8 replies to this topic

[leila]

hi yesterday i managed to rid my laptop of the torpig and possibly vundo trojans using xoftspy se but i still have annoying random popups which popup blockers dont block.
all my virus scans come up with nothing.
heres my hijack this log

thanks everyone in advance


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:34:37, on 25/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\NEW USER\My Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.myspace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.myspace.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Orange UK
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O2 - BHO: (no name) - {04364200-F86B-4B42-ABCB-4EAAB6EDFF1E} - C:\WINDOWS\system32\mljklmj.dll (file missing)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: eBay Toolbar Helper - {22D8E815-4A5E-4DFB-845E-AAB64207F5BD} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: (no name) - {B1F2C4F1-F036-4823-A4F6-693D9C7372AF} - C:\WINDOWS\system32\efedb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [XoftSpySE] C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....shUKActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122w.bay122...es/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1164066532038
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145451077770
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujit...api/activex.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest....tivePreQual.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.g...zylomloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.129.66.245/activex/AMC.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...ploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - Winlogon Notify: efedb - C:\WINDOWS\system32\efedb.dll
O20 - Winlogon Notify: mljklmj - mljklmj.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe

--
End of file - 8728 bytes

Edited by leila, 25 July 2007 - 12:16 PM.

[Blade81]

Hi

1. Download this file -
combofix.exe
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your
next reply with a fresh hjt log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause
it to stall

[leila]

okay the vundo and torpig torjans are back i had to attempt to remove them so i could post on here as they crash my internet.

well heres the first log

"NEW USER" - 2007-07-25 16:22:10 - ComboFix 07-07-23.6 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\efedb.dll
C:\WINDOWS\system32\bdefe.bak1
C:\WINDOWS\system32\bdefe.ini
C:\WINDOWS\system32\bdefe.ini2
C:\WINDOWS\system32\bdefe.tmp
C:\WINDOWS\system32\bdefe.bak1
C:\WINDOWS\system32\bdefe.ini
C:\WINDOWS\system32\bdefe.ini2
C:\WINDOWS\system32\bdefe.tmp
C:\WINDOWS\system32\bdefe.bak1
C:\WINDOWS\system32\bdefe.ini
C:\WINDOWS\system32\bdefe.ini2
C:\WINDOWS\system32\bdefe.tmp


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CORE
-------\LEGACY_IPRIP
-------\LEGACY_NTMLSVC
-------\asc3550u
-------\core
-------\Iprip


((((((((((((((((((((((((( Files Created from 2007-06-25 to 2007-07-25 )))))))))))))))))))))))))))))))


2007-07-25 16:21 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-25 15:25 <DIR> d-------- C:\Program Files\Lavasoft
2007-07-25 15:25 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
2007-07-25 15:22 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-07-25 13:25 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\IDM
2007-07-25 13:24 <DIR> d-------- C:\Program Files\Internet Download Manager
2007-07-24 23:01 <DIR> d-------- C:\Program Files\XoftSpySE
2007-07-24 22:59 <DIR> d-------- C:\Program Files\Alwil Software
2007-07-24 15:01 192,622 --a------ C:\WINDOWS\system32\owinkodt.exe
2007-07-20 03:44 0 --a------ C:\WINDOWS\nsreg.dat
2007-07-15 03:02 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\MySpace
2007-07-15 01:19 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-15 01:19 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple
2007-07-02 01:31 <DIR> d-------- C:\Program Files\eBay
2007-07-02 01:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\WholeSecurity
2007-06-29 13:00 <DIR> d-------- C:\Program Files\Axis Communications
2007-06-27 02:16 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom
2007-06-26 01:58 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
2007-06-26 01:31 <DIR> d-------- C:\DOCUME~1\NEWUSE~1\APPLIC~1\PlayFirst
2007-06-26 01:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
2007-06-26 01:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-25 15:32:58 -------- d-----w C:\DOCUME~1\NEWUSE~1\APPLIC~1\DMCache
2007-07-25 15:32:56 24,176 ----a-w C:\WINDOWS\system32\dxdllreg.exe
2007-07-25 14:23:45 -------- d-----w C:\DOCUME~1\NEWUSE~1\APPLIC~1\Lavasoft
2007-07-25 12:29:25 -------- d-----w C:\DOCUME~1\NEWUSE~1\APPLIC~1\Azureus
2007-07-25 00:15:21 -------- d-----w C:\Program Files\DivX
2007-07-15 00:23:26 -------- d-----w C:\Program Files\QuickTime
2007-07-02 00:31:20 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-24 19:12:21 -------- d-----w C:\Program Files\Azureus
2007-06-23 17:49:56 -------- d-----w C:\Program Files\Google
2007-06-23 17:46:46 -------- d-----w C:\DOCUME~1\NEWUSE~1\APPLIC~1\Google
2007-06-19 13:22:09 202,424 ----a-w C:\WINDOWS\system32\idmmbc.dll
2007-06-14 19:02:21 -------- d-----w C:\Program Files\Yahoo!
2007-06-06 00:29:36 -------- d-----w C:\Program Files\Illustrate
2007-06-06 00:29:21 4,112,760 ----a-w C:\WINDOWS\system32\SpoonUninstall.exe
2007-06-04 14:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
2007-06-04 14:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
2007-06-04 14:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
2007-05-31 16:13:08 -------- d-----w C:\DOCUME~1\NEWUSE~1\APPLIC~1\WinRAR
2007-05-31 16:12:38 -------- d-----w C:\Program Files\Windows Media Bonus Pack for Windows XP
2007-05-31 14:56:59 56 --sh--r C:\WINDOWS\system32\C7284D9832.sys
2007-05-31 14:56:59 12,208 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2007-05-31 06:45:07 524,288 ----a-w C:\WINDOWS\system32\DivXsm.exe
2007-05-31 06:44:55 823,296 ----a-w C:\WINDOWS\system32\divx_xx07.dll
2007-05-31 06:44:54 823,296 ----a-w C:\WINDOWS\system32\divx_xx0c.dll
2007-05-31 06:44:54 802,816 ----a-w C:\WINDOWS\system32\divx_xx11.dll
2007-05-31 06:44:54 740,442 ----a-w C:\WINDOWS\system32\DivX.dll
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2006-06-09 22:57:45 278,528 -c--a-w C:\Program Files\Common Files\FDEUnInstaller.exe


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"XoftSpySE"="-C:\Program Files\XoftSpySE\xoftspy.exe" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="-C:\Program Files\MSN Messenger\msnmsgr.exe" []
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"IDMan"="C:\Program Files\Internet Download Manager\IDMan.exe" [2007-07-25 13:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"DisableTaskMgr"=1 (0x1)
"DisableRegistryTools"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoClose"=1 (0x1)
"NoRun"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljklmj]
mljklmj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ZDWLan Utility.lnk
backup=C:\WINDOWS\pss\ZDWLan Utility.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NEW USER^Start Menu^Programs^Startup^TA_Start.lnk]
path=C:\Documents and Settings\NEW USER\Start Menu\Programs\Startup\TA_Start.lnk
backup=C:\WINDOWS\pss\TA_Start.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^NEW USER^Start Menu^Programs^Startup^Yahoo! Widget Engine.lnk]
path=C:\Documents and Settings\NEW USER\Start Menu\Programs\Startup\Yahoo! Widget Engine.lnk
backup=C:\WINDOWS\pss\Yahoo! Widget Engine.lnkStartup


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4oD]
"C:\Program Files\Kontiki\KHost.exe" -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AGRSMMSG]
AGRSMMSG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Apoint]
C:\Program Files\Apoint2K\Apoint.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avgnt]
"C:\Program Files\AntiVir PersonalEdition Classic\avgnt.exe" /min

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BluetoothAuthenticationAgent]
rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTFMON.EXE]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eBayToolbar]
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IMJPMIG8.1]
"C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\kdx]
C:\Program Files\Kontiki\KHost.exe -all

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MemoryManager]
rundll32.exe "C:\WINDOWS\system32\kifmdswc.dll",forkonce

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\WINDOWS\system32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ProgramPath]
C:\Program Files\Power Manager\PM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Sony Ericsson PC Suite]
"C:\Program Files\Sony Ericsson\Mobile2\Application Launcher\Application Launcher.exe" /startoptions

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SoundMan]
SOUNDMAN.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTimer]
VTTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VTTrayp]
VTtrayp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\{43-33-3E-E1-ZN}]
C:\windows\system32\njdsregs.exe OLI001

R0 uagp35;Microsoft AGPv3.5 Filter;C:\WINDOWS\system32\DRIVERS\uagp35.sys
R1 Tcpip6;Microsoft IPv6 Protocol Driver;C:\WINDOWS\system32\DRIVERS\tcpip6.sys
R2 6to4;IPv6 Helper Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
R2 BthServ;Bluetooth Support Service;C:\WINDOWS\system32\svchost.exe -k bthsvcs
R2 SimpTcp;Simple TCP/IP Services;C:\WINDOWS\system32\tcpsvcs.exe
R2 SNMP;SNMP Service;C:\WINDOWS\System32\snmp.exe
R2 STEC3;STEC3;\??\C:\WINDOWS\system32\STEC3.sys
R3 ApfiltrService;Alps Pointing-device Filter Driver;C:\WINDOWS\system32\DRIVERS\Apfiltr.sys
R3 EKBfltr;ENE Keyboard Controller;C:\WINDOWS\system32\DRIVERS\EKBfltr.sys
R3 FETNDISB;VIA Rhine Family Fast Ethernet Adapter Driver Service;C:\WINDOWS\system32\DRIVERS\fetnd5b.sys
R3 tunmp;Microsoft Tun Miniport Adapter Driver;C:\WINDOWS\system32\DRIVERS\tunmp.sys
R3 viagfx;viagfx;C:\WINDOWS\system32\DRIVERS\vtmini.sys
S2 Fax;Fax;C:\WINDOWS\system32\fxssvc.exe
S3 AdWatchDrv;AW Realtime Driver;\??\C:\WINDOWS\system32\drivers\AWRTPD.sys
S3 BRGSp50;BRGSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\BRGSp50.sys
S3 BthEnum;Bluetooth Request Block Driver;C:\WINDOWS\system32\DRIVERS\BthEnum.sys
S3 BTHMODEM;Bluetooth Serial Communications Driver;C:\WINDOWS\system32\DRIVERS\bthmodem.sys
S3 BthPan;Bluetooth Device (Personal Area Network);C:\WINDOWS\system32\DRIVERS\bthpan.sys
S3 BTHPORT;Bluetooth Port Driver;C:\WINDOWS\system32\Drivers\BTHport.sys
S3 BTHUSB;Bluetooth Radio USB Driver;C:\WINDOWS\system32\Drivers\BTHUSB.sys
S3 FETNDIS;VIA PCI 10/100Mb Fast Ethernet Adapter NT Driver;C:\WINDOWS\system32\DRIVERS\fetnd5.sys
S3 HidBth;Microsoft Bluetooth HID Miniport;C:\WINDOWS\system32\DRIVERS\hidbth.sys
S3 k600bus;Sony Ericsson 600i driver (WDM);C:\WINDOWS\system32\DRIVERS\k600bus.sys
S3 LPDSVC;TCP/IP Print Server;C:\WINDOWS\system32\tcpsvcs.exe
S3 ovt519;EyeToy;C:\WINDOWS\system32\Drivers\ov519vid.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 RFCOMM;Bluetooth Device (RFCOMM Protocol TDI);C:\WINDOWS\system32\DRIVERS\rfcomm.sys
S3 SNMPTRAP;SNMP Trap Service;C:\WINDOWS\System32\snmptrap.exe
S3 umtsbus;WCDMA Handset USB Composite Device driver (WDM);C:\WINDOWS\system32\DRIVERS\umtsbus.sys
S3 umtsmdfl;WCDMA Handset Filter;C:\WINDOWS\system32\DRIVERS\umtsmdfl.sys
S3 umtsmdm;WCDMA Handset Drivers;C:\WINDOWS\system32\DRIVERS\umtsmdm.sys
S3 umtsserd;WCDMA Handset Diagnostic Serial Port (WDM);C:\WINDOWS\system32\DRIVERS\umtsserd.sys
S3 ZD1211BU(ZyDAS);ZyDAS ZD1211B IEEE 802.11 b+g Wireless LAN Driver (USB)(ZyDAS);C:\WINDOWS\system32\DRIVERS\zd1211Bu.sys
S3 ZDPSp50;ZDPSp50 NDIS Protocol Driver;C:\WINDOWS\system32\Drivers\ZDPSp50.sys

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc
bthsvcs BthServ


Contents of the 'Scheduled Tasks' folder
2007-07-16 09:18:14 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-25 15:32:29 C:\WINDOWS\tasks\XoftSpySE 2.job
2007-07-25 00:17:21 C:\WINDOWS\tasks\XoftSpySE.job

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-25 16:32:49
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\system32\protector.exe [3416] 0x852F6020


scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
"TracesProcessed"=dword:00000208
"TracesSuccessful"=dword:0000002c
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{115A6D1B-9CB4-B6CD-E452-6669B9837ED9}]
"bbbgohccjjdnbffbpgpagnekhidhlnbghaan"=hex:6a,61,6d,6d,65,68,61,66,63,61,66,6d,64,69,70,6a,69,66,6d,68,00,..
"abhfejdbodajgmmbinflffjegjhpgkcjac"=hex:6a,61,6d,6d,65,68,61,66,63,61,66,6d,64,69,70,6a,69,66,6d,68,00,..
"iabgohccjjdnbffbpg"=hex:61,61,00,01
"hahfejdbodajgmmb"=hex:61,61,00,01
"iangoionmihmpmbjgk"=hex:61,61,00,01

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-25 16:36:57 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-25 16:34

--- E O F ---



and heres a new hijack one


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 16:59:58, on 25/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16473)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Internet Download Manager\IEMonitor.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\eBay\eBay Toolbar2\eBayTBDaemon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\XoftSpySE\XoftSpy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32Info.exe
C:\Documents and Settings\NEW USER\My Documents\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.myspace.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.myspace.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = ;<local>
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: eBay Toolbar - {92085AD4-F48A-450D-BD93-B28CC7DF67CE} - C:\Program Files\eBay\eBay Toolbar2\eBayTB.dll
O4 - HKLM\..\Run: [XoftSpySE] -C:\Program Files\XoftSpySE\xoftspy.exe -s
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\lppmldpi.dll",forkonce
O4 - HKCU\..\Run: [msnmsgr] -"C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [IDMan] C:\Program Files\Internet Download Manager\IDMan.exe /onboot
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\NEW USER\Local Settings\Temp\bundle.exe
O8 - Extra context menu item: &eBay Search - res://C:\Program Files\eBay\eBay Toolbar2\eBayTb.dll/RCSearch.html
O8 - Extra context menu item: Download All Links with IDM - C:\Program Files\Internet Download Manager\IEGetAll.htm
O8 - Extra context menu item: Download FLV video content with IDM - C:\Program Files\Internet Download Manager\IEGetVL.htm
O8 - Extra context menu item: Download with IDM - C:\Program Files\Internet Download Manager\IEExt.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akama...ex/qtplugin.cab
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zon...kr.cab56986.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {406B5949-7190-4245-91A9-30A17DE16AD0} (Snapfish Activia) - http://www.snapfish....shUKActivia.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-48.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by122w.bay122...es/MsnPUpld.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zon...wn.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zon...1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1164066532038
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1145451077770
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {A8482EAF-A1F3-4934-AE3F-56EB195A50BF} (DeskUpdate - Activex Control) - http://support.fujit...api/activex.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zon...nt.cab56907.cab
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.telewest....tivePreQual.cab
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.g...zylomloader.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.m...ash/swflash.cab
O16 - DPF: {DE625294-70E6-45ED-B895-CFFA13AEB044} (AxisMediaControlEmb Class) - http://213.129.66.245/activex/AMC.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...ploader_v10.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zon...er.cab56986.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zon...wn.cab31267.cab
O20 - AppInit_DLLs: ??\windows\system32\ldcore.dll c:\windows\system32\ldcore.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Unknown owner - -"C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe" (file missing)
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe (file missing)
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe (file missing)
O23 - Service: AVG E-mail Scanner (AVGEMS) - Unknown owner - -C:\PROGRA~1\Grisoft\AVG7\avgemc.exe (file missing)
O23 - Service: Google Updater Service (gusvc) - Unknown owner - -"C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe" (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Unknown owner - -"C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe" (file missing)
O23 - Service: KService - Unknown owner - -"C:\Program Files\Kontiki\KService.exe" (file missing)
O23 - Service: Messenger Sharing Folders USN Journal Reader service (usnjsvc) - Unknown owner - -"C:\Program Files\MSN Messenger\usnsvc.exe" (file missing)
O23 - Service: Windows Media Player Network Sharing Service (WMPNetworkSvc) - Unknown owner - -C:\Program Files\Windows Media Player\WMPNetwk.exe (file missing)

--
End of file - 8787 bytes

i hope someone can help me this is driving me mad!

thanks again

[Blade81]

Start hjt, click do a system scan only, check:
O4 - HKLM\..\Run: [MemoryManager] rundll32.exe "C:\WINDOWS\system32\lppmldpi.dll",forkonce
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\NEW USER\Local Settings\Temp\bundle.exe
O16 - DPF: {CE69F98F-2AF3-4306-BAC6-A79070EDA1B4} (Zylom Loader Object) - http://eu.download.g...zylomloader.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://www.shockwave...ploader_v10.cab
O20 - AppInit_DLLs: ??\windows\system32\ldcore.dll c:\windows\system32\ldcore.dll

Close browsers and other windows. Click fix checked.


Show hidden files
-----------------
* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.

Delete following files (if found):
C:\WINDOWS\system32\lppmldpi.dll
C:\Documents and Settings\NEW USER\Local Settings\Temp\bundle.exe
c:\windows\system32\ldcore.dll
C:\WINDOWS\system32\protector.exe


Open notepad and copy/paste the text in the quotebox below into it:

File::
C:\WINDOWS\system32\owinkodt.exe
C:\WINDOWS\system32\SpoonUninstall.exe

Folder::
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Zylom
C:\DOCUME~1\ALLUSE~1\APPLIC~1\PopCap
C:\DOCUME~1\NEWUSE~1\APPLIC~1\PlayFirst
C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trymedia
C:\DOCUME~1\ALLUSE~1\APPLIC~1\PlayFirst

DirLook:: 
C:\DOCUME~1\ALLUSE~1\APPLIC~1\WholeSecurity

Save this as
CFScript




Refering to the picture above, drag CFScript into ComboFix.exe
Then post the resultant log and a fresh hjt log.

[leila]

[leila]

oh and in my start menu my shut down button has disappeared and all i have is a log off button, when im the only user on here!

[Blade81]

Hi

One or more of the identified infections is a backdoor trojan.

This allows hackers to remotely control your computer, steal critical system information and Download and Execute files

I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the Trojan has been identified and can be killed, because of it's backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall

However, if you do not have the resources to reinstall your computer and would like me to attempt to clean it, I will be happy to do so.
Should you have any questions, please feel free to ask.

Please let us know what you have decided to do in your next post.

[leila]

hi yeah im gonna attempt to back up my musis and movies and pictures then im gonna reinstall windows.
good job i dont keep personal info on my laptop
thanks for all your help

Leila

[Blade81]

Since this issue appears to be resolved ... this Topic has been closed. Glad we could help.

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.