Possible Virtumonde Infection



#1 MSSJ


Posted 09 February 2008 - 10:27 AM

About 2 days ago I got a random ad popup in both Mozilla and Internet Explorer, so I disabled my local area connection and started scanning my computer. Either Adaware and/or AVG kept finding a Virtumonde infection and something they described as a Trojan Downloader. They were able to remove half of the infections they found, and Adaware even attempted to remove them at startup, but all of my scans continue to show infection. Spybot was also unable to find/remove the problem. I eventually tried installing Trend Micro Internet Security 2008 because Trend Micro was able to solve my problems in the past. When I scanned it found a bunch of stuff and was able to remove all but two of them. The one it couldn't remove was czeciklw.dll in System32 I believe. I cannot remember the other one, please forgive me. Trend Micro then asked me to restart so it could remove it, and I did. I didn't notice anything taking place, so I scanned again with Trend Micro and now it's not finding it. However, when I open IE I still get ads. I opened HijackThis v1.99.1 and scanned; I didn't see anything out of the ordinary. So then I searched around and found Trend Micro's newest version of HJT and scanned with that. When I did this I found three lines that looked like they might be causing a problem.

O20 - Winlogon Notify: czeciklw - czeciklw.dll (file missing)
O20 - Winlogon Notify: pwvoynrj - pwvoynrj.dll (file missing)
O20 - Winlogon Notify: yayvwts - yayvwts.dll (file missing)

All of those .dlls were found in my virus scans as causing problems. However, I didn't save a logfile with this scan, so I closed the old HJT and the new one and then scanned again with the new HJT. However, this time those 3 lines didn't show up. So I opened the old HJT and scanned again; still they did not show up. So I left the old one open and then opened and scanned with the new HJT again. This time they showed up. Here's my latest log. Any help would be greatly appreciated. I apologize if I haven't provided enough information.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:12:16 AM, on 2/9/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Rokario\BandMon.exe
C:\Documents and Settings\Martin\Start Menu\Programs\Startup\MediaKeySim.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Trend Micro\Internet Security\UfNavi.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Martin\Desktop\HijackThis.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\czeciklw.dll (file missing)
O2 - BHO: (no name) - {E753B799-65DE-433F-976E-123D4A1EA82C} - C:\WINDOWS\system32\mljgg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" /d=60
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [bandmon] C:\Program Files\Rokario\BandMon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MediaKeySim.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\mawfice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - Winlogon Notify: czeciklw - czeciklw.dll (file missing)
O20 - Winlogon Notify: pwvoynrj - pwvoynrj.dll (file missing)
O20 - Winlogon Notify: yayvwts - yayvwts.dll (file missing)
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FVJHWNEP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Martin\LOCALS~1\Temp\FVJHWNEP.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7977 bytes
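The O20 Winlogon Notify, O2 BHO and O4 Run lines quoted above are the kind of entries a responder picks out of a HijackThis log by hand. The script below is an added example, not code from BleepingComputer, Trend Micro or the poster: it parses HijackThis 2.x log lines, applies defensive review heuristics drawn from the entries in this thread (Notify DLLs reported as missing, unnamed or GUID-named BHOs loaded from system32, hex-named Run values calling rundll32, services running from a Temp folder), and diffs two scans so that entries visible only in one run, like the three O20 lines here, stand out. The sample log text is constructed from lines of this thread; the reasons it emits are review prompts, not verdicts.

```python
"""Triage helper for HijackThis 2.x text logs (added example for this thread)."""
import re
from dataclasses import dataclass

# A HijackThis line looks like "O20 - Winlogon Notify: name - name.dll (file missing)".
LINE_RE = re.compile(r"^(?P<sec>[OR]\d{1,2}) - (?P<body>.*)$")
GUID_RE = re.compile(r"\{[0-9a-f-]{36}\}", re.I)
# A DLL sitting directly in system32 (no subfolder), quoted or not.
SYSTEM32_DLL = re.compile(r"C:\\WINDOWS\\system32\\[^\\\s\"]+\.dll", re.I)
# Run value whose name is eight hex digits and whose command is rundll32.
HEX_RUN_NAME = re.compile(r"^HK(LM|CU)\\\.\.\\Run: \[[0-9a-f]{8}\] rundll32\.exe", re.I)


@dataclass(frozen=True)
class Entry:
    section: str  # e.g. "O2", "O4", "O20", "O23"
    body: str     # everything after "Oxx - "


def parse_log(text):
    """Return the Oxx/Rx entries of a HijackThis log; header lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            entries.append(Entry(m.group("sec"), m.group("body")))
    return entries


def triage(entries):
    """Return (entry, reason) pairs for lines a responder should look at."""
    findings = []
    for e in entries:
        b = e.body
        if e.section == "O20" and b.startswith("Winlogon Notify:") and "(file missing)" in b:
            findings.append((e, "Winlogon Notify DLL not found on disk"))
        elif e.section == "O2" and b.startswith("BHO:"):
            name = b.split(" - ")[0][len("BHO: "):]
            if (name == "(no name)" or GUID_RE.fullmatch(name)) and SYSTEM32_DLL.search(b):
                findings.append((e, "unnamed or GUID-named BHO loaded from system32"))
        elif e.section == "O4" and HEX_RUN_NAME.match(b) and SYSTEM32_DLL.search(b):
            findings.append((e, "hex-named Run value loading a system32 DLL via rundll32"))
        elif e.section == "O23" and re.search(r"\\Temp\\", b, re.I):
            # Worth a look, not a verdict: check the binary before touching the service.
            findings.append((e, "service binary located under a Temp directory"))
    return findings


def entries_only_in(first, second):
    """Entries present in `first` but absent from `second` (order preserved)."""
    seen = set(second)
    return [e for e in first if e not in seen]


# Constructed sample built from lines of this thread (scan run under a renamed HJT.exe).
SAMPLE_RENAMED = r"""Logfile of Trend Micro HijackThis v2.0.2
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {ccdd831e-c17a-b97a-dcb4-313774080484} - {48408047-7313-4bcd-a79b-a71ce138ddcc} - C:\WINDOWS\system32\kvbdnnao.dll
O2 - BHO: (no name) - {E6B5EBB9-F529-42DC-B7C2-3ABC385972CE} - C:\WINDOWS\system32\mljgg.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [fcb0e929] rundll32.exe "C:\WINDOWS\system32\uageqnxp.dll",b
O20 - Winlogon Notify: asuatkgb - asuatkgb.dll (file missing)
O23 - Service: FVJHWNEP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Martin\LOCALS~1\Temp\FVJHWNEP.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""
# Constructed: the scan run under the tool's original name omits the Notify entry,
# mirroring what the poster saw before renaming HijackThis.exe.
SAMPLE_ORIGINAL = "\n".join(l for l in SAMPLE_RENAMED.splitlines() if not l.startswith("O20"))


def main():
    renamed = parse_log(SAMPLE_RENAMED)
    for entry, reason in triage(renamed):
        print(f"[{entry.section}] {reason}: {entry.body}")
    for entry in entries_only_in(renamed, parse_log(SAMPLE_ORIGINAL)):
        print(f"only seen in renamed-tool scan: {entry.section} - {entry.body}")


if __name__ == "__main__":
    main()
```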


#2 miekiemoes


Posted 09 February 2008 - 03:16 PM

Hi,

However, I didn't save a logfile with this scan so I closed the old HJT and new one and then I scanned again with the new HJT. However this time those 3 lines didn't show up. So I opened the old HJT and scanned again, still they did not show up. So I left the old one open and then opened and scanned with the new HJT again. This time they showed up.

If you rename HijackThis.exe to something else, for example scan.exe, they will show up as well. :thumbsup:

Anyway,

* Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

#3 MSSJ


Posted 10 February 2008 - 05:24 PM

Here is the HijackThis log before running ComboFix but after changing the name of the .exe to HJT.exe. It seems to have caught more suspicious .dlls this time than when it had its original name.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:34:35 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Rokario\BandMon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Documents and Settings\Martin\Start Menu\Programs\Startup\MediaKeySim.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe
C:\Program Files\Trend Micro\BM\TMBMSRV.exe
C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
C:\Program Files\Trend Micro\Internet Security\TmProxy.exe
C:\WINDOWS\system32\mdm.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\Trend Micro\HijackThis\Hjt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {ccdd831e-c17a-b97a-dcb4-313774080484} - {48408047-7313-4bcd-a79b-a71ce138ddcc} - C:\WINDOWS\system32\kvbdnnao.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {E6B5EBB9-F529-42DC-B7C2-3ABC385972CE} - C:\WINDOWS\system32\mljgg.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" /d=60
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKLM\..\Run: [fcb0e929] rundll32.exe "C:\WINDOWS\system32\uageqnxp.dll",b
O4 - HKCU\..\Run: [bandmon] C:\Program Files\Rokario\BandMon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MediaKeySim.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\mawfice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - Winlogon Notify: asuatkgb - asuatkgb.dll (file missing)
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FVJHWNEP - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Martin\LOCALS~1\Temp\FVJHWNEP.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 8006 bytes

====================================================
====================================================
And here is the ComboFix log and the new HijackThis log after running ComboFix.
====================================================
====================================================

ComboFix 08-02.05.3 - Martin 2008-02-10 17:11:06.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1405 [GMT -5:00]
Running from: C:\Documents and Settings\Martin\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\asuatkgb.dllbox
C:\WINDOWS\system32\ggjlm.ini
C:\WINDOWS\system32\ggjlm.ini2
C:\WINDOWS\system32\kvbdnnao.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mljgg.dll
C:\WINDOWS\system32\pwvoynrj.dllbox
C:\WINDOWS\system32\pxnqegau.ini
C:\WINDOWS\system32\uageqnxp.dll
C:\WINDOWS\system32\vljwhefe.ini

.
((((((((((((((((((((((((( Files Created from 2008-01-10 to 2008-02-10 )))))))))))))))))))))))))))))))
.

2008-02-10 17:05 . 2004-08-10 06:00 260,272 -r-hs---- C:\cmldr
2008-02-10 00:29 . 2008-02-10 13:58 23 --a------ C:\WINDOWS\BlendSettings.ini
2008-02-09 00:03 . 2008-02-09 21:41 10,752 --a------ C:\WINDOWS\DCEBoot.exe
2008-02-08 23:51 . 2007-09-18 01:10 52,496 --a------ C:\WINDOWS\system32\drivers\tmactmon.sys
2008-02-08 23:51 . 2007-09-18 01:10 52,368 --a------ C:\WINDOWS\system32\drivers\tmevtmgr.sys
2008-02-08 23:50 . 2008-02-10 17:07 <DIR> d-------- C:\Program Files\Trend Micro
2008-02-08 23:50 . 2008-02-08 23:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Trend Micro
2008-02-08 23:43 . 2008-02-08 23:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avg7
2008-02-08 22:19 . 2008-02-08 22:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-02-08 00:04 . 2008-02-08 00:06 <DIR> d-------- C:\Program Files\a-squared Anti-Dialer
2008-02-07 23:41 . 2008-02-07 23:41 <DIR> d-------- C:\Program Files\a-squared HiJackFree
2008-02-07 23:39 . 2008-02-08 00:03 <DIR> d-------- C:\Program Files\a-squared Free
2008-02-07 22:56 . 2008-02-07 23:15 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\Winamp
2008-02-07 19:33 . 2008-02-09 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-07 19:32 . 2008-02-07 19:32 <DIR> d-------- C:\Program Files\Security Task Manager
2008-02-07 18:57 . 2007-09-18 01:10 138,512 --a------ C:\WINDOWS\system32\drivers\tmcomm.sys
2008-02-07 18:50 . 2008-02-07 19:29 <DIR> d-------- C:\Documents and Settings\Martin\.housecall6.6
2008-02-07 18:43 . 2008-02-07 18:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\DFX
2008-02-07 18:42 . 2008-02-07 18:42 75 --a------ C:\WINDOWS\winamp.ini
2008-02-07 18:28 . 2008-02-07 18:28 <DIR> d-------- C:\Program Files\DFX
2008-02-04 17:10 . 2007-03-07 18:51 129,784 --a------ C:\WINDOWS\system32\pxafs.dll
2008-01-30 21:02 . 2008-01-30 21:02 54,608 --a------ C:\WINDOWS\system32\xfcodec.dll
2008-01-30 15:51 . 2008-01-30 16:02 <DIR> d-------- C:\Program Files\Wolfenstein - Enemy Territory
2008-01-26 18:56 . 2008-01-26 20:33 <DIR> d-------- C:\Program Files\Coffee Tycoon
2008-01-26 18:37 . 2008-01-26 18:37 <DIR> d-------- C:\Program Files\ReflexiveArcade
2008-01-26 18:37 . 2008-02-02 00:11 <DIR> d-------- C:\Program Files\Fish Tycoon
2008-01-14 21:26 . 2008-01-27 22:17 <DIR> d-------- C:\Program Files\ESEA
2008-01-14 20:35 . 2008-01-14 20:35 32,772 --ah----- C:\WINDOWS\system32\mlfcache.dat
2008-01-14 19:48 . 2008-01-14 19:48 <DIR> d-------- C:\Program Files\Macromedia
2008-01-13 22:51 . 2008-01-13 22:51 <DIR> d-------- C:\Documents and Settings\Martin\Application Data\InstallShield
2008-01-12 16:26 . 2008-01-12 16:26 <DIR> d-------- C:\Program Files\NVIDIA nTune Performance Application
2008-01-12 16:19 . 2008-01-12 16:19 <DIR> d-------- C:\Program Files\Belarc
2008-01-12 16:19 . 2005-04-07 16:18 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-10 05:54 --------- d-----w C:\Program Files\Trillian
2008-02-10 02:53 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-10 02:53 --------- d-----w C:\Program Files\Bethesda Softworks
2008-02-10 02:25 --------- d-----w C:\Program Files\mIRC
2008-02-10 02:25 --------- d-----w C:\Documents and Settings\Martin\Application Data\Xfire
2008-02-10 01:43 --------- d-----w C:\Documents and Settings\Martin\Application Data\uTorrent
2008-02-09 23:34 --------- d-----w C:\Program Files\Real
2008-02-09 23:29 --------- d-----w C:\Program Files\ChessBase
2008-02-09 23:29 --------- d-----w C:\Documents and Settings\Martin\Application Data\ChessBase
2008-02-09 21:53 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-02-09 21:53 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-02-09 19:45 --------- d-----w C:\Program Files\Lavasoft
2008-02-09 19:45 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-02-09 04:46 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-02-09 04:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-02-08 05:03 --------- d-----w C:\Program Files\DIGStream
2008-02-08 03:57 --------- d-----w C:\Program Files\Winamp
2008-02-07 22:26 --------- d-s---w C:\Program Files\Xfire
2008-02-06 01:58 --------- d-----w C:\Program Files\Minilyrics
2008-02-04 22:57 --------- d-----w C:\Program Files\World of Warcraft
2008-02-03 06:11 --------- d-----w C:\Program Files\Whomp Buddy Pogo
2008-02-03 06:11 --------- d-----w C:\Program Files\Checkers Buddy Pogo
2008-02-01 02:56 --------- d-----w C:\Documents and Settings\Martin\Application Data\AdobeUM
2008-01-15 00:49 --------- d-----w C:\Program Files\Common Files\Macromedia
2008-01-12 21:27 --------- d-----w C:\Program Files\NVIDIA Corporation
2007-12-31 20:38 86,016 ----a-w C:\WINDOWS\system32\OpenAL32.dll
2007-12-31 20:38 409,600 ----a-w C:\WINDOWS\system32\wrap_oal.dll
2007-12-31 20:38 --------- d-----w C:\Program Files\Creative
2007-12-31 20:38 --------- d-----w C:\Documents and Settings\Martin\Application Data\Creative
2007-12-31 09:32 --------- d-----w C:\Program Files\SystemRequirementsLab
2007-12-31 09:32 --------- d-----w C:\Documents and Settings\Martin\Application Data\SystemRequirementsLab
2007-12-30 17:53 66,872 ----a-w C:\WINDOWS\system32\PnkBstrA.exe
2007-12-30 17:51 22,328 ----a-w C:\Documents and Settings\Martin\Application Data\PnkBstrK.sys
2007-12-30 17:41 --------- d-----w C:\Program Files\Activision
2007-12-27 05:56 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-24 20:34 98,304 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-24 19:42 --------- d-----w C:\Program Files\Eidos
2007-12-24 19:39 --------- d-----w C:\Program Files\Microsoft Games
2007-12-24 03:06 --------- d-----w C:\Program Files\Common Files\eSellerate
2007-12-24 00:10 --------- d-----w C:\Documents and Settings\Martin\Application Data\PogoChessBuddy
2007-12-22 03:40 --------- d-----w C:\Program Files\Opera
2007-12-22 03:37 --------- d-----w C:\Program Files\Java
2007-12-14 16:32 12,632 ----a-w C:\WINDOWS\system32\lsdelete.exe
2007-12-05 07:53 356,352 ----a-w C:\WINDOWS\system32\NVUNINST.EXE
2007-12-05 06:41 753,664 ----a-w C:\WINDOWS\system32\nvcplui.exe
2007-12-05 06:41 466,944 ----a-w C:\WINDOWS\system32\nvshell.dll
2007-12-05 06:41 45,056 ----a-w C:\WINDOWS\system32\nvmccsrs.dll
2007-12-05 06:41 442,368 ----a-w C:\WINDOWS\system32\nvappbar.exe
2007-12-05 06:41 425,984 ----a-w C:\WINDOWS\system32\keystone.exe
2007-12-05 06:41 356,352 ----a-w C:\WINDOWS\system32\nvudisp.exe
2007-12-05 06:41 307,200 ----a-w C:\WINDOWS\system32\nvexpbar.dll
2007-12-05 06:41 147,456 ----a-w C:\WINDOWS\system32\nvcolor.exe
2007-12-05 06:41 1,703,936 ----a-w C:\WINDOWS\system32\nvwdmcpl.dll
2007-12-05 06:41 1,626,112 ----a-w C:\WINDOWS\system32\nwiz.exe
2007-12-05 06:41 1,474,560 ----a-w C:\WINDOWS\system32\nview.dll
2007-12-05 06:41 1,339,392 ----a-w C:\WINDOWS\system32\nvdspsch.exe
2007-12-05 06:41 1,089,536 ----a-w C:\WINDOWS\system32\nvcuda.dll
2007-12-05 06:41 1,019,904 ----a-w C:\WINDOWS\system32\nvwimg.dll
2007-01-29 22:06 14 ----a-w C:\Documents and Settings\Martin\getfile.dat
2006-11-08 04:08 56 --sh--r C:\WINDOWS\system32\57A0D80AD1.sys
2006-11-08 04:08 1,682 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bandmon"="C:\Program Files\Rokario\BandMon.exe" [2006-02-06 21:48 944128]
"Active Desktop Calendar"="C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe" [2007-01-11 15:13 3330048]
"NVIDIA nTune"="C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" [2007-09-04 19:25 81920]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"CTSysVol"="C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe" [2003-09-17 11:43 57344]
"dla"="C:\WINDOWS\system32\dla\tfswctrl.exe" [2004-12-06 02:05 127035]
"Copperhead"="C:\Program Files\Razer\Copperhead\razerhid.exe" [2005-11-02 10:48 155648]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [2007-06-29 00:43 81920]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2008-01-15 17:54 37376]
"a-squared"="C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" [2008-02-08 00:05 1329152]
"a-squared Anti-Dialer"="C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" [2008-02-08 00:05 1329152]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-29 00:43 8466432]
"UfSeAgnt.exe"="C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe" [2008-01-21 12:16 1393928]

C:\Documents and Settings\Martin\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-12-16 00:50:48 113664]
MediaKeySim.exe [2006-04-27 21:05:33 53248]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"InstallVisualStyle"= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
"InstallTheme"= C:\WINDOWS\Resources\Themes\Royale.theme

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\asuatkgb]
asuatkgb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
C:\Program Files\Common Files\AOL\1148874131\ee\AOLSoftware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~3\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-12 15:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PeerGuardian]
--a------ 2005-09-18 17:40 1421824 C:\Program Files\PeerGuardian2\pg2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ehSched"=2 (0x2)
"ehRecvr"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=3 (0x3)
"Avg7Alrt"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"aspnet_state"=3 (0x3)
"PnkBstrB"=3 (0x3)
"PnkBstrA"=2 (0x2)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"CTDVDDET"="C:\Program Files\Creative\SBAudigy2ZS\DVDAudio\CTDVDDET.EXE"
"CTxfiHlp"=CTXFIHLP.EXE
"NvCplDaemon"=RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
"ISUSPM Startup"="C:\Program Files\Common Files\InstallShield\UpdateService\isuspm.exe" -startup
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
"ehTray"=C:\WINDOWS\ehome\ehtray.exe

R1 oreans32;oreans32;C:\WINDOWS\system32\drivers\oreans32.sys [2006-12-26 23:21]
R2 a2AntiDialer;a-squared Anti-Dialer Service;"C:\Program Files\a-squared Anti-Dialer\a2service.exe" [2008-02-08 00:05]
R3 UsbFltr;%SvcDisplayName%;C:\WINDOWS\system32\drivers\copperhd.sys [2005-11-02 10:54]
S3 CEDRIVER53;CEDRIVER53;C:\Program Files\Cheat Engine\dbk32.sys []
S3 FVJHWNEP;FVJHWNEP;C:\DOCUME~1\Martin\LOCALS~1\Temp\FVJHWNEP.exe []
S3 Razerlow;Razer Copperhead Driver;C:\WINDOWS\system32\Drivers\Razerlow.sys [2005-08-09 11:50]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{47c443ec-8682-11dc-b0ed-0014223c50f2}]
\Shell\AutoRun\command - H:\auto.bat
\Shell\dinstall\command - H:\appz\svchost.exe

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-10 17:18:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Documents and Settings\Martin\Start Menu\Programs\Startup\MediaKeySim.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
.
**************************************************************************
.
Completion time: 2008-02-10 17:22:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-10 22:22:56


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:38 PM, on 2/10/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\Razer\Copperhead\razerhid.exe
C:\WINDOWS\CTHELPER.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\Program Files\a-squared Anti-Dialer\a2adguard.exe
C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
C:\Documents and Settings\Martin\Start Menu\Programs\Startup\MediaKeySim.exe
C:\Program Files\a-squared Anti-Dialer\a2service.exe
C:\Program Files\a-squared Free\a2service.exe
C:\WINDOWS\system32\CTsvcCDA.EXE
C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Razer\Copperhead\razertra.exe
C:\Program Files\Razer\Copperhead\razerofa.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Opera\Opera.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Hjt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/myway
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/myway
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.dell4me.com/myway
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy2ZS\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM\..\Run: [Copperhead] C:\Program Files\Razer\Copperhead\razerhid.exe
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] "C:\Program Files\Winamp\winampa.exe"
O4 - HKLM\..\Run: [a-squared] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe"
O4 - HKLM\..\Run: [a-squared Anti-Dialer] "C:\Program Files\a-squared Anti-Dialer\a2adguard.exe" /d=60
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [UfSeAgnt.exe] "C:\Program Files\Trend Micro\Internet Security\UfSeAgnt.exe"
O4 - HKCU\..\Run: [bandmon] C:\Program Files\Rokario\BandMon.exe
O4 - HKCU\..\Run: [Active Desktop Calendar] C:\Program Files\XemiComputers\Active Desktop Calendar\ADC.exe
O4 - HKCU\..\Run: [NVIDIA nTune] "C:\Program Files\NVIDIA Corporation\nTune\nTuneCmd.exe" clear
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: MediaKeySim.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\mawfice\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Sothink SWF Catcher - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra 'Tools' menuitem: Sothink SWF Catcher - {E19ADC6E-3909-43E4-9A89-B7B676377EE3} - C:\Program Files\Common Files\SourceTec\SWF Catcher\InternetExplorer.htm
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15031/CTSUEng.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15033/CTPID.cab
O20 - Winlogon Notify: asuatkgb - asuatkgb.dll (file missing)
O23 - Service: a-squared Anti-Dialer Service (a2AntiDialer) - Emsi Software GmbH - C:\Program Files\a-squared Anti-Dialer\a2service.exe
O23 - Service: a-squared Free Service (a2free) - Emsi Software GmbH - C:\Program Files\a-squared Free\a2service.exe
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\system32\CTsvcCDA.EXE
O23 - Service: Diskeeper - Diskeeper Corporation - C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe
O23 - Service: FVJHWNEP - Unknown owner - C:\DOCUME~1\Martin\LOCALS~1\Temp\FVJHWNEP.exe (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: nTune Service (nTuneService) - NVIDIA - C:\Program Files\NVIDIA Corporation\nTune\nTuneService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Trend Micro Central Control Component (SfCtlCom) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\SfCtlCom.exe
O23 - Service: Trend Micro Unauthorized Change Prevention Service (TMBMServer) - Trend Micro Inc. - C:\Program Files\Trend Micro\BM\TMBMSRV.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\Internet Security\TmProxy.exe

--
End of file - 7359 bytes

Edited by MSSJ, 10 February 2008 - 05:26 PM.


#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 February 2008 - 05:39 PM

Hi,

Check and fix the next entries in HijackThis:

O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O20 - Winlogon Notify: asuatkgb - asuatkgb.dll (file missing)

I see you had Avast installed - but disabled in your case. Is it still installed? If so, please uninstall it since you already have an Antivirus present, because they are not compatible, even though you disabled Avast.

Also, is it possible you ran RootkitRevealer? Because I see this entry present in your log:

O23 - Service: FVJHWNEP - Unknown owner - C:\DOCUME~1\Martin\LOCALS~1\Temp\FVJHWNEP.exe (file missing)

Since the file is deleted anyway, you may delete the service as well. To do this, go to start > run and copy and paste:

sc delete FVJHWNEP

Hit enter

Then, go to start > run and copy and paste the next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and reset System Restore again.

Let me know in your next reply how things are now.

You'll see, once the infection is gone, if you rename Hjt.exe back to what it was before (HijackThis.exe), it will display everything again, because previously it was hiding every O2 and O20 entry in your log :thumbsup:
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.
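A triage pass over the kind of HijackThis entries picked out in the reply above, as an added example that is not code from the thread, from HijackThis or from ComboFix: it parses the O2/O20/O23 lines quoted in this thread, flags orphaned "(file missing)" registrations, Winlogon Notify hooks and services with no company name running from a Temp folder, and derives the registry key name that `sc delete` expects from an O23 line. Only the quoted log lines come from the thread; every function and name here is constructed for the example.

```python
import re

# HijackThis O-lines reproduced from the log quoted in this thread; the rest
# of this file is constructed for the example and is not HijackThis code.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll (file missing)
O20 - Winlogon Notify: asuatkgb - asuatkgb.dll (file missing)
O23 - Service: FVJHWNEP - Unknown owner - C:\DOCUME~1\Martin\LOCALS~1\Temp\FVJHWNEP.exe (file missing)
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
TEMP_RE = re.compile(r"\\Temp\\", re.IGNORECASE)
# O23 body: "Service: Display Name (KeyName) - Company - Path". HijackThis only
# prints "(KeyName)" when it differs from the display name; sc needs the key name.
SERVICE_RE = re.compile(
    r"^Service: (?P<display>.*?)(?: \((?P<name>[^()]+)\))? - (?P<owner>.*?) - (?P<path>.*)$"
)


def parse_entries(log_text):
    """Yield (section, body) for every 'Onn - ...' line in the log."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def service_key_name(body):
    """Return the name 'sc delete' needs for an O23 body, or None if not an O23."""
    m = SERVICE_RE.match(body)
    if not m:
        return None
    return m.group("name") or m.group("display")


def triage(log_text):
    """Return the entries a malware responder would look at first."""
    findings = []
    for section, body in parse_entries(log_text):
        reasons = []
        if body.endswith("(file missing)"):
            reasons.append("file missing: orphaned registration left behind")
        if section == "O20":
            reasons.append("Winlogon Notify hook: DLL loaded by winlogon.exe at logon")
        if section == "O23" and "Unknown owner" in body and TEMP_RE.search(body):
            reasons.append("service with no company name running from a Temp folder")
        if reasons:
            findings.append({"section": section, "body": body, "reasons": reasons,
                             "service": service_key_name(body) if section == "O23" else None})
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["section"], "|", "; ".join(f["reasons"]))
        if f["service"]:
            print("   remove with: sc delete", f["service"])
```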

#5 MSSJ

MSSJ
  • Topic Starter

  • Members
  • 4 posts

Posted 10 February 2008 - 05:42 PM

One quick question. Are there any command line parameters I can add with /u to avoid hiding the system and hidden files and file extensions?

Btw, thank you for your help.

Edit: I also don't see anything from Avast, I'm pretty sure I uninstalled it long ago. And I did run rootkitrevealer btw.

Edited by MSSJ, 10 February 2008 - 05:46 PM.


#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 February 2008 - 05:46 PM

Well... no, but you can just change that again afterwards in your folder/file options:


Click Start.
Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm.
Click OK.

#7 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 February 2008 - 05:49 PM

Edit: I also don't see anything from Avast, I'm pretty sure I uninstalled it long ago. And I did run rootkitrevealer btw.


In that case... let's delete the leftovers from msconfig, including the services you disabled related to a previous install of AVG:

To do this, open Notepad and copy and paste what is present in the quotebox below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"AVGEMS"=-
"Avg7UpdSvc"=-
"Avg7Alrt"=-
"avast! Web Scanner"=-
"avast! Mail Scanner"=-
"avast! Antivirus"=-
"aswUpdSv"=-

Save this as fix.reg (choose to save as all files) and place it on your desktop.
It should look like this: [screenshot]
Double-click on it and when it asks you if you want to merge the contents to the registry, click yes/ok.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Please do not disable your Antivirus anymore, because how are you supposed to prevent malware if you disable it?

#8 MSSJ

MSSJ
  • Topic Starter

  • Members
  • 4 posts

Posted 10 February 2008 - 05:49 PM

Ok, I completed everything. I just wanted to know about the command for informational purposes. Should I run any more scans with HJT, Adaware, TrendMicro, or any other software? Or does it appear as though everything is cleared? My system currently seems fine. I'm hoping that nothing will survive in the registry when I restart. Hopefully my suspicions are unfounded.

Thanks again for your help. I really appreciate it.

#9 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 10 February 2008 - 05:50 PM

Yes, everything is cleared now :thumbsup:
Glad I could help.

Please read my Prevention page with lots of info and tips on how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!

#10 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 17 February 2008 - 09:55 AM

Since this issue appears resolved ... this Topic is closed.
If you need this topic reopened for continuations of existing problems, please request this by sending me a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.



