Tibs resurfacing. And BTW I keep getting this: Error loading w004ddaa.dll The specified module could not be found. I downloaded Spybot S&D and found the source to be Command Service. Of the 3 problems found in Command Service only 1 can be deleted. I don't know if I explained my situation enough, but here is the HJT:

Logfile of HijackThis v1.99.1
Scan saved at 1:18:15 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\system32\tcpip.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

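The log above is the kind of thing the helpers in this thread read by eye. As an added example, not part of the thread and not code from HijackThis or any other tool mentioned here, the following Python script applies the same triage rules to HijackThis 1.99 lines: an extra program chained into Winlogon's UserInit (F2), rundll32 loading a DLL by bare name so it is found through the DLL search order (O4), use of the Windows 9x RunServices key, programs autostarting straight out of C:\WINDOWS or system32 that are not in a baseline, sites added to the IE Trusted Zone (O15), and orphaned hooks (R3). The sample lines are copied from the log above; the baseline sets of known-good file names are an assumption made for the example.

```python
"""Triage rules for HijackThis 1.99 log lines.

Added example; not code from the thread or from HijackThis itself.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis log posted above.
SAMPLE_LOG = r"""
R3 - URLSearchHook: (no name) - {A8BD6820-6ED7-423E-9558-2D1486B0FEEA} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregq.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

# Assumed baselines (not from the thread): programs and DLLs that legitimately
# autostart straight out of C:\WINDOWS or system32 on a fresh XP SP2 install.
BASELINE_EXES = {"userinit.exe", "ctfmon.exe", "rundll32.exe", "wuauclt.exe"}
BASELINE_DLLS = {"shell32.dll", "nvcpl.dll"}
SYSTEM_DIRS = {r"c:\windows", r"c:\windows\system32"}
USERINIT = r"c:\windows\system32\userinit.exe"

F2_RE = re.compile(r"^F2 - REG:system\.ini: UserInit=(?P<val>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HK\w+)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.+?) = (?P<cmd>.+)$")


@dataclass
class Finding:
    severity: str
    reason: str
    line: str


def _basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _dirname(path):
    p = path.replace("/", "\\").lower()
    return p.rsplit("\\", 1)[0] if "\\" in p else ""


def _split_cmd(cmd):
    """Return (program, arguments). Quoted programs are taken as written; for the
    unquoted paths with spaces that Run keys often hold, cut after the first '.exe'."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    m = re.match(r"(.*?\.exe)\b(.*)$", cmd, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2).strip()
    first, _, rest = cmd.partition(" ")
    return first, rest


def _check_autostart(cmd, line, out):
    prog, args = _split_cmd(cmd)
    if _basename(prog) == "rundll32.exe" and args:
        dll = args.split(",")[0].split()[0]
        if "\\" not in dll:
            out.append(Finding("high", f"rundll32 loads '{dll}' by bare name, resolved through the DLL search order", line))
        elif _basename(dll) not in BASELINE_DLLS:
            out.append(Finding("medium", f"rundll32 loads non-baseline DLL '{_basename(dll)}'", line))
    elif _dirname(prog) in SYSTEM_DIRS and _basename(prog) not in BASELINE_EXES:
        out.append(Finding("medium", f"non-baseline program '{_basename(prog)}' autostarts from a Windows system directory", line))


def triage(log_text):
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if not line:
            continue
        if line.startswith("R3 - ") and line.endswith("(no file)"):
            findings.append(Finding("low", "orphaned URLSearchHook whose file is gone; leftover registration", line))
        elif (m := F2_RE.match(line)):
            progs = [p.strip() for p in m.group("val").split(",") if p.strip()]
            extra = [p for p in progs if p.lower() != USERINIT]
            if extra:
                findings.append(Finding("high", "extra program chained into Winlogon UserInit: " + ", ".join(extra), line))
        elif (m := O4_RE.match(line)):
            if m.group("key").lower().startswith("runservices"):
                findings.append(Finding("high", "RunServices is a Windows 9x key; XP software has no reason to write it", line))
            _check_autostart(m.group("cmd"), line, findings)
        elif (m := STARTUP_RE.match(line)):
            _check_autostart(m.group("cmd"), line, findings)
        elif line.startswith("O15 - Trusted Zone: "):
            findings.append(Finding("medium", "site placed in the IE Trusted Zone, which relaxes ActiveX and scripting limits for it", line))
    return findings


def severity_counts(findings):
    return dict(Counter(f.severity for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:6}] {f.reason}\n         {f.line}")
```

Run as-is it prints seven findings for the sample: the UserInit chain, the bare-name rundll32 load and the RunServices entry as high, the system32 autostarts and the Trusted Zone site as medium, the orphaned hook as low; the ATI, IME, MSN Messenger and AVG lines pass. The allowlist approach is deliberate: random-looking names cannot be recognised reliably, but a program that autostarts from a Windows system directory and is not on a short known-good list always deserves a look.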
Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Command Service / Downloader.tibs
« Reply #1 on: October 28, 2006, 12:53:57 PM »
Download this file - Combofix.exe - and save it to your desktop.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you.
Note:
Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

Post the log from ComboFix please.

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline 1yn

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Command Service / Downloader.tibs
« Reply #2 on: October 28, 2006, 01:05:29 PM »
Administrator - 06-10-28 13:56:13.81    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

(((((((((((((((((((((((((((((((((((((((((((   E-Give / Ssk's Log   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Documents and Settings\Administrator\Application Data\Dxcdmns.dll
C:\Documents and Settings\Administrator\Application Data\Dxcknwrd.dll


* * *  POST RUN FILES/FOLDERS  * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 

C:\Documents and Settings\Administrator\Application Data\Install.dat
C:\WINDOWS\system32\aaa00000.sys
C:\Program Files\Common Files\Yazzle1281OinUninstaller.exe
C:\Documents and Settings\All Users\Documents\Settings
C:\WINDOWS\RS1UZWNo

 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols

 
(((((((((((((((((((((((((((((((   Files Created from 2006-09-28 to 2006-10-28  ))))))))))))))))))))))))))))))))))
 
 
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 13:32 217,346 --a------ C:\WINDOWS\srvclxrcpe.exe
2006-10-27 13:31 217,346 --a------ C:\WINDOWS\srvevnbieo.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 02:50 217,346 --a------ C:\WINDOWS\srvwrgleib.exe
2006-10-27 00:15 217,346 --a------ C:\WINDOWS\srvmhtjglh.exe
2006-10-27 00:13 217,346 --a------ C:\WINDOWS\srvxstwlgm.exe
2006-10-27 00:12 217,346 --a------ C:\WINDOWS\srvwhebfkj.exe
2006-10-26 22:27 217,346 --a------ C:\WINDOWS\srvdfmdtpz.exe
2006-10-26 22:26 217,346 --a------ C:\WINDOWS\srvngogrwj.exe
2006-10-26 22:17 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-26 22:17 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-26 20:04 49,428 --a------ C:\WINDOWS\system32\rmuwoiss.dll
2006-10-26 20:03 971 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-26 20:03 69,652 --a------ C:\WINDOWS\system32\eucwried.exe
2006-10-26 20:03 645,804 ---hs---- C:\WINDOWS\system32\ttutv.bak2
2006-10-26 12:35 217,346 --a------ C:\WINDOWS\srvhsuncdb.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvposbxek.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvfoqqyfi.exe
2006-10-26 12:32 688,180 ---hs---- C:\WINDOWS\system32\vtutt.dll
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvqbfkjhp.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvgxdftpc.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvcfytgra.exe


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:12 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"hfd59da9"="RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runservices]
"_mzu_stonedrv3"="c:\\windows\\system32\\_mzu_stonedrv3.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="C:\\Program Files\\Internet Explorer\\pojogagag.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\meged.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\TA_Start.lnk"
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\oqdsregq.exe GEN001"
"item"="TA_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^Think-Adz.lnk]
"path"="C:\\Documents and Settings\\Administrator\\Start Menu\\Programs\\Startup\\Think-Adz.lnk"
"backup"="C:\\WINDOWS\\pss\\Think-Adz.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\swinppem.exe GEN001"
"item"="Think-Adz"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATICCC]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cli"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AudioDeck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ADeck"
"hkey"="HKLM"
"command"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DeluxeCommunications]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Dxc"
"hkey"="HKCU"
"command"="C:\\Program Files\\DeluxeCommunications\\Dxc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="swinppem"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\swinppem.exe GEN001"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hnydjtb.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hnydjtb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\hnydjtb.dll,ldaliqf"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="IMJPMIG"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmcrat06]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mmputt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\mmputt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSPY2002]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ImScInst"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quiwn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uhwems"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\uhwems.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys027993650414]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys027993650414"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys027993650414.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\_mzu_stonedrv3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="_mzu_stonedrv3"
"hkey"="HKCU"
"command"="c:\\windows\\system32\\_mzu_stonedrv3.exe"
"inimapping"="0"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutt
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-28 14:00:57.26
C:\ComboFix.txt ... 06-10-28 14:00

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Command Service / Downloader.tibs
« Reply #3 on: October 28, 2006, 01:24:34 PM »
Can I have you do the following?
I need to see EVERYTHING running on startup; you're disabling entries with msconfig.
Go to START>>RUN>>Type in
msconfig
Hit OK
Under the STARTUP tab>>Enable ALL>>Apply it
Under the SERVICES tab>>Enable ALL>>Apply it
Under the GENERAL tab>>Select NORMAL startup
APPLY it and CLOSE

Restart the computer

Supply a fresh Hijackthis log

Also
supply an uninstall list from Hijackthis
Open Hijackthis>>Open MISC TOOLS SECTION>>Open UNINSTALL MANAGER
Click the SAVE LIST... button
Save the list to your desktop then copy>>Paste back here the Whole contents
« Last Edit: October 28, 2006, 01:24:53 PM by guestolo »



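Why the helper asks for "Enable ALL" in msconfig: when an item is unticked on XP's msconfig Startup tab, the value is removed from its Run key (or the .lnk is moved out of the Startup folder into C:\WINDOWS\pss) and a record of it is written under HKLM\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg or startupfolder, which is exactly what the ComboFix "Reg Loading Points" section above lists and what HijackThis 1.99 does not report. The script below is an added example, not code from the thread, from ComboFix or from HijackThis: it parses a trimmed copy of that section (the values are the ones shown above, nothing else), rebuilds the complete autostart set, marks the entries msconfig is hiding, and renders them in HijackThis O4 form so they can be compared with a fresh log once everything is re-enabled.

```python
"""Rebuild the full autostart set from a ComboFix 'Reg Loading Points' dump,
including entries msconfig has stashed as disabled. Added example; not code
from the thread, ComboFix or HijackThis."""
import re
from dataclasses import dataclass

# Constructed sample: a trimmed copy of the 'Reg Loading Points' section posted above.
SAMPLE_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"hfd59da9"="RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"MsnMsgr"="\"C:\\Program Files\\MSN Messenger\\MsnMsgr.Exe\" /background"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Administrator^Start Menu^Programs^Startup^TA_Start.lnk]
"backup"="C:\\WINDOWS\\pss\\TA_Start.lnkStartup"
"location"="Startup"
"command"="C:\\WINDOWS\\system32\\oqdsregq.exe GEN001"
"item"="TA_Start"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hnydjtb.dll]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="hnydjtb"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\rundll32.exe C:\\WINDOWS\\system32\\hnydjtb.dll,ldaliqf"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\quiwn]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="uhwems"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\uhwems.exe reg_run"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sys027993650414]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="sys027993650414"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\sys027993650414.exe"
"""

HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_USERS": "HKU"}
LEAF_CASE = {"run": "Run", "runonce": "RunOnce", "runservices": "RunServices"}
MSCONFIG = "hkey_local_machine\\software\\microsoft\\shared tools\\msconfig\\"
RUN_KEY_RE = re.compile(r"^(?P<hive>HKEY_[A-Z_]+)\\software\\microsoft\\windows\\currentversion\\(?P<leaf>run\w*)$", re.I)
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<val>.*)"$')


@dataclass
class Autorun:
    hive: str       # HKLM, HKCU, or "Startup" for the Startup folder
    key: str        # Run / RunOnce / RunServices; "" for the Startup folder
    name: str       # registry value name, or the .lnk file name
    command: str
    enabled: bool   # False when msconfig has moved it into its startupreg/startupfolder stash


def _unescape(value):
    # .reg files escape backslashes and double quotes with a backslash
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_dump(text):
    """Return [(key_path, {value_name: value}), ...] for each [key] block in the dump."""
    blocks, key, values = [], None, {}
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            if key is not None:
                blocks.append((key, values))
            key, values = line[1:-1], {}
        elif key is not None and (m := VALUE_RE.match(line)):
            values[m.group("name")] = _unescape(m.group("val"))
    if key is not None:
        blocks.append((key, values))
    return blocks


def reconstruct(dump_text):
    autoruns = []
    for key, values in parse_reg_dump(dump_text):
        low = key.lower()
        if (m := RUN_KEY_RE.match(key)):
            hive = HIVES.get(m.group("hive").upper(), m.group("hive"))
            leaf = LEAF_CASE.get(m.group("leaf").lower(), m.group("leaf"))
            for name, cmd in values.items():
                autoruns.append(Autorun(hive, leaf, name, cmd, True))
        elif low.startswith(MSCONFIG + "startupreg\\"):
            # the stash subkey is named after the original value; "item" is only a display name
            name = key.rsplit("\\", 1)[1]
            leaf = values["key"].rsplit("\\", 1)[1]
            autoruns.append(Autorun(values["hkey"], leaf, name, values["command"], False))
        elif low.startswith(MSCONFIG + "startupfolder\\"):
            # msconfig writes the .lnk path with '^' in place of '\'; the file itself sits in C:\WINDOWS\pss
            lnk = key.rsplit("^", 1)[1]
            autoruns.append(Autorun("Startup", "", lnk, values["command"], False))
    return autoruns


def hidden_from_hijackthis(autoruns):
    """Entries HijackThis 1.99 will not list until msconfig re-enables them."""
    return [a for a in autoruns if not a.enabled]


def as_hijackthis_lines(autoruns):
    """Render every entry the way HijackThis lists it once all are re-enabled."""
    out = []
    for a in autoruns:
        if a.hive == "Startup":
            cmd = a.command
            prog = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ", 1)[0]
            out.append(f"O4 - Startup: {a.name} = {prog}")
        else:
            out.append(f"O4 - {a.hive}\\..\\{a.key}: [{a.name}] {a.command}")
    return out


if __name__ == "__main__":
    entries = reconstruct(SAMPLE_DUMP)
    print(f"{len(hidden_from_hijackthis(entries))} of {len(entries)} autostart entries are hidden by msconfig")
    for line in as_hijackthis_lines(entries):
        print(line)
```

The rendered lines for the stashed entries match, character for character, the O4 lines that appear only in the second HijackThis log later in this thread, which is the point of the "Enable ALL" step: a log taken while msconfig has items disabled understates what the machine will run on a normal boot.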
Offline 1yn

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Command Service / Downloader.tibs
« Reply #4 on: October 28, 2006, 01:39:40 PM »
I followed your above steps, but the list you want me to get when I click the Save List... button isn't prompting me where to save it, so I don't know how to get the list to you. I tried to manually shift-select all of the items but that didn't work. Here is the new HJT list:

Logfile of HijackThis v1.99.1
Scan saved at 2:31:15 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\WINDOWS\mmputt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\tcpip.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [sys027993650414] C:\WINDOWS\sys027993650414.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [hnydjtb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hnydjtb.dll,ldaliqf
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinppem.exe GEN001
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [quiwn] C:\WINDOWS\system32\uhwems.exe reg_run
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregq.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinppem.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Command Service / Downloader.tibs
« Reply #5 on: October 28, 2006, 01:44:33 PM »
After you click the SAVE LIST button

You should see Save in... at the top
Use the drop down menu and select Desktop



Offline 1yn

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Command Service / Downloader.tibs
« Reply #6 on: October 28, 2006, 01:55:23 PM »
HJT closes the moment I click Save List... I will try to manually list the programs I see, but I will exclude stuff such as Security Update for Windows XP, Update for Windows XP, and Windows XP Hotfix.

ad-aware se
ati software uninstall utility
ati catalyst control center
ati control panel
ati display driver
avg anti-spyware
avg free edition
HJT 1.99.1
microsoft .NET framework 1.1
mozilla
msn messenger 7.5
msn music assistant
spybot S&D
starcraft
VIA platform device manager
windows installer 3.1
winzip

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • Posts: 16034
  • Karma: +1/-0
Command Service / Downloader.tibs
« Reply #7 on: October 28, 2006, 02:04:10 PM »
Can you do the following instead

Download and unzip to your desktop InstalledPrograms.zip
Double click on InstalledPrograms.vbs

Click OK at the IP prompt and click YES to view the results now
A text file will open, can you copy and paste back here the whole contents



Offline 1yn

  • Newbie
  • Posts: 13
  • Karma: +0/-0
Command Service / Downloader.tibs
« Reply #8 on: October 28, 2006, 02:08:33 PM »
INSTALLED SOFTWARE (86) - E-0B828A199F114 - 10/28/2006 3:06:20 PM

Ad-Aware SE Personal
ATI - Software Uninstall Utility Ver: 6.14.10.1012
ATI Catalyst Control Center Ver: 1.2.1949.42406 Installed: 12/31/2001
ATI Control Panel Ver: 6.14.10.5154
ATI Display Driver Ver: 8.252-060503a-032464C-ATI
AVG Anti-Spyware 7.5
AVG Free Edition
HijackThis 1.99.1 Ver: 1.99.1
Microsoft .NET Framework 1.1 Ver: 1.1.4322 Installed: 12/31/2001
Mozilla Firefox (1.0.7) Ver: 1.0.7 (en-US)
MSN Messenger 7.5 Ver: 7.5.0306.0 Installed: 10/27/2006
MSN Music Assistant
Platform Ver: 1.12 Installed: 1/1/2002
Security Update for Windows Media Player (KB911564)  Installed: 10/27/2006
Security Update for Windows Media Player 10 (KB917734)  Installed: 10/27/2006
Security Update for Windows Media Player 9 (KB917734)  Installed: 10/27/2006
Security Update for Windows XP (KB890046) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB893756) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896358) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896423) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB896424) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB896428) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB899587) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB899589) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB899591) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB900725) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB901017) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB901190) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB901214) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB902400) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB904706) Ver: 2 Installed: 10/27/2006
Security Update for Windows XP (KB905414) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB905749) Ver: 1 Installed: 10/26/2006
Security Update for Windows XP (KB908519) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911562) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911567) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB911927) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB912919) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB913433)
Security Update for Windows XP (KB913580) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB914388) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB914389) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917344) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917422) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB917953) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB918439) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB918899) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB919007) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920214) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920670) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920683) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB920685) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB921398) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB921883) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB922616) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB922819) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB923191) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB923414) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB924191) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB924496) Ver: 1 Installed: 10/27/2006
Security Update for Windows XP (KB925486) Ver: 1 Installed: 10/27/2006
Spybot - Search & Destroy 1.4 Ver: 1.4
Starcraft
Update for Windows XP (KB894391) Ver: 1 Installed: 10/26/2006
Update for Windows XP (KB898461) Ver: 1 Installed: 10/26/2006
Update for Windows XP (KB900485) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB908531) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB910437) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB911280) Ver: 2 Installed: 10/27/2006
Update for Windows XP (KB916595) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB920872) Ver: 1 Installed: 10/27/2006
Update for Windows XP (KB922582) Ver: 1 Installed: 10/27/2006
VIA Platform Device Manager Ver: 1.12 Installed: 1/1/2002
WebFldrs XP Ver: 9.50.7523 Installed: 12/31/2001
Windows Installer 3.1 (KB893803) Ver: 3.1
Windows Media Format Runtime
Windows Media Player 10
Windows XP Hotfix - KB873339 Ver: 20041117.092459
Windows XP Hotfix - KB885835 Ver: 20041027.181713
Windows XP Hotfix - KB885836 Ver: 20041028.173203
Windows XP Hotfix - KB886185 Ver: 20041021.090540
Windows XP Hotfix - KB887472 Ver: 20041014.162858
Windows XP Hotfix - KB888302 Ver: 20041207.111426
Windows XP Hotfix - KB890859 Ver: 1 Installed: 10/26/2006
Windows XP Hotfix - KB891781 Ver: 20050110.165439
WinZip Ver:  9.0 SR-1 (6224)

guestolo
Command Service / Downloader.tibs
« Reply #9 on: October 28, 2006, 02:34:04 PM »
We're going to run some tools on your computer and see what we can clean

I advise you to print all these instructions or save them to a text file on your desktop

Download SDFix and save it to your Desktop.

Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop.

Download Delcmdservice.zip to your Desktop.
Now unpack (extract) the delcmdservice folder to your desktop.

Please download Qoofix by RubbeR DuckY from http://www.malwarebytes.org/Qoofix.zip
Unzip all files to a convenient location such as C:\Qoofix.
We'll need it later

Download VundoFix.exe to your desktop.

Do a "System scan only" with Hijackthis and put a check next to these entries:

F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [sys027993650414] C:\WINDOWS\sys027993650414.exe
O4 - HKLM\..\Run: [mmcrat06] C:\WINDOWS\mmputt.exe
O4 - HKLM\..\Run: [hnydjtb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hnydjtb.dll,ldaliqf
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\system32\swinppem.exe GEN001
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - HKCU\..\Run: [quiwn] C:\WINDOWS\system32\uhwems.exe reg_run
O4 - HKCU\..\Run: [DeluxeCommunications] C:\Program Files\DeluxeCommunications\Dxc.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregq.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\system32\swinppem.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O15 - Trusted Zone: http://click.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://redirect.mirarsearch.com (HKLM)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Please then reboot your computer in Safe Mode by doing the following :
  • Restart your computer
  • After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
  • Instead of Windows loading as normal, the Advanced Options Menu should appear;
  • Select the first option, to run Windows in Safe Mode, then press Enter.
  • Choose your usual account.
Open the delcmdservice folder on your desktop and double-click DelReg.bat; a DOS window will open and rapidly close (this is normal).
Then close the delcmdservice folder.

SDFix
  • Open the extracted SDFix folder and double click RunThis.bat to start the script.
  • Type Y to begin the cleanup process.
  • It will remove any Trojan Services or Registry Entries found then prompt you to press any key to Reboot.
  • Press any Key and it will restart the PC.
  • When the PC restarts the Fixtool will run again and complete the removal process then display Finished, press any key to end the script and load your desktop icons.
  • Once the desktop icons load the SDFix report will open on screen and also save into the SDFix folder as Report.txt.
Qoofix by RubberDucky
  • Go to the folder you unzipped all files and run Qoofix.exe.
  • Click Begin Removal and wait for the scan to finish.
  • If an infection has been found, select yes to restart your computer.
VundoFix.exe
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files,  click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above
instructions starting from "Click the Scan for Vundo button."

I need to see back here all the next logs please
Even if it takes more than one reply to do so

1. Post a fresh Hijackthis log
2. The report from SDFix>>Report.txt in the SDFix folder
3. The Qoofix report>>Found in the Qoofix folder
4. The report from Vundofix>>by default found here>>C:\Vundofix.txt

After the above, can you run ComboFix one more time and post the fresh log that opens, please?

  • Finally copy and paste the contents of the results file Report.txt back onto the forum with a new HijackThis log
« Last Edit: October 28, 2006, 02:54:37 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted here: http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/
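The entries guestolo picks out above follow a handful of recognisable patterns: a UserInit value that chains a second executable after userinit.exe, BHOs registered from C:\WINDOWS\system32 or left orphaned ("file missing"), Run entries that launch random-named files straight out of the Windows directory (often via rundll32), anything at all under the Win9x-era RunServices key, sites pushed into IE's Trusted Zone, and non-default Winlogon Notify packages. The script below is an added example, not part of the original post and not code from HijackThis or its author: it applies those rules as heuristics to a constructed sample of HijackThis 1.99.1 lines copied from the logs in this thread, deliberately mixed with benign entries (the IME loaders, AVG, Spybot's SDHelper.dll) so the rules have true negatives to get right. The small allowlist of autostarts that legitimately live in system32 (only ctfmon.exe here) and the "orphaned BHO" and "Windows-directory" tests are my assumptions, not a rule HijackThis itself applies; the running-process list and O23 services are not examined.

```python
import re
from dataclasses import dataclass

# Constructed sample: HijackThis 1.99.1 entries copied from the logs in this thread,
# mixing entries the helper marked for "Fix checked" with benign ones so the rules
# below have both true positives and true negatives to get right.
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,vlumwxy.exe
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [hfd59da9] RUNDLL32.EXE w004ddaa.dll,n 00659da300000006004ddaa
O4 - HKLM\..\Run: [hnydjtb.dll] C:\WINDOWS\system32\rundll32.exe C:\WINDOWS\system32\hnydjtb.dll,ldaliqf
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\RunServices: [_mzu_stonedrv3] c:\windows\system32\_mzu_stonedrv3.exe
O4 - Startup: TA_Start.lnk = C:\WINDOWS\system32\oqdsregq.exe
O15 - Trusted Zone: http://click.getmirar.com (HKLM)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[A-Z]\d{1,2}) - (?P<body>.*)$")
WINDOWS_ROOTS = (r"c:\windows", r"c:\windows\system32")
# Assumption: on XP the only autostart normally launched straight out of system32 is ctfmon.exe.
KNOWN_SYSTEM32_AUTOSTARTS = {"ctfmon.exe"}


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def first_token(cmd):
    """Split a command line into its (possibly quoted) executable and the remaining arguments."""
    cmd = cmd.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end], cmd[end + 1:].strip()
    parts = cmd.split(None, 1)
    return parts[0], (parts[1] if len(parts) > 1 else "")


def loaded_module(cmd):
    """The module that really runs: for a rundll32 launch that is the DLL argument, not rundll32."""
    exe, rest = first_token(cmd)
    if exe.lower().rsplit("\\", 1)[-1] == "rundll32.exe" and rest:
        dll, _ = first_token(rest)
        return dll.split(",", 1)[0]
    return exe


def in_windows_root(path):
    """True if the file sits directly in C:\\WINDOWS or C:\\WINDOWS\\system32, or is a bare
    file name that the loader resolves there through the default search path."""
    p = path.strip().lower()
    if "\\" not in p:
        return True
    return p.rsplit("\\", 1)[0] in WINDOWS_ROOTS


def analyse(log_text):
    """Return one Finding per HijackThis line that trips a persistence heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        sec, body = m.group("sec"), m.group("body")
        reason = None
        if sec == "F2" and "UserInit=" in body:
            names = [n.strip() for n in body.split("UserInit=", 1)[1].split(",") if n.strip()]
            extra = [n for n in names if not n.lower().endswith("\\userinit.exe")]
            if extra:
                reason = "UserInit chains extra executable(s): " + ", ".join(extra)
        elif sec == "O2":
            path = body.rsplit(" - ", 1)[-1]
            if path.endswith("(file missing)"):
                reason = "orphaned BHO registration (DLL missing)"
            elif in_windows_root(path):
                reason = "BHO loaded from the Windows directory rather than a program folder"
        elif sec == "O4":
            if "RunServices" in body:
                reason = "RunServices key: a Windows 9x/Me key that XP ignores; only multi-family malware writes it"
            else:
                cmd = body.split("] ", 1)[1] if "] " in body else body.split(" = ", 1)[-1]
                module = loaded_module(cmd)
                basename = module.lower().rsplit("\\", 1)[-1]
                if in_windows_root(module) and basename not in KNOWN_SYSTEM32_AUTOSTARTS:
                    reason = f"autostart runs {module} straight from the Windows directory"
        elif sec == "O15":
            reason = "site added to IE Trusted Zone (relaxed security settings for that site)"
        elif sec == "O20":
            reason = "Winlogon Notify package (HijackThis omits Microsoft's defaults, so every one listed needs checking)"
        if reason:
            findings.append(Finding(sec, reason, raw.strip()))
    return findings


if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f"{f.section:4} {f.reason}\n     {f.line}")
```

The sample yields nine findings and leaves the IME, AVG, Spybot and O23 lines alone; the DeluxeCommunications entry in the real log (a program-folder path) would not be caught by these path rules, which is exactly why a helper still reads the whole log by hand.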


1yn
Command Service / Downloader.tibs
« Reply #10 on: October 28, 2006, 03:29:36 PM »
1. THE NEW HJT

Logfile of HijackThis v1.99.1
Scan saved at 4:15:29 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\tcpip.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\wuauclt.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {104FD479-1D03-1C5C-8D76-04C43703AE4D} - C:\WINDOWS\system32\dgaladd.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\qmqhodsn.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: (no name) - {BE118DBF-BA95-4ECE-98D5-C9CC0E22449C} - C:\Program Files\MSN Gaming Zone\mebos.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

2. THE REPORT


SDFix: Version 1.32
-------------------

Scan run on:
Sat 10/28/2006

Time:
03:54 PM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Administrator\Desktop\SDFix

                                Stage One...

Checking Services...

Name:
-----

MZU_RK

Path:
----

\??\C:\WINDOWS\system32\MZU_DRV.sys


MZU_RK Deleted...

Repairing Registry...

 
Restoring Default Hosts File...
 
Stage One Complete
 
Rebooting...
 
                                 Stage Two...
 
Checking For Malware:
--------------------
 
C:\WINDOWS\system32\mini3tone.ini
C:\WINDOWS\system32\form.txt
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\ipv6monl.dll
 
Backing Up and Removing any Files Found...
 
                                 Final Check:
 
Services:
---------
 
 
Files:
------


Any files removed are saved to the SDFix\backups Folder

                                 FINISHED

3. QOOFIX REPORT

Qoofix v1.03 by http://www.malwarebytes.org
Scan started on [10/28/2006] at [4:03:50 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [10/28/2006] at [4:04:58 PM]

Note: Some registry keys may have been removed.

4. VUNDOFIX REPORT

VundoFix V6.2.6

Checking Java version...

Sun Java not detected
Scan started at 4:06:05 PM 10/28/2006

Listing files found while scanning....

C:\WINDOWS\system32\dgaladd.dll
C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.bak2

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\dgaladd.dll
C:\WINDOWS\system32\dgaladd.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\vtutt.dll
C:\WINDOWS\system32\vtutt.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ttutv.ini
C:\WINDOWS\system32\ttutv.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ttutv.bak2
C:\WINDOWS\system32\ttutv.bak2 Has been deleted!

Performing Repairs to the registry.
Done!

Rest I will continue in the next post

1yn
Command Service / Downloader.tibs
« Reply #11 on: October 28, 2006, 03:33:25 PM »
THE NEW COMBO FIX LOG

Administrator - 06-10-28 16:19:08.82    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 


 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols

 
(((((((((((((((((((((((((((((((   Files Created from 2006-09-28 to 2006-10-28  ))))))))))))))))))))))))))))))))))
 
 
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 13:32 217,346 --a------ C:\WINDOWS\srvclxrcpe.exe
2006-10-27 13:31 217,346 --a------ C:\WINDOWS\srvevnbieo.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 02:50 217,346 --a------ C:\WINDOWS\srvwrgleib.exe
2006-10-27 00:15 217,346 --a------ C:\WINDOWS\srvmhtjglh.exe
2006-10-27 00:13 217,346 --a------ C:\WINDOWS\srvxstwlgm.exe
2006-10-27 00:12 217,346 --a------ C:\WINDOWS\srvwhebfkj.exe
2006-10-26 22:27 217,346 --a------ C:\WINDOWS\srvdfmdtpz.exe
2006-10-26 22:26 217,346 --a------ C:\WINDOWS\srvngogrwj.exe
2006-10-26 22:17 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-26 22:17 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe
2006-10-26 20:04 49,428 --a------ C:\WINDOWS\system32\rmuwoiss.dll
2006-10-26 20:03 971 --a------ C:\WINDOWS\system32\winpfg32.sys
2006-10-26 20:03 69,652 --a------ C:\WINDOWS\system32\eucwried.exe
2006-10-26 12:35 217,346 --a------ C:\WINDOWS\srvhsuncdb.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvposbxek.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvfoqqyfi.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvqbfkjhp.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvgxdftpc.exe
2006-10-26 12:30 217,346 --a------ C:\WINDOWS\srvcfytgra.exe


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:12 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-15 17:16 53248 --a------ C:\WINDOWS\uni_e6h.exe
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="C:\\Program Files\\Internet Explorer\\pojogagag.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\Windows Media Player\\meged.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
  03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=hex:01,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
  00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
  00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,c2,01,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winsys2freg

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-28 16:19:47.93
C:\ComboFix.txt ... 06-10-28 16:19
C:\ComboFix2.txt ... 06-10-28 14:00


THE REPORT LOG


SDFix: Version 1.32
-------------------

Scan run on:
Sat 10/28/2006

Time:
03:54 PM


Microsoft Windows XP [Version 5.1.2600]

Running from: C:\Documents and Settings\Administrator\Desktop\SDFix

                                Stage One...

Checking Services...

Name:
-----

MZU_RK

Path:
----

\??\C:\WINDOWS\system32\MZU_DRV.sys


MZU_RK Deleted...

Repairing Registry...

 
Restoring Default Hosts File...
 
Stage One Complete
 
Rebooting...
 
                                 Stage Two...
 
Checking For Malware:
--------------------
 
C:\WINDOWS\system32\mini3tone.ini
C:\WINDOWS\system32\form.txt
C:\WINDOWS\system32\info.txt
C:\WINDOWS\system32\ipv6monl.dll
 
Backing Up and Removing any Files Found...
 
                                 Final Check:
 
Services:
---------
 
 
Files:
------


Any files removed are saved to the SDFix\backups Folder

                                 FINISHED

THE NEW HJT, PART 2 OF YOUR REQUEST


Logfile of HijackThis v1.99.1
Scan saved at 4:22:10 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\system32\tcpip.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {104FD479-1D03-1C5C-8D76-04C43703AE4D} - C:\WINDOWS\system32\dgaladd.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\qmqhodsn.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: (no name) - {BE118DBF-BA95-4ECE-98D5-C9CC0E22449C} - C:\Program Files\MSN Gaming Zone\mebos.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

guestolo
Command Service / Downloader.tibs
« Reply #12 on: October 28, 2006, 04:42:45 PM »
Can you now do the following
I recommend you print this again or save it to a text file

Download The Avenger.zip by Swandog46 to your Desktop.

    * Click on Avenger.zip to open the file
    * Extract avenger.exe to your desktop

Copy ALL the text contained in the box below to your Clipboard by highlighting it and pressing Ctrl+C on your keyboard:
=============================================================
files to delete:
C:\WINDOWS\srvclxrcpe.exe
C:\WINDOWS\srvevnbieo.exe
C:\WINDOWS\srvwrgleib.exe
C:\WINDOWS\srvmhtjglh.exe
C:\WINDOWS\srvxstwlgm.exe
C:\WINDOWS\srvwhebfkj.exe
C:\WINDOWS\srvdfmdtpz.exe
C:\WINDOWS\srvngogrwj.exe
C:\WINDOWS\ScUnin.pif
C:\WINDOWS\ScUnin.exe
C:\WINDOWS\system32\rmuwoiss.dll
C:\WINDOWS\system32\winpfg32.sys
C:\WINDOWS\system32\eucwried.exe
C:\WINDOWS\srvhsuncdb.exe
C:\WINDOWS\srvposbxek.exe
C:\WINDOWS\srvfoqqyfi.exe
C:\WINDOWS\srvqbfkjhp.exe
C:\WINDOWS\srvgxdftpc.exe
C:\WINDOWS\srvcfytgra.exe
C:\WINDOWS\system32\qmqhodsn.dll
C:\Program Files\BHO Plugin\plugin1.dll
C:\WINDOWS\system32\hnydjtb.dll
C:\WINDOWS\system32\rpcc.dll
C:\WINDOWS\uni_e6h.exe
C:\Program Files\Windows Media Player\meged.html
C:\Program Files\Internet Explorer\pojogagag.html
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll

Folders to delete:
C:\Program Files\BHO Plugin
==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows

Go to Start > Control Panel > Display Properties > Desktop > Customize Desktop... > Web tab
Uncheck and delete everything you find in there (except for "My current home page").

Do a "System scan only" with Hijackthis and put a check next to these entries:

R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: (no name) - {036BDF71-785C-4E29-9C2B-ED2A89EAE9DC} - C:\WINDOWS\system32\vtutt.dll (file missing)
O2 - BHO: (no name) - {104FD479-1D03-1C5C-8D76-04C43703AE4D} - C:\WINDOWS\system32\dgaladd.dll (file missing)
O2 - BHO: (no name) - {249065D9-9A39-D14C-FCEF-038880B8B971} - C:\WINDOWS\system32\hnydjtb.dll

O2 - BHO: (no name) - {871A54C1-1EB3-48bd-A879-5DBA4EF16BE6} - C:\WINDOWS\system32\qmqhodsn.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin1.dll
O2 - BHO: (no name) - {BE118DBF-BA95-4ECE-98D5-C9CC0E22449C} - C:\Program Files\MSN Gaming Zone\mebos.dll (file missing)
O2 - BHO: (no name) - {F18F04B0-9CF1-4b93-B004-77A288BEE28B} - C:\WINDOWS\system32\rmuwoiss.dll

O20 - Winlogon Notify: rpcc - C:\WINDOWS\system32\rpcc.dll
O20 - Winlogon Notify: winsys2freg - C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Reboot your computer one more time

Can you post back the following please
1. Post a fresh Hijackthis log
2. Post the log from Avenger, found here>>C:\Avenger.txt

3. Can you run combofix again and post one more log please

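The fourteen srv*.exe entries in the Avenger script above were lifted from the "Files Created" section of the ComboFix log: every one is exactly 217,346 bytes, carries a random ten-letter name, and was written into C:\WINDOWS within the same two days, which is what a single dropper re-writing itself under fresh names looks like. The script below is an added example, not code from the thread, from ComboFix or from The Avenger: it parses a constructed subset of the ComboFix lines posted earlier, clusters files by folder and exact size, keeps clusters whose names look generated, and renders the result in the "files to delete:" / "Folders to delete:" layout the Avenger script uses. The "random name" test (a stem of eight or more lowercase letters) and the minimum cluster size of three are my assumptions; files the helper added on other evidence (rmuwoiss.dll, rpcc.dll, the BHO DLLs, the Active Desktop .html files) are deliberately not something this size heuristic can find.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the "Files Created" section of the ComboFix log
# posted earlier in this thread, copied verbatim (date, time, size, attributes, path),
# plus one directory row to show those are skipped.
COMBOFIX_SAMPLE = r"""
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 13:32 217,346 --a------ C:\WINDOWS\srvclxrcpe.exe
2006-10-27 13:31 217,346 --a------ C:\WINDOWS\srvevnbieo.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-27 02:50 217,346 --a------ C:\WINDOWS\srvwrgleib.exe
2006-10-27 00:15 217,346 --a------ C:\WINDOWS\srvmhtjglh.exe
2006-10-26 22:17 967 --a------ C:\WINDOWS\ScUnin.pif
2006-10-26 22:17 94,208 --a------ C:\WINDOWS\ScUnin.exe
2006-10-26 20:04 49,428 --a------ C:\WINDOWS\system32\rmuwoiss.dll
2006-10-26 20:03 69,652 --a------ C:\WINDOWS\system32\eucwried.exe
2006-10-26 12:35 217,346 --a------ C:\WINDOWS\srvhsuncdb.exe
2006-10-26 12:33 217,346 --a------ C:\WINDOWS\srvposbxek.exe
2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
"""

# One ComboFix row: date, time, byte size with thousands separators (dashes for folders),
# a 9-character attribute field, then the path (which may itself contain spaces).
ENTRY_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2})\s+"
    r"(?P<size>[\d,]+|-+)\s+(?P<attr>\S+)\s+(?P<path>.+)$"
)
# Assumption: a stem of eight or more lowercase letters, no digits or capitals, is what the
# droppers in this thread produce; shipped software is rarely named that way.
RANDOM_STEM = re.compile(r"^[a-z]{8,}$")


def parse_entries(text):
    """Turn ComboFix 'Files Created' lines into dicts, skipping directory rows."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m or m.group("attr").startswith("d"):
            continue
        entries.append({
            "when": f"{m.group('date')} {m.group('time')}",
            "size": int(m.group("size").replace(",", "")),
            "path": m.group("path"),
        })
    return entries


def find_dropper_families(entries, min_members=3):
    """Cluster files by (folder, exact byte size) and keep clusters of at least min_members
    whose names all look generated. Identical size plus random names in one folder is the
    footprint of one dropper writing itself out repeatedly under fresh names."""
    groups = defaultdict(list)
    for e in entries:
        folder, name = e["path"].rsplit("\\", 1)
        stem = name.rsplit(".", 1)[0]
        if RANDOM_STEM.match(stem):
            groups[(folder.lower(), e["size"])].append(e["path"])
    return [sorted(paths) for _, paths in sorted(groups.items()) if len(paths) >= min_members]


def avenger_script(files, folders=()):
    """Render the 'files to delete:' / 'Folders to delete:' layout used in the post above."""
    lines = ["files to delete:", *files]
    if folders:
        lines += ["", "Folders to delete:", *folders]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    families = find_dropper_families(parse_entries(COMBOFIX_SAMPLE))
    for fam in families:
        folder = fam[0].rsplit("\\", 1)[0]
        print(f"{len(fam)} files of identical size with generated names in {folder}")
    if families:
        print(avenger_script(families[0], folders=[r"C:\Program Files\BHO Plugin"]))
```

On the sample this yields one family of six srv*.exe files; the single-member groups for rmuwoiss.dll and eucwried.exe fall below the threshold, so those still have to be added by hand, as guestolo did from the BHO and Run-key evidence.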


1yn
Command Service / Downloader.tibs
« Reply #13 on: October 28, 2006, 05:03:18 PM »
1. NEW HJT

Logfile of HijackThis v1.99.1
Scan saved at 5:58:21 PM, on 10/28/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\VIAudioi\SBADeck\ADeck.exe
C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
C:\WINDOWS\system32\tcpip.exe
C:\HJT\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe

2. AVENGER TXT

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kxjdbbte

*******************

Script file located at: \??\C:\Program Files\pskdwwao.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\srvclxrcpe.exe deleted successfully.
File C:\WINDOWS\srvevnbieo.exe deleted successfully.
File C:\WINDOWS\srvwrgleib.exe deleted successfully.
File C:\WINDOWS\srvmhtjglh.exe deleted successfully.
File C:\WINDOWS\srvxstwlgm.exe deleted successfully.
File C:\WINDOWS\srvwhebfkj.exe deleted successfully.
File C:\WINDOWS\srvdfmdtpz.exe deleted successfully.
File C:\WINDOWS\srvngogrwj.exe deleted successfully.
File C:\WINDOWS\ScUnin.pif deleted successfully.
File C:\WINDOWS\ScUnin.exe deleted successfully.
File C:\WINDOWS\system32\rmuwoiss.dll deleted successfully.
File C:\WINDOWS\system32\winpfg32.sys deleted successfully.
File C:\WINDOWS\system32\eucwried.exe deleted successfully.
File C:\WINDOWS\srvhsuncdb.exe deleted successfully.
File C:\WINDOWS\srvposbxek.exe deleted successfully.
File C:\WINDOWS\srvfoqqyfi.exe deleted successfully.
File C:\WINDOWS\srvqbfkjhp.exe deleted successfully.
File C:\WINDOWS\srvgxdftpc.exe deleted successfully.
File C:\WINDOWS\srvcfytgra.exe deleted successfully.
File C:\WINDOWS\system32\qmqhodsn.dll deleted successfully.
File C:\Program Files\BHO Plugin\plugin1.dll deleted successfully.
File C:\WINDOWS\system32\hnydjtb.dll deleted successfully.
File C:\WINDOWS\system32\rpcc.dll deleted successfully.
File C:\WINDOWS\uni_e6h.exe deleted successfully.


File C:\Program Files\Windows Media Player\meged.html not found!
Deletion of file C:\Program Files\Windows Media Player\meged.html failed!

Could not process line:
C:\Program Files\Windows Media Player\meged.html
Status: 0xc0000034

 

File C:\Program Files\Internet Explorer\pojogagag.html not found!
Deletion of file C:\Program Files\Internet Explorer\pojogagag.html failed!

Could not process line:
C:\Program Files\Internet Explorer\pojogagag.html
Status: 0xc0000034

 

Could not open file C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll for deletion
Deletion of file C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll failed!

Could not process line:
C:\Documents and Settings\All Users\Documents\Settings\winsys2f.dll
Status: 0xc000003a

Folder C:\Program Files\BHO Plugin deleted successfully.

Completed script processing.

*******************

Finished!  Terminate.

3. COMBO FIX TXT

Administrator - 06-10-28 17:59:41.06    Service Pack 2
ComboFix 06.10.19 - Running from: "C:\Documents and Settings\Administrator\Desktop"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 


 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~    Purity    ~ ~ ~ ~ ~ ~ ~ ~~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~

Folders Quarantined:

C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1
C:\QooBox\Purity\Documents and Settings\Administrator\Application Data\SMBOLS~1\s?mbols

 
(((((((((((((((((((((((((((((((   Files Created from 2006-09-28 to 2006-10-28  ))))))))))))))))))))))))))))))))))
 
 
2006-10-27 13:51 245,408 --a------ C:\WINDOWS\system32\unicows.dll
2006-10-27 13:42 99,965 --a------ C:\WINDOWS\UninstallFirefox.exe
2006-10-27 02:55 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-10-26 20:50 22,752 --a------ C:\WINDOWS\system32\spupdsvc.exe


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-10-28 17:50 -------- d--h----- C:\Program Files\BHO Plugin
2006-10-28 13:56 -------- d-------- C:\Program Files\Common Files
2006-10-28 12:45 -------- d-------- C:\Program Files\Enigma Software Group
2006-10-28 11:36 -------- d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
2006-10-28 00:27 -------- d-------- C:\Program Files\Starcraft
2006-10-28 00:24 -------- d-------- C:\Program Files\Mozilla Firefox
2006-10-27 18:00 -------- d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2006-10-27 18:00 -------- d-------- C:\Program Files\MSN Messenger
2006-10-27 13:51 -------- d-------- C:\Program Files\MsnMusic
2006-10-27 13:50 -------- d-------- C:\Program Files\Windows Media Player
2006-10-27 13:47 -------- d-------- C:\Program Files\WinZip
2006-10-27 13:43 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Mozilla
2006-10-27 03:22 -------- d-------- C:\Program Files\Internet Explorer
2006-10-27 02:55 -------- d-------- C:\Program Files\Grisoft
2006-10-27 00:05 -------- d-------- C:\Program Files\Online Services
2006-10-27 00:01 -------- d-------- C:\Program Files\Messenger
2006-10-26 23:59 -------- d-------- C:\Program Files\Outlook Express
2006-10-26 23:59 -------- d-------- C:\Program Files\Common Files\System
2006-10-26 23:59 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Macromedia
2006-10-26 22:13 5468 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
2006-10-26 22:13 17414 --ahs---- C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
2006-10-26 20:03 -------- d-------- C:\Program Files\VSAdd-in
2006-10-26 02:11 -------- d-------- C:\Documents and Settings\Administrator\Application Data\Help
2006-09-13 01:01 1084416 --a------ C:\WINDOWS\system32\msxml3.dll
2006-08-25 11:45 617472 --a------ C:\WINDOWS\system32\comctl32.dll
2006-08-21 08:21 16896 --a------ C:\WINDOWS\system32\fltlib.dll
2006-08-21 05:14 23040 --a------ C:\WINDOWS\system32\fltmc.exe
2006-08-16 07:58 100352 --a------ C:\WINDOWS\system32\6to4svc.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"ATIPTA"="C:\\Program Files\\ATI Technologies\\ATI Control Panel\\atiptaxx.exe"
"PHIME2002ASync"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /SYNC"
"PHIME2002A"="C:\\WINDOWS\\system32\\IME\\TINTLGNT\\TINTSETP.EXE /IMEName"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"MSPY2002"="C:\\WINDOWS\\system32\\IME\\PINTLGNT\\ImScInst.exe /SYNC"
"IMJPMIG8.1"="C:\\WINDOWS\\IME\\imjp8_1\\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32"
"AudioDeck"="C:\\Program Files\\VIAudioi\\SBADeck\\ADeck.exe 1"
"ATICCC"="\"C:\\Program Files\\ATI Technologies\\ATI.ACE\\cli.exe\" runtime"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000005

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,00,03,00,00,00,\
  00,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=hex:04,00,00,40
"OriginalStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,\
  00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,80,00,00,00,00,00,00,00,00,02,00,00,e0,01,\
  00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"NoActiveDesktop"=dword:00000000
"ClassicShell"=dword:00000000
"ForceActiveDesktopOn"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000000
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"CDBurn"="{fbeb8a05-beee-4442-804e-409d6c4515e9}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

Completion time: 06-10-28 18:00:19.48
C:\ComboFix.txt ... 06-10-28 18:00
C:\ComboFix2.txt ... 06-10-28 16:19
C:\ComboFix3.txt ... 06-10-28 14:00

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Command Service / Downloader.tibs
« Reply #14 on: October 28, 2006, 05:21:22 PM »
Can you do the following for me
Set Windows To Show Hidden Files and Folders
    * Click Start.
    * Open My Computer.
    * Select the Tools menu and click Folder Options.
    * Select the View Tab.
    * Under the Hidden files and folders heading select Show hidden files and folders.
    * Uncheck the Hide protected operating system files (recommended) option.
    * Uncheck the Hide Extensions for known file types
    * Click Yes to confirm.
    * Click OK.

Can you delete this folder if found
C:\Program Files\BHO Plugin
In the same location of the Program Files folder
You can delete
Enigma Software Group folder, if you have nothing installed by them; it looks like a leftover

Go to either of these links
http://virusscan.jotti.org/
OR
http://www.virustotal.com/flash/index_en.html

Use the browse button and navigate to the file on your harddrive if you can find it

C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta <-this file
Right click on the file and choose Select
Then use the Submit button
Let it finish scanning
Could you post the results of the scan back here please
Can you do the same with these files too please
C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
C:\WINDOWS\system32\tcpip.exe

One more scanner please
I just want to check on something
Download and save to your desktop
 F-Secure BlackLight (blbeta.exe)

    Double click to run blbeta.exe
    * Accept the user agreement.
    * Click Scan.
    * After the scan finishes, click on Next, then Exit.
Do not rename any files if found by blacklight, I need to see the log

BlackLight will create a log on your desktop with the name "fsbl-xxxxxxx.log".

Post that log please

How's everything running?

EDIT>>Can you also check to see if you can run and save the Uninstall list from Hijackthis again
If you can, please post the contents
« Last Edit: October 28, 2006, 05:31:19 PM by guestolo »

Do you want to post your own logs from FRST?

Follow the instructions posted at http://www.thetechguide.com/forum/index.php/topic/22942-please-read-how-to-post-logs-from-frst/


Offline 1yn

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
Command Service / Downloader.tibs
« Reply #15 on: October 28, 2006, 06:15:44 PM »
I found the Enigma Software Group folder and deleted it, then I went to RUN and copy/pasted C:\Program Files\BHO Plugin; it was found but I can't delete it. The computer is running great and the error in the beginning has long been gone. But on that note I haven't been using I.E. at all (which I think is the source from which all my viruses resurface). I have been using a laptop to download the stuff you ask for, then transferring it to run on the infected comp. With your latest instruction it is the first time I connected the internet to the infected computer. And yes, I am able to save the HJT file and will post below.
 
 
 RESULTS FOR C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.sta
 
  Service load:      
 0%                 100%
 File:     F66022CBC7AA4769BC48A3C22B3B57D4.sta
 Status:    
 OK
 MD5     3aae6789a625e5c7754af85c006a9580
 Packers detected:    
 -
 Scanner results
 AntiVir    
 Found nothing
 ArcaVir    
 Found nothing
 Avast    
 Found nothing
 AVG Antivirus    
 Found nothing
 BitDefender    
 Found nothing
 ClamAV    
 Found nothing
 Dr.Web    
 Found nothing
 F-Prot Antivirus    
 Found nothing
 Fortinet    
 Found nothing
 Kaspersky Anti-Virus    
 Found nothing
 NOD32    
 Found nothing
 Norman Virus Control    
 Found nothing
 VirusBuster    
 Found nothing
 VBA32    
 Found nothing
 
 RESULTS FOR
C:\Documents and Settings\Administrator\Application Data\F66022CBC7AA4769BC48A3C22B3B57D4.rul
 
  Service load:      
 0%                 100%
 File:     F66022CBC7AA4769BC48A3C22B3B57D4.rul
 Status:    
 OK
 MD5     07806ccb15ba7e04b44cfeb0b89f4e93
 Packers detected:    
 -
 Scanner results
 AntiVir    
 Found nothing
 ArcaVir    
 Found nothing
 Avast    
 Found nothing
 AVG Antivirus    
 Found nothing
 BitDefender    
 Found nothing
 ClamAV    
 Found nothing
 Dr.Web    
 Found nothing
 F-Prot Antivirus    
 Found nothing
 Fortinet    
 Found nothing
 Kaspersky Anti-Virus    
 Found nothing
 NOD32    
 Found nothing
 Norman Virus Control    
 Found nothing
 VirusBuster    
 Found nothing
 VBA32    
 Found nothing
 
 RESULTS FOR
C:\WINDOWS\system32\tcpip.exe
 
  Service load:      
 0%                 100%
 File:     tcpip.exe
 Status:    
 POSSIBLY INFECTED/MALWARE (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database) (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)
 MD5     7d8241b2edcc6750e7719af24da153d9
 Packers detected:    
 PE_PATCH.UPX, UPX
 Scanner results
 AntiVir    
 Found Heuristic/Crypted (probable variant)
 ArcaVir    
 Found nothing
 Avast    
 Found nothing
 AVG Antivirus    
 Found nothing
 BitDefender    
 Found Generic.Malware.Yd.FDABD5F9 (probable variant)
 ClamAV    
 Found nothing
 Dr.Web    
 Found nothing
 F-Prot Antivirus    
 Found nothing
 Fortinet    
 Found W32/AYL!tr.dldr
 Kaspersky Anti-Virus    
 Found nothing
 NOD32    
 Found nothing
 Norman Virus Control    
 Found nothing
 VirusBuster    
 Found nothing
 VBA32    
 Found nothing
 
 
 
 

 BLACK LIGHT REPORT
 
 10/28/06 19:00:43 [Info]: BlackLight Engine 1.0.47 initialized
 10/28/06 19:00:43 [Info]: OS: 5.1 build 2600 (Service Pack 2)
 10/28/06 19:00:43 [Note]: 7019 4
 10/28/06 19:00:43 [Note]: 7005 0
 10/28/06 19:00:54 [Note]: 7006 0
 10/28/06 19:00:54 [Note]: 7011 1180
 10/28/06 19:00:55 [Note]: 7026 0
 10/28/06 19:00:55 [Note]: 7026 0
 10/28/06 19:00:59 [Note]: FSRAW library version 1.7.1020
 10/28/06 19:06:04 [Note]: 2000 1012
 10/28/06 19:06:04 [Note]: 2000 1012
 10/28/06 19:11:17 [Note]: 7007 0
 
 
 HJT UNINSTALL LIST
 
 Ad-Aware SE Personal
 ATI - Software Uninstall Utility
 ATI Catalyst Control Center
 ATI Control Panel
 ATI Display Driver
 AVG Anti-Spyware 7.5
 AVG Free Edition
 HijackThis 1.99.1
 Microsoft .NET Framework 1.1
 Mozilla Firefox (1.0.7)
 MSN Messenger 7.5
 MSN Music Assistant
 Security Update for Windows Media Player (KB911564)
 Security Update for Windows Media Player 10 (KB917734)
 Security Update for Windows Media Player 9 (KB917734)
 Security Update for Windows XP (KB890046)
 Security Update for Windows XP (KB893756)
 Security Update for Windows XP (KB896358)
 Security Update for Windows XP (KB896423)
 Security Update for Windows XP (KB896424)
 Security Update for Windows XP (KB896428)
 Security Update for Windows XP (KB899587)
 Security Update for Windows XP (KB899589)
 Security Update for Windows XP (KB899591)
 Security Update for Windows XP (KB900725)
 Security Update for Windows XP (KB901017)
 Security Update for Windows XP (KB901190)
 Security Update for Windows XP (KB901214)
 Security Update for Windows XP (KB902400)
 Security Update for Windows XP (KB904706)
 Security Update for Windows XP (KB905414)
 Security Update for Windows XP (KB905749)
 Security Update for Windows XP (KB908519)
 Security Update for Windows XP (KB911562)
 Security Update for Windows XP (KB911567)
 Security Update for Windows XP (KB911927)
 Security Update for Windows XP (KB912919)
 Security Update for Windows XP (KB913433)
 Security Update for Windows XP (KB913580)
 Security Update for Windows XP (KB914388)
 Security Update for Windows XP (KB914389)
 Security Update for Windows XP (KB917344)
 Security Update for Windows XP (KB917422)
 Security Update for Windows XP (KB917953)
 Security Update for Windows XP (KB918439)
 Security Update for Windows XP (KB918899)
 Security Update for Windows XP (KB919007)
 Security Update for Windows XP (KB920214)
 Security Update for Windows XP (KB920670)
 Security Update for Windows XP (KB920683)
 Security Update for Windows XP (KB920685)
 Security Update for Windows XP (KB921398)
 Security Update for Windows XP (KB921883)
 Security Update for Windows XP (KB922616)
 Security Update for Windows XP (KB922819)
 Security Update for Windows XP (KB923191)
 Security Update for Windows XP (KB923414)
 Security Update for Windows XP (KB924191)
 Security Update for Windows XP (KB924496)
 Security Update for Windows XP (KB925486)
 Spybot - Search & Destroy 1.4
 Starcraft
 Update for Windows XP (KB894391)
 Update for Windows XP (KB898461)
 Update for Windows XP (KB900485)
 Update for Windows XP (KB908531)
 Update for Windows XP (KB910437)
 Update for Windows XP (KB911280)
 Update for Windows XP (KB916595)
 Update for Windows XP (KB920872)
 Update for Windows XP (KB922582)
 VIA Platform Device Manager
 Windows Installer 3.1 (KB893803)
 Windows Media Format Runtime
 Windows Media Player 10
 Windows XP Hotfix - KB873339
 Windows XP Hotfix - KB885835
 Windows XP Hotfix - KB885836
 Windows XP Hotfix - KB886185
 Windows XP Hotfix - KB887472
 Windows XP Hotfix - KB888302
 Windows XP Hotfix - KB890859
 Windows XP Hotfix - KB891781
 WinZip
 
 
 
« Last Edit: October 28, 2006, 06:21:55 PM by 1yn »
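
Jotti's report on tcpip.exe above lists "PE_PATCH.UPX, UPX" under Packers detected, and that is why only heuristic engines fired: a packed body hides the strings and code that signature scanners key on. The Python below is an added example, not part of the original thread or of any tool named in it. It performs the packer check locally by walking the PE header to the section table and reporting section names that packers leave behind together with the entropy of each section's raw bytes. The packer name list and the tiny PE image it builds are constructed stand-ins (the real tcpip.exe is not on the page), so the script runs offline.

```python
import math
import struct
from collections import Counter

# Section names that well-known packers write into the PE section table.
# Short illustrative list (assumption); UPX is the one Jotti reported above.
PACKER_SECTION_PREFIXES = ("UPX", ".aspack", ".petite", ".MPRESS")


def shannon_entropy(buf: bytes) -> float:
    """Bits per byte: ~8.0 means compressed or encrypted data, ~0 means padding."""
    if not buf:
        return 0.0
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in Counter(buf).values())


def pe_sections(data: bytes) -> list[dict]:
    """Walk MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    table = coff + 20 + opt_size          # COFF header is 20 bytes, then the optional header
    sections = []
    for i in range(nsections):
        off = table + i * 40              # IMAGE_SECTION_HEADER is 40 bytes
        if off + 40 > len(data):
            raise ValueError("truncated section table")
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, off)
        raw = data[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "raw_size": raw_size,
            "entropy": round(shannon_entropy(raw), 3),
        })
    return sections


def packer_verdict(sections: list[dict]) -> dict:
    """Two independent signals: tell-tale section names, and a large high-entropy body."""
    named = [s["name"] for s in sections if s["name"].startswith(PACKER_SECTION_PREFIXES)]
    hot = [s["name"] for s in sections if s["raw_size"] >= 512 and s["entropy"] > 7.0]
    return {"packer_sections": named, "high_entropy_sections": hot,
            "likely_packed": bool(named) or bool(hot)}


def build_sample_pe(sections: list[tuple[str, bytes]]) -> bytes:
    """Constructed stand-in for a UPX-packed binary: a minimal, non-runnable PE32
    image with the given section names and raw bodies (sample data, not a real file)."""
    opt_size = 224                                   # PE32 optional header size
    raw_start = 0x400                                # file offset of the first section body
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x014C, len(sections), 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)            # PE32 magic
    table, body, ptr, va = bytearray(), bytearray(), raw_start, 0x1000
    for name, raw in sections:
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), max(len(raw), 0x1000),
                             va, len(raw), ptr if raw else 0, 0, 0, 0, 0, 0x60000020)
        body += raw
        ptr += len(raw)
        va += max(len(raw), 0x1000)
    image = dos + b"PE\0\0" + coff + opt + table
    assert len(image) <= raw_start, "header overran the section area"
    return bytes(image + b"\0" * (raw_start - len(image)) + body)


# Constructed sample: UPX0 is virtual-only (the unpack target), UPX1 holds the
# compressed body (maximal-entropy filler here), .rsrc is zero padding.
SAMPLE_PE = build_sample_pe([
    ("UPX0", b""),
    ("UPX1", bytes(range(256)) * 16),
    (".rsrc", b"\0" * 1024),
])


def triage(data: bytes) -> dict:
    sections = pe_sections(data)
    return {"sections": sections, **packer_verdict(sections)}


if __name__ == "__main__":
    print(triage(SAMPLE_PE))
```

Both signals are reported because either one alone is weak: a packer can rename its sections, and a legitimate installer or resource-heavy binary can carry high-entropy sections. Treat `likely_packed` as a prompt to unpack and rescan, not as a verdict, which is also how Jotti qualified its own result.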

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Command Service / Downloader.tibs
« Reply #16 on: October 29, 2006, 10:50:17 AM »
Sorry for the delay

Can you do the following
Copy ALL the text in the script box below to your Clipboard by highlighting it and pressing (Ctrl+C) on your keyboard,
=============================================================

files to delete:
C:\WINDOWS\system32\tcpip.exe



==========================================================================
Now, start The Avenger program by clicking on its icon on your desktop

    * Under "Script file to execute" choose "Input Script Manually".
    * Now click on the Magnifying Glass icon which will open a new window titled "View/edit script"
    * Paste the text copied to clipboard into this window by pressing (Ctrl+V).
    * Click Done
    * Now click on the Green Light to begin execution of the script
    * Answer "Yes" twice when prompted.

Avenger should now Reboot your computer

Back in Windows
Since you already have AVG-Antispyware installed, can you do the following
  • Load AVG-antispyware and then click the Update tab at the top. Under Manual Update click Start update.
  • After the update finishes (the status bar at the bottom will display "Update successful")
  • Select the "Scanner" tab
  • Click the "Settings" tab and then change the recommended action to Quarantine and ensure that  Automatically generate report after every scan is selected
  • Click back to the "Scan" tab and then click on Complete System Scan.
  • Let this scan complete
  • AVG will list any infections found on the left hand side. When the scan has finished, it will automatically set the recommended action. Click the Apply all actions button. Ewido will display "All actions have been applied" on the right hand side.

  • Click on "Save Report", then "Save Report As".  This will create a text file.  Make sure you know where to find this file again (like on the Desktop).
Reboot one more time

Post a fresh Hijackthis log afterwards and the whole report from AVG-antispyware
That should do it, just some quick final steps
« Last Edit: October 29, 2006, 10:50:33 AM by guestolo »



Offline 1yn

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
Command Service / Downloader.tibs
« Reply #17 on: October 29, 2006, 12:15:22 PM »
NEW HJT
 
 Logfile of HijackThis v1.99.1
 Scan saved at 12:12:31 PM, on 10/29/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\Ati2evxx.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\Ati2evxx.exe
 C:\WINDOWS\Explorer.EXE
 C:\WINDOWS\system32\spoolsv.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
 C:\Program Files\VIAudioi\SBADeck\ADeck.exe
 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 C:\HJT\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
 O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
 O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
 O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
 
 AVG REPORT
 
 ---------------------------------------------------------
 AVG Anti-Spyware - Scan Report
 ---------------------------------------------------------
 
  + Created at:    12:09:12 PM 10/29/2006
 
  + Scan result:    
 
 
 
     Nothing found.
 
 
 
 ::Report end

Offline guestolo

  • Site Donator
  • Administrator
  • Hero Member
  • *****
  • Posts: 16034
  • Karma: +1/-0
Command Service / Downloader.tibs
« Reply #18 on: October 29, 2006, 11:28:56 PM »
Can you do the following for me please

Create a .reg file
Open Notepad (START>>>RUN>>>type in notepad)
Hit OK
Copy the contents of the CODE box, not including the word "code"
Paste it to the empty Notepad file
In Notepad click FILE>>SAVE AS
IMPORTANT>>>Change the Save as Type to All Files.
Name the file as fix.reg

Save this file on the desktop
Make sure to copy from REGEDIT4 down in the code box

 
Code:
REGEDIT4

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}]

[HKEY_CLASSES_ROOT\CLSID\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}\InProcServer32]
@=-

[HKEY_CLASSES_ROOT\CLSID\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}]
@=-

[-HKEY_CLASSES_ROOT\CLSID\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}\InProcServer32]


[-HKEY_CLASSES_ROOT\CLSID\{9BB5B49C-0D59-418d-A6A5-F6373B8FEF64}]


Close down all browser windows, including this one

Do a "System scan only" with Hijackthis and put a check next to these entries:

O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)


After you have ticked the above entries, close All other open windows
Including this one
Leave Hijackthis open and click FIX CHECKED
OK the prompt and exit Hijackthis

Double click on fix.reg, allow to add/merge to the registry
Reboot the computer and post a fresh hijackthis log please
« Last Edit: October 29, 2006, 11:29:33 PM by guestolo »


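The two entries this reply targets (the generic "BHO" pointing at C:\Program Files\BHO Plugin\plugin.dll, and the "TCP and UDP Support" service whose binary Avenger already removed but whose registration survived) are exactly what a log triage should catch. The Python below is an added example, not part of the original thread and not code from HijackThis or The Avenger. It parses O2 and O23 lines, flags a service that has no owner string, whose binary is missing, or whose name mimics a Windows driver (the tcpip.exe/tcpip.sys check comes from my own baseline and is an assumption, not something HijackThis reports), and writes the same REGEDIT4 removal file the reply above builds by hand. The BHO allowlist, the lookalike table and the six sample log lines are constructed here from the log in Reply #17.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample: six lines lifted from the HijackThis log in Reply #17,
# with benign entries kept for contrast.
SAMPLE_HJT_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: BHO - {9BB5B49C-0D59-418d-A6A5-F6373B8FEF64} - C:\Program Files\BHO Plugin\plugin.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: TCP and UDP Support - Unknown owner - C:\WINDOWS\system32\tcpip.exe (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - "
                   r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - "
                    r"(?P<path>.+?)(?P<missing> \(file missing\))?$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")

# Allowlist (assumption): Spybot's SDHelper BHO, taken from the same log.
KNOWN_GOOD_BHO = {"{53707962-6F74-2D53-2644-206D7942484F}"}
# Lookalike table (assumption from the analyst's baseline, not a HijackThis check).
LOOKALIKE_BINARIES = {
    "tcpip.exe": "name borrowed from tcpip.sys, the TCP/IP driver; Windows XP ships no tcpip.exe",
}

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_CLASSES_ROOT\CLSID"


def triage(log_text: str) -> list[dict]:
    """Return the O2/O23 entries worth acting on, each with the reasons it was flagged."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O23_RE.match(line)
        if m:
            reasons = []
            if m["owner"] == "Unknown owner":
                reasons.append("no company string on the service binary")   # weak alone
            if m["missing"]:
                reasons.append("service still registered but its binary is gone")
            base = PureWindowsPath(m["path"]).name.lower()
            if base in LOOKALIKE_BINARIES:
                reasons.append(LOOKALIKE_BINARIES[base])
            if reasons:
                findings.append({"kind": "O23", "name": m["name"], "path": m["path"],
                                 "reasons": reasons})
            continue
        m = O2_RE.match(line)
        if m and m["clsid"].upper() not in KNOWN_GOOD_BHO:
            findings.append({"kind": "O2", "name": m["name"], "clsid": m["clsid"],
                             "path": m["path"], "reasons": ["BHO CLSID not on the allowlist"]})
    return findings


def service_key_name(hjt_name: str) -> str:
    """HijackThis prints 'Display Name (KeyName)' when the two differ, else just the name."""
    m = re.search(r"\((?P<key>[^()]+)\)$", hjt_name)
    return m["key"] if m else hjt_name


def service_delete_command(hjt_name: str) -> str:
    """Equivalent of HijackThis 'Fix checked' on an O23 line (sc.exe wants the key name)."""
    return f'sc delete "{service_key_name(hjt_name)}"'


def bho_removal_reg(clsid: str) -> str:
    """REGEDIT4 text that unregisters a BHO. Deleting the CLSID key also removes its
    InProcServer32 subkey, so the separate entries in the hand-written fix are not needed."""
    if not GUID_RE.match(clsid):
        raise ValueError(f"not a CLSID: {clsid!r}")
    lines = ["REGEDIT4", "", f"[-{BHO_KEY}\\{clsid}]", "", f"[-{CLSID_KEY}\\{clsid}]", ""]
    return "\r\n".join(lines) + "\r\n"          # regedit expects CRLF and a trailing blank line


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f["kind"], f["name"], "->", "; ".join(f["reasons"]))
        if f["kind"] == "O2":
            print(bho_removal_reg(f["clsid"]))
        else:
            print(service_delete_command(f["name"]))
```

The "Unknown owner" signal is deliberately kept as one reason among several rather than a verdict on its own: plenty of legitimate OEM services carry no company string, so only entries that accumulate reasons (or hit the missing-file or lookalike checks) deserve the removal step.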

Offline 1yn

  • Newbie
  • *
  • Posts: 13
  • Karma: +0/-0
Command Service / Downloader.tibs
« Reply #19 on: October 30, 2006, 12:33:03 AM »
Logfile of HijackThis v1.99.1
 Scan saved at 12:30:27 AM, on 10/30/2006
 Platform: Windows XP SP2 (WinNT 5.01.2600)
 MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
 
 Running processes:
 C:\WINDOWS\System32\smss.exe
 C:\WINDOWS\system32\winlogon.exe
 C:\WINDOWS\system32\services.exe
 C:\WINDOWS\system32\lsass.exe
 C:\WINDOWS\system32\Ati2evxx.exe
 C:\WINDOWS\system32\svchost.exe
 C:\WINDOWS\System32\svchost.exe
 C:\WINDOWS\system32\spoolsv.exe
 C:\WINDOWS\system32\Ati2evxx.exe
 C:\WINDOWS\Explorer.EXE
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
 C:\Program Files\VIAudioi\SBADeck\ADeck.exe
 C:\Program Files\ATI Technologies\ATI.ACE\cli.exe
 C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
 C:\WINDOWS\system32\wuauclt.exe
 C:\HJT\HijackThis.exe
 
 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
 O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
 O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
 O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
 O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
 O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
 O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
 O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
 O4 - HKLM\..\Run: [IMJPMIG8.1] C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE /Spoil /RemAdvDef /Migration32
 O4 - HKLM\..\Run: [AudioDeck] C:\Program Files\VIAudioi\SBADeck\ADeck.exe 1
 O4 - HKLM\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime
 O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
 O16 - DPF: {193C772A-87BE-4B19-A7BB-445B226FE9A1} (ewidoOnlineScan Control) - http://download.ewido.net/ewidoOnlineScan.cab
 O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
 O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
 O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
 O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
 O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
 O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
 O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe