need help (RESOLVED)
Can you please check my log?
Logfile of HijackThis v1.99.1
Scan saved at 2:12:25 PM, on 10/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\HijackThis\foolyou.exe.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {539BE4B3-9011-46D3-8246-30E412DE5043} - blank (file missing)
O2 - BHO: (no name) - {7F4D1146-EF3B-42D7-9CFD-47856901083B} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - %windir%\bdoscandel.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: QuickSet Internet Zone - {3417D8E1-5942-11d6-A0E0-0002B364F69B} - C:\Program Files\QSIZ\qsiz.EXE (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/...osticsxp2k.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188901880687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1188902392515
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.innotive.com/download/cibrowser11.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE1F9E2-D9A2-414D-A17A-C6CC7A5A6257}: NameServer = 202.188.0.133 202.188.1.5
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: WRNotifier - WRLogonNTF.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
Welcome back,
Please delete the version of HiJackThis.exe you have installed, then download the new version from here: HIJACKTHIS
Make sure HijackThis is in its own folder, like this:
Program Files\hijackthis\hijackthis.exe
Please go to hijackthis.exe, right-click on it, click on Rename, rename it to foolyou.exe and press Enter,
then post a new log from the newly renamed hijackthis.exe. Sometimes malware hides from hijackthis.exe.
Thanks,
Please download VundoFix.exe to your desktop.
1. Double-click VundoFix.exe to run it.
2. Click the Scan for Vundo button.
3. Once it's done scanning, click the Remove Vundo button.
4. You will receive a prompt asking if you want to remove the files; click YES. Once you click yes, your desktop will go blank as it starts removing Vundo.
5. When completed, it will prompt that it will reboot your computer; click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
1. Download this file - COMBOFIX
2. Double click combofix.exe & follow the prompts.
3. When finished, it will produce a log for you. Post that log in your next reply
Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
Post a new hijackthis log also please.
1. This is the HijackThis log after renaming:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:44:34 AM, on 10/30/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\foolyou.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: IeCatch5 Class - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - C:\PROGRA~1\FlashGet\jccatch.dll
O2 - BHO: (no name) - {539BE4B3-9011-46D3-8246-30E412DE5043} - blank (file missing)
O2 - BHO: (no name) - {7F4D1146-EF3B-42D7-9CFD-47856901083B} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe (file missing)
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: QuickSet Internet Zone - {3417D8E1-5942-11d6-A0E0-0002B364F69B} - C:\Program Files\QSIZ\qsiz.EXE (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/...osticsxp2k.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188901880687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1188902392515
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.innotive.com/download/cibrowser11.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE1F9E2-D9A2-414D-A17A-C6CC7A5A6257}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O24 - Desktop Component 0: (no name) - http://www.plal.com/images/brick.jpg
O24 - Desktop Component 1: (no name) - http://www.indianchild.com/images/tree_01.gif
O24 - Desktop Component 2: (no name) - http://imgi.maps.yahoo.com/mapimage?...pCSirH73a_Sf6p
O24 - Desktop Component 3: (no name) - http://cguesthouse.homestead.com/fil...QS_main_bg.jpg
O24 - Desktop Component 4: (no name) - http://www.theweathernetwork.com/com...ground1024.gif
O24 - Desktop Component 5: (no name) - https://secure4.worldweb.com/Activit...son_tours3.gif
O24 - Desktop Component 6: (no name) - http://www.vancouvertrolley.com/images/bg.gif
--
End of file - 7683 bytes
2. Nothing was found by VundoFix, so there is nothing to be deleted. This is the log:
VundoFix V4.2.35
Checking Java version...
Sun Java not detected
Scan started at 9:51:09 PM 3/24/2006
Listing files found while scanning....
No infected files were found.
VundoFix V6.5.4
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 6:05:33 PM 7/4/2007
Listing files found while scanning....
C:\WINDOWS\system32\adeeg.bak2
C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\adeeg.tmp
C:\WINDOWS\system32\geeda.dll
Beginning removal...
Attempting to delete C:\WINDOWS\system32\adeeg.bak2
C:\WINDOWS\system32\adeeg.bak2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\adeeg.ini2
C:\WINDOWS\system32\adeeg.ini2 Has been deleted!
Attempting to delete C:\WINDOWS\system32\adeeg.tmp
C:\WINDOWS\system32\adeeg.tmp Has been deleted!
Performing Repairs to the registry.
Done!
VundoFix V6.5.4
Checking Java version...
Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.
Scan started at 11:46:54 AM 10/30/2007
Listing files found while scanning....
No infected files were found.
3. This is the ComboFix log:
"Owner" - 2007-10-30 11 11 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
((((((((((((((((((((((((( Files Created from 2007-09-28 to 2007-10-30 )))))))))))))))))))))))))))))))
2007-10-30 11:42 <DIR> d-------- C:\Program Files\Trend Micro
2007-10-26 16:50 <DIR> d-------- C:\WINDOWS\system32\CatRoot2
2007-10-26 16:44 <DIR> d-------- C:\Program Files\Common Files\Macromedia Shared
2007-10-26 16:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Macrovision
2007-10-26 16:41 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\TEMP
2007-10-26 11:15 <DIR> d-------- C:\Program Files\VeryPDF PDF2Word v3.0
2007-10-26 11:14 1,024 --a------ C:\WINDOWS\system32\pdf2word.DAT
2007-10-15 16:09 <DIR> d-------- C:\temp\FixEngine
2007-10-15 16:08 <DIR> d-------- C:\Program Files\Hp
2007-09-27 17:11 544,768 --a-s---- C:\WINDOWS\system32\msvcr71d.dll
2007-09-27 17:11 2,179,072 --a-s---- C:\WINDOWS\system32\mfc71d.dll
2007-09-27 17:11 <DIR> d-------- C:\Program Files\TicketBench Plus
2007-09-24 22:28 0 --a------ C:\WINDOWS\nsreg.dat
2007-09-04 18:38 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
2007-09-03 00:45 <DIR> d-------- C:\Program Files\MP3 Player Utilities 3.75
2007-09-02 23:40 <DIR> d-------- C:\Program Files\Philips
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2007-10-30 04:01:10 -------- d-----w C:\Program Files\FlashGet
2007-10-19 08:19:25 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\AdobeUM
2007-10-16 02:25:59 80,256 ----a-w C:\DOCUME~1\Owner\APPLIC~1\GDIPFONTCACHEV1.DAT
2007-09-28 11:01:52 -------- d-----w C:\Program Files\Ahead
2007-09-28 11:00:19 -------- d-----w C:\Program Files\Simple Backup for My Pictures
2007-09-27 09:10:01 -------- d-----w C:\Program Files\ProxyFox
2007-09-04 10:38:31 -------- d--h--w C:\Program Files\WindowsUpdate
2007-09-02 15:40:02 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-08-31 13:44:27 -------- d-----w C:\Program Files\NoAdware4
2007-08-31 13:20:41 -------- d-----w C:\Program Files\SpywareBlaster
2007-08-31 10:34:02 -------- d-----w C:\Program Files\ewido anti-spyware 4.0
2007-07-30 11:19:46 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-07-30 11:19:42 1,712,984 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-07-30 11:19:36 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-07-30 11:19:32 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-07-30 11:19:20 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-07-30 11:19:16 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-07-30 11:19:12 43,352 ----a-w C:\WINDOWS\system32\wups2.dll
2007-07-30 11:18:40 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-07-30 11:18:34 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
*Note* empty entries & legit default entries are not shown
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670}=C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll [2006-10-26 10:28]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2004-12-14 01:56]
{2F364306-AA45-47B5-9F9D-39A8B94E7EF7}=C:\PROGRA~1\FlashGet\jccatch.dll [2006-05-16 15:19]
{539BE4B3-9011-46D3-8246-30E412DE5043}=blank []
{9030D464-4C02-4ABF-8ECC-5164760863C6}=C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll [2006-08-31 20:33]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" [2007-10-26 11:58]
"AVG7_EMC"="C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe" [2007-10-26 11:58]
"WCOLOREAL"="C:\Program Files\Coloreal\coloreal.exe" [2002-11-26 17:14]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" []
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSharedDocuments"=00000000
"GreyMSIAds"=1 (0x1)
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\geeda]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjg]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AutoTBar]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FreeRAM XP]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HotKeysCmds]
C:\WINDOWS\System32\hkcmd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hp Silent Service]
C:\Windows\system32\HpSrvUI.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\hpScannerFirstBoot]
c:\hp\drivers\scanners\scannerfb.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KYE_Showicon]
"C:\Program Files\USB Storage RW\shwicon.exe" -t"KYE\USB Storage RW"
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LCIDCHNG]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mercora]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PS2]
C:\WINDOWS\system32\ps2.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Recguard]
C:\WINDOWS\SMINST\RECGUARD.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Repair Registry Pro]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
c:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SSC_UserPrompt]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\StorageGuard]
"C:\Program Files\VERITAS Software\Update Manager\sgtray.exe" /r
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_06\bin\jusched.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Symantec NetDriver Monitor]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Uniblue Quick Access]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Registry Repair Pro]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Fax"=3 (0x3)
"ccPwdSvc"=3 (0x3)
"Automatic LiveUpdate Scheduler"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"RDSessMgr"=3 (0x3)
"mnmsrvc"=3 (0x3)
"wuauserv"=2 (0x2)
"lanmanworkstation"=2 (0x2)
"iPodService"=3 (0x3)
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe"
"AlcxMonitor"=ALCXMNTR.EXE
"PHIME2002A"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
"HotKeysCmds"=C:\WINDOWS\system32\hkcmd.exe
"IMJPMIG8.1"="C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
"MSPY2002"=C:\WINDOWS\system32\IME\PINTLGNT\ImScInst.exe /SYNC
"IMEKRMIG6.1"=C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
"PHIME2002ASync"=C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{1025cd84-6db9-11dc-aa2f-000c760025ce}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{21086163-69c9-11dc-aa21-000c760025ce}]
Auto\command- sxs.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL sxs.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{25f9610d-f870-11db-a94a-000c760025ce}]
Auto\command- infrom.exe
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL infrom.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6be80fe6-c013-11db-a90c-000c760025ce}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6be80fed-c013-11db-a90c-000c760025ce}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6be80ff0-c013-11db-a90c-000c760025ce}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{cd2d9e20-4feb-11dc-a9f0-000c760025ce}]
AutoRun\command- C:\WINDOWS\system32\RunDLL32.EXE Shell32.DLL,ShellExec_RunDLL copy.exe
Contents of the 'Scheduled Tasks' folder
2007-08-31 13:55:12 C:\WINDOWS\tasks\LiveUpdate.job
2007-03-05 12:50:01 C:\WINDOWS\tasks\Uniblue SpyEraser.job
************************************************************************
catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-10-30 12:03:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
************************************************************************
Completion time: 2007-10-30 12:05:21
C:\ComboFix-quarantined-files.txt ... 2007-10-30 12:04
C:\ComboFix2.txt ... 2007-07-03 20:59
--- E O F ---
VundoFix ran twice: the first time it found and deleted files related to the Vundo trojan; the second time none were found, which is good.
How is your PC running now?
Go here: BitDefender and run an online scan with BitDefender (you will need to use Internet Explorer for this scan). When the ActiveX Control has loaded, click on "Click here to scan" and grab a coffee.
When BitDefender completes the scan, select the "Detected Problems" tab. Click on "Click here to export scan". Save the file as an HTML to your Desktop. Then click on the saved file and allow it to open with your browser. Go to Edit - Select All, then copy/paste that log back here. Post back and let us know what it found (post the log).
And post a new HJT log also.
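The checks a helper applies by eye to a HijackThis log can be written down. The following Python script is an added example, not code from this thread or from HijackThis, VundoFix, ComboFix or BitDefender; the sample lines are copied from the log posted above, and the three heuristics (BHOs whose DLL is missing, O20 Winlogon Notify entries that name no DLL file, such as the geeda and jkkjg entries, and an O17 DNS override to confirm against the ISP) are this example's own, not the tool's:

```python
import re

# Constructed sample: a handful of lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {539BE4B3-9011-46D3-8246-30E412DE5043} - blank (file missing)
O2 - BHO: (no name) - {7F4D1146-EF3B-42D7-9CFD-47856901083B} - (no file)
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE1F9E2-D9A2-414D-A17A-C6CC7A5A6257}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# Every HijackThis entry line starts with a section tag (R0, O2, O20, ...) followed by " - ".
ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.+)$")


def parse_hjt(text):
    """Return (section, body) pairs for every HijackThis entry line; other lines are ignored."""
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("section"), m.group("body")))
    return entries


def triage(text):
    """Flag the entries a helper would ask about first. Returns (section, reason, body) tuples."""
    findings = []
    for section, body in parse_hjt(text):
        if section == "O2" and ("(no file)" in body or "(file missing)" in body):
            # A BHO CLSID whose DLL is gone: usually the leftover of a removed component,
            # harmless on its own but worth cleaning up.
            findings.append((section, "BHO registered but its DLL is not on disk", body))
        elif section == "O20":
            # body looks like "Winlogon Notify: <name> - <path>"
            name, _, path = body.partition(": ")[2].partition(" - ")
            if path.endswith("\\") or "(file missing)" in path:
                # A genuine notification package points at a DLL file. An entry that shows
                # only a directory (geeda and jkkjg in the posted log; VundoFix's earlier
                # run listed geeda.dll) is the pattern helpers look at first.
                findings.append((section, f"Winlogon Notify '{name}' names no DLL file", body))
        elif section == "O17" and "NameServer" in body:
            # A hard-coded resolver list is not malicious by itself, but it should match the ISP.
            servers = body.split("=", 1)[1].split()
            findings.append((section, f"DNS override to {', '.join(servers)}; confirm these are your ISP's resolvers", body))
    return findings


if __name__ == "__main__":
    for section, reason, body in triage(SAMPLE_LOG):
        print(f"[{section}] {reason}\n    {body}")
```

Running the script on the sample prints five findings: the two file-less BHOs, the DNS override, and the geeda and jkkjg Winlogon Notify entries; the igfxcui and WgaLogon entries, which point at real DLLs, are left alone.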
I got this pop-up when I agreed to the ActiveX Control. I received this error (look at attachment). Should I overwrite it??
1) This is the online scan. **But I changed the settings to scan all files instead of just program files... that's okay, right?? After it detects a virus, the 2nd action is supposed to be Delete, right?? I'm afraid that I might have messed up the settings on the online scan. Please advise.
BitDefender Online Scanner
Scan report generated at: Thu, Nov 01, 2007 - 15:30:49
Scan path: A:\;C:\;D:\;E:\;
Statistics
Time 02:23:11
Files 495206
Folders 8890
Boot Sectors 3
Archives 58213
Packed Files 36225
Results
Identified Viruses 10
Infected Files 19
Suspect Files 0
Warnings 0
Disinfected 0
Deleted Files 19
Engines Info
Virus Definitions 859683
Engine build AVCORE v1.0 (build 2422) (i386) (Sep 25 2007 08:26:36)
Scan plugins 14
Archive plugins 38
Unpack plugins 7
E-mail plugins 6
System plugins 1
Scan Settings
First Action Disinfect
Second Action Delete
Heuristics Yes
Enable Warnings Yes
Scanned Extensions *;
Exclude Extensions
Scan Emails Yes
Scan Archives Yes
Scan Packed Yes
Scan Files Yes
Scan Boot Yes
Scanned File Status
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (crack)\KEYGEN!!.exe Infected with: Packer.FSG.A
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (crack)\KEYGEN!!.exe Disinfection failed
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (crack)\KEYGEN!!.exe Deleted
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (Full Version)\KEYGEN!!.exe Infected with: Packer.FSG.A
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (Full Version)\KEYGEN!!.exe Disinfection failed
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (Full Version)\KEYGEN!!.exe Deleted
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (Full Version).zip=>Norton Antivirus 2005/KEYGEN!!.exe Infected with: Packer.FSG.A
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (Full Version).zip=>Norton Antivirus 2005/KEYGEN!!.exe Disinfection failed
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (Full Version).zip=>Norton Antivirus 2005/KEYGEN!!.exe Deleted
C:\Documents and Settings\Owner\Desktop\2nd desktop\ramesh\setup\antivirus\Norton Antivirus 2005 (Full Version).zip Updated
C:\Documents and Settings\Owner\Desktop\cleaning tools now\ComboFix.exe=>(RAR Sfx o)=>CFCleanUp.bat Infected with: Trojan.Bat.Sdel.AC
C:\Documents and Settings\Owner\Desktop\cleaning tools now\ComboFix.exe=>(RAR Sfx o)=>CFCleanUp.bat Disinfection failed
C:\Documents and Settings\Owner\Desktop\cleaning tools now\ComboFix.exe=>(RAR Sfx o)=>CFCleanUp.bat Deleted
C:\Documents and Settings\Owner\Desktop\cleaning tools now\ComboFix.exe=>(RAR Sfx o) Update failed
C:\QooBox\Quarantine\C\WINDOWS\autorun.inf.vir Infected with: Trojan.Autorun.EU
C:\QooBox\Quarantine\C\WINDOWS\autorun.inf.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\autorun.inf.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\cbqyopsc.dll.vir Infected with: Trojan.BHO.AU
C:\QooBox\Quarantine\C\WINDOWS\system32\cbqyopsc.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\cbqyopsc.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\hgthhpyx.dll.vir Infected with: Trojan.Virtumod.ADI
C:\QooBox\Quarantine\C\WINDOWS\system32\hgthhpyx.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\hgthhpyx.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\movtysny.dll.vir Infected with: Trojan.Bho.O
C:\QooBox\Quarantine\C\WINDOWS\system32\movtysny.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\movtysny.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\mrixqhsm.dll.vir Infected with: Trojan.BHO.BN
C:\QooBox\Quarantine\C\WINDOWS\system32\mrixqhsm.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\mrixqhsm.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnn.dll.vir Infected with: MemScan:Trojan.Virtumod.ALX
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnn.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\pmnnn.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\tahjfyfa.dll.vir Infected with: Trojan.Vundo.AN
C:\QooBox\Quarantine\C\WINDOWS\system32\tahjfyfa.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\tahjfyfa.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\veceuuxt.dll.vir Infected with: Trojan.Virtumod.DG
C:\QooBox\Quarantine\C\WINDOWS\system32\veceuuxt.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\veceuuxt.dll.vir Deleted
C:\QooBox\Quarantine\C\WINDOWS\system32\xkluylxl.dll.vir Infected with: Trojan.BHO.BN
C:\QooBox\Quarantine\C\WINDOWS\system32\xkluylxl.dll.vir Disinfection failed
C:\QooBox\Quarantine\C\WINDOWS\system32\xkluylxl.dll.vir Deleted
C:\QooBox\Quarantine\d\Autorun.inf.vir Infected with: Trojan.Autorun.EU
C:\QooBox\Quarantine\d\Autorun.inf.vir Disinfection failed
C:\QooBox\Quarantine\d\Autorun.inf.vir Deleted
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210856.exe=>(RAR Sfx o)=>CFCleanUp.bat Infected with: Trojan.Bat.Sdel.AC
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210856.exe=>(RAR Sfx o)=>CFCleanUp.bat Disinfection failed
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210856.exe=>(RAR Sfx o)=>CFCleanUp.bat Deleted
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210856.exe=>(RAR Sfx o) Update failed
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210870.bat Infected with: Trojan.Bat.Sdel.AC
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210870.bat Disinfection failed
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210870.bat Deleted
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210891.exe=>(RAR Sfx o)=>CFCleanUp.bat Infected with: Trojan.Bat.Sdel.AC
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210891.exe=>(RAR Sfx o)=>CFCleanUp.bat Disinfection failed
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210891.exe=>(RAR Sfx o)=>CFCleanUp.bat Deleted
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210891.exe=>(RAR Sfx o) Update failed
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210977.exe Infected with: Packer.FSG.A
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210977.exe Disinfection failed
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210977.exe Deleted
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210978.exe Infected with: Packer.FSG.A
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210978.exe Disinfection failed
C:\System Volume Information\_restore{48447FBC-DEC0-4563-94A0-F3A22744F87A}\RP322\A0210978.exe Deleted
2) This is the HJT log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:39:03 PM, on 11/1/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\UStorSrv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\foolyou.exe
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about :blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {539BE4B3-9011-46D3-8246-30E412DE5043} - blank (file missing)
O2 - BHO: (no name) - {7F4D1146-EF3B-42D7-9CFD-47856901083B} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: FlashGet Bar - {E0E899AB-F487-11D5-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\fgiebar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [AVG7_EMC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O4 - HKLM\..\Run: [WCOLOREAL] "C:\Program Files\Coloreal\coloreal.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O8 - Extra context menu item: Add to AMV Convert Tool... - C:\Program Files\MP3 Player Utilities 3.75\AMVConverter\grab.html
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 3.75\MediaManager\grab.html
O8 - Extra context menu item: Download All by FlashGet - C:\Program Files\FlashGet\jc_all.htm
O8 - Extra context menu item: Download using FlashGet - C:\Program Files\FlashGet\jc_link.htm
O8 - Extra context menu item: Download with Star Downloader - C:\Program Files\Star Downloader\sdie.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Open with BitPump - C:\Program Files\AnalogX\BitPump\ieint.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra 'Tools' menuitem: &FlashGet - {D6E814A0-E0C5-11d4-8D29-0050BA6940E3} - C:\PROGRA~1\FlashGet\flashget.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: QuickSet Internet Zone - {3417D8E1-5942-11d6-A0E0-0002B364F69B} - C:\Program Files\QSIZ\qsiz.EXE (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/...osticsxp2k.cab
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/reso...an8/oscan8.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1188901880687
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsof...?1188902392515
O16 - DPF: {70EE0AA4-5A3A-4052-8FFA-2EEDA43F7942} (Innotive Cibrowser Control 1.1) - http://www.innotive.com/download/cibrowser11.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} - http://www.symantec.com/techsupp/asa/ctrl/SymAData.cab
O16 - DPF: {CF40ACC5-E1BB-4AFF-AC72-04C2F616BCA7} (get_atlcom Class) - http://www.adobe.com/products/acrobat/nos/gp.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BBE1F9E2-D9A2-414D-A17A-C6CC7A5A6257}: NameServer = 202.188.0.133 202.188.1.5
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: UStorage Server Service - OTi - C:\WINDOWS\system32\UStorSrv.exe
O24 - Desktop Component 0: (no name) - http://www.plal.com/images/brick.jpg
O24 - Desktop Component 1: (no name) - http://www.indianchild.com/images/tree_01.gif
O24 - Desktop Component 2: (no name) - http://imgi.maps.yahoo.com/mapimage?...pCSirH73a_Sf6p
O24 - Desktop Component 3: (no name) - http://cguesthouse.homestead.com/fil...QS_main_bg.jpg
O24 - Desktop Component 4: (no name) - http://www.theweathernetwork.com/com...ground1024.gif
O24 - Desktop Component 5: (no name) - https://secure4.worldweb.com/Activit...son_tours3.gif
O24 - Desktop Component 6: (no name) - http://www.vancouvertrolley.com/images/bg.gif
--
End of file - 7556 bytes
You did it right.
Run HijackThis, click on the "Scan System Only" button and put checks next to these:
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about :blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
O2 - BHO: (no name) - {539BE4B3-9011-46D3-8246-30E412DE5043} - blank (file missing)
O2 - BHO: (no name) - {7F4D1146-EF3B-42D7-9CFD-47856901083B} - (no file)
O20 - Winlogon Notify: geeda - C:\WINDOWS\
O20 - Winlogon Notify: jkkjg - C:\WINDOWS\
Close everything out except HijackThis and click "Fix checked".
Reboot your computer and come back and tell me how things are running now please.
Actually, what is my computer's problem? I don't see any problem and it feels a bit faster than before. Please tell me what my computer's problem was. When I used HijackThis to delete those programs, it said HijackThis is going to remove a BHO and the corresponding file from the system.
That is OK, and you had the Vundo trojan. I will mark this as resolved. Good luck and happy surfing.
Excellent, congratulations, your log shows that your SYSTEM IS CLEAN.
There are a few things you must do once you are completely clean:
Re-hide your System Files and Folders to prevent any future accidents. Reconfigure Windows XP to hide hidden files:
Click Start. Open My Computer. Select the Tools menu and click Folder Options. Select the View Tab. Under the Hidden files and folders heading deselect "Show hidden files and folders". Check the "Hide protected operating system files (recommended)" option. Click Yes to confirm. Click OK.
Please download ATF Cleaner by Atribune. This program is for XP and Windows 2000 only. Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.
If you use the Firefox browser: Click Firefox at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
If you use the Opera browser: Click Opera at the top and choose: Select All
Click the Empty Selected button. NOTE: If you would like to keep your saved passwords, please click No at the prompt.
Click Exit on the Main menu to close the program.
For Technical Support, double-click the e-mail address located at the bottom of each menu.
Reset and Re-enable your System Restore to remove bad files from the backup that Windows makes, as no program is able to clean those files:
TO DISABLE SYSTEM RESTORE: Right-click "My Computer", and then left click "Properties". Left click on the "System Restore" tab. Check the box beside "Turn Off System Restore". Left click on "Apply". Reboot your System.
TO ENABLE SYSTEM RESTORE: Remove the check mark from "Turn Off System Restore". Click on "Apply".
Here are some tips to reduce the potential for spyware infection in the future:
Make sure you keep your Windows OS current by visiting Windows Update regularly to download and install any critical updates and service packs. Without these you are leaving the backdoor open.
I strongly recommend installing the following applications:
Spywareblaster <= SpywareBlaster will prevent spyware from being installed.
Spywareguard <= SpywareGuard offers realtime protection from spyware installation attempts.
How to use Spybot to remove Spyware <= If you suspect that you have spyware installed on your computer, here are instructions on how to download, install and then use Spybot. Similar to Ad-Aware, I strongly recommend both to catch most spyware.
To protect yourself further:
Spyad <= IE/Spyad places over 4000 websites and domains in the IE Restricted list, which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc.) from the sites listed, although you will still be able to connect to the sites.
MVPS Hosts file <= The MVPS Hosts file replaces your current HOSTS file with one containing well known ad sites etc. Basically, this prevents your computer from connecting to those sites by redirecting them to 127.0.0.1, which is your local computer.
Google Toolbar <= Get the free Google toolbar to help stop pop up windows.
And also see TonyKlein's good advice: So how did I get infected in the first place? (My Favorite)