# Virus infection Trojan



## cometal (May 5, 2007)

Hi,

after this notebook has been run for several days without firewall, there are plenty of virusses. There is AVG AS and AVG Free Antivirus, but there are new alerts for trojan virusses every couple of minutes, and occasionally blue screen.
The notebook right now has Zonealarm free installed.

Tried doing thing from other threads, but am at a lost here.

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 1:41:32 AM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ññûëêè
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iebojxoo.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [IpWins] C:\Program Files\Ipwindows\ipwins.exe
O8 - Extra context menu item: &Ýêñïîðò â Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Ïåðåâîä - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra 'Tools' menuitem: Ïåðåâåñòè - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra 'Tools' menuitem: Íàñòðîéêà ïàðàìåòðîâ ïåðåâîäà - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ïåðåâîä - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra 'Tools' menuitem: Ïåðåâåñòè - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O9 - Extra 'Tools' menuitem: Íàñòðîéêà ïåðåâîäà - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - https://homer.homecredit.ru/common/print/ScriptX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Æóðíàë ñîáûòèé (Eventlog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: Ñëóæáà COM çàïèñè êîìïàêò-äèñêîâ IMAPI (ImapiService) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: Äèñïåò÷åð ñåàíñà ñïðàâêè äëÿ óäàëåííîãî ðàáî÷åãî ñòîëà (RDSessMgr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Ñìàðò-êàðòû (SCardSvr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Æóðíàëû è îïîâåùåíèÿ ïðîèçâîäèòåëüíîñòè (SysmonLog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Òåíåâîå êîïèðîâàíèå òîìà (VSS) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Àäàïòåð ïðîèçâîäèòåëüíîñòè WMI (WmiApSrv) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\wbem\wmiapsrv.exe

Rootlog:
********************************* ROOTCHK-(02-05-07)-LOG, by ejvindh
Sat 05/05/2007 1:22:18.59

The rootkits that are detected by this tool were not found.

********************************* ROOTCHK-LOG-end

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-05 01:22:19
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden services ...
HKLM\SYSTEM\CurrentControlSet\Services\winmgmt703e-18fd
scanning hidden autostart entries ...
scanning hidden files ...
C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\$RXJC.AVG
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Flower1.JPG.4129e00c.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Flower2.JPG.4129e04e.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Flower3.JPG.4129e066.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Flower4.JPG.4129e078.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Flower5.JPG.4129da38.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Nature1.JPG.4129e0b6.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Nature2.JPG.4129e0ca.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Nature3.JPG.4129e0dc.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Nature4.JPG.4129e0f0.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Nature5.JPG.4129daf2.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Travel1.JPG.406d033a.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Travel2.JPG.4129db2a.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Travel3.JPG.4129db68.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Travel4.JPG.4129db80.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\preview\Travel5.JPG.4129db98.jpg
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Flower1.JPG.4129e00c.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Flower2.JPG.4129e04e.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Flower3.JPG.4129e066.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Flower4.JPG.4129e078.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Flower5.JPG.4129da38.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Nature1.JPG.4129e0b6.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Nature2.JPG.4129e0ca.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Nature3.JPG.4129e0dc.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Nature4.JPG.4129e0f0.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Nature5.JPG.4129daf2.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Travel1.JPG.406d033a.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Travel2.JPG.4129db2a.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Travel3.JPG.4129db68.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Travel4.JPG.4129db80.mtn
C:\Documents and Settings\All Users\Application Data\muvee Technologies\030625\scratch\Travel5.JPG.4129db98.mtn
C:\WINDOWS\system32\windev-703e-18fd.sys
C:\WINDOWS\system32\windev-peers.ini
scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 35

BlackLight:
01/01/01 00:47:48 [Info]: BlackLight Engine 1.0.61 initialized
01/01/01 00:47:48 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/01/01 00:47:49 [Note]: 7019 4
01/01/01 00:47:49 [Note]: 7005 0
01/01/01 00:47:55 [Note]: 7006 0
01/01/01 00:47:55 [Note]: 7011 1564
01/01/01 00:47:56 [Note]: 7026 0
01/01/01 00:47:56 [Note]: 7026 0
01/01/01 00:47:59 [Note]: FSRAW library version 1.7.1021
01/01/01 00:51:56 [Info]: Hidden file: c:\WINDOWS\system32\windev-703e-18fd.sys
01/01/01 00:51:56 [Note]: 10002 1
01/01/01 00:51:56 [Info]: Hidden file: c:\WINDOWS\system32\windev-peers.ini
01/01/01 00:51:56 [Note]: 10002 1
01/01/01 00:58:05 [Note]: 7007 0


----------



## JSntgRvr (Jul 1, 2003)

Hi, *cometal* 

Welcome.

Please download the Suspicious File Packer from *Here*. Extract its contents to the desktop. Open the *SFP* folder on your desktop and run the *SFP.EXE *file.

Copy and Paste the following bold locations into the Suspicious File Packer window:

*c:\WINDOWS\system32\windev-703e-18fd.sys
c:\WINDOWS\system32\windev-peers.ini
*

Click on Continue to allow SFP to pack the file. This will generate a CAB archive on your desktop.

Click *Here* to upload the created CAB archive. 

Click on "New Topic"
Put your name, e-mail address, and this as the title: "*Suspicious File Packer*"
Put a link to this thread in the description box.
Then next to the file box, at the bottom, click the *browse* button, then navigate to CAB archive that was been created on your desktop.
The cab file will be called requested-files(*).cab (the * stands for the date and hour).
Click *Open*.
Click *Post*.
Let me know once you do that.

Download ComboFix from *Here* or *Here* to your Desktop.

Double click *combofix.exe * and follow the prompts.
When finished, it shall produce a log for you. Post that log and a *HiJackthis* log in your next reply
*Note: Do not mouseclick combofix's window while its running. That may cause it to stall*


----------



## cometal (May 5, 2007)

ComboFi

"admin" - 07-05-05 2:27:12 Service Pack 2 
ComboFix 07-04-25.4V - Running from: "C:\Documents and Settings\admin\*¡®ç¨© áâ®«\freeware\"

(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\lmibswco.dll

* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
C:\DOCUME~1\admin\APPLIC~1\Microsoft\60787.dat
C:\Program Files\ipwindows\UnInstall.exe
C:\Program Files\inetget2
C:\Program Files\ipwindows

((((((((((((((((((((((((((((((( Files Created from 2007-04-05 to 2007-05-05 ))))))))))))))))))))))))))))))))))

2007-05-05 02:29	26,678	--a------	C:\WINDOWS\system32\fccayww.dll
2007-05-05 02:20	875,896	---hs----	C:\WINDOWS\system32\wyycf.bak2
2007-05-05 01:56 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-05-05 01:09	869,218	---hs----	C:\WINDOWS\system32\wyycf.bak1
2007-05-05 01:08	284,756	---hs----	C:\WINDOWS\system32\fcyyw.dll
2007-05-05 01:08 d--------	C:\WINDOWS\system32\ActiveScan
2007-05-05 00:49 d--------	C:\VundoFix Backups
2007-04-29 11:04	4,718,592	--a------	C:\DOCUME~1\admin\ntuser.dat
2007-04-29 11:04	229,376	--a------	C:\DOCUME~1\LOCALS~1\ntuser.dat
2007-04-29 11:04 d--------	C:\Program Files\Trend Micro
2007-04-29 11:04 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Trend Micro
2007-04-28 21:03	17,408	--a------	C:\WINDOWS\system32\winuwj32.dll
2007-04-23 17:37 d--------	C:\Program Files\Google
2007-04-23 17:37 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Google
2007-04-23 17:37 d--------	C:\DOCUME~1\admin\APPLIC~1\Google
2007-04-22 20:08	299,520	--a------	C:\WINDOWS\unin0419.exe
2007-04-22 20:08 d--------	C:\Program Files\SLS2
2007-04-22 20:07 d--------	C:\DOCUME~1\admin\WINDOWS
2007-04-12 19:27 d--------	C:\Program Files\PCFriendly
2007-04-10 15:33	5,632	--a------	C:\WINDOWS\system32\ptpusb.dll
2007-04-10 15:33	159,232	--a------	C:\WINDOWS\system32\ptpusd.dll
2007-04-10 15:33	15,104	--a------	C:\WINDOWS\system32\drivers\usbscan.sys
2007-04-10 12:11 d--------	C:\Program Files\Skype
2007-04-10 12:11 d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Skype
2007-04-10 02:22 d--------	C:\Program Files\InterActual
2007-04-08 01:44 d--------	C:\WINDOWS\NKCCDViewerSetting

(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-05-05 00:14	50606	--a------	C:\WINDOWS\system32\perfc019.dat
2007-05-05 00:14	349770	--a------	C:\WINDOWS\system32\perfh019.dat
2007-04-19 08:35	240368	--a------	C:\WINDOWS\unboc.exe
2007-04-10 12:18	--------	d--------	C:\Program Files\messenger
2007-03-23 21:33	229376	--a------	C:\WINDOWS\cmdlic.dll
2007-03-15 15:08	101438	--a------	C:\WINDOWS\b122.exe
2007-03-09 02:02	75512	--a------	C:\WINDOWS\zllsputility.exe
2007-03-09 02:01	1087216	--a------	C:\WINDOWS\system32\zpeng24.dll

(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}	C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
{53707962-6F74-2D53-2644-206D7942484F}	C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{5470A103-2BFC-481B-97A5-A274FF65D2FD}	C:\WINDOWS\system32\fcyyw.dll
{9961627E-4059-41B4-8E0E-A7D6B3854ADF}	C:\PROGRA~1\DOWNLO~1\dmiehlp.dll
{AA58ED58-01DD-4d91-8333-CF10577473F7}	c:\program files\google\googletoolbar1.dll
{AE7CD045-E861-484f-8273-0445EE161910}	C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}	C:\WINDOWS\system32\ddcyxxy.dll
{D651AFF4-9590-424d-BD1E-8E33E090DFB3}	C:\WINDOWS\system32\lmibswco.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Power_Gear"="C:\\Program Files\\ASUS\\Power4 Gear\\BatteryLife.exe 1"
"ZoneAlarm Client"="\"C:\\Program Files\\ZoneAlarm\\zlclient.exe\""
"THGuard"="\"C:\\Program Files\\TrojanHunter 4.6\\THGuard.exe\""
"WindowsService"="rundll32.exe \"C:\\WINDOWS\\system32\\iebojxoo.dll\",realset"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVG7\\avgcc.exe /STARTUP"
"SManager"="smanager.7.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"CTFMON.EXE"="C:\\WINDOWS\\system32\\ctfmon.exe"
"swg"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
Source	REG_SZ file:///C:/DOCUME~1/admin/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
Source	REG_SZ file:///C:/DOCUME~1/admin/LOCALS~1/Temp/msohtml1/01/clip_image001.jpg

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}"=""

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyxxy
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyw
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc1
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuwj32
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages	REG_MULTI_SZ msv1_0\0\0
Security Packages	REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages	REG_MULTI_SZ scecli\0\0

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Ãëàâíîå ìåíþ^Ïðîãðàììû^Àâòîçàãðóçêà^Adobe Acrobat Speed Launcher.lnk]
"path"="C:\\Documents and Settings\\All Users\\Ãëàâíîå ìåíþ\\Ïðîãðàììû\\Àâòîçàãðóçêà\\Adobe Acrobat Speed Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Acrobat Speed Launcher.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\WINDOWS\\Installer\\{AC76BA86-1033-F400-7760-000000000002}\\SC_Acrobat.exe "
"item"="Adobe Acrobat Speed Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"=""
"hkey"="HKLM"
"command"=""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Acrotray"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Adobe\\Acrobat 7.0\\Distillr\\Acrotray.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FineReader7NewsReaderPro]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AbbyyNewsReader"
"hkey"="HKLM"
"command"="C:\\Program Files\\ABBYY FineReader 7.0 Professional Edition\\AbbyyNewsReader.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Hcontrol]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Hcontrol"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\ATK0100\\Hcontrol.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Key]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="18D"
"hkey"="HKCU"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lingvo Launcher]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Lvagent"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ABBYY Lingvo 9.0 Multilingual Dictionary\\Lvagent.exe\" /STARTUP"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NeroCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Skype]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Skype"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="GoogleToolbarNotifier"
"hkey"="HKCU"
"command"="C:\\Program Files\\Google\\GoogleToolbarNotifier\\1.2.1128.5462\\GoogleToolbarNotifier.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VaCtrls]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v7"
"hkey"="HKLM"
"command"="v7"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="winampa"
"hkey"="HKLM"
"command"="C:\\Program Files\\Winamp\\winampa.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ose"=dword:00000003
"gusvc"=dword:00000003

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter	REG_MULTI_SZ HTTPFilter\0\0
LocalService	REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService	REG_MULTI_SZ DnsCache\0\0
DcomLaunch	REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss	REG_MULTI_SZ RpcSs\0\0
imgsvc	REG_MULTI_SZ StiSvc\0\0
termsvcs	REG_MULTI_SZ TermService\0\0

Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.3.660 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-05-05 02:32:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden services ...

HKLM\SYSTEM\CurrentControlSet\Services\winmgmt703e-18fd

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\windev-703e-18fd.sys 139264 bytes
C:\WINDOWS\system32\windev-peers.ini 8192 bytes

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 2

********************************************************************

Completion time: 07-05-05 2:32:28
C:\ComboFix-quarantined-files.txt ... 07-05-05 02:32
C:\ComboFix2.txt ... 01-01-01 02:36

HJT
Logfile of HijackThis v1.99.1
Scan saved at 2:41:35 AM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\TEMP\win2C.tmp.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\admin\Ðàáî÷èé ñòîë\freeware\winpfind3u\WinPFind3u\WinPFind3U.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\admin\Ðàáî÷èé ñòîë\freeware\sfp.exe
C:\Program Files\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ññûëêè
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iebojxoo.dll",realset
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Ýêñïîðò â Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Ïåðåâîä - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra 'Tools' menuitem: Ïåðåâåñòè - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra 'Tools' menuitem: Íàñòðîéêà ïàðàìåòðîâ ïåðåâîäà - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ïåðåâîä - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra 'Tools' menuitem: Ïåðåâåñòè - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O9 - Extra 'Tools' menuitem: Íàñòðîéêà ïåðåâîäà - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - https://homer.homecredit.ru/common/print/ScriptX.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Æóðíàë ñîáûòèé (Eventlog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: FIJLOYWUR - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\FIJLOYWUR.exe (file missing)
O23 - Service: Ñëóæáà COM çàïèñè êîìïàêò-äèñêîâ IMAPI (ImapiService) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\services.exe
O23 - Service: Äèñïåò÷åð ñåàíñà ñïðàâêè äëÿ óäàëåííîãî ðàáî÷åãî ñòîëà (RDSessMgr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Ñìàðò-êàðòû (SCardSvr) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Æóðíàëû è îïîâåùåíèÿ ïðîèçâîäèòåëüíîñòè (SysmonLog) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Òåíåâîå êîïèðîâàíèå òîìà (VSS) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Àäàïòåð ïðîèçâîäèòåëüíîñòè WMI (WmiApSrv) - Êîðïîðàöèÿ Ìàéêðîñîôò - C:\WINDOWS\system32\wbem\wmiapsrv.exe

thanks for the trouble. Must be tyring to do the same thing over and over again. You're doing good job.


----------



## cometal (May 5, 2007)

cab posted where you wanted, btw.


----------



## JSntgRvr (Jul 1, 2003)

Hi,* cometal* 

1. Please *download* *The Avenger* by Swandog46 to your *Desktop*.
Click on Avenger.zip to open the file
Extract *avenger.exe* to your desktop
Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. *

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://login.yahoo.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Ññûëêè
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\iebojxoo.dll",realset

*Now *close all windows and browsers, other than HiJackThis*, then click Fix Checked.

Close Hijackthis.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\WINDOWS\system32\fccayww.dll
> C:\WINDOWS\system32\wyycf.bak2
> C:\WINDOWS\system32\wyycf.bak1
> ...


_*
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avenger's actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HJT log *.

I will check those files a the Spykiller forum now.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *cometal* 

The files failed to upload. I will attempt to copy these files to your desktop, and if successful, you will be able to upload these from there.

Download the enclosed folder. It containd a batch file. Save and extract ts contents to the desktop. Once extracted double click on the Copyfiles batch file. If successful, follow these steps:

Please go here:
*The Spy Killer Forum*
Click on "New Topic"
Put your name, e-mail address, and this as the title: "*Suspicious files*"
Put a link to this thread in the description box.
Then next to the file box, at the bottom, click the *browse* button, then navigate to this file:
*Desktop\windev-703e-18fd.sys
*

Click *Open*.
Press the more attachments button .
click the *browse* button, then navigate to this file:

*Desktop\windev-peers.ini*

When all the files are listed in the window Click *Post*.

Let me know when done.


----------



## cometal (May 5, 2007)

Hi,

I got a bluescreen when Avenger restarted the firt time while Avenger was doing something in the command window. Not sure whether it was a success, therefore.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dvihgnbh

*******************

Script file located at: \??\C:\Documents and Settings\gamlrpud.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\fccayww.dll deleted successfully.
File C:\WINDOWS\system32\wyycf.bak2 deleted successfully.
File C:\WINDOWS\system32\wyycf.bak1 deleted successfully.
File C:\WINDOWS\system32\fcyyw.dll deleted successfully.
File C:\WINDOWS\system32\winuwj32.dll deleted successfully.
File C:\WINDOWS\system32\iebojxoo.dll deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcyxxy deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\fcyyw deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rpcc1 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winuwj32 deleted successfully.
Registry key HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wudb deleted successfully.

Completed script processing.

*******************

Finished! Terminate.//////////////////////////////////////////

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\dvihgnbh

*******************

Script file located at: \??\C:\Documents and Settings\gamlrpud.txt

Script file not found! Error

Could not open script file! Status: 0xc0000034 Abort!

HJT:
Logfile of HijackThis v1.99.1
Scan saved at 3:43:43 AM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Hijackthis\HijackThis.exe

O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A9087A4-FC5D-48DE-BA3E-E8DB817BB4C1} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: IE 4.x-6.x BHO for Download Master - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - C:\PROGRA~1\DOWNLO~1\dmiehlp.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\system32\ddcyxxy.dll
O2 - BHO: (no name) - {D446E04E-E9E2-4CEB-AB9B-498B6501BDB7} - C:\WINDOWS\system32\fcyyw.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\lmibswco.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xaukrhlw.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O16 - DPF: {1663ed61-23eb-11d2-b92f-008048fdd814} (MeadCo ScriptX 5.5 Basic) - https://homer.homecredit.ru/common/print/ScriptX.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178330179248
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: FIJLOYWUR - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\FIJLOYWUR.exe (file missing)
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe


----------



## JSntgRvr (Jul 1, 2003)

Hi, *cometal* 

*Were you able to upload the files?*

1. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. *

O2 - BHO: (no name) - {1A9087A4-FC5D-48DE-BA3E-E8DB817BB4C1} - (no file)
O2 - BHO: IE 4.x-6.x BHO for Download Master - {9961627E-4059-41B4-8E0E-A7D6B3854ADF} - C:\PROGRA~1\DOWNLO~1\dmiehlp.dll
O2 - BHO: (no name) - {D2692EE8-4795-44F4-A8FF-8FAC5D4FE947} - C:\WINDOWS\system32\ddcyxxy.dll
O2 - BHO: (no name) - {D446E04E-E9E2-4CEB-AB9B-498B6501BDB7} - C:\WINDOWS\system32\fcyyw.dll (file missing)
O2 - BHO: (no name) - {D651AFF4-9590-424d-BD1E-8E33E090DFB3} - C:\WINDOWS\system32\lmibswco.dll (file missing)
O4 - HKLM\..\Run: [SManager] smanager.7.exe
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xaukrhlw.dll",realset

*Now *close all windows and browsers, other than HiJackThis*, then click Fix Checked.

Close Hijackthis.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\WINDOWS\system32\ddcyxxy.dll
> C:\WINDOWS\system32\smanager.7.exe
> C:\WINDOWS\system32\xaukrhlw.dll
> C:\PROGRA~1\DOWNLO~1\dmiehlp.dll


_*
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avengers actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HJT log *


----------



## cometal (May 5, 2007)

Hi,

the windev files cannot be found. Not sure how they disappeared. did not touch them myself, but had Spybot S&D run which removed an agent.
Had a bluescreen again.


----------



## JSntgRvr (Jul 1, 2003)

Please download gmer rootkit detector from any of the following links:

*Link 1*
*Link 2*
*Link 3*

Unzip it and double click the gmer.exe file
Select rootkit tab.
Make sure all the boxes on the right of the screen are checked, *EXCEPT* for Show All.
Press scan 
When it has finished press save & post back the log it makes 
Repeat the proces with the Autostarts tab and do the same there
Download catchme.exe ( 25kB ) from *Here* to your desktop.

Double click the catchme.exe to run it.
Press Scan
When it finishes, if there are any files listed in the window, press zip to make a copy of any files to submit if we ask for it
It shall produce a log for you.
Open catchme.log and post its contents in a reply.


----------



## JSntgRvr (Jul 1, 2003)

Hi, *cometal* 

Just had a hit on those files *here*.

Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Drivers to unload:
> windev-703e-18fd
> 
> Files to delete:
> ...


_*
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
*The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avengers actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HJT log *


----------



## cometal (May 5, 2007)

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\stkfoldn

*******************

Script file located at: \??\C:\WINDOWS\system32\wnvhixkj.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Driver windev-703e-18fd unloaded successfully.
File C:\WINDOWS\system32\windev-703e-18fd.sys deleted successfully.
File C:\WINDOWS\system32\windev-peers.ini deleted successfully.
File C:\WINDOWS\system32\ddcyxxy.dll deleted successfully.


File C:\WINDOWS\system32\smanager.7.exe not found!
Deletion of file C:\WINDOWS\system32\smanager.7.exe failed!

Could not process line:
C:\WINDOWS\system32\smanager.7.exe
Status: 0xc0000034



File C:\WINDOWS\system32\xaukrhlw.dll not found!
Deletion of file C:\WINDOWS\system32\xaukrhlw.dll failed!

Could not process line:
C:\WINDOWS\system32\xaukrhlw.dll
Status: 0xc0000034

File C:\PROGRA~1\DOWNLO~1\dmiehlp.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


----------



## cometal (May 5, 2007)

Logfile of HijackThis v1.99.1
Scan saved at 10:20:40 AM, on 5/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe
C:\Program Files\ZoneAlarm\zlclient.exe
C:\Program Files\TrojanHunter 4.6\THGuard.exe
C:\PROGRA~1\Grisoft\AVG7\avgcc.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Hijackthis\HijackThis.exe

O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [Power_Gear] C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xwopsepe.dll",realset
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
O8 - Extra context menu item: &Экспорт в Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra 'Tools' menuitem: Настройка параметров перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Перевод - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra 'Tools' menuitem: Перевести - {7A2EFD41-E6B3-11D2-89E3-00E0292EE574} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\promtie5.htm (HKCU)
O9 - Extra button: (no name) - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O9 - Extra 'Tools' menuitem: Настройка перевода - {7A2EFD41-E6B3-11D2-89E3-00E0292EE575} - C:\Program Files\X-Translator DIAMOND\PROMTIE4\options.htm (HKCU)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1178330179248
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Журнал событий (Eventlog) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: FIJLOYWUR - Unknown owner - C:\DOCUME~1\admin\LOCALS~1\Temp\FIJLOYWUR.exe (file missing)
O23 - Service: Служба COM записи компакт-дисков IMAPI (ImapiService) - Корпорация Майкрософт - C:\WINDOWS\system32\imapi.exe
O23 - Service: NetMeeting Remote Desktop Sharing (mnmsrvc) - Корпорация Майкрософт - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Корпорация Майкрософт - C:\WINDOWS\system32\services.exe
O23 - Service: QWG - Sysinternals - www.sysinternals.com - C:\DOCUME~1\admin\LOCALS~1\Temp\QWG.exe
O23 - Service: Диспетчер сеанса справки для удаленного рабочего стола (RDSessMgr) - Корпорация Майкрософт - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Смарт-карты (SCardSvr) - Корпорация Майкрософт - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: SoundMAX Agent Service (SoundMAX Agent Service (default)) - Analog Devices, Inc. - C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
O23 - Service: Журналы и оповещения производительности (SysmonLog) - Корпорация Майкрософт - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O23 - Service: Теневое копирование тома (VSS) - Корпорация Майкрософт - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Адаптер производительности WMI (WmiApSrv) - Корпорация Майкрософт - C:\WINDOWS\system32\wbem\wmiapsrv.exe


----------



## cometal (May 5, 2007)

had to go to sleep yesterday.


----------



## cometal (May 5, 2007)

will do gmer and catchme next


----------



## cometal (May 5, 2007)

GMER Rootkit

GMER 1.0.12.12011 - http://www.gmer.net
Rootkit scan 2007-05-05 10:29:10
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.12 ----

SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess

---- Kernel code sections - GMER 1.0.12 ----

.text ntoskrnl.exe!_abnormal_termination + 107 804E2DD8 12 Bytes [ F0, 81, AD, A5, 80, E4, AD, ... ]

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3444] kernel32.dll!MultiByteToWideChar 7C809CAD 5 Bytes JMP 10031B00 C:\WINDOWS\system32\ljhig.dll

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL  [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [A5AE98A0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [A5AE98A0] vsdatant.sys

---- Files - GMER 1.0.12 ----

ADS C:\asus1\ExpoTol\art\belkin.doc:KAVICHS 
ADS C:\asus1\ExpoTol\art\Oformlenie_zayavki-konkurs.rtf:KAVICHS 
ADS C:\asus1\ExpoTol\art\:KAVICHS 
ADS C:\asus1\ExpoTol\art\:KAVICHS 
ADS C:\asus1\ExpoTol\art\:KAVICHS 
ADS C:\asus1\ExpoTol\art\:KAVICHS 
ADS C:\asus1\ExpoTol\art\:KAVICHS 
ADS C:\asus1\ExpoTol\art\:KAVICHS 
ADS C:\asus1\ExpoTol\art\:KAVICHS  
ADS C:\asus1\ExpoTol\art\:KAVICHS 
ADS C:\asus1\ExpoTol\art\:KAVICHS 
ADS ... 
ADS D:\System Volume Information\_restore{17DAC3F2-BCAE-41B2-8F12-97A5A236D8C7}\RP103\A0037564.exe:KAVICHS 
ADS D:\System Volume Information\_restore{17DAC3F2-BCAE-41B2-8F12-97A5A236D8C7}\RP103\A0037565.EXE:KAVICHS 
ADS D:\System Volume Information\_restore{17DAC3F2-BCAE-41B2-8F12-97A5A236D8C7}\RP103\A0037566.exe:KAVICHS

---- EOF - GMER 1.0.12 ----


----------



## cometal (May 5, 2007)

GMER 1.0.12.12011 - http://www.gmer.net
Autostart scan 2007-05-05 10:30:45
Windows 5.1.2600 Service Pack 2

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\[email protected] = %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestThreads=16

HKLM\Software\Microsoft\Windows NT\CurrentVersion\[email protected] = C:\WINDOWS\system32\userinit.exe,

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\[email protected] = C:\WINDOWS\system32\ljhig.dll

HKLM\SYSTEM\CurrentControlSet\Services\ >>>
Ati HotKey [email protected] = %SystemRoot%\system32\Ati2evxx.exe
AVG Anti-Spyware Guard /*AVG Anti-Spyware Guard*/@ = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
Avg7Alrt /*AVG7 Alert Manager Server*/@ = C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
Avg7UpdSvc /*AVG7 Update Service*/@ = C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
MDM /*Machine Debug Manager*/@ = "C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE"
SoundMAX Agent Service (default) /*SoundMAX Agent Service*/@ = C:\Program Files\Analog Devices\SoundMAX\SMAgent.exe
Spooler /**/@ = %SystemRoot%\system32\spoolsv.exe
vsmon /*TrueVector Internet Monitor*/@ = C:\WINDOWS\system32\ZoneLabs\vsmon.exe -service

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@Power_GearC:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1 /*file not found*/ = C:\Program Files\ASUS\Power4 Gear\BatteryLife.exe 1 /*file not found*/
@ZoneAlarm Client"C:\Program Files\ZoneAlarm\zlclient.exe" = "C:\Program Files\ZoneAlarm\zlclient.exe"
@THGuard"C:\Program Files\TrojanHunter 4.6\THGuard.exe" = "C:\Program Files\TrojanHunter 4.6\THGuard.exe"
@AVG7_CCC:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP = C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@CTFMON.EXEC:\WINDOWS\system32\ctfmon.exe = C:\WINDOWS\system32\ctfmon.exe
@swgC:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe = C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks >>>
@{57B86673-276A-48B2-BAE7-C6DBB3020EB8}C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll
@{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/ = C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{42071714-76d4-11d1-8b24-00a0c9068ff3} /**/deskpan.dll /*file not found*/ = deskpan.dll /*file not found*/
@{596AB062-B4D2-4215-9F74-E9109B0A8153} /**/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{9DB7A13C-F208-4981-8353-73CC61AE2783} /**/%SystemRoot%\system32\twext.dll = %SystemRoot%\system32\twext.dll
@{00E7B358-F65B-4dcf-83DF-CD026B94BFD4} /*Autoplay for SlideShow*/(null) = 
@{692F0339-CBAA-47e6-B5B5-3B84DB604E87} /*Extensions Manager Folder*/%SystemRoot%\system32\extmgr.dll = %SystemRoot%\system32\extmgr.dll
@{B41DB860-8EE4-11D2-9906-E49FADC173CA} /*WinRAR shell extension*/C:\Program Files\WinRAR\rarext.dll = C:\Program Files\WinRAR\rarext.dll
@{BDEADF00-C265-11D0-BCED-00A0C90AB50F} /*Web Folders*/C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL = C:\PROGRA~1\COMMON~1\MICROS~1\WEBFOL~1\MSONSEXT.DLL
@{73B24247-042E-4EF5-ADC2-42F62E6FD654} /*ICQ Lite Shell Extension*/C:\Program Files\ICQLite\ICQLiteShell.dll = C:\Program Files\ICQLite\ICQLiteShell.dll
@{00020D75-0000-0000-C000-000000000046} /*Microsoft Office Outlook Desktop Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL
@{0006F045-0000-0000-C000-000000000046} /*Microsoft Office Outlook Custom Icon Handler*/C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL = C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL
@{42042206-2D85-11D3-8CFF-005004838597} /*Microsoft Office HTML Icon Handler*/C:\Program Files\Microsoft Office\OFFICE11\msohev.dll = C:\Program Files\Microsoft Office\OFFICE11\msohev.dll
@{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} /*Adobe.Acrobat.ContextMenu*/C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
@{506F4668-F13E-4AA1-BB04-B43203AB3CC0} /*{506F4668-F13E-4AA1-BB04-B43203AB3CC0}*/C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL
@{D66DC78C-4F61-447F-942B-3FB6980118CF} /*{D66DC78C-4F61-447F-942B-3FB6980118CF}*/C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL = C:\Program Files\Microsoft Office\Visio11\VISSHE.DLL
@{D9872D13-7651-4471-9EEE-F0A00218BEBB} /*Multiscan*/C:\Program Files\ZoneAlarm\zlavscan.dll = C:\Program Files\ZoneAlarm\zlavscan.dll
@{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} /*TrojanHunter Menu Shell Extension*/C:\PROGRA~1\TROJAN~1.6\contmenu.dll = C:\PROGRA~1\TROJAN~1.6\contmenu.dll
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG7 Shell Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG7 Find Extension*/C:\Program Files\Grisoft\AVG7\avgse.dll = C:\Program Files\Grisoft\AVG7\avgse.dll

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
[email protected]{D25B2CAB-8A9A-4517-A9B2-CB5F68A5A802} = C:\Program Files\Adobe\Acrobat 7.0\Acrobat Elements\ContextMenu.dll
AVG [email protected]{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
AVG7 Shell [email protected]{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
[email protected]{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
[email protected]{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll
[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
[email protected]{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\ZoneAlarm\zlavscan.dll

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\ >>>
AVG [email protected]{8934FCEF-F5B8-468f-951F-78A921CD3920} = C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\context.dll
[email protected]{73B24247-042E-4EF5-ADC2-42F62E6FD654} = C:\Program Files\ICQLite\ICQLiteShell.dll
[email protected]{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll
[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\ >>>
AVG7 Shell [email protected]{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\Grisoft\AVG7\avgse.dll
[email protected]{AC0DD14A-8F29-4F88-BE1D-0F0ED1B06C9F} = c:\program files\abbyy finereader 7.0 professional edition\fecmenu.dll
[email protected]{EBDF1F20-C829-11D1-8233-FF20AF3E97A9} = C:\PROGRA~1\TROJAN~1.6\contmenu.dll
[email protected]{B41DB860-8EE4-11D2-9906-E49FADC173CA} = C:\Program Files\WinRAR\rarext.dll
[email protected]{D9872D13-7651-4471-9EEE-F0A00218BEBB} = C:\Program Files\ZoneAlarm\zlavscan.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll = C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
@{53707962-6F74-2D53-2644-206D7942484F}C:\PROGRA~1\SPYBOT~1\SDHelper.dll = C:\PROGRA~1\SPYBOT~1\SDHelper.dll
@{897C56B4-B147-4D8A-9B3D-95DE58E59017}C:\WINDOWS\system32\ljhig.dll = C:\WINDOWS\system32\ljhig.dll
@{9961627E-4059-41B4-8E0E-A7D6B3854ADF}C:\PROGRA~1\DOWNLO~1\dmiehlp.dll /*file not found*/ = C:\PROGRA~1\DOWNLO~1\dmiehlp.dll /*file not found*/
@{AA58ED58-01DD-4d91-8333-CF10577473F7}c:\program files\google\googletoolbar1.dll = c:\program files\google\googletoolbar1.dll
@{AE7CD045-E861-484f-8273-0445EE161910}C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll = C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
@{D2692EE8-4795-44F4-A8FF-8FAC5D4FE947}C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/ = C:\WINDOWS\system32\ddcyxxy.dll /*file not found*/
@{D446E04E-E9E2-4CEB-AB9B-498B6501BDB7}C:\WINDOWS\system32\fcyyw.dll /*file not found*/ = C:\WINDOWS\system32\fcyyw.dll /*file not found*/
@{D651AFF4-9590-424d-BD1E-8E33E090DFB3}C:\WINDOWS\system32\lmibswco.dll /*file not found*/ = C:\WINDOWS\system32\lmibswco.dll /*file not found*/

HKCU\Control Panel\[email protected] = C:\WINDOWS\system32\logon.scr

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Default_Page_URLhttp://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome = http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
@Start Pageabout:blank = about:blank
@Local Page%SystemRoot%\system32\blank.htm = %SystemRoot%\system32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\WINDOWS\SYSTEM32\blank.htm = C:\WINDOWS\SYSTEM32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Filter\text/[email protected] = C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL

HKLM\Software\Classes\PROTOCOLS\Handler\ >>>
[email protected] = C:\WINDOWS\system32\msvidctl.dll
[email protected] = C:\WINDOWS\system32\itss.dll
[email protected] = %SystemRoot%\system32\inetcomm.dll
[email protected] = C:\WINDOWS\system32\itss.dll
[email protected] = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\10\OWC10.DLL
[email protected] = C:\PROGRA~1\COMMON~1\MICROS~1\WEBCOM~1\11\OWC11.DLL
[email protected] = C:\WINDOWS\system32\msvidctl.dll
[email protected] = C:\WINDOWS\system32\wiascr.dll

HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{6A5DCE55-1192-4AD6-B089-2350DFE47B65} /**/ >>>
@IPAddress192.168.16.5 = 192.168.16.5
@NameServer = 
@DefaultGateway = 
@Domain =

---- EOF - GMER 1.0.12 ----


----------



## cometal (May 5, 2007)

Catchme ended saying
0 hidden processes
0 hidden services
0 hidden files
Am I clean? HJT still had xwopsepe.dll


----------



## cometal (May 5, 2007)

no, am not clean, AVG shield alert for trojan virus


----------



## JSntgRvr (Jul 1, 2003)

Hi, *cometal* 

1. Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below. *

O4 - HKLM\..\Run: [WindowsService] rundll32.exe "C:\WINDOWS\system32\xwopsepe.dll",realset

*Now *close all windows and browsers, other than HiJackThis*, then click Fix Checked.

Close Hijackthis.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (*Ctrl+C*):



> Files to delete:
> C:\WINDOWS\system32\xwopsepe.dll
> C:\WINDOWS\system32\ljhig.dll
> 
> ...


_*
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.*_

3. Now, *start The Avenger program* by clicking on its icon on your desktop.
 Under "*Script file to execute*" choose "*Input Script Manually*".
Now click on the *Magnifying Glass icon* which will open a new window titled "*View/edit script*" 
 Paste the text copied to clipboard into this window by pressing (*Ctrl+V*).
 Click *Done* 
 Now click on the *Green Light* to begin execution of the script 
 Answer "*Yes*" twice when prompted.
4. *The Avenger will automatically do the following*:
It will *Restart your computer*. ( In cases where the code to execute contains "*Drivers to Unload*", The Avenger will actually *restart your system twice.*) 
On reboot, it will briefly *open a black command window* on your desktop, this is normal.
After the restart, it *creates a log file* that should open with the results of Avengers actions. This log file will be located at *C:\avenger.txt*
 The Avenger will also have *backed up all the files, etc., that you asked it to delete*, and will have zipped them and moved the zip archives to *C:\avenger\backup.zip*.
5. Please *copy/paste* the content of *c:\avenger.txt* into your reply *along with a fresh HJT log *.

In addition, Download *WinPFind3U.exe *to your Desktop and double-click on it to extract the files. It will create a folder named *WinPFind3u* on your desktop.

Open the *WinPFind3u* folder and double-click on WinPFind3U.exe to start the program.
In the *Processes* group click *All *
In the *Win32 Services *group click *Non-Microsoft *
In the *Driver Services *group click *Non-Microsoft *
In the *Registry* group click *Non-Microsoft *
In the *Files Created Within *group click *60 days *Make sure *Non-Microsoft only is UNCHECKED*
In the Files *Modified Within *group select *30 days *Make sure *Non-Microsoft only is CHECKED*
In the *File String Search *group select *Non-Microsoft*

Now click the *Run Scan *button on the toolbar.
The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Save that notepad file
Use the *Reply* button and attach the notepad file here *(Do not copy and paste in a reply, rather attach it to it).*


----------



## cometal (May 5, 2007)

here it is 
thanks


----------



## cometal (May 5, 2007)

hi
here is .log 

looking forward!!
thanks


----------



## JSntgRvr (Jul 1, 2003)

Hi, *cometal* 

Start *WinPFind3U*. Copy/Paste the information in the Quotebox below into the pane where it says *"Paste fix here"* and then click the Run Fix button.


```
[Kill Explorer]
[Unregister Dlls]
[Win32 Services - Non-Microsoft Only]
YN -> (FIJLOYWUR) FIJLOYWUR [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\admin\LOCALS~1\Temp\FIJLOYWUR.exe
YN -> (QWG) QWG [Win32_Own | On_Demand | Stopped] -> %SystemDrive%\DOCUME~1\admin\LOCALS~1\Temp\QWG.exe
[Driver Services - Non-Microsoft Only]
YY -> (oreans32) oreans32 [Kernel | System | Running] -> %System32%\drivers\oreans32.sys
[Registry - Non-Microsoft Only]
< Winlogon\Notify settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
YN -> ljhig -> %System32%\ljhig.dll
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {1A9087A4-FC5D-48DE-BA3E-E8DB817BB4C1} [HKLM] -> Reg Data - Value does not exist [Reg Data - Value does not exist]
YN -> {1D4FC33E-B5D3-4D04-A6F6-00F15972CCCD} [HKLM] -> %System32%\ljhig.dll [Reg Data - Value does not exist]
[Files/Folders - Created Within 60 days]
NY -> CopyFiles.bat -> %SystemDrive%\CopyFiles.bat
NY -> aygesbot.dll -> %System32%\aygesbot.dll
NY -> ayjxmfvp.ini -> %System32%\ayjxmfvp.ini
NY -> epespowx.ini -> %System32%\epespowx.ini
NY -> gihjl.bak1 -> %System32%\gihjl.bak1
NY -> gihjl.bak2 -> %System32%\gihjl.bak2
NY -> gihjl.ini -> %System32%\gihjl.ini
NY -> kgxqnhqq.dll -> %System32%\kgxqnhqq.dll
NY -> pvfmxjya.dll -> %System32%\pvfmxjya.dll
NY -> qqhnqxgk.ini -> %System32%\qqhnqxgk.ini
NY -> tobsegya.ini -> %System32%\tobsegya.ini
NY -> wlhrkuax.ini -> %System32%\wlhrkuax.ini
NY -> wyycf.ini -> %System32%\wyycf.ini
NY -> tmvsthfss.bin -> %System32%\drivers\etc\tmvsthfss.bin
NY -> tmvsthfud.bin -> %System32%\drivers\etc\tmvsthfud.bin
[Files/Folders - Modified Within 30 days]
NY -> imsins.BAK -> %SystemRoot%\imsins.BAK
NY -> aygesbot.dll -> %System32%\aygesbot.dll
NY -> ayjxmfvp.ini -> %System32%\ayjxmfvp.ini
NY -> epespowx.ini -> %System32%\epespowx.ini
NY -> gihjl.bak1 -> %System32%\gihjl.bak1
NY -> gihjl.bak2 -> %System32%\gihjl.bak2
NY -> gihjl.ini -> %System32%\gihjl.ini
NY -> kgxqnhqq.dll -> %System32%\kgxqnhqq.dll
NY -> ooxjobei.ini -> %System32%\ooxjobei.ini
NY -> pvfmxjya.dll -> %System32%\pvfmxjya.dll
NY -> qqhnqxgk.ini -> %System32%\qqhnqxgk.ini
NY -> thxcfg.ini -> %System32%\thxcfg.ini
NY -> tobsegya.ini -> %System32%\tobsegya.ini
NY -> wlhrkuax.ini -> %System32%\wlhrkuax.ini
NY -> wyycf.ini -> %System32%\wyycf.ini
NY -> tmvsthfss.bin -> %System32%\drivers\etc\tmvsthfss.bin
NY -> tmvsthfud.bin -> %System32%\drivers\etc\tmvsthfud.bin
[File String Scan - Non-Microsoft Only]
NY -> UPX! , UPX0 , -> %SystemRoot%\cygz.dll
NY -> UPX! , UPX0 , -> %SystemRoot%\g6425849.exe
NY -> UPX! , -> %SystemRoot%\retadpu1000272.exe
NY -> UPX! , -> %System32%\aygesbot.dll
NY -> UPX! , UPX0 , -> %System32%\cygz.dll
NY -> UPX! , -> %System32%\kgxqnhqq.dll
NY -> UPX! , -> %System32%\opnonno.dll
NY -> UPX! , -> %System32%\pvfmxjya.dll
NY -> UPX! , UPX0 , -> %System32%\wudb.dll
[Empty Temp Folders]
[Start Explorer]
[Reboot]
```
The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. *Post that information back here along with a new WinPFind3u scan and a Hijackthis log, separately *(the Hijackthis can be pasted on the reply).

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.


----------



## cometal (May 5, 2007)

hi
today it says again trojan horse infected!!!!


----------



## JSntgRvr (Jul 1, 2003)

> The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new WinPFind3u scan and a Hijackthis log, separately (the Hijackthis can be pasted on the reply).


I need to see these reports. Also, expand on the alert message you have received, including the location of the trojan.


----------

