Computer Reads Nt Authority/system & Shuts Down In 60 Secs.


20 replies to this topic

#1 danalembke

Posted 17 April 2007 - 08:15 PM

So here is what I have on my computer. I run Avast Anti-Virus and keep it up to date. I also use SpyBot and Ad-Aware SE. I left my computer running today and when I got home everything was shot. My Avast Mail scanner had scanned over 100 messages and was pumping out emails like there was no tomorrow. I have no idea what the virus or worm was, but I ended up spending 6 hours trying to figure it out by reading forums. I keep on getting messages that my Firewall was turned off and I turn it back on, but after I restart I get the same prompt. I went into Windows (in safe mode) and got rid of a bunch of files that had been created today, while I was at school (student teacher). I also went through HijackThis and, using web forums, got rid of a bunch of files that were problematic. I am still having problems though.

One file that I could not get rid of was A3dxq.dll (in System32). I'm not sure what it is, but I suspect that it is Fing up shop. When I brought up Windows Task Manager (Ctrl+Alt+Del) and tried to stop a program (svchost) that was chewing up the CPU usage, the computer brought up a box that said that the computer had to shut down and gave me a 60 sec. countdown. It also read something to do with NT Authority/System. I'm posting my HijackThis log and hopefully someone can help me out. I am currently a student teacher and really really really need my computer to help me prepare my lessons. If anyone could help I would be forever in debt to you. Thanks for the help in advance.

Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 9:11:22 PM, on 4/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLHostManager.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Family\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147746098234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
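Two added notes on the symptoms in post #1, followed by an example that is not part of the original post, of HijackThis, or of any tool used in this thread. The 60-second countdown from NT AUTHORITY\SYSTEM is what Windows XP does when the svchost.exe instance hosting the Remote Procedure Call service (RpcSs, listed under the Svchost groups further down in the ComboFix log) is terminated: the service's recovery action is a reboot. Typing `shutdown -a` at a command prompt cancels the countdown, and on XP Professional `tasklist /svc` shows which services each svchost.exe instance hosts, so the wrong one is not killed again. The Python below is a small triage pass over a HijackThis-format log. It flags services reported as missing (HijackThis 1.99.1 also reports this for services whose ImagePath is quoted, as the two avast entries above show, so check the file on disk before acting), random-looking executable and DLL names, programs started from the drive root, and O20 Winlogon Notify / AppInit_DLLs entries. The allowlist, the random-name heuristic and the sample lines are assumptions constructed for this example from names that appear in this thread's logs; they are not the poster's real log.

```python
"""Triage a HijackThis 1.99.1 log: list the autostart and service entries
that deserve a second look before anyone starts deleting files."""
import re
from dataclasses import dataclass, field

VOWELS = set("aeiouy")
# Legitimate stems that trip the few-vowels heuristic on an XP box like this
# one (ctfmon, qttask...). Assumption for this example; extend per machine.
KNOWN_GOOD = {"ctfmon", "qttask", "spoolsv", "svchost", "winlogon", "lsass",
              "smss", "wuauclt", "taskmgr", "ashdisp", "rundll32", "nvsvc32"}


def looks_random(stem: str) -> bool:
    """6-8 lowercase letters, at most one vowel, and a consonant run of 3+.
    Catches names such as wfxqhv, jkkjjkk or krvjppnr; it misses others, so a
    hit is a prompt to look at the file, not a verdict."""
    s = stem.lower()
    if s in KNOWN_GOOD or not re.fullmatch(r"[a-z]{6,8}", s):
        return False
    vowels = sum(c in VOWELS for c in s)
    longest = max((len(r) for r in re.findall(r"[^aeiouy]+", s)), default=0)
    return vowels <= 1 and longest >= 3


@dataclass
class Finding:
    kind: str                              # HijackThis section: O4, O20, O23...
    line: str                              # the original log line
    reasons: list = field(default_factory=list)


ROOT_EXE = re.compile(r"\b[A-Z]:\\[\w~\-]+\.exe\b", re.I)      # C:\name.exe, no folder
NAMED_FILE = re.compile(r"([\w~\-]+)\.(?:exe|dll|cpl)\b", re.I)  # stems of files on the line


def triage(log_text: str) -> list:
    """Return one Finding per log line that trips at least one heuristic."""
    findings = []
    for raw in log_text.splitlines():
        m = re.match(r"^(O\d+|R\d|F\d) - (.*)$", raw.strip())
        if not m:
            continue
        kind, body = m.groups()
        reasons = []
        if "(file missing)" in body:
            reasons.append("target reported missing (HJT 1.99.1 also says this "
                           "for quoted service paths, so verify on disk)")
        for stem in NAMED_FILE.findall(body):
            if looks_random(stem):
                reasons.append(f"random-looking file name: {stem}")
        if kind == "O4" and ROOT_EXE.search(body):
            reasons.append("executable started from the drive root")
        if kind == "O20":
            reasons.append("Winlogon Notify / AppInit_DLLs entry: loaded by "
                           "winlogon.exe or by every process that loads user32")
        if reasons:
            findings.append(Finding(kind, raw.strip(), reasons))
    return findings


# Constructed sample in HijackThis format, built from names that appear in this
# thread's logs (ashDisp, ctfmon, wfxqhv, kybrdfg_7, jkkjjkk, the avast
# service). It is not the poster's actual log.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Run: [wfxqhv] "C:\WINDOWS\System32\wfxqhv.exe"
O4 - HKLM\..\Run: [kybrdfg_7] C:\kybrdfg_7.exe
O20 - Winlogon Notify: jkkjjkk - C:\WINDOWS\system32\jkkjjkk.dll
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f.kind, "|", f.line)
        for r in f.reasons:
            print("    ->", r)
```

Run as-is it reports four of the eight sample lines (wfxqhv, kybrdfg_7, jkkjjkk, the avast mail scanner) and leaves the avast tray icon, the NVIDIA entries and ctfmon alone; feed it a real log with `triage(open(path).read())`. A hit means look at the file's size, timestamp and publisher, not delete it.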

#2 danalembke

Posted 18 April 2007 - 04:31 PM

I also just did a Spybot search and had the Smitfraud 888 toolbar come up on my computer, so I downloaded SmitFraudFix v2.171 and scanned the computer to see what it would come up with. Below, I have posted the report, so hopefully that should aid in diagnosing the problem.

SmitFraudFix v2.171

Scan done at 17:20:04.96, Wed 04/18/2007
Run from D:\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\taskmgr.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\cmd.exe

hosts


C:\


C:\WINDOWS

C:\WINDOWS\keyboard1.dat FOUND !

C:\WINDOWS\system


C:\WINDOWS\Web


C:\WINDOWS\system32


C:\WINDOWS\system32\LogFiles


C:\Documents and Settings\Family


C:\Documents and Settings\Family\Application Data

C:\Documents and Settings\Family\Application Data\Install.dat FOUND !

Start Menu


C:\DOCUME~1\Family\FAVORI~1


Desktop


C:\Program Files

C:\Program Files\Video ActiveX Object\ FOUND !

Corrupted keys


Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


pe386-msguard-lzx32-huy32



DNS

Description: VIA PCI 10/100Mb Fast Ethernet Adapter - Packet Scheduler Miniport
DNS Server Search Order: 68.168.64.19
DNS Server Search Order: 68.168.64.20

HKLM\SYSTEM\CCS\Services\Tcpip\..\{DD0C3BD0-5FCC-49E7-A2A6-7A87EB7D8A09}: DhcpNameServer=68.168.64.19 68.168.64.20
HKLM\SYSTEM\CS1\Services\Tcpip\..\{DD0C3BD0-5FCC-49E7-A2A6-7A87EB7D8A09}: DhcpNameServer=68.168.64.19 68.168.64.20
HKLM\SYSTEM\CS3\Services\Tcpip\..\{DD0C3BD0-5FCC-49E7-A2A6-7A87EB7D8A09}: DhcpNameServer=68.168.64.19 68.168.64.20
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=68.168.64.19 68.168.64.20
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=68.168.64.19 68.168.64.20
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=68.168.64.19 68.168.64.20


Scanning for wininet.dll infection


End

#3 Buckeye_Sam

Posted 19 April 2007 - 04:00 PM

Hi and welcome to Bleeping Computer! My name is Sam and I will be helping you.

Please download ComboFix and save it to your desktop.
Double click combofix.exe and follow the prompts.
When it's done running it will produce a log for you. Please post that log in your next reply.

Important Note - Do not mouseclick combofix's window whilst it's running. That may cause it to stall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#4 danalembke

Posted 19 April 2007 - 04:49 PM

Hi Sam and thanks for helping, here is the ComboFix log:

"Family" - 07-04-19 17:27:56 Service Pack 2
ComboFix 07-04-19.2V - Running from: D:\


(((((((((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\krvjppnr.dll
C:\WINDOWS\system32\lcwcvcvh.dll
C:\WINDOWS\system32\saoavmmp.dll


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\keyboard1.dat
C:\stub_113_4_0_4_0new.exe
C:\WINDOWS\system32\eraseme_18081.exe
C:\WINDOWS\system32\eraseme_87164.exe
C:\Program Files\pshope\Uninstall.exe
C:\WINDOWS\system32\bund1\ClientBundle1.exe
C:\WINDOWS\system32\bund1\temp.txt
C:\DOCUME~1\Family\APPLIC~1.\install.dat
C:\visfx500new.exe
C:\Program Files\pshope
C:\Program Files\video activex object
C:\WINDOWS\system32\bund1
C:\WINDOWS\system32\a3dxq.dll


((((((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_WINCOM32
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS


((((((((((((((((((((((((((((((( Files Created from 2007-03-19 to 2007-04-19 ))))))))))))))))))))))))))))))))))


2007-04-18 17:20 1,800 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-18 17:19 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-18 17:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-18 17:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-18 17:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-18 17:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-18 17:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-17 09:58 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-17 09:58 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-05 22:27 <DIR> d-------- C:\Program Files\Movie Converter V2
2007-03-25 18:36 <DIR> d-------- C:\Program Files\Picasa2
2007-03-24 21:42 <DIR> d-------- C:\Program Files\MagicISO
2007-03-20 20:15 <DIR> d-------- C:\Program Files\QuickTake
2007-03-19 21:31 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Adobe
2007-03-19 17:36 <DIR> d-------- C:\Program Files\LessonView
2007-03-19 17:29 86,016 --a------ C:\WINDOWS\unvise32.exe
2007-03-19 17:28 <DIR> d-------- C:\Program Files\TeacherEXPRESS
2007-03-19 17:28 <DIR> d-------- C:\ExamView


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-14 03:47 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-14 03:47 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-14 03:45 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-14 03:44 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-14 03:43 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-10 07:18 712832 --a------ C:\WINDOWS\system32\aswboot.exe
2007-04-05 20:59 -------- d-------- C:\DOCUME~1\Family\APPLIC~1\utorrent
2007-03-25 18:36 -------- d-------- C:\Program Files\google
2007-03-19 17:34 3397 --a------ C:\DOCUME~1\Family\APPLIC~1\evpro32.prf
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-10 21:39 131604 --a------ C:\WINDOWS\system32\eyveuavn.dll
2007-03-10 09:09 131604 --a------ C:\WINDOWS\system32\usdicahu.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-06 18:16 -------- d-------- C:\DOCUME~1\Family\APPLIC~1\real
2007-03-06 18:13 -------- d-------- C:\Program Files\Common Files\xing shared
2007-03-06 18:13 -------- d-------- C:\Program Files\Common Files\real
2007-03-06 18:11 -------- d-------- C:\Program Files\real
2007-03-06 07:53 276500 --a------ C:\WINDOWS\system32\qdtepdmw.dll
2007-03-05 06:37 276500 --a------ C:\WINDOWS\system32\mggwychr.dll
2007-03-05 00:11 276500 --a------ C:\WINDOWS\system32\vkcdupxf.dll
2007-03-04 09:49 276500 --a------ C:\WINDOWS\system32\cnvrjovt.dll
2007-03-03 19:09 276500 --a------ C:\WINDOWS\system32\uihdinsm.dll
2007-03-01 17:42 276500 --a------ C:\WINDOWS\system32\ajbcdlvm.dll
2007-02-27 18:22 276500 --a------ C:\WINDOWS\system32\euhmwuyp.dll
2007-02-27 07:20 276500 --a------ C:\WINDOWS\system32\bxopgmnb.dll
2007-02-26 17:48 276500 --a------ C:\WINDOWS\system32\umlclfxh.dll
2007-02-24 10:09 276500 --a------ C:\WINDOWS\system32\ysxvxbuk.dll
2007-02-23 11:52 276500 --a------ C:\WINDOWS\system32\shuvvids.dll
2007-02-22 09:46 276500 --a------ C:\WINDOWS\system32\jiicsyug.dll
2007-02-21 11:38 276500 --a------ C:\WINDOWS\system32\bgxecahl.dll
2007-02-19 18:17 -------- d-------- C:\Program Files\winamp
2007-02-19 11:33 276500 --a------ C:\WINDOWS\system32\drojlvpv.dll
2007-02-19 11:19 13013 --a------ C:\WINDOWS\system32\spoonuninstall-dbpoweramp music converter.dat
2007-02-19 11:18 4103032 --a------ C:\WINDOWS\system32\spoonuninstall.exe
2007-02-19 11:18 -------- d-------- C:\Program Files\illustrate
2007-02-19 10:17 276500 --a------ C:\WINDOWS\system32\jdsthohm.dll
2007-02-18 08:51 276500 --a------ C:\WINDOWS\system32\rolkxddt.dll
2007-02-17 22:41 276500 --a------ C:\WINDOWS\system32\vgksnsjs.dll
2007-02-17 08:38 276500 --a------ C:\WINDOWS\system32\smaetoey.dll
2007-02-16 23:02 276500 --a------ C:\WINDOWS\system32\jeffrwjt.dll
2007-02-14 06:55 276500 --a------ C:\WINDOWS\system32\ddqkapic.dll
2007-02-13 18:14 276500 --a------ C:\WINDOWS\system32\quaymxrx.dll
2007-02-12 17:13 276500 --a------ C:\WINDOWS\system32\rdfhjpkk.dll
2007-02-11 10:52 276500 --a------ C:\WINDOWS\system32\atdhksla.dll
2007-02-10 11:01 276500 --a------ C:\WINDOWS\system32\hjtdnfhh.dll
2007-02-07 17:08 276500 --a------ C:\WINDOWS\system32\gbpmlnta.dll
2007-02-06 10:00 276500 --a------ C:\WINDOWS\system32\gwedmmrk.dll
2007-02-06 09:39 276500 --a------ C:\WINDOWS\system32\ansobefp.dll
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-02-05 13:03 276500 --a------ C:\WINDOWS\system32\wmknbfpx.dll
2007-02-03 16:31 276500 --a------ C:\WINDOWS\system32\ojeehqoa.dll
2007-02-01 16:31 276500 --a------ C:\WINDOWS\system32\advwwbsv.dll
2007-01-31 16:33 276500 --a------ C:\WINDOWS\system32\vdenibrg.dll
2007-01-30 17:24 276500 --a------ C:\WINDOWS\system32\rtyrhtit.dll
2007-01-29 08:25 276500 --a------ C:\WINDOWS\system32\rdhsrhre.dll
2007-01-28 09:35 335 --a------ C:\WINDOWS\nsreg.dat
2007-01-28 09:34 276500 --a------ C:\WINDOWS\system32\xkrdkjuf.dll
2007-01-27 18:47 276500 --a------ C:\WINDOWS\system32\snvgpyny.dll
2007-01-26 19:00 276500 --a------ C:\WINDOWS\system32\cawpluxt.dll
2007-01-25 11:47 276500 --a------ C:\WINDOWS\system32\aptkrpkx.dll
2007-01-24 09:54 276500 --a------ C:\WINDOWS\system32\xgtqpyvn.dll
2007-01-23 16:47 276500 --a------ C:\WINDOWS\system32\cmambimk.dll
2007-01-22 08:03 276500 --a------ C:\WINDOWS\system32\hgevftok.dll
2007-01-21 13:54 276500 --a------ C:\WINDOWS\system32\obwwkkip.dll
2007-01-20 16:47 276500 --a------ C:\WINDOWS\system32\xwjloyjy.dll
2007-01-20 13:12 276500 --a------ C:\WINDOWS\system32\nfdpcnga.dll
2007-01-20 12:53 276500 --a------ C:\WINDOWS\system32\txqjknwf.dll
2007-01-20 01:07 276500 --a------ C:\WINDOWS\system32\faoyscye.dll
2007-01-19 15:31 276500 --a------ C:\WINDOWS\system32\crcyouvn.dll
2007-01-19 09:25 276500 --a------ C:\WINDOWS\system32\meiviaia.dll
2007-01-19 00:55 276500 --a------ C:\WINDOWS\system32\rxrleocj.dll


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0\bin\ssv.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{BFF7330F-DB0C-4A1D-877A-F1418ECB67F0} C:\WINDOWS\system32\qwnukpog.dll [x]
{F1202BDA-4FDC-4790-A60C-65EE94056FD1} C:\WINDOWS\AppPatch\bvatsk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\bvatsk
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjjkk

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^TDK Launcher.lnk]
"path"="C:\\Documents and Settings\\Family\\Start Menu\\Programs\\Startup\\TDK Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\TDK Launcher.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\TDK\\TDKLAU~1\\TDKLAU~1.EXE min"
"item"="TDK Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrfg_7"
"hkey"="HKLM"
"command"="C:\\\\dfndrfg_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iedvjusu"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\iedvjusu.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvd43_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1149691682\\ee\\AOLHostManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdfg_7"
"hkey"="HKLM"
"command"="C:\\\\kybrdfg_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmfg_7"
"hkey"="HKLM"
"command"="C:\\\\nwnmfg_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ereg"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\EregEng\\Ereg.exe\" -r \"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\EregEng\\ereg.ini\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OpwareSE2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSHope]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSHope"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSHope\\PSHope.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RxMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\znlowozA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="znlowozA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\znlowozA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-19 17:39:49 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 07-04-19 17:39

#5 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio

Posted 19 April 2007 - 05:06 PM

That took care of some of it for us, but you've got what appears to be a nasty Vundo infection. For that we'll need another tool.

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt even if Vundofix found no infected files.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.


Also post a new hijackthis log and a new log from Combofix.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
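Buckeye_Sam read the Vundo infection straight off the logs: BHOs with "(no name)" pointing at randomly named DLLs that are already gone, an O4 Run entry that uses rundll32 to call an export in another random DLL, and a Winlogon Notify hook with a random name. The script below is an added example, not code from either poster or from BleepingComputer. It applies those same indicators to HijackThis lines, gives each line one point per independent indicator, and flags a line only when at least two agree, because the random-name test on its own also matches legitimate system DLLs. The sample lines are copied from the HijackThis log in this thread (the Adobe BHO, the avast! and NvCplDaemon Run entries and the WgaLogon hook are benign controls); the known-good name list, the threshold of two and the function names are my own choices.

```python
import re

# Lines taken from the HijackThis log posted in this thread. The Adobe BHO,
# the avast! and NvCplDaemon Run entries and the WgaLogon notify hook are
# legitimate and serve as controls; the others are the Vundo indicators.
SAMPLE_LOG = r"""
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3164E090-A28B-4717-B6A4-D12DCDA55959} - C:\WINDOWS\AppPatch\bvatsk.dll (file missing)
O2 - BHO: (no name) - {BFF7330F-DB0C-4A1D-877A-F1418ECB67F0} - C:\WINDOWS\system32\qwnukpog.dll (file missing)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\kkltcfpm.dll",setvm
O20 - Winlogon Notify: jkkjjkk - jkkjjkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""

# "O4 - rest of line": section code, then the entry body.
SECTION_RE = re.compile(r"^(O\d+|R\d+|F\d+|N\d+)\s*-\s*(.*)$")
# Any path or bare file name ending in .dll (quotes and brackets are not part of a path).
DLL_RE = re.compile(r'([^\s"\[\]]+\.dll)', re.IGNORECASE)
# Vundo's DLLs carry 6-8 random lowercase letters. Many legitimate system DLLs
# have that shape too (winsrv.dll and upnphost.dll appear in the ComboFix
# reports in this thread), so this is only ever one point of evidence.
RANDOM_STEM_RE = re.compile(r"^[a-z]{6,8}$")
KNOWN_GOOD_STEMS = {"winsrv", "upnphost", "browseui", "setupapi", "msvcrt"}  # assumed short allowlist
# rundll32 <dll>,<export>: the loader shape Vundo uses for its Run entry.
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?[^",]+\.dll"?\s*,\s*\w+', re.IGNORECASE)
FLAG_THRESHOLD = 2  # assumed: two independent indicators before a line is flagged


def dll_names(text):
    """Return the file names (directory stripped, case preserved) of every .dll referenced in text."""
    return [p.replace("/", "\\").rsplit("\\", 1)[-1] for p in DLL_RE.findall(text)]


def looks_random(dll_name):
    """True if the name has Vundo's 6-8 lowercase-letter shape and is not on the known-good list."""
    stem = dll_name[:-4] if dll_name.lower().endswith(".dll") else dll_name
    return bool(RANDOM_STEM_RE.match(stem)) and stem.lower() not in KNOWN_GOOD_STEMS


def score_line(line):
    """Return (score, reasons) for one HijackThis line; each independent indicator adds one point."""
    m = SECTION_RE.match(line.strip())
    if not m:
        return 0, []
    section, body = m.groups()
    reasons = []
    if "(file missing)" in body:
        reasons.append("orphaned entry: file missing")
    if section == "O2" and "(no name)" in body:
        reasons.append("BHO without a name")
    if section == "O20":
        reasons.append("Winlogon Notify hook (loaded into winlogon.exe, which runs as SYSTEM)")
    if section == "O4" and RUNDLL_RE.search(body):
        reasons.append("rundll32 loading a DLL export at startup")
    odd = [n for n in dll_names(body) if looks_random(n)]
    if odd:
        reasons.append("random-looking DLL name: " + ", ".join(odd))
    return len(reasons), reasons


def triage(log_text, threshold=FLAG_THRESHOLD):
    """Return the lines whose indicator score reaches threshold, most suspicious first."""
    hits = []
    for raw in log_text.splitlines():
        score, reasons = score_line(raw)
        if score >= threshold:
            hits.append({"line": raw.strip(), "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(f"[{hit['score']}] {hit['line']}")
        for r in hit["reasons"]:
            print(f"      - {r}")
```

Run as-is it prints the four Vundo lines; the avast!, NvCplDaemon and WgaLogon entries score at most one point and stay quiet. Treat the output as a worklist, not a verdict: the ComboFix Find3M report in this thread lists eyveuavn.dll and usdicahu.dll (both 131604 bytes) next to the legitimate winsrv.dll and upnphost.dll, and the name alone does not separate them. Check a flagged file's size, timestamp and digital signature before deleting it, and expect the log to keep showing "(file missing)" entries until the registry pointers are removed as well.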

#6 danalembke

danalembke
  • Topic Starter

  • Members
  • 11 posts

Posted 20 April 2007 - 10:53 PM

Thanks again, here is the VundoFix Log:

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.9
Old versions of java are exploitable and should be removed.

Scan started at 6:12:17 PM 4/20/2007

Listing files found while scanning....

C:\WINDOWS\AppPatch\bvatsk.dll
C:\WINDOWS\AppPatch\kstavb.bak1
C:\WINDOWS\AppPatch\kstavb.bak2
C:\WINDOWS\AppPatch\kstavb.ini
C:\WINDOWS\system32\advwwbsv.dll
C:\WINDOWS\system32\ajbcdlvm.dll
C:\WINDOWS\system32\ansobefp.dll
C:\WINDOWS\system32\aptkrpkx.dll
C:\WINDOWS\system32\atdhksla.dll
C:\WINDOWS\system32\bgxecahl.dll
C:\WINDOWS\system32\bhgisqqr.dll
C:\WINDOWS\system32\bxopgmnb.dll
C:\WINDOWS\system32\cawpluxt.dll
C:\WINDOWS\system32\cixutxiv.dll
C:\WINDOWS\system32\cmambimk.dll
C:\WINDOWS\system32\cnvrjovt.dll
C:\WINDOWS\system32\cpyrnrcm.dll
C:\WINDOWS\system32\crcyouvn.dll
C:\WINDOWS\system32\cysboxkk.dll
C:\WINDOWS\system32\ddqkapic.dll
C:\WINDOWS\system32\drojlvpv.dll
C:\WINDOWS\system32\duqiyqsl.dll
C:\WINDOWS\system32\ecsuybqf.dll
C:\WINDOWS\system32\ehofprgl.dll
C:\WINDOWS\system32\eoekjied.dll
C:\WINDOWS\system32\euhmwuyp.dll
C:\WINDOWS\system32\faoyscye.dll
C:\WINDOWS\system32\gbpmlnta.dll
C:\WINDOWS\system32\gnfiljfe.dll
C:\WINDOWS\system32\gpownmfx.dll
C:\WINDOWS\system32\gwedmmrk.dll
C:\WINDOWS\system32\hdqrafye.dll
C:\WINDOWS\system32\hgevftok.dll
C:\WINDOWS\system32\hibksosd.dll
C:\WINDOWS\system32\hjtdnfhh.dll
C:\WINDOWS\system32\hvixoovw.dll
C:\WINDOWS\system32\ingvnbkk.dll
C:\WINDOWS\system32\jdsthohm.dll
C:\WINDOWS\system32\jeffrwjt.dll
C:\WINDOWS\system32\jiicsyug.dll
C:\WINDOWS\system32\kkltcfpm.dll
C:\WINDOWS\system32\llsucejy.dll
C:\WINDOWS\system32\meiviaia.dll
C:\WINDOWS\system32\mfblbexh.dll
C:\WINDOWS\system32\mfgqjtmv.dll
C:\WINDOWS\system32\mggwychr.dll
C:\WINDOWS\system32\mgvholak.dll
C:\WINDOWS\system32\nfdpcnga.dll
C:\WINDOWS\system32\nuinrxtt.dll
C:\WINDOWS\system32\obwwkkip.dll
C:\WINDOWS\system32\ojeehqoa.dll
C:\WINDOWS\system32\qdtepdmw.dll
C:\WINDOWS\system32\qtiupakt.dll
C:\WINDOWS\system32\quaymxrx.dll
C:\WINDOWS\system32\raqyoixn.dll
C:\WINDOWS\system32\rdfhjpkk.dll
C:\WINDOWS\system32\rdhsrhre.dll
C:\WINDOWS\system32\rjxptocb.dll
C:\WINDOWS\system32\rolkxddt.dll
C:\WINDOWS\system32\rtyrhtit.dll
C:\WINDOWS\system32\rxrleocj.dll
C:\WINDOWS\system32\shuvvids.dll
C:\WINDOWS\system32\smaetoey.dll
C:\WINDOWS\system32\snvgpyny.dll
C:\WINDOWS\system32\txqjknwf.dll
C:\WINDOWS\system32\uihdinsm.dll
C:\WINDOWS\system32\umlclfxh.dll
C:\WINDOWS\system32\uqtigvee.dll
C:\WINDOWS\system32\vdenibrg.dll
C:\WINDOWS\system32\vgksnsjs.dll
C:\WINDOWS\system32\vkcdupxf.dll
C:\WINDOWS\system32\vtblnqtl.dll
C:\WINDOWS\system32\wbipbvsu.dll
C:\WINDOWS\system32\wmknbfpx.dll
C:\WINDOWS\system32\wpxenetk.dll
C:\WINDOWS\system32\wuxbqxgo.dll
C:\WINDOWS\system32\wvpsqokq.dll
C:\WINDOWS\system32\xedglabt.dll
C:\WINDOWS\system32\xgtqpyvn.dll
C:\WINDOWS\system32\xkkfosbw.dll
C:\WINDOWS\system32\xkrdkjuf.dll
C:\WINDOWS\system32\xwjloyjy.dll
C:\WINDOWS\system32\xwuoheeq.dll
C:\WINDOWS\system32\ydlkfatj.dll
C:\WINDOWS\system32\ysxvxbuk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\AppPatch\bvatsk.dll
C:\WINDOWS\AppPatch\bvatsk.dll Has been deleted!

Attempting to delete C:\WINDOWS\AppPatch\kstavb.bak1
C:\WINDOWS\AppPatch\kstavb.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\AppPatch\kstavb.bak2
C:\WINDOWS\AppPatch\kstavb.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\AppPatch\kstavb.ini
C:\WINDOWS\AppPatch\kstavb.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\advwwbsv.dll
C:\WINDOWS\system32\advwwbsv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ajbcdlvm.dll
C:\WINDOWS\system32\ajbcdlvm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ansobefp.dll
C:\WINDOWS\system32\ansobefp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\aptkrpkx.dll
C:\WINDOWS\system32\aptkrpkx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\atdhksla.dll
C:\WINDOWS\system32\atdhksla.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bgxecahl.dll
C:\WINDOWS\system32\bgxecahl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bhgisqqr.dll
C:\WINDOWS\system32\bhgisqqr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\bxopgmnb.dll
C:\WINDOWS\system32\bxopgmnb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cawpluxt.dll
C:\WINDOWS\system32\cawpluxt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cixutxiv.dll
C:\WINDOWS\system32\cixutxiv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cmambimk.dll
C:\WINDOWS\system32\cmambimk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cnvrjovt.dll
C:\WINDOWS\system32\cnvrjovt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cpyrnrcm.dll
C:\WINDOWS\system32\cpyrnrcm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\crcyouvn.dll
C:\WINDOWS\system32\crcyouvn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\cysboxkk.dll
C:\WINDOWS\system32\cysboxkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ddqkapic.dll
C:\WINDOWS\system32\ddqkapic.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\drojlvpv.dll
C:\WINDOWS\system32\drojlvpv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\duqiyqsl.dll
C:\WINDOWS\system32\duqiyqsl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ecsuybqf.dll
C:\WINDOWS\system32\ecsuybqf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ehofprgl.dll
C:\WINDOWS\system32\ehofprgl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eoekjied.dll
C:\WINDOWS\system32\eoekjied.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\euhmwuyp.dll
C:\WINDOWS\system32\euhmwuyp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\faoyscye.dll
C:\WINDOWS\system32\faoyscye.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gbpmlnta.dll
C:\WINDOWS\system32\gbpmlnta.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gnfiljfe.dll
C:\WINDOWS\system32\gnfiljfe.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gpownmfx.dll
C:\WINDOWS\system32\gpownmfx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gwedmmrk.dll
C:\WINDOWS\system32\gwedmmrk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hdqrafye.dll
C:\WINDOWS\system32\hdqrafye.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hgevftok.dll
C:\WINDOWS\system32\hgevftok.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hibksosd.dll
C:\WINDOWS\system32\hibksosd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjtdnfhh.dll
C:\WINDOWS\system32\hjtdnfhh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\hvixoovw.dll
C:\WINDOWS\system32\hvixoovw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ingvnbkk.dll
C:\WINDOWS\system32\ingvnbkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jdsthohm.dll
C:\WINDOWS\system32\jdsthohm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jeffrwjt.dll
C:\WINDOWS\system32\jeffrwjt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jiicsyug.dll
C:\WINDOWS\system32\jiicsyug.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kkltcfpm.dll
C:\WINDOWS\system32\kkltcfpm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\llsucejy.dll
C:\WINDOWS\system32\llsucejy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\meiviaia.dll
C:\WINDOWS\system32\meiviaia.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mfblbexh.dll
C:\WINDOWS\system32\mfblbexh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mfgqjtmv.dll
C:\WINDOWS\system32\mfgqjtmv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mggwychr.dll
C:\WINDOWS\system32\mggwychr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\mgvholak.dll
C:\WINDOWS\system32\mgvholak.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nfdpcnga.dll
C:\WINDOWS\system32\nfdpcnga.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nuinrxtt.dll
C:\WINDOWS\system32\nuinrxtt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\obwwkkip.dll
C:\WINDOWS\system32\obwwkkip.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ojeehqoa.dll
C:\WINDOWS\system32\ojeehqoa.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qdtepdmw.dll
C:\WINDOWS\system32\qdtepdmw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtiupakt.dll
C:\WINDOWS\system32\qtiupakt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\quaymxrx.dll
C:\WINDOWS\system32\quaymxrx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\raqyoixn.dll
C:\WINDOWS\system32\raqyoixn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rdfhjpkk.dll
C:\WINDOWS\system32\rdfhjpkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rdhsrhre.dll
C:\WINDOWS\system32\rdhsrhre.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rjxptocb.dll
C:\WINDOWS\system32\rjxptocb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rolkxddt.dll
C:\WINDOWS\system32\rolkxddt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtyrhtit.dll
C:\WINDOWS\system32\rtyrhtit.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rxrleocj.dll
C:\WINDOWS\system32\rxrleocj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\shuvvids.dll
C:\WINDOWS\system32\shuvvids.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\smaetoey.dll
C:\WINDOWS\system32\smaetoey.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\snvgpyny.dll
C:\WINDOWS\system32\snvgpyny.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\txqjknwf.dll
C:\WINDOWS\system32\txqjknwf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uihdinsm.dll
C:\WINDOWS\system32\uihdinsm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\umlclfxh.dll
C:\WINDOWS\system32\umlclfxh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uqtigvee.dll
C:\WINDOWS\system32\uqtigvee.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vdenibrg.dll
C:\WINDOWS\system32\vdenibrg.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vgksnsjs.dll
C:\WINDOWS\system32\vgksnsjs.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vkcdupxf.dll
C:\WINDOWS\system32\vkcdupxf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtblnqtl.dll
C:\WINDOWS\system32\vtblnqtl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wbipbvsu.dll
C:\WINDOWS\system32\wbipbvsu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wmknbfpx.dll
C:\WINDOWS\system32\wmknbfpx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wpxenetk.dll
C:\WINDOWS\system32\wpxenetk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wuxbqxgo.dll
C:\WINDOWS\system32\wuxbqxgo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wvpsqokq.dll
C:\WINDOWS\system32\wvpsqokq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xedglabt.dll
C:\WINDOWS\system32\xedglabt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xgtqpyvn.dll
C:\WINDOWS\system32\xgtqpyvn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xkkfosbw.dll
C:\WINDOWS\system32\xkkfosbw.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xkrdkjuf.dll
C:\WINDOWS\system32\xkrdkjuf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xwjloyjy.dll
C:\WINDOWS\system32\xwjloyjy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xwuoheeq.dll
C:\WINDOWS\system32\xwuoheeq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ydlkfatj.dll
C:\WINDOWS\system32\ydlkfatj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ysxvxbuk.dll
C:\WINDOWS\system32\ysxvxbuk.dll Has been deleted!

Performing Repairs to the registry.
Done!

Here is the Hijackthis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:39:55 PM, on 4/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Family\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {3164E090-A28B-4717-B6A4-D12DCDA55959} - C:\WINDOWS\AppPatch\bvatsk.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: (no name) - {BFF7330F-DB0C-4A1D-877A-F1418ECB67F0} - C:\WINDOWS\system32\qwnukpog.dll (file missing)
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\kkltcfpm.dll",setvm
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147746098234
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: jkkjjkk - jkkjjkk.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

And lastly, here is the ComboFix log:

"Family" - 07-04-20 23:41:57 Service Pack 2
ComboFix 07-04-19.2V - Running from: C:\Documents and Settings\Family\


((((((((((((((((((((((((((((((( Files Created from 2007-03-20 to 2007-04-20 ))))))))))))))))))))))))))))))))))


2007-04-20 18:12 <DIR> d-------- C:\VundoFix Backups
2007-04-18 17:20 1,800 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-18 17:19 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-18 17:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-18 17:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-18 17:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-18 17:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-18 17:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-17 09:58 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-17 09:58 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-05 22:27 <DIR> d-------- C:\Program Files\Movie Converter V2
2007-03-25 18:36 <DIR> d-------- C:\Program Files\Picasa2
2007-03-24 21:42 <DIR> d-------- C:\Program Files\MagicISO
2007-03-20 20:15 <DIR> d-------- C:\Program Files\QuickTake


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-14 03:47 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-14 03:47 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-14 03:45 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-14 03:44 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-14 03:43 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-10 07:18 712832 --a------ C:\WINDOWS\system32\aswboot.exe
2007-04-05 20:59 -------- d-------- C:\DOCUME~1\Family\APPLIC~1\utorrent
2007-03-25 18:36 -------- d-------- C:\Program Files\google
2007-03-20 20:45 -------- d-------- C:\Program Files\lessonview
2007-03-20 20:22 -------- d-------- C:\Program Files\teacherexpress
2007-03-19 17:34 3397 --a------ C:\DOCUME~1\Family\APPLIC~1\evpro32.prf
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-10 21:39 131604 --a------ C:\WINDOWS\system32\eyveuavn.dll
2007-03-10 09:09 131604 --a------ C:\WINDOWS\system32\usdicahu.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-06 18:16 -------- d-------- C:\DOCUME~1\Family\APPLIC~1\real
2007-03-06 18:13 -------- d-------- C:\Program Files\Common Files\xing shared
2007-03-06 18:13 -------- d-------- C:\Program Files\Common Files\real
2007-03-06 18:11 -------- d-------- C:\Program Files\real
2007-02-19 11:19 13013 --a------ C:\WINDOWS\system32\spoonuninstall-dbpoweramp music converter.dat
2007-02-19 11:18 4103032 --a------ C:\WINDOWS\system32\spoonuninstall.exe
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-28 09:35 335 --a------ C:\WINDOWS\nsreg.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{3164E090-A28B-4717-B6A4-D12DCDA55959} C:\WINDOWS\AppPatch\bvatsk.dll [x]
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0\bin\ssv.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
{BFF7330F-DB0C-4A1D-877A-F1418ECB67F0} C:\WINDOWS\system32\qwnukpog.dll [x]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjjkk

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^TDK Launcher.lnk]
"path"="C:\\Documents and Settings\\Family\\Start Menu\\Programs\\Startup\\TDK Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\TDK Launcher.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\TDK\\TDKLAU~1\\TDKLAU~1.EXE min"
"item"="TDK Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cvn0"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\cvn0.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndrfg_7"
"hkey"="HKLM"
"command"="C:\\\\dfndrfg_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="iedvjusu"
"hkey"="HKLM"
"command"="rundll32.exe \"C:\\WINDOWS\\system32\\iedvjusu.dll\",setvm"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvd43_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1149691682\\ee\\AOLHostManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\System32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdfg_7"
"hkey"="HKLM"
"command"="C:\\\\kybrdfg_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmfg_7"
"hkey"="HKLM"
"command"="C:\\\\nwnmfg_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ereg"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\EregEng\\Ereg.exe\" -r \"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\EregEng\\ereg.ini\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OpwareSE2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSHope]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="PSHope"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSHope\\PSHope.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RxMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ViewMgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Viewpoint\\Viewpoint Manager\\ViewMgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\znlowozA]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="znlowozA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\znlowozA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-20 23:44:39
C:\ComboFix-quarantined-files.txt ... 07-04-20 23:44
C:\ComboFix2.txt ... 07-04-19 17:39

#7 Buckeye_Sam

    Malware Expert

Posted 21 April 2007 - 08:10 AM

Well done! :thumbsup:

Open Notepad, and copy everything in the code box below and paste it into a new notepad file. Change the "Save As Type" to "All Files". Save it as fixme.reg on your Desktop. Make sure there is NO blank line above "REGEDIT4"!

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DllRunning]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSHope]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\znlowozA]

Locate fixme.reg on your Desktop and double-click on it. When it asks if you want to merge with the registry, click YES.



===============


Run Hijackthis again, click scan, and put a checkmark next to each of the lines listed below. Then close all other windows--you should only see HijackThis on your Desktop--and click the Fix Checked button.

O2 - BHO: (no name) - {3164E090-A28B-4717-B6A4-D12DCDA55959} - C:\WINDOWS\AppPatch\bvatsk.dll (file missing)
O2 - BHO: (no name) - {67C55A8D-E808-4caa-9EA7-F77102DE0BB6} - (no file)
O2 - BHO: (no name) - {BFF7330F-DB0C-4A1D-877A-F1418ECB67F0} - C:\WINDOWS\system32\qwnukpog.dll (file missing)
O4 - HKLM\..\Run: [PrintDrive] rundll32.exe "C:\WINDOWS\system32\kkltcfpm.dll",setvm
O20 - Winlogon Notify: jkkjjkk - jkkjjkk.dll (file missing)



Reboot your computer.


===============



Please go HERE to run Panda's ActiveScan
  • Once you are on the Panda site click the Scan your PC button
  • A new window will open...click the Check Now button
  • Enter your Country
  • Enter your State/Province
  • Enter your e-mail address and click send
  • Select either Home User or Company
  • Click the big Scan Now button
  • If it wants to install an ActiveX component allow it
  • It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
  • When download is complete, click on My Computer to start the scan
  • When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location. Post the contents of the ActiveScan report along with a new hijackthis log.

If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================
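As an added example (not code from the thread, ComboFix or HijackThis): a Python check that applies the helper's two rules for fixme.reg (REGEDIT4 as the very first line, nothing above it, and only [-KEY] deletion sections) and maps each deleted startupreg key back to the item and command ComboFix logged for it, so you can see which startup entry each deletion actually disables before merging the file. The sample fix file and dump excerpt are constructed from entries posted in this thread.

```python
"""Cross-check a REGEDIT4 deletion script against a ComboFix registry dump."""
import re

# Constructed sample: four of the [-KEY] sections from the fixme.reg in the post,
# laid out as the helper asked (REGEDIT4 on line 1, nothing above it).
FIXME_REG = r"""REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ad8rIU3s]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSHope]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\znlowozA]
"""

# Constructed sample: the matching startupreg sections from the ComboFix log
# earlier in the thread, trimmed to the three values this check reads.
COMBOFIX_DUMP = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"item"="nwnmfg_7"
"hkey"="HKLM"
"command"="C:\\\\nwnmfg_7.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSHope]
"item"="PSHope"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\PSHope\\PSHope.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\znlowozA]
"item"="znlowozA"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\znlowozA.exe"
"""

SECTION_RE = re.compile(r"^\[(-?)(.+)\]$")        # [KEY], or [-KEY] to delete it
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')       # "name"="string value"


def reg_unescape(value):
    """Undo .reg string escaping: a backslash-escaped character stands for itself."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_reg_dump(text):
    """Map each [KEY] (lower-cased: registry keys are case-insensitive) to its values."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            current = sections.setdefault(m.group(2).lower(), {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            current[m.group(1)] = reg_unescape(m.group(2))
    return sections


def validate_fix(text):
    """Apply the post's rules to a deletion-only fix: REGEDIT4 must be the very
    first line, and every non-blank line after it must be a [-KEY] section."""
    lines = text.splitlines()
    problems, deletions = [], []
    if not lines or lines[0] != "REGEDIT4":
        problems.append("line 1 must be exactly REGEDIT4 (no blank line above it)")
    for n, line in enumerate(lines[1:], start=2):
        line = line.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m is None:
            problems.append(f"line {n}: expected a [-KEY] section, got {line!r}")
        elif m.group(1) != "-":
            problems.append(f"line {n}: {line} would create the key, not delete it")
        else:
            deletions.append(m.group(2))
    return deletions, problems


def explain_deletions(fix_text, dump_text):
    """For each key the fix deletes, report (hkey, item, command) from the dump,
    or None when the dump excerpt has no such key; plus any rule violations."""
    deletions, problems = validate_fix(fix_text)
    dump = parse_reg_dump(dump_text)
    report = {}
    for key in deletions:
        entry = dump.get(key.lower())
        name = key.rsplit("\\", 1)[-1]
        report[name] = None if entry is None else (
            entry.get("hkey"), entry.get("item"), entry.get("command"))
    return report, problems


if __name__ == "__main__":
    report, problems = explain_deletions(FIXME_REG, COMBOFIX_DUMP)
    for name, info in report.items():
        print(f"{name:10} -> {info or 'not in dump excerpt'}")
    print("problems:", problems or "none")
```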

#8 danalembke
  • Topic Starter

Posted 22 April 2007 - 10:10 AM

Sorry it took so long to reply, but IE wasn't working so well w/ Panda, but I figured out the problem. Here is the Panda report; I'm not sure that it was totally completed though. Halfway through it stopped and said it was done, so I guess it is good. Well, here is the ActiveScan Report:


Incident Status Location

Adware:adware/seekmo Not disinfected Windows Registry
Spyware:spyware/virtumonde Not disinfected Windows Registry
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Family\Application Data\Mozilla\Firefox\Profiles\9ibvsncl.default\cookies.txt[.statcounter.com/]
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Family\Cookies\family@2o7[2].txt
Spyware:Cookie/Advertising Not disinfected C:\Documents and Settings\Family\Cookies\family@advertising[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Family\Cookies\family@atdmt[1].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\Family\Cookies\family@atdmt[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Family\Cookies\family@atwola[1].txt
Spyware:Cookie/Doubleclick Not disinfected C:\Documents and Settings\Family\Cookies\family@doubleclick[1].txt
Potentially unwanted tool:Application/NirCmd.A Not disinfected C:\Documents and Settings\Family\My Documents\My Downloads\ComboFix.exe[ComboFixT\nircmd.cfexe]
Spyware:Spyware/7r7t Not disinfected C:\QooBox\Quarantine\C\Program Files\PSHope\Uninstall.exe.vir
Spyware:Spyware/New.net Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\bund1\ClientBundle1.exe.vir[f1.exe]
Adware:Adware/TTC Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\bund1\ClientBundle1.exe.vir[f33.exe]
Adware:Adware/DeluxeComunications Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\bund1\ClientBundle1.exe.vir[f4.exe]
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\krvjppnr.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\lcwcvcvh.dll.vir
Spyware:Spyware/Vundo Not disinfected C:\QooBox\Quarantine\C\WINDOWS\system32\saoavmmp.dll.vir
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\advwwbsv.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ajbcdlvm.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ansobefp.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\aptkrpkx.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\atdhksla.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\bgxecahl.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\bhgisqqr.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\bvatsk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\bxopgmnb.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cawpluxt.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cixutxiv.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cmambimk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cnvrjovt.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cpyrnrcm.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\crcyouvn.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\cysboxkk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ddqkapic.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\drojlvpv.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\duqiyqsl.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ecsuybqf.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ehofprgl.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\eoekjied.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\euhmwuyp.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\faoyscye.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\gbpmlnta.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\gnfiljfe.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\gpownmfx.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\gwedmmrk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hdqrafye.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hgevftok.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hibksosd.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hjtdnfhh.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\hvixoovw.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ingvnbkk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jdsthohm.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jeffrwjt.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\jiicsyug.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\kkltcfpm.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\llsucejy.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\meiviaia.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\mfblbexh.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\mfgqjtmv.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\mggwychr.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\mgvholak.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\nfdpcnga.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\nuinrxtt.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\obwwkkip.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ojeehqoa.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\qdtepdmw.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\qtiupakt.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\quaymxrx.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\raqyoixn.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rdfhjpkk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rdhsrhre.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rjxptocb.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rolkxddt.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rtyrhtit.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\rxrleocj.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\shuvvids.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\smaetoey.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\snvgpyny.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\txqjknwf.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\uihdinsm.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\umlclfxh.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\uqtigvee.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vdenibrg.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vgksnsjs.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vkcdupxf.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\vtblnqtl.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wbipbvsu.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wmknbfpx.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wpxenetk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wuxbqxgo.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\wvpsqokq.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\xedglabt.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\xgtqpyvn.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\xkkfosbw.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\xkrdkjuf.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\xwjloyjy.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\xwuoheeq.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ydlkfatj.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\VundoFix Backups\ysxvxbuk.dll.bad
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\eyveuavn.dll
Virus:W32/Sdbot.ftp.worm Disinfected C:\WINDOWS\system32\i
Potentially unwanted tool:Application/Processor Not disinfected C:\WINDOWS\system32\Process.exe
Virus:W32/Sdbot.HUX.worm Disinfected C:\WINDOWS\system32\setup_10507.exe
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\trz2F.tmp
Spyware:Spyware/Virtumonde Not disinfected C:\WINDOWS\system32\usdicahu.dll
Potentially unwanted tool:Application/Processor Not disinfected D:\SmitfraudFix\Process.exe
Virus:Trj/Shutdown.Z Disinfected D:\SmitfraudFix\RESTART.EXE

And here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 11:06:24 AM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\Program Files\internet explorer\iexplore.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\Family\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147746098234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#9 Buckeye_Sam

    Malware Expert

Posted 22 April 2007 - 01:57 PM

That looks like a pretty good log. Let's get rid of the baddies that it found.


Please download the Killbox by Option^Explicit.

Note: In the event you already have Killbox, this is a new version that I need you to download.
  • Save it to your desktop.
  • Please double-click Killbox.exe to run it.
  • Select:
    • Delete on Reboot
    • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):



    C:\WINDOWS\system32\eyveuavn.dll
    C:\WINDOWS\system32\setup_10507.exe
    C:\WINDOWS\system32\trz2F.tmp
    C:\WINDOWS\system32\usdicahu.dll



  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).

    If your computer does not restart automatically, please restart it manually.

  • After rebooting, open up Killbox again. Click File -> Logs -> Actions History Log
  • Post this log in your next reply.
Please post one more log from Hijackthis and a new log from Combofix.
Let me know how your computer is working now. Any problems?

========================================================
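A check that Killbox actually queued every path on the list, as an added example (not code from the thread or from Killbox): it parses the Actions History Log layout Killbox writes (a "# N [mode]" line followed by "Path = ...", one session per "Pocket Killbox version" header) and sorts the four requested paths into done, pending and missing. The sample log is the one the user posts in the next reply; it is assumed that paths compare case-insensitively and that only the "Delete on Reboot" mode needs a recorded reboot before it can take effect.

```python
"""Reconcile a Pocket Killbox Actions History Log with the requested deletions."""
import re

# The four paths the helper asked to have deleted on reboot (from the post above).
REQUESTED = [
    r"C:\WINDOWS\system32\eyveuavn.dll",
    r"C:\WINDOWS\system32\setup_10507.exe",
    r"C:\WINDOWS\system32\trz2F.tmp",
    r"C:\WINDOWS\system32\usdicahu.dll",
]

# Sample log: the Actions History Log the user posted in the next reply,
# in Killbox's own layout (two sessions, the second one empty).
KILLBOX_LOG = r"""Pocket Killbox version 2.0.0.648
Running on Windows XP as Family(Administrator)
was started @ Sunday, April 22, 2007, 6:52 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\eyveuavn.dll

# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\trz2F.tmp

# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\usdicahu.dll

I Rebooted @ 6:57:09 PM
Killbox Closed(Exit) @ 6:57:19 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Family(Administrator)
was started @ Sunday, April 22, 2007, 7:01 PM
"""

SESSION_RE = re.compile(r"^Pocket Killbox version ")
ENTRY_RE = re.compile(r"^# (\d+) \[(.+)\]$")
PATH_RE = re.compile(r"^Path = (.+)$")
REBOOT_RE = re.compile(r"^I Rebooted @ ")


def parse_killbox_log(text):
    """Return one dict per Killbox session: its (mode, path) entries and whether
    the session recorded a reboot, which a 'Delete on Reboot' entry needs before
    the deferred delete can run at all."""
    sessions, mode = [], None
    for line in text.splitlines():
        line = line.strip()
        if SESSION_RE.match(line):
            sessions.append({"entries": [], "rebooted": False})
            mode = None
            continue
        if not sessions:
            continue  # header text before the first session
        m = ENTRY_RE.match(line)
        if m:
            mode = m.group(2)
            continue
        m = PATH_RE.match(line)
        if m and mode is not None:
            sessions[-1]["entries"].append((mode, m.group(1)))
            mode = None
            continue
        if REBOOT_RE.match(line):
            sessions[-1]["rebooted"] = True
    return sessions


def reconcile(requested, log_text):
    """Classify each requested path: 'done' (queued, and the machine rebooted
    afterwards), 'pending' (queued, no reboot yet), 'missing' (never queued);
    'unexpected' lists queued paths nobody asked for. 'done' only means the
    delete had its chance to run, not that the file is gone: confirm with a
    fresh scan log. Assumption: modes other than 'Delete on Reboot' act at once."""
    scheduled = {}
    for session in parse_killbox_log(log_text):
        for mode, path in session["entries"]:
            needs_reboot = mode.lower().startswith("delete on reboot")
            scheduled[path.lower()] = (path, session["rebooted"] or not needs_reboot)
    wanted = {p.lower(): p for p in requested}  # NTFS paths are case-insensitive
    result = {"done": [], "pending": [], "missing": [], "unexpected": []}
    for key, path in wanted.items():
        if key not in scheduled:
            result["missing"].append(path)
        elif scheduled[key][1]:
            result["done"].append(path)
        else:
            result["pending"].append(path)
    result["unexpected"] = [p for k, (p, _) in scheduled.items() if k not in wanted]
    return result


if __name__ == "__main__":
    for bucket, paths in reconcile(REQUESTED, KILLBOX_LOG).items():
        print(f"{bucket:10}: {paths}")
```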

#10 danalembke
  • Topic Starter

Posted 22 April 2007 - 06:19 PM

The computer is speeding up all the time and I am having way less trouble w/ pop-ups, THANKS!!!

Here is the log/report for Killbox:

Pocket Killbox version 2.0.0.648
Running on Windows XP as Family(Administrator)
was started @ Sunday, April 22, 2007, 6:52 PM

# 1 [Delete on Reboot]
Path = C:\WINDOWS\system32\eyveuavn.dll


# 2 [Delete on Reboot]
Path = C:\WINDOWS\system32\trz2F.tmp


# 3 [Delete on Reboot]
Path = C:\WINDOWS\system32\usdicahu.dll


I Rebooted @ 6:57:09 PM
Killbox Closed(Exit) @ 6:57:19 PM
__________________________________________________

Pocket Killbox version 2.0.0.648
Running on Windows XP as Family(Administrator)
was started @ Sunday, April 22, 2007, 7:01 PM

One thing to note, the C:\WINDOWS\system32\trz2F.tmp would not paste in Killbox. I tried multiple times to put it there, but to no avail.

Here is the HijackThis log:

Logfile of HijackThis v1.99.1
Scan saved at 7:05:16 PM, on 4/22/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16414)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Winamp\winampa.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\AIM\aim.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\AOL\1149691682\ee\AOLServiceHost.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\Family\Desktop\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: AOL Toolbar Launcher - {7C554162-8CB7-45A4-B8F4-8EA1C75885F9} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/...b?1147746098234
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoftware.com/activescan/as5free/asinst.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\MSNMES~1\MSGRAP~1.DLL
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

Ok and here is the ComboFix log:

"Family" - 07-04-22 19:07:17 Service Pack 2
ComboFix 07-04-19.2V - Running from: C:\Documents and Settings\Family\My Documents\My Downloads\


((((((((((((((((((((((((((((((( Files Created from 2007-03-22 to 2007-04-22 ))))))))))))))))))))))))))))))))))


2007-04-22 18:52 <DIR> d-------- C:\!KillBox
2007-04-22 09:53 <DIR> d-------- C:\WINDOWS\system32\ActiveScan
2007-04-20 18:12 <DIR> d-------- C:\VundoFix Backups
2007-04-18 17:20 1,800 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-18 17:19 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-18 17:19 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-18 17:19 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-18 17:19 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-18 17:19 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-18 17:19 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-17 09:58 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-17 09:58 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-05 22:27 <DIR> d-------- C:\Program Files\Movie Converter V2
2007-03-25 18:36 <DIR> d-------- C:\Program Files\Picasa2
2007-03-24 21:42 <DIR> d-------- C:\Program Files\MagicISO


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-22 10:34 -------- d-------- C:\Program Files\winamp
2007-04-22 10:34 -------- d-------- C:\Program Files\quicktime
2007-04-14 03:47 94552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-04-14 03:47 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-04-14 03:45 23416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-04-14 03:44 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-04-14 03:43 26888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-04-10 07:18 712832 --a------ C:\WINDOWS\system32\aswboot.exe
2007-04-05 20:59 -------- d-------- C:\DOCUME~1\Family\APPLIC~1\utorrent
2007-03-25 18:36 -------- d-------- C:\Program Files\google
2007-03-20 20:45 -------- d-------- C:\Program Files\lessonview
2007-03-20 20:22 -------- d-------- C:\Program Files\teacherexpress
2007-03-20 20:16 -------- d-------- C:\Program Files\quicktake
2007-03-19 17:34 3397 --a------ C:\DOCUME~1\Family\APPLIC~1\evpro32.prf
2007-03-17 09:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-08 11:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 11:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 11:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 09:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-06 18:16 -------- d-------- C:\DOCUME~1\Family\APPLIC~1\real
2007-03-06 18:13 -------- d-------- C:\Program Files\Common Files\xing shared
2007-03-06 18:13 -------- d-------- C:\Program Files\Common Files\real
2007-03-06 18:11 -------- d-------- C:\Program Files\real
2007-02-19 11:19 13013 --a------ C:\WINDOWS\system32\spoonuninstall-dbpoweramp music converter.dat
2007-02-19 11:18 4103032 --a------ C:\WINDOWS\system32\spoonuninstall.exe
2007-02-05 16:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-28 09:35 335 --a------ C:\WINDOWS\nsreg.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{02478D38-C3F9-4EFB-9B51-7695ECA05670} C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
{53707962-6F74-2D53-2644-206D7942484F} C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
{761497BB-D6F0-462C-B6EB-D4DAF1D92D43} C:\Program Files\Java\jre1.6.0\bin\ssv.dll
{7C554162-8CB7-45A4-B8F4-8EA1C75885F9} C:\Program Files\AOL\AOL Toolbar 2.0\aoltb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"avast!"="C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe"
"NvCplDaemon"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"WinampAgent"="C:\\Program Files\\Winamp\\winampa.exe"
"TkBellExe"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"AIM"="C:\\Program Files\\AIM\\aim.exe -cnetwait.odl"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Gamma Loader.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Adobe Gamma Loader.lnk"
"backup"="C:\\WINDOWS\\pss\\Adobe Gamma Loader.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Adobe\\CALIBR~1\\ADOBEG~1.EXE "
"item"="Adobe Gamma Loader"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Office.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Office.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\MI1933~1\\Office\\OSA9.EXE -b -l"
"item"="Microsoft Office"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Works Calendar Reminders.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\Microsoft Works Calendar Reminders.lnk"
"backup"="C:\\WINDOWS\\pss\\Microsoft Works Calendar Reminders.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\MICROS~1\\WORKSS~1\\wkcalrem.exe "
"item"="Microsoft Works Calendar Reminders"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^Family^Start Menu^Programs^Startup^TDK Launcher.lnk]
"path"="C:\\Documents and Settings\\Family\\Start Menu\\Programs\\Startup\\TDK Launcher.lnk"
"backup"="C:\\WINDOWS\\pss\\TDK Launcher.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\TDK\\TDKLAU~1\\TDKLAU~1.EXE min"
"item"="TDK Launcher"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Cmaudio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RunDll32 cmicnfg"
"hkey"="HKLM"
"command"="RunDll32 cmicnfg.cpl,CMICtrlWnd"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ctfmon"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\ctfmon.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dvd43]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dvd43_tray"
"hkey"="HKLM"
"command"="C:\\Program Files\\dvd43\\dvd43_tray.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="AOLHostManager"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common Files\\AOL\\1149691682\\ee\\AOLHostManager.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WksSb"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WksSb.exe /AllUsers"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WkDetect"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\WkDetect.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvCpl"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="NvMcTray"
"hkey"="HKLM"
"command"="RUNDLL32.EXE C:\\WINDOWS\\System32\\NvMcTray.dll,NvTaskbarInit"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwiz"
"hkey"="HKLM"
"command"="nwiz.exe /install"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OPSE reminder]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ereg"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\EregEng\\Ereg.exe\" -r \"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\EregEng\\ereg.ini\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OpwareSE2]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="OpwareSE2"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\ScanSoft\\OmniPageSE2.0\\OpwareSE2.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qttask"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioAudioCentral]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="RxMon"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\AudioCentral\\RxMon.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioDragToDisc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="DrgToDsc"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Roxio\\Easy CD Creator 6\\DragToDisc\\DrgToDsc.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RoxioEngineUtility]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="EngUtil"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Roxio Shared\\System\\EngUtil.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="jusched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Java\\jre1.6.0\\bin\\jusched.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wkfud"
"hkey"="HKLM"
"command"="C:\\Program Files\\Microsoft Works\\wkfud.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
Usnsvc REG_MULTI_SZ usnsvc\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job

********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-22 19:10:00
C:\ComboFix-quarantined-files.txt ... 07-04-22 19:10
C:\ComboFix2.txt ... 07-04-20 23:44
C:\ComboFix3.txt ... 07-04-19 17:39


One more thing though, I am still getting a pop up from Power Zedo. I don't know what it is, or if you will either, but I thought that I would mention it. Oh, one more other thing, I was wondering if Avast's firewall is a good one? Do you recommend it, or should I get something else? I am trying to stay low budget, but if you think it is worth it to shell out the dough, lemme know. Once again, thanks for all of your help Sam, you rock!

#11 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:22 PM

Posted 22 April 2007 - 08:54 PM

Your log is looking pretty good, but since you are still getting popups we must be missing something.

Download and scan with the free 15 day trial of Counterspy
Save the report when it's finished:
  • Once Counterspy has done scanning, the 'Scan Results' box will appear.
  • Click on 'View Results'.
  • Under (Recommended Action), using the drop down menus at the side of each entry found, set EVERYTHING to Remove.
  • Then click on Take Action.
  • Once everything has been removed, click on View Details.
  • Copy and Paste those details into your next reply here.
I don't have any experience with Avast as a firewall. I know it to be a decent antivirus program, but I could vouch for its effectiveness as a firewall one way or the other. I've always recommended Zone Alarm as an excellent firewall.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

#12 danalembke

danalembke
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:22 PM

Posted 23 April 2007 - 04:45 PM

My computer is crapping out again, hopefully this helps.
Here is the log:

Scan History Details
Start Date: 4/23/2007 4:05:56 PM
End Date: 4/23/2007 5:31:07 PM
Total Time: 85 Min 11 Sec
Detected security risks

Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@atdmt[2].txt
c:\documents and settings\family\cookies\family@atdmt[3].txt


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@doubleclick[1].txt


Cookie: FastClick.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@fastclick[2].txt


Cookie: Findwhat Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@findwhat[1].txt


Cookie: LookSmart Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@looksmart[1].txt


Cookie: Mediaplex.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@mediaplex[1].txt


Cookie: QuestionMarket.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@questionmarket[2].txt


Cookie: Ru4.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@edge.ru4[2].txt


Cookie: Advertising.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@advertising[1].txt


Cookie: Zedo Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@zedo[2].txt


Cookie: TribalFusion.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@tribalfusion[1].txt


Cookie: adrevolver Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@adrevolver[2].txt


Zango.SearchAssistant Adware (General) more information...
Details: Zango Search Assistant opens new browser windows showing websites based on the previous websites you visit.
Status: Quarantined

Files detected
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll


Cookie: ad.yieldmanager Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@ad.yieldmanager[1].txt


Trojan-Dropper.Win32.Agent.hl Trojan Downloader more information...
Status: Quarantined

Files detected
C:\numbsoftnew.exe


Zango.CommonElements Adware (General) more information...
Details: Zango.CommonElements is a collection of traces that are found in multiple adware programs from 180solutions / Zango.
Status: Quarantined

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{99410CDE-6F16-42CE-9D49-3807F78F0287}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{F31A5D11-BF0B-4A4E-90AF-274F2090AAA6}


Trojan-Dropper.Win32.Agent.bfr Trojan Downloader more information...
Status: Quarantined

Files detected
C:\WINDOWS\system32\micro1\fin5.exe
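
Reading the ComboFix "Files Created" section by hand is what the helper is doing in this thread; as an added example that is not from the thread, ComboFix or Counterspy, the Python below parses that section's line layout from constructed sample lines in the same format and flags entries created under a Windows system path on the incident day, which in this log singles out the system32\micro1 directory where the Counterspy scan later finds fin5.exe. The system-path prefixes, binary extensions and the 17 April incident date are this example's own assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

# Constructed sample in the line layout of ComboFix's "Files Created" section
# (date, time, size or <DIR>, attribute flags, path); the paths mirror the
# entries in the thread's log so the result can be compared with it.
SAMPLE_LOG = r"""
2007-04-22 18:52 <DIR> d-------- C:\!KillBox
2007-04-18 17:19 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-17 09:58 72,320 --a------ C:\WINDOWS\system32\drivers\core.sys
2007-04-17 09:58 <DIR> d-------- C:\WINDOWS\system32\micro1
2007-04-05 22:27 <DIR> d-------- C:\Program Files\Movie Converter V2
"""

# The day the poster first noticed the infection (17 April 2007 in this thread).
INCIDENT_DAY = date(2007, 4, 17)

# One entry: timestamp, size or <DIR>, nine attribute characters, then the path,
# which may itself contain spaces, so it runs to the end of the line.
LINE_RE = re.compile(
    r"^(?P<stamp>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?P<size><DIR>|[\d,]+)\s+"
    r"(?P<attrs>\S{9})\s+"
    r"(?P<path>.+?)\s*$"
)


@dataclass
class Entry:
    created: datetime
    size: Optional[int]  # None for directories
    is_dir: bool
    path: str


def parse_files_created(text: str) -> list:
    """Parse the 'Files Created' lines; banners and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        is_dir = m["size"] == "<DIR>"
        size = None if is_dir else int(m["size"].replace(",", ""))
        entries.append(Entry(datetime.strptime(m["stamp"], "%Y-%m-%d %H:%M"),
                             size, is_dir, m["path"]))
    return entries


# Locations where a brand-new directory or binary deserves a second look;
# the prefixes and extensions are this example's own heuristic, not ComboFix's.
SYSTEM_PREFIXES = ("c:\\windows\\",)
BINARY_SUFFIXES = (".exe", ".dll", ".sys")


def triage(entries, incident_day: date, window_days: int = 0):
    """Return (path, reason) pairs for entries created within `window_days`
    of the incident day under a system path. Widening the window also pulls
    in later entries, such as the 04-18 files here, which a helper must then
    sort by hand."""
    hits = []
    for e in entries:
        if abs((e.created.date() - incident_day).days) > window_days:
            continue
        low = e.path.lower()
        if not low.startswith(SYSTEM_PREFIXES):
            continue
        if e.is_dir:
            hits.append((e.path, "new directory under a system path"))
        elif low.endswith(BINARY_SUFFIXES):
            hits.append((e.path, "new binary under a system path"))
    return hits


if __name__ == "__main__":
    for path, reason in triage(parse_files_created(SAMPLE_LOG), INCIDENT_DAY):
        print(f"{reason}: {path}")
```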

#13 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:22 PM

Posted 23 April 2007 - 06:52 PM

My computer is crapping out again, hopefully this helps.

Can you be more descriptive? What exactly is happening with your computer now?

The log from Counterspy doesn't look to be complete. Can you repost the rest of it?


========================================================

#14 danalembke

danalembke
  • Topic Starter

  • Members
  • 11 posts
  • Local time:02:22 PM

Posted 24 April 2007 - 09:33 PM

My computer was speeding up for a while, but now it is back to the same stage that it was at before. After my computer runs for a bit, the screen will flash and then the bar that runs along the bottom of the screen (task bar?) will turn grey and look very old school (block letters, non-rounded edges to the boxes). It then goes back to normal (1 min. later). But during this time the computer is unresponsive. I am also getting a lot of pop ups again, both through IE and Firefox. Also, when I go into Windows Task Manager, my memory is being clogged up once again by svchost.exe (one of them; 6 different ones show up in the task manager). I just right click on it and end the process and then my computer is back to normal, but I still get a lot of pop ups.

Here is the log again, this is all that I got, so if it is lacking, I will run it again.

Thanks again for the help.

Scan History Details
Start Date: 4/23/2007 4:05:56 PM
End Date: 4/23/2007 5:31:07 PM
Total Time: 85 Min 11 Sec
Detected security risks

Cookie: ATDMT.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@atdmt[2].txt
c:\documents and settings\family\cookies\family@atdmt[3].txt


Cookie: DoubleClick Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@doubleclick[1].txt


Cookie: FastClick.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@fastclick[2].txt


Cookie: Findwhat Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@findwhat[1].txt


Cookie: LookSmart Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@looksmart[1].txt


Cookie: Mediaplex.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@mediaplex[1].txt


Cookie: QuestionMarket.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@questionmarket[2].txt


Cookie: Ru4.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@edge.ru4[2].txt


Cookie: Advertising.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@advertising[1].txt


Cookie: Zedo Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@zedo[2].txt


Cookie: TribalFusion.com Cookie (General) more information...
Details: Cookies are small "data tags" that web sites store on PCs in order to recognize unique visitors. Cookies are used to identify returning visitors who have registered for special services; to measure and analyze visitors' use of web site features; to count unique visitors to web pages; and to allow web surfers to use virtual "shopping carts." Online advertising networks use cookies to track users across web sites and to measure ad impressions and click-throughs.
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@tribalfusion[1].txt


Cookie: adrevolver Cookie (General) more information...
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@adrevolver[2].txt


Zango.SearchAssistant Adware (General) more information...
Details: Zango Search Assistant opens new browser windows showing websites based on the previous websites you visit.
Status: Quarantined

Files detected
C:\Program Files\Mozilla Firefox\plugins\npclntax.dll


Cookie: ad.yieldmanager Cookie (General) more information...
Status: Deleted

Cookies detected
c:\documents and settings\family\cookies\family@ad.yieldmanager[1].txt


Trojan-Dropper.Win32.Agent.hl Trojan Downloader more information...
Status: Quarantined

Files detected
C:\numbsoftnew.exe


Zango.CommonElements Adware (General) more information...
Details: Zango.CommonElements is a collection of traces that are found in multiple adware programs from 180solutions / Zango.
Status: Quarantined

Registry entries detected
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{0AC49246-419B-4EE0-8917-8818DAAD6A4E}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{99410CDE-6F16-42CE-9D49-3807F78F0287}
HKEY_LOCAL_MACHINE\SOFTWARE\MICROSOFT\WINDOWS\CURRENTVERSION\EXT\PREAPPROVED\{F31A5D11-BF0B-4A4E-90AF-274F2090AAA6}


Trojan-Dropper.Win32.Agent.bfr Trojan Downloader more information...
Status: Quarantined

Files detected
C:\WINDOWS\system32\micro1\fin5.exe

#15 Buckeye_Sam

Buckeye_Sam

    Malware Expert


  • Members
  • 17,382 posts
  • OFFLINE
  •  
  • Gender:Male
  • Location:Pickerington, Ohio
  • Local time:01:22 PM

Posted 25 April 2007 - 09:27 AM

We may be dealing with a hardware issue, possibly a faulty video card. But that wouldn't explain the popups.

Please post a new HijackThis log and a new log from ComboFix.
If I have helped you in any way, please consider a donation to help me continue the fight against malware.


Failing to respond back to the person that is giving up their own time to help you not only is insensitive and disrespectful, but it guarantees that you will never receive help from me again. Please thank your helpers and there will always be help here when you need it!


========================================================

