
A Good Bit Of Computer Problems.


15 replies to this topic

#1 Nekoyasha

Nekoyasha

  • Members
  • 31 posts
  • OFFLINE
  • Location:Sumter SC, USA
  • Local time:02:19 AM

Posted 25 June 2007 - 01:02 PM

All right, so I'm here and I think I'm infected with something. It might be more than one thing, it might be big or small. Well my problems are my 1. computer will not stop shutting down at random times. The only time it shuts down not randomly is when I'm running a scan with any antivirus or spyware program other than Avast. Then I know that it will shut down in the middle of the scan. 2. Computer runs kind of slow. I know this is a basic problem, but I think it's running slow due to unconventional means. 3. Internet will not stay connected. I'm kind of hoping it's the virus's fault and I won't have to call my provider because it works everywhere else in the house. 4. The one that I hope will bring it all together as one problem. There are these viruses that won't go away permanently. I guess about a week ago I got infected with Outerinfo and then un-installed it. It came back later and I ran Avast and it got rid of some viruses, but not all of them. I used a program called Vundofix V 6.5.1 and it found C:\WINDOWS\system32\awvtq.dll, C:\WINDOWS\system32\qtvwa.bak1 , C:WINDOWS\system32\qtvwa.ini. There are a lot more it finds but that is my most recent scan. Along with this Spybot Search and Destroy finds a problem with Network Monitor in the system and registry key and I can't get rid of it if I'm supposed to. So I was hoping that someone could help me with this problem. I wasn't sure what type of problem this was so I am also posting this in another topic.

Logfile of HijackThis v1.99.1
Scan saved at 2:00:14 PM, on 6/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\bjtyejys.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\OdHost.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {345ECE31-6898-4F30-9F87-A304791E5369} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {400DF7DE-CEAE-4BAE-8303-3FAA97680605} - C:\Program Files\ComPlus Applications\vihykilux58441.dll
O2 - BHO: (no name) - {4099F875-6E0E-4084-B37D-381D757E6D94} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63E35656-56FB-49D3-B814-9726FF3C73F3} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {BEF7A862-1A2F-494B-ADDE-F01FE5AFDC14} - C:\Program Files\ComPlus Applications\vihykilux43855.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\byxxyyx.dll
O2 - BHO: (no name) - {E0FF5F70-D99A-451A-BB82-81531D9766AB} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {E37B185A-F643-4D8A-A3B9-FE4D003DD2C9} - C:\WINDOWS\system32\gebcy.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Motorola Wireless USB Adapter.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: byxxyyx - C:\WINDOWS\SYSTEM32\byxxyyx.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: DomainService - - C:\WINDOWS\system32\bjtyejys.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

Edit: I don't use Internet Explorer much but when I'm on Firefox I'll get Internet Explorer pop-ups. I just thought I might say that since I just looked at the HijackThis logs and saw that Explorer stuff at the top.

Edited by Nekoyasha, 25 June 2007 - 01:04 PM.

I thank all who help me and beforehand I would like to say forgive me if I ask some stupid question. It happens to me a lot and I usually just need someone to say the obvious to me. Although I still live by my motto
"What I say is sealed in my words." or a variant of that. (I have it written down, trust me.)


#2 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:01:19 AM

Posted 25 June 2007 - 10:48 PM

First, make sure HijackThis is run from its own folder. This will ensure that backups are made and kept securely. Backups allow the restoring of fixed entries when necessary.

On the Desktop, right click an empty area, select New > Folder, and name the folder Hijack This. Place the HijackThis.exe file in it, and then run the program from its own folder from now on...

~~~~
Next, go to Start > Run, and type in the following commands one at a time and hit Enter after each line:
sc stop DomainService
sc delete DomainService


~~~~
Run HijackThis, Scan
Check box for:

O2 - BHO: (no name) - {345ECE31-6898-4F30-9F87-A304791E5369} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {400DF7DE-CEAE-4BAE-8303-3FAA97680605} - C:\Program Files\ComPlus Applications\vihykilux58441.dll
O2 - BHO: (no name) - {4099F875-6E0E-4084-B37D-381D757E6D94} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {63E35656-56FB-49D3-B814-9726FF3C73F3} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {BEF7A862-1A2F-494B-ADDE-F01FE5AFDC14} - C:\Program Files\ComPlus Applications\vihykilux43855.dll
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\byxxyyx.dll
O2 - BHO: (no name) - {E0FF5F70-D99A-451A-BB82-81531D9766AB} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {E37B185A-F643-4D8A-A3B9-FE4D003DD2C9} - C:\WINDOWS\system32\gebcy.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\thinksnet.exe

O20 - Winlogon Notify: byxxyyx - C:\WINDOWS\SYSTEM32\byxxyyx.dll

O23 - Service: DomainService - - C:\WINDOWS\system32\bjtyejys.exe
(This last entry is probably gone from the log)

Select: Fix checked

~~~~
Now, download ComboFix to the Desktop:
http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe

Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running, it may cause your system to hang.)

A log, combofix.txt is produced.

~~~~
Also download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

~~~~
Reboot to Safe Mode :
-When the machine starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
In Safe Mode, launch AVG AS once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning, it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Run HijackThis once again to obtain a new log.

~~~~
Please provide the following in your reply:
The ComboFix.txt
The AVG AS report
A new HijackThis log.

Old duck...
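As an added illustration of the triage Aaflac performs by hand above (this is example code, not the helper's or the poster's own tooling), the script below parses lines in HijackThis v1.99.1 log format and flags the same kinds of entries selected for fixing: BHOs whose file is missing, unnamed BHOs loading from system32, startup items running from a Temp directory, Winlogon Notify DLLs outside a small allowlist, and services with an empty vendor field. The sample log is constructed from entries quoted in this thread, and the Winlogon Notify allowlist is an assumption, not a vendor-maintained list.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample in HijackThis v1.99.1 log format, modelled on the
# entries discussed in this thread (not the poster's complete log).
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {345ECE31-6898-4F30-9F87-A304791E5369} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\byxxyyx.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\Owner\Local Settings\Temp\thinksnet.exe
O20 - Winlogon Notify: byxxyyx - C:\WINDOWS\SYSTEM32\byxxyyx.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: DomainService - - C:\WINDOWS\system32\bjtyejys.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

ENTRY_RE = re.compile(r"^(R\d|O\d+) - (.*)$")
# First drive-letter path ending in .dll/.exe; stops at a quote so quoted
# command lines such as "C:\...\utorrent.exe" still parse cleanly.
PATH_RE = re.compile(r'([A-Za-z]:\\[^"]*?\.(?:dll|exe))', re.IGNORECASE)
# O23 lines read "Service: name - vendor - command"; an empty vendor field
# leaves two dashes with nothing but whitespace between them.
EMPTY_VENDOR_RE = re.compile(r" -\s*- ")

# Assumed minimal allowlist of Winlogon Notify DLLs for a stock XP SP2
# machine; in practice build this from a known-clean reference system.
KNOWN_NOTIFY = {"wgalogon.dll", "igfxcui.dll", "igfxsrvc.dll"}


@dataclass
class Entry:
    kind: str    # HijackThis section code, e.g. "O2", "O20", "O23"
    detail: str  # everything after the "O2 - " prefix
    path: str    # first Windows path found on the line, "" if none


def basename(path: str) -> str:
    # Windows-style split; os.path.basename does not split on '\' off Windows
    return path.rsplit("\\", 1)[-1].lower()


def parse_log(text: str) -> list[Entry]:
    entries = []
    for raw in text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if not m:
            continue  # header, "Running processes:" paths, blank lines
        kind, detail = m.groups()
        p = PATH_RE.search(detail)
        entries.append(Entry(kind, detail, p.group(1) if p else ""))
    return entries


def triage(entries: list[Entry]) -> list[tuple[str, str, str]]:
    """Return (section, file, reason) for entries that deserve a human look."""
    bho_files = {basename(e.path) for e in entries if e.kind == "O2" and e.path}
    findings = []
    for e in entries:
        base = basename(e.path) if e.path else "(no file)"
        if e.kind == "O2":
            if "(file missing)" in e.detail or "(no file)" in e.detail:
                findings.append((e.kind, base, "orphaned BHO registration, file is gone"))
            elif e.detail.startswith("BHO: (no name)") and "\\system32\\" in e.path.lower():
                findings.append((e.kind, base, "unnamed BHO loading from system32"))
        elif e.kind == "O4" and "\\temp\\" in e.path.lower():
            findings.append((e.kind, base, "startup item runs from a Temp directory"))
        elif e.kind == "O20" and base not in KNOWN_NOTIFY:
            reason = "Winlogon Notify DLL not in allowlist"
            if base in bho_files:
                # The Vundo pattern in this thread: one DLL hooked as both a
                # BHO and a Winlogon Notify handler so it reloads at logon.
                reason += "; same DLL is also registered as a BHO"
            findings.append((e.kind, base, reason))
        elif e.kind == "O23" and EMPTY_VENDOR_RE.search(e.detail):
            findings.append((e.kind, base, "service with empty vendor field"))
    return findings


if __name__ == "__main__":
    for section, name, reason in triage(parse_log(SAMPLE_LOG)):
        print(f"{section:4} {name:20} {reason}")
```

Entries such as the Adobe BHO, the HP Run item and the avast! service fall through the checks untouched, so the output is the short review list rather than the whole log.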


#3 Nekoyasha

Nekoyasha
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Location:Sumter SC, USA
  • Local time:02:19 AM

Posted 27 June 2007 - 12:30 AM

I'm not sure why but after running AVG I found 6 high risk levels and the program prompted me to restart to save changes. I clicked no and then for some reason I could not create a log. I had the options to automatically do it so I figured if I restarted it would do it for me and I did and no log to be found. Also the 6 or so things that were supposed to be quarantined were not in the Infections tab. Currently in the infections tab is C:\WINDOWS\system32\vtutr.dll infected with error along with ffglurbx.dll in the same location infected with error and another vtutr.dll. There are about 8 C:\WINDOWS\system32\byxxyyx.dll infected with Adware.Virtumonde and C:\WINDOWS\system32\hjewqpas.exe infected with Trojan.Agent.anr and C:\WINDOWS\system32\kfqhtbcf.exe infected with Trojan.Agent.aoy. Currently I am running another scan, but as the last one took about 4 hours I'm guessing this one will take just as long.


Logfile of HijackThis v1.99.1
Scan saved at 9:08:14 AM, on 6/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\OdHost.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\WLUSBCfg.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Alwil Software\Avast4\ashEnhcd.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Motorola Wireless USB Adapter.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe

ComboFix 07-06-18.2 - G:\ComboFix.exe
"Owner" - 2007-06-26 9:12:19 - Service Pack 2 NTFS


(((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


C:\WINDOWS\system32\ddccd.dll
C:\WINDOWS\system32\jkkjg.dll
C:\WINDOWS\system32\dccdd.bak1
C:\WINDOWS\system32\dccdd.ini
C:\WINDOWS\system32\pqstv.bak1
C:\WINDOWS\system32\pqstv.bak2
C:\WINDOWS\system32\pqstv.ini


* * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\domains.txt
C:\DOCUME~1\LOCALS~1\APPLIC~1\netmon\log.txt
C:\Program Files\Common Files\appatc~1
C:\Program Files\inetget2
C:\Program Files\network monitor
C:\Temp\0b9
C:\Temp\0b9\tmpTF.log
C:\WINDOWS\b122.exe
C:\WINDOWS\b136.exe
C:\WINDOWS\system32\tsuninst.exe
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\wr.txt


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR
-------\core
-------\Network Monitor


((((((((((((((((((((((((( Files Created from 2007-05-26 to 2007-06-26 )))))))))))))))))))))))))))))))


2007-06-26 09:09 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-25 10:33 122,944 --a------ C:\WINDOWS\system32\vodphvyf.exe
2007-06-24 15:22 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-06-24 07:33 122,944 --a------ C:\WINDOWS\system32\lwibpxmh.exe
2007-06-23 14:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-06-23 13:20 4,672 --a------ C:\WINDOWS\system32\nwaqvvop.exe
2007-06-22 16:44 56,320 --a------ C:\WINDOWS\pkill.exe
2007-06-22 16:44 274,424 --a------ C:\WINDOWS\us2.exe
2007-06-22 16:36 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-06-22 16:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-06-22 16:36 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-06-22 16:25 31,254 --a------ C:\WINDOWS\system32\opnkjgg.dll
2007-06-22 16:22 31,254 --a------ C:\WINDOWS\system32\byxxyyx.dll
2007-06-22 13:27 <DIR> d-------- C:\Program Files\DivX
2007-06-21 07:18 <DIR> d-------- C:\VundoFix Backups
2007-06-21 04:44 122,900 --a------ C:\WINDOWS\system32\srwxcuyb.exe
2007-06-20 04:42 122,900 --a------ C:\WINDOWS\system32\bjtyejys.exe
2007-06-20 04:12 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-20 01:31 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-20 01:31 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-20 01:31 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-20 01:31 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-20 01:31 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-20 01:31 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-20 01:30 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-20 01:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-19 22:33 <DIR> d-------- C:\WINDOWS\provisioning
2007-06-19 22:33 <DIR> d-------- C:\WINDOWS\peernet
2007-06-19 22:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-19 22:17 <DIR> d-------- C:\WINDOWS\EHome
2007-06-17 16:30 <DIR> d-------- C:\Program Files\Flash Player Pro
2007-06-17 16:24 <DIR> d-------- C:\Program Files\Any FLV Player
2007-06-15 19:54 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Motive
2007-06-15 19:53 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S7
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S6
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S2
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S1
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-15 19:09 <DIR> d-------- C:\temp\iee
2007-06-14 22:21 26,680 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-06-12 16:17 <DIR> d-------- C:\temp
2007-06-12 16:13 90,112 --a------ C:\WINDOWS\system32\LXCZCUR.DLL
2007-06-12 16:13 73,728 --a------ C:\WINDOWS\system32\lxczpwr.dll
2007-06-12 16:13 69,632 --a------ C:\WINDOWS\system32\LXCZCU.DLL
2007-06-12 16:13 40,960 --a------ C:\WINDOWS\system32\lxczvs.dll
2007-06-12 16:13 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2007-06-12 16:13 311,296 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2007-06-12 16:13 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2007-06-12 16:13 200,704 --a------ C:\WINDOWS\system32\LEXLMPM.DLL
2007-06-12 16:13 198,144 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2007-06-12 16:13 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2007-06-12 16:13 155,648 --a------ C:\WINDOWS\system32\LEXPING.EXE
2007-06-12 16:13 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2007-06-12 16:12 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-06-12 16:12 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-12 16:10 983,107 --a------ C:\WINDOWS\system32\LXCZGF.DLL
2007-06-12 16:10 69,632 --a------ C:\WINDOWS\system32\lxczscin.dll
2007-06-12 16:10 57,344 --a------ C:\WINDOWS\system32\lxczcinf.dll
2007-06-12 16:10 49,152 --a------ C:\WINDOWS\system32\lxczcoin.dll
2007-06-12 16:10 458,752 --a------ C:\WINDOWS\system32\LXCZJSWR.DLL
2007-06-12 16:10 356,352 --a------ C:\WINDOWS\system32\LXCZUTIL.DLL
2007-06-12 16:10 <DIR> d-------- C:\Program Files\Lexmark 1200 Series
2007-06-12 16:09 <DIR> d-------- C:\Lexmark
2007-06-12 08:27 299,520 --a------ C:\WINDOWS\uninst.exe
2007-06-10 10:48 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-09 22:04 <DIR> d-------- C:\Program Files\mIRC
2007-06-09 19:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-06-09 12:08 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-06-09 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-09 09:16 <DIR> d-------- C:\DOCUME~1\Owner\.jpi_cache
2007-06-09 09:10 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-06-09 09:10 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-06-09 01:01 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\U3
2007-06-08 21:35 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-06-08 21:35 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-06-08 21:22 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-08 21:19 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-06-08 21:19 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-06-08 21:19 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-06-08 21:19 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-06-08 21:19 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-06-08 21:19 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-06-08 21:19 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-06-08 21:19 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-06-08 21:19 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll
2007-06-08 21:19 187,152 --a------ C:\WINDOWS\system32\javacypt.dll
2007-06-08 21:19 172,304 --a------ C:\WINDOWS\system32\jview.exe
2007-06-08 21:19 171,792 --a------ C:\WINDOWS\system32\wjview.exe
2007-06-08 21:19 171,280 --a------ C:\WINDOWS\system32\jit.dll
2007-06-08 21:19 154,384 --a------ C:\WINDOWS\system32\msawt.dll
2007-06-08 21:19 15,120 --a------ C:\WINDOWS\system32\jdbgmgr.exe
2007-06-08 21:19 139,536 --a------ C:\WINDOWS\system32\javaee.dll
2007-06-08 21:19 113 --a------ C:\WINDOWS\system32\zonedon.reg
2007-06-08 21:19 113 --a------ C:\WINDOWS\system32\zonedoff.reg
2007-06-08 21:07 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-08 21:03 60,288 --a------ C:\WINDOWS\system32\drivers\drmk.sys
2007-06-08 21:03 145,792 --a------ C:\WINDOWS\system32\drivers\portcls.sys
2007-06-08 20:49 1,082,368 --a------ C:\WINDOWS\system32\esent.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-23 19:06:12 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-23 19:06:00 -------- d-----w C:\Program Files\PC-Doctor for Windows
2007-06-20 08:16:11 -------- d-----w C:\Program Files\Messenger
2007-06-20 05:34:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-20 05:30:08 -------- d-----w C:\Program Files\Symantec
2007-06-20 02:33:15 -------- d-----w C:\Program Files\Movie Maker
2007-06-20 02:28:12 -------- d-----w C:\Program Files\Windows NT
2007-06-08 19:24:56 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 10:47]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}=C:\Program Files\Microsoft Money\System\mnyside.dll [2002-07-17 21:00]
{345ECE31-6898-4F30-9F87-A304791E5369}=C:\WINDOWS\system32\jkkll.dll []
{400DF7DE-CEAE-4BAE-8303-3FAA97680605}=C:\Program Files\ComPlus Applications\vihykilux58441.dll [2007-06-14 07:54]
{4099F875-6E0E-4084-B37D-381D757E6D94}=C:\WINDOWS\system32\vtsqp.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{63E35656-56FB-49D3-B814-9726FF3C73F3}=C:\WINDOWS\system32\ddcyy.dll []
{BEF7A862-1A2F-494B-ADDE-F01FE5AFDC14}=C:\Program Files\ComPlus Applications\vihykilux43855.dll [2007-06-14 07:54]
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\system32\byxxyyx.dll [2007-06-22 16:22]
{E0FF5F70-D99A-451A-BB82-81531D9766AB}=C:\WINDOWS\system32\awvtq.dll []
{E37B185A-F643-4D8A-A3B9-FE4D003DD2C9}=C:\WINDOWS\system32\gebcy.dll []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 00:25]
"NVIEW"="nview.dll,nViewLoadHook" []
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-02-15 16:17]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\system32\byxxyyx.dll" [2007-06-22 16:22]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxyyx]
byxxyyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll


Contents of the 'Scheduled Tasks' folder
2007-06-26 13:25:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-26 09:21:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-06-26 9:26:08 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-06-26 09:26

--- E O F ---

#4 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • OFFLINE
  • Gender:Not Telling
  • Location:USA
  • Local time:01:19 AM

Posted 27 June 2007 - 10:35 PM

Please do the following in this order:

First, download the following to the Desktop:
VundoFix.exe
* Double-click VundoFix.exe to run it
* Click: Scan for Vundo
* Once done scanning, click: Remove Vundo
* A prompt asking if you want to remove the files appears, click: Yes
* The Desktop goes blank as it starts removing Vundo.
* When completed, a prompt to shutdown the computer appears, click OK
* Turn the computer back on.

A log is created and found in C:\vundofix.txt

~~~~
Second, run ComboFix once again.

~~~~
Last, run HijackThis to obtain a new log.

~~~~
Please post the C:\vundofix.txt, a new ComboFix report, and a new HijackThis log.

Old duck...


#5 Nekoyasha

Nekoyasha
  • Topic Starter

  • Members
  • 31 posts
  • OFFLINE
  • Location:Sumter SC, USA
  • Local time:02:19 AM

Posted 28 June 2007 - 04:17 PM

VundoFix V6.5.1

Checking Java version...

Scan started at 7:18:24 AM 6/21/2007

Listing files found while scanning....

C:\windows\system32\bsqkgprs.ini
C:\windows\system32\fkhhyxsl.dll
C:\WINDOWS\System32\hggeedd.dll
C:\windows\system32\hgghghi.dll
C:\windows\system32\ilwjshby.exe
C:\WINDOWS\system32\jkkll.dll
C:\windows\system32\llkkj.bak1
C:\windows\system32\llkkj.bak2
C:\windows\system32\llkkj.ini
C:\windows\system32\mfhhpljs.ini
C:\WINDOWS\system32\pchywnuf.dll
C:\WINDOWS\system32\sjlphhfm.dll
C:\windows\system32\srpgkqsb.dll

Beginning removal...

Attempting to delete C:\windows\system32\bsqkgprs.ini
C:\windows\system32\bsqkgprs.ini Has been deleted!

Attempting to delete C:\windows\system32\fkhhyxsl.dll
C:\windows\system32\fkhhyxsl.dll Has been deleted!

Attempting to delete C:\WINDOWS\System32\hggeedd.dll
C:\WINDOWS\System32\hggeedd.dll Has been deleted!

Attempting to delete C:\windows\system32\hgghghi.dll
C:\windows\system32\hgghghi.dll Has been deleted!

Attempting to delete C:\windows\system32\ilwjshby.exe
C:\windows\system32\ilwjshby.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkll.dll
C:\WINDOWS\system32\jkkll.dll Has been deleted!

Attempting to delete C:\windows\system32\llkkj.bak1
C:\windows\system32\llkkj.bak1 Has been deleted!

Attempting to delete C:\windows\system32\llkkj.bak2
C:\windows\system32\llkkj.bak2 Has been deleted!

Attempting to delete C:\windows\system32\llkkj.ini
C:\windows\system32\llkkj.ini Has been deleted!

Attempting to delete C:\windows\system32\mfhhpljs.ini
C:\windows\system32\mfhhpljs.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pchywnuf.dll
C:\WINDOWS\system32\pchywnuf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\sjlphhfm.dll
C:\WINDOWS\system32\sjlphhfm.dll Could not be deleted.

Attempting to delete C:\windows\system32\srpgkqsb.dll
C:\windows\system32\srpgkqsb.dll Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\sjlphhfm.dll
C:\WINDOWS\system32\sjlphhfm.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Scan started at 4:26:30 PM 6/22/2007

Listing files found while scanning....

C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\ddcyy.dll Could not be deleted.

Attempting to delete C:\WINDOWS\system32\yycdd.bak1
C:\WINDOWS\system32\yycdd.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\yycdd.ini
C:\WINDOWS\system32\yycdd.ini Has been deleted!

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ddcyy.dll
C:\WINDOWS\system32\ddcyy.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Scan started at 4:52:07 PM 6/22/2007

Listing files found while scanning....

No infected files were found.


VundoFix V6.5.1

Checking Java version...

Scan started at 2:49:47 PM 6/23/2007

Listing files found while scanning....

C:\windows\system32\dbdflnvn.dll
C:\WINDOWS\system32\gebcy.dll
C:\windows\system32\nvnlfdbd.ini
C:\WINDOWS\system32\pjrehmov.dll
C:\windows\system32\uqhvbrki.exe
C:\WINDOWS\system32\ycbeg.bak1
C:\WINDOWS\system32\ycbeg.bak2
C:\WINDOWS\system32\ycbeg.ini

Beginning removal...

VundoFix V6.5.1

Checking Java version...

Scan started at 2:57:36 PM 6/23/2007

Listing files found while scanning....

C:\windows\system32\dbdflnvn.dll
C:\WINDOWS\system32\gebcy.dll
C:\windows\system32\nvnlfdbd.ini
C:\WINDOWS\system32\pjrehmov.dll
C:\windows\system32\uqhvbrki.exe
C:\WINDOWS\system32\ycbeg.bak1
C:\WINDOWS\system32\ycbeg.bak2
C:\WINDOWS\system32\ycbeg.ini

Beginning removal...

Attempting to delete C:\windows\system32\dbdflnvn.dll
C:\windows\system32\dbdflnvn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gebcy.dll
C:\WINDOWS\system32\gebcy.dll Has been deleted!

Attempting to delete C:\windows\system32\nvnlfdbd.ini
C:\windows\system32\nvnlfdbd.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\pjrehmov.dll
C:\WINDOWS\system32\pjrehmov.dll Has been deleted!

Attempting to delete C:\windows\system32\uqhvbrki.exe
C:\windows\system32\uqhvbrki.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\ycbeg.bak1
C:\WINDOWS\system32\ycbeg.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ycbeg.bak2
C:\WINDOWS\system32\ycbeg.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\ycbeg.ini
C:\WINDOWS\system32\ycbeg.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Scan started at 10:50:35 AM 6/25/2007

Listing files found while scanning....

C:\windows\system32\cocanjyf.ini
C:\WINDOWS\system32\fyjnacoc.dll
C:\WINDOWS\system32\kuddnpjs.dll
C:\windows\system32\rdeqvmmi.exe
C:\windows\system32\uykivhtq.exe
C:\WINDOWS\system32\vtsqp.dll

Beginning removal...

Attempting to delete C:\windows\system32\cocanjyf.ini
C:\windows\system32\cocanjyf.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\fyjnacoc.dll
C:\WINDOWS\system32\fyjnacoc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kuddnpjs.dll
C:\WINDOWS\system32\kuddnpjs.dll Has been deleted!

Attempting to delete C:\windows\system32\rdeqvmmi.exe
C:\windows\system32\rdeqvmmi.exe Has been deleted!

Attempting to delete C:\windows\system32\uykivhtq.exe
C:\windows\system32\uykivhtq.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtsqp.dll
C:\WINDOWS\system32\vtsqp.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Scan started at 1:15:20 PM 6/25/2007

Listing files found while scanning....

C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.ini

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awvtq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtvwa.ini
C:\WINDOWS\system32\qtvwa.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.1

Checking Java version...

Scan started at 7:32:21 AM 6/28/2007

Listing files found while scanning....

C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak2
C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\vtutr.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rtutv.bak1
C:\WINDOWS\system32\rtutv.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtutv.bak2
C:\WINDOWS\system32\rtutv.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtutv.ini
C:\WINDOWS\system32\rtutv.ini Has been deleted!

Performing Repairs to the registry.
Done!

ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-06-28 10:48:08 - Service Pack 2 NTFS


((((((((((((((((((((((((( Files Created from 2007-05-28 to 2007-06-28 )))))))))))))))))))))))))))))))


2007-06-26 23:36 128,576 --a------ C:\WINDOWS\system32\kujvgwxo.dll
2007-06-26 20:41 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-06-26 19:30 <DIR> d-------- C:\Program Files\MSBuild
2007-06-26 19:17 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-26 18:54 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-26 18:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-06-26 18:47 <DIR> dr-h----- C:\MSOCache
2007-06-26 16:29 247,866 --a------ C:\WINDOWS\Alcohol_Toolbar_Uninstaller_3265.exe
2007-06-26 16:29 <DIR> d-------- C:\Program Files\Alcohol Toolbar
2007-06-26 16:28 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-06-26 16:28 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-06-26 09:45 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\interMute
2007-06-26 09:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-26 09:09 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 15:22 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-06-23 14:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-06-23 13:20 4,672 --a------ C:\WINDOWS\system32\nwaqvvop.exe
2007-06-22 16:44 56,320 --a------ C:\WINDOWS\pkill.exe
2007-06-22 16:44 274,424 --a------ C:\WINDOWS\us2.exe
2007-06-22 16:36 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-06-22 16:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-06-22 16:36 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-06-22 13:27 <DIR> d-------- C:\Program Files\DivX
2007-06-21 07:18 <DIR> d-------- C:\VundoFix Backups
2007-06-20 04:12 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-20 01:31 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-20 01:31 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-20 01:31 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-20 01:31 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-20 01:31 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-20 01:31 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-20 01:30 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-20 01:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-19 22:33 <DIR> d-------- C:\WINDOWS\provisioning
2007-06-19 22:33 <DIR> d-------- C:\WINDOWS\peernet
2007-06-19 22:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-19 22:17 <DIR> d-------- C:\WINDOWS\EHome
2007-06-17 16:30 <DIR> d-------- C:\Program Files\Flash Player Pro
2007-06-17 16:24 <DIR> d-------- C:\Program Files\Any FLV Player
2007-06-15 19:54 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Motive
2007-06-15 19:53 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S7
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S6
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S2
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S1
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-15 19:09 <DIR> d-------- C:\temp\iee
2007-06-14 22:21 26,680 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-06-12 16:17 <DIR> d-------- C:\temp
2007-06-12 16:13 90,112 --a------ C:\WINDOWS\system32\LXCZCUR.DLL
2007-06-12 16:13 73,728 --a------ C:\WINDOWS\system32\lxczpwr.dll
2007-06-12 16:13 69,632 --a------ C:\WINDOWS\system32\LXCZCU.DLL
2007-06-12 16:13 40,960 --a------ C:\WINDOWS\system32\lxczvs.dll
2007-06-12 16:13 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2007-06-12 16:13 311,296 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2007-06-12 16:13 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2007-06-12 16:13 200,704 --a------ C:\WINDOWS\system32\LEXLMPM.DLL
2007-06-12 16:13 198,144 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2007-06-12 16:13 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2007-06-12 16:13 155,648 --a------ C:\WINDOWS\system32\LEXPING.EXE
2007-06-12 16:13 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2007-06-12 16:12 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-06-12 16:12 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-12 16:10 983,107 --a------ C:\WINDOWS\system32\LXCZGF.DLL
2007-06-12 16:10 69,632 --a------ C:\WINDOWS\system32\lxczscin.dll
2007-06-12 16:10 57,344 --a------ C:\WINDOWS\system32\lxczcinf.dll
2007-06-12 16:10 49,152 --a------ C:\WINDOWS\system32\lxczcoin.dll
2007-06-12 16:10 458,752 --a------ C:\WINDOWS\system32\LXCZJSWR.DLL
2007-06-12 16:10 356,352 --a------ C:\WINDOWS\system32\LXCZUTIL.DLL
2007-06-12 16:10 <DIR> d-------- C:\Program Files\Lexmark 1200 Series
2007-06-12 16:09 <DIR> d-------- C:\Lexmark
2007-06-12 08:27 299,520 --a------ C:\WINDOWS\uninst.exe
2007-06-10 10:48 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-09 22:04 <DIR> d-------- C:\Program Files\mIRC
2007-06-09 19:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-06-09 12:08 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-06-09 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-09 09:16 <DIR> d-------- C:\DOCUME~1\Owner\.jpi_cache
2007-06-09 09:10 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-06-09 09:10 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-06-09 01:01 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\U3
2007-06-08 21:35 614,912 --a------ C:\WINDOWS\system32\h323msp.dll
2007-06-08 21:35 331,264 --a------ C:\WINDOWS\system32\ipnathlp.dll
2007-06-08 21:22 221,184 --a------ C:\WINDOWS\system32\wmpns.dll
2007-06-08 21:19 947,472 --a------ C:\WINDOWS\system32\msjava.dll
2007-06-08 21:19 63,248 --a------ C:\WINDOWS\system32\javaprxy.dll
2007-06-08 21:19 6,550 --a------ C:\WINDOWS\jautoexp.dat
2007-06-08 21:19 49,424 --a------ C:\WINDOWS\system32\clspack.exe
2007-06-08 21:19 46,352 --a------ C:\WINDOWS\setdebug.exe
2007-06-08 21:19 404,752 --a------ C:\WINDOWS\system32\javart.dll
2007-06-08 21:19 313,856 --a------ C:\WINDOWS\system32\dx3j.dll
2007-06-08 21:19 286,992 --a------ C:\WINDOWS\system32\vmhelper.dll
2007-06-08 21:19 21,264 --a------ C:\WINDOWS\system32\msjdbc10.dll


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-06-26 23:32:45 -------- d-----w C:\Program Files\Microsoft Works
2007-06-23 19:06:12 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-23 19:06:00 -------- d-----w C:\Program Files\PC-Doctor for Windows
2007-06-20 08:16:11 -------- d-----w C:\Program Files\Messenger
2007-06-20 05:34:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-20 05:30:08 -------- d-----w C:\Program Files\Symantec
2007-06-20 02:33:15 -------- d-----w C:\Program Files\Movie Maker
2007-06-20 02:28:12 -------- d-----w C:\Program Files\Windows NT
2007-06-08 19:24:56 -------- d--h--w C:\Program Files\WindowsUpdate
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 10:47]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-06-26 16:29]
{1A493D65-C386-4199-AA79-583FB3C1EA88}=C:\WINDOWS\system32\vtutr.dll []
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}=C:\Program Files\Microsoft Money\System\mnyside.dll [2002-07-17 21:00]
{345ECE31-6898-4F30-9F87-A304791E5369}=C:\WINDOWS\system32\jkkll.dll []
{400DF7DE-CEAE-4BAE-8303-3FAA97680605}=C:\Program Files\ComPlus Applications\vihykilux58441.dll []
{4099F875-6E0E-4084-B37D-381D757E6D94}=C:\WINDOWS\system32\vtsqp.dll []
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{63E35656-56FB-49D3-B814-9726FF3C73F3}=C:\WINDOWS\system32\ddcyy.dll []
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]
{BEF7A862-1A2F-494B-ADDE-F01FE5AFDC14}=C:\Program Files\ComPlus Applications\vihykilux43855.dll []
{DC192567-65F9-4AB6-ADB7-E13575F81726}=C:\WINDOWS\system32\byxxyyx.dll []
{E0FF5F70-D99A-451A-BB82-81531D9766AB}=C:\WINDOWS\system32\awvtq.dll []
{E37B185A-F643-4D8A-A3B9-FE4D003DD2C9}=C:\WINDOWS\system32\gebcy.dll []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 00:25]
"NVIEW"="nview.dll,nViewLoadHook" []
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-02-15 16:17]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{DC192567-65F9-4AB6-ADB7-E13575F81726}"="C:\WINDOWS\system32\byxxyyx.dll" []
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byxxyyx]
byxxyyx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtutr]
C:\WINDOWS\system32\vtutr.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-06-28 14:55:00 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-06-28 10:53:32
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

cmd.exe [1376]


scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-06-28 10:56:19
C:\ComboFix-quarantined-files.txt ... 2007-06-28 10:55
C:\ComboFix2.txt ... 2007-06-28 08:10
C:\ComboFix3.txt ... 2007-06-26 09:26

--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 11:01:35 AM, on 6/28/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\OdHost.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\WLUSBCfg.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: (no name) - {1A493D65-C386-4199-AA79-583FB3C1EA88} - C:\WINDOWS\system32\vtutr.dll (file missing)
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {345ECE31-6898-4F30-9F87-A304791E5369} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {400DF7DE-CEAE-4BAE-8303-3FAA97680605} - C:\Program Files\ComPlus Applications\vihykilux58441.dll (file missing)
O2 - BHO: (no name) - {4099F875-6E0E-4084-B37D-381D757E6D94} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {63E35656-56FB-49D3-B814-9726FF3C73F3} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {BEF7A862-1A2F-494B-ADDE-F01FE5AFDC14} - C:\Program Files\ComPlus Applications\vihykilux43855.dll (file missing)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\byxxyyx.dll (file missing)
O2 - BHO: (no name) - {E0FF5F70-D99A-451A-BB82-81531D9766AB} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {E37B185A-F643-4D8A-A3B9-FE4D003DD2C9} - C:\WINDOWS\system32\gebcy.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Motorola Wireless USB Adapter.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: byxxyyx - byxxyyx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\system32\vtutr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe

I thank all who help me and beforehand I would like to say forgive me if I ask some stupid question. It happens to me a lot and I usually just need someone to say the obvious to me. Although I still live by my motto
"What I say is sealed in my words." or a variant of that. (I have it written down, trust me.)

#6 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 28 June 2007 - 06:15 PM

Please download AVG Anti-Spyware:
http://www.ewido.net/en/download/
Locate the icon on the Desktop and double-click it to launch the program.

Now, update the definition files:
On the main screen select Update, and then select the Update Now link.
Next, select the Start Update button
(The update starts and a progress bar shows the updates installed.)

Once the update completes select: Scanner (the top of the screen)
Select the Settings tab
Once in the Settings screen click on: Recommended actions
Select: Quarantine
Under: Reports, select: Automatically generate report after every scan
Un-Select: Only if threats were found
Close AVG AS for now.

~~~~
Run HijackThis once again
Check box for:

O2 - BHO: (no name) - {1A493D65-C386-4199-AA79-583FB3C1EA88} - C:\WINDOWS\system32\vtutr.dll (file missing)
O2 - BHO: (no name) - {345ECE31-6898-4F30-9F87-A304791E5369} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {400DF7DE-CEAE-4BAE-8303-3FAA97680605} - C:\Program Files\ComPlus Applications\vihykilux58441.dll (file missing)
O2 - BHO: (no name) - {4099F875-6E0E-4084-B37D-381D757E6D94} - C:\WINDOWS\system32\vtsqp.dll (file missing)
O2 - BHO: (no name) - {63E35656-56FB-49D3-B814-9726FF3C73F3} - C:\WINDOWS\system32\ddcyy.dll (file missing)
O2 - BHO: (no name) - {BEF7A862-1A2F-494B-ADDE-F01FE5AFDC14} - C:\Program Files\ComPlus Applications\vihykilux43855.dll (file missing)
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\byxxyyx.dll (file missing)
O2 - BHO: (no name) - {E0FF5F70-D99A-451A-BB82-81531D9766AB} - C:\WINDOWS\system32\awvtq.dll (file missing)
O2 - BHO: (no name) - {E37B185A-F643-4D8A-A3B9-FE4D003DD2C9} - C:\WINDOWS\system32\gebcy.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)

O20 - Winlogon Notify: byxxyyx - byxxyyx.dll (file missing)
O20 - Winlogon Notify: vtutr - C:\WINDOWS\system32\vtutr.dll (file missing)

Select: Fix checked

~~~~
Reboot to Safe Mode:
-When the machine starts again, tap the F8 key before Windows starts
-You are presented with a Windows XP Advanced Options menu.
-Select the option for Safe Mode using the arrow keys.
-Press Enter to boot into Safe Mode.

~~~~
In Safe Mode, launch AVG AS once again
Select: Scanner (at the top)
Select the Scan tab
Click on: Complete System Scan
AVG AS begins the scanning process, and it may take a while.
Please do not open any other windows or programs while AVG AS is scanning; it may interfere with the scanning process!!

Once the scan is complete, AVG AS lists any infections found.
It also automatically sets the recommended action.
Click: Apply all actions
AVG AS will then display: All actions have been applied

Next select: Reports (at the top)
Select: Save report as (lower left of the screen)
Save the report to a text file in a location where you can find it!
Close AVG AS.

~~~~
Restart the computer.

~~~~
Please provide the following in your reply:
The AVG AS report
A new HijackThis log

Old duck...
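
As an added illustration of the triage the post above does by hand (example code, not part of the thread, of HijackThis, or of the BleepingComputer team's tooling), the script below parses the O2 (BHO) and O20 (Winlogon Notify) lines of a HijackThis 1.99.1 log and returns the entries whose DLL is reported missing, which is exactly the set the helper asked to have checked. The line layouts matched by the regular expressions are assumed from the log lines in this thread, and the sample log is a constructed subset copied from the log posted above.

```python
"""Triage helper for HijackThis v1.99.1 log lines.

Picks out O2 (Browser Helper Object) and O20 (Winlogon Notify) load points
whose backing DLL no longer exists. Such entries are what remains after the
Vundo DLLs were deleted: they load nothing while the file is absent, but a
helper clears them so the log stays readable and nothing is picked up again
should a file of that name reappear.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# HijackThis appends "(file missing)" when the registered path does not exist
# on disk and "(no file)" when the registry entry carries no path at all.
MISSING_MARKERS = ("(file missing)", "(no file)")

# Assumed layouts, taken from the lines in this thread:
#   O2 - BHO: <display name> - {CLSID} - <path, or "(no file)">
#   O20 - Winlogon Notify: <subkey name> - <dll name or full path>
O2_RE = re.compile(
    r"^O2 - BHO: (?P<name>.+?) - (?P<clsid>\{[0-9A-Fa-f-]{36}\}) - (?P<path>.*)$"
)
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.*)$")


@dataclass
class LoadPoint:
    section: str            # "O2" or "O20"
    name: str               # BHO display name, or the Winlogon Notify subkey
    clsid: Optional[str]    # COM class id for O2 entries, None for O20
    path: str               # text after the last " - ", as HijackThis printed it
    file_missing: bool      # True when HijackThis reported the DLL as gone
    line: str               # the original log line, reused for the fix list


def parse_line(line: str) -> Optional[LoadPoint]:
    """Parse one O2 or O20 log line; lines from other sections return None."""
    line = line.strip()
    m = O2_RE.match(line)
    if m:
        path = m.group("path")
        return LoadPoint("O2", m.group("name"), m.group("clsid"), path,
                         path.endswith(MISSING_MARKERS), line)
    m = O20_RE.match(line)
    if m:
        path = m.group("path")
        return LoadPoint("O20", m.group("name"), None, path,
                         path.endswith(MISSING_MARKERS), line)
    return None


def orphaned_load_points(log_text: str) -> List[LoadPoint]:
    """O2/O20 entries whose DLL no longer exists, in the order they appear."""
    return [lp for lp in map(parse_line, log_text.splitlines())
            if lp is not None and lp.file_missing]


def fix_list(log_text: str) -> List[str]:
    """The log lines a helper would tell the user to tick before 'Fix checked'."""
    return [lp.line for lp in orphaned_load_points(log_text)]


# Constructed sample: a subset of lines copied from the HijackThis log posted
# above, mixing legitimate entries with the orphaned Vundo ones.
SAMPLE_LOG = r"""
Logfile of HijackThis v1.99.1
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1A493D65-C386-4199-AA79-583FB3C1EA88} - C:\WINDOWS\system32\vtutr.dll (file missing)
O2 - BHO: (no name) - {345ECE31-6898-4F30-9F87-A304791E5369} - C:\WINDOWS\system32\jkkll.dll (file missing)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O2 - BHO: (no name) - {DC192567-65F9-4AB6-ADB7-E13575F81726} - C:\WINDOWS\system32\byxxyyx.dll (file missing)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - (no file)
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: byxxyyx - byxxyyx.dll (file missing)
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: vtutr - C:\WINDOWS\system32\vtutr.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
"""


if __name__ == "__main__":
    for lp in orphaned_load_points(SAMPLE_LOG):
        print(f"{lp.section:<4}{lp.name:<12}{lp.path}")
```

Entries whose file is present (SDHelper.dll, igfxsrvc.dll, WgaLogon.dll) are deliberately not returned; whether those are wanted is a judgement the parser leaves to the person reading the log.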


#7 Nekoyasha

Nekoyasha
  • Topic Starter

  • Members
  • 31 posts
  • Location:Sumter SC, USA

Posted 07 July 2007 - 05:31 PM

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 4:46:04 PM 7/7/2007

+ Scan result:

C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP134\A0011854.exe -> Adware.Small : Cleaned with backup (quarantined).
C:\WINDOWS\system32\S2\cogyaga58441.exe -> Adware.TTC : Cleaned with backup (quarantined).
C:\WINDOWS\system32\nwaqvvop.exe -> Downloader.Tiny.id : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{F2681A7D-91E5-401A-AC8B-015335799DC0}\RP146\A0026681.exe -> Downloader.VB.aya : Cleaned with backup (quarantined).
:mozilla.108:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.101:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.102:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adbrite : Cleaned.
:mozilla.88:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.89:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.90:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.91:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.92:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.93:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.94:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Adrevolver : Cleaned.
:mozilla.24:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.25:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.26:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.27:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.28:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.17:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Atdmt : Cleaned.
:mozilla.175:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Bluestreak : Cleaned.
:mozilla.183:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.184:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.185:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.186:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Casalemedia : Cleaned.
:mozilla.107:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Cnn : Cleaned.
:mozilla.173:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Com : Cleaned.
:mozilla.23:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Doubleclick : Cleaned.
:mozilla.81:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.82:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Fastclick : Cleaned.
:mozilla.103:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Fortunecity : Cleaned.
:mozilla.18:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Mediaplex : Cleaned.
:mozilla.178:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.179:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.180:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.181:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.182:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Pointroll : Cleaned.
:mozilla.135:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.136:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.137:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.138:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.139:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.140:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.141:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Questionmarket : Cleaned.
:mozilla.125:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.126:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.127:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.128:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.131:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Revsci : Cleaned.
:mozilla.144:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.145:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.146:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.147:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.148:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.149:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Serving-sys : Cleaned.
:mozilla.111:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.112:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.113:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.114:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.167:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Statcounter : Cleaned.
:mozilla.199:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.200:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.201:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.202:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.203:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.204:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Trafficmp : Cleaned.
:mozilla.115:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Tribalfusion : Cleaned.
:mozilla.62:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.63:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
:mozilla.64:C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\6nw76qgf.default\cookies.txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Alcohol Soft\Alcohol 120\star_syn_client.dll -> Trojan.Agent.abd : Cleaned with backup (quarantined).


::Report end

Logfile of HijackThis v1.99.1
Scan saved at 6:28:41 PM, on 7/7/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\OdHost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\WLUSBCfg.exe
C:\Documents and Settings\Owner\Desktop\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://srch-us9.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://srch-us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us9.hpwis.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: Alcohol Toolbar Helper - {0ACF00E0-C1E4-4F6B-B290-10AC7505C47A} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O2 - BHO: (no name) - {243B17DE-77C7-46BF-B94B-0B5F309A0E64} - C:\Program Files\Microsoft Money\System\mnyside.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL
O3 - Toolbar: HP View - {B2847E28-5D7D-4DEB-8B67-05D28BCF79F5} - c:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpdtlk02.dll
O3 - Toolbar: Alcohol Toolbar - {DC59A0D4-0ED6-4A73-B356-1B977F2A7725} - C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [NVIEW] rundll32.exe nview.dll,nViewLoadHook
O4 - HKCU\..\Run: [µTorrent] "C:\Program Files\uTorrent\utorrent.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Motorola Wireless USB Adapter.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyside.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MICROS~2\Office12\GR99D3~1.DLL
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe


Edit: Most problems seem to be gotten rid of as far as I can see, but the computer still insists on shutting down. No specific action seems to cause this and there's no required uptime for it to do it either.

Edited by Nekoyasha, 08 July 2007 - 04:09 PM.

I thank all who help me and beforehand I would like to say forgive me if I ask some stupid question. It happens to me a lot and I usually just need someone to say the obvious to me. Although I still live by my motto
"What I say is sealed in my words." or a variant of that. (I have it written down, trust me.)

#8 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:01:19 AM

Posted 09 July 2007 - 05:05 PM

My apologies for not responding. For some reason, I was not notified of your post.

The HijackThis log looks OK. No apparent malware issues.

On the random shutdown problem, you may want to post this matter in the Windows XP forum:
http://www.bleepingcomputer.com/forums/f/56/windows-xp-home-and-professional/.

Someone there may be able to troubleshoot the problem with you.

Old duck...


#9 Nekoyasha

Nekoyasha
  • Topic Starter

  • Members
  • 31 posts
  • Location:Sumter SC, USA
  • Local time:02:19 AM

Posted 09 July 2007 - 06:13 PM

Besides the shutdown issue, the computer is running pretty good with no more pop-ups. I would like to thank you for your help and hope to talk to you again soon Aaflac. Thank you again and bye.

#10 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA
  • Local time:01:19 AM

Posted 09 July 2007 - 07:51 PM

You can remove the files from the AVG AS Quarantine:
-Launch AVG AS and click the Infections button.
-Click the Quarantine tab
-Choose: Select All
-Click: Remove finally
-A window pops up asking "Are you sure you want to remove the selected files...??"
-Select: Yes

~~~~
I was taking a final look at the reports provided, and saw some suspicious files and folders, even though the HijackThis log appears OK.

Please do the following:

Download SmitfraudFix (by S!Ri) to the Desktop.
http://siri.urz.free.fr/Fix/SmitfraudFix.zip
Extract the files to the Desktop

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Only select option #1 - Search by typing 1 and press Enter
This program scans large amounts of files on your computer, so please be patient while it works.
When it is done, a log named rapport.txt is created, listing infected files (if present).

Please post C:\rapport.txt in your reply.

~~~~
Also, open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/paste the blue text below to Notepad:

File::
C:\WINDOWS\system32\kujvgwxo.dll
C:\WINDOWS\system32\nwaqvvop.exe
C:\WINDOWS\Alcohol_Toolbar_Uninstaller_3265.exe
C:\WINDOWS\pkill.exe
C:\WINDOWS\system32\mlfcache.dat

Folder::
C:\WINDOWS\system32\win
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\o02PrEz


Save as CFScript.txt
Change the "Save as type" to "All Files"
Save it to the Desktop.

[Screenshot not preserved: dragging CFScript.txt onto ComboFix.exe]


Referring to the screen shot above, drag CFScript.txt into ComboFix.exe
ComboFix now runs a scan on your system, and may reboot when it finishes. This is normal.

CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

When finished, a log is produced.

Also provide the contents of the new ComboFix log in your next reply.

Edited by Aaflac, 09 July 2007 - 08:16 PM.

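The triage the helper describes above, picking suspicious entries out of a ComboFix "Files Created" listing and drafting the File::/Folder:: script, as an added Python example that is not part of this thread, ComboFix, SmitfraudFix or HijackThis. The sample lines are constructed in the ComboFix listing format, modelled on the log posted here; the four heuristics (random lowercase binary names in system32, a burst of folders created under one parent in the same minute, hidden files in system32, loose executables directly under C:\WINDOWS) are this example's assumptions about what the helper looked for, not rules from any tool. The output is a review list for a human, not a script to drop onto ComboFix unread.

```python
"""Triage a ComboFix "Files Created" listing and draft a CFScript.

Added example for this thread, not code from ComboFix, SmitfraudFix or any
post here.  The heuristics are assumptions about what the helper looked for.
"""
from __future__ import annotations

import re
from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed sample in the ComboFix "Files Created" format (modelled on the
# log in this thread; msonpmon.dll is included as a heuristic false positive).
SAMPLE = r"""
2007-07-09 16:42 <DIR> d-------- C:\Program Files\QuickTime
2007-06-26 23:36 128,576 --a------ C:\WINDOWS\system32\kujvgwxo.dll
2007-06-26 20:41 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-06-22 16:44 56,320 --a------ C:\WINDOWS\pkill.exe
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S7
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S2
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-14 22:21 26,680 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-06-12 16:13 311,296 --a------ C:\WINDOWS\system32\LEXBCES.EXE
"""

# "<date> <time> <size or <DIR>> <9-char attribute field> <path>"
LINE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+(<DIR>|[\d,]+)\s+([-a-z]{9})\s+(.+)$")
SYSTEM32 = "c:\\windows\\system32"
WINROOT = "c:\\windows"
RANDOM_STEM = re.compile(r"^[a-z]{7,9}$")  # kujvgwxo, nwaqvvop, ...
BINARY_EXT = {"dll", "exe", "sys"}


@dataclass(frozen=True)
class Entry:
    created: datetime
    is_dir: bool
    attrs: str
    path: str

    @property
    def parent(self) -> str:
        return self.path.rsplit("\\", 1)[0].lower()


def parse_created(text: str) -> list[Entry]:
    """Parse listing lines; banners and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if m:
            stamp, size, attrs, path = m.groups()
            entries.append(Entry(datetime.strptime(stamp, "%Y-%m-%d %H:%M"),
                                 size == "<DIR>", attrs, path))
    return entries


def flag(entries: list[Entry]) -> dict[str, list[str]]:
    """Map each suspicious path to its reasons (a review list, not verdicts)."""
    reasons: dict[str, list[str]] = {}

    def add(e: Entry, why: str) -> None:
        reasons.setdefault(e.path, []).append(why)

    # Dropper burst: several folders created under one parent in the same minute.
    bursts = Counter((e.parent, e.created) for e in entries if e.is_dir)
    for e in entries:
        if e.is_dir:
            n = bursts[(e.parent, e.created)]
            if n >= 3:
                add(e, f"one of {n} folders created in {e.parent} in the same minute")
            continue
        stem, _, ext = e.path.rsplit("\\", 1)[1].rpartition(".")
        ext = ext.lower()
        if e.parent == SYSTEM32 and ext in BINARY_EXT and RANDOM_STEM.match(stem):
            add(e, f"random-looking {ext} name in system32")
        if e.parent == SYSTEM32 and "h" in e.attrs:
            add(e, "hidden file in system32")
        if e.parent == WINROOT and ext == "exe":
            add(e, "loose executable in the Windows root")
    return reasons


def render_cfscript(entries: list[Entry], reasons: dict[str, list[str]]) -> str:
    """Draft the File::/Folder:: sections in the format used in the thread."""
    is_dir = {e.path: e.is_dir for e in entries}
    files = [p for p in reasons if not is_dir[p]]
    folders = [p for p in reasons if is_dir[p]]
    out: list[str] = []
    if files:
        out += ["File::", *files, ""]
    if folders:
        out += ["Folder::", *folders, ""]
    return "\n".join(out)


if __name__ == "__main__":
    found = parse_created(SAMPLE)
    hits = flag(found)
    print(render_cfscript(found, hits))
```

Run against the sample, the folder burst (win, S7, S2, o02PrEz all created at 19:09 under system32), the random name kujvgwxo.dll, the hidden mlfcache.dat and the loose pkill.exe line up with the File::/Folder:: lists in the post above. msonpmon.dll, which the helper did not list, also trips the name heuristic: that is the reason the output is a list to review, not something to drag onto ComboFix as-is.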


#11 Nekoyasha

Nekoyasha
  • Topic Starter

  • Members
  • 31 posts
  • Location:Sumter SC, USA
  • Local time:02:19 AM

Posted 09 July 2007 - 11:40 PM

So the plot thickens... Thanks for taking another look.

SmitFraudFix v2.202

Scan done at 23:47:52.45, Mon 07/09/2007
Run from C:\Documents and Settings\Owner\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Hewlett-Packard\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\OdHost.exe
C:\Program Files\Motorola Wireless\WU830G USB Adapter\WLUSBCfg.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

HKLM\SYSTEM\CS2\Services\Tcpip\..\{23AFC2D2-0A22-4482-9554-44DCE100591B}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS3\Services\Tcpip\..\{23AFC2D2-0A22-4482-9554-44DCE100591B}: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS2\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=24.25.5.150 24.25.5.149


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End

ComboFix 07-06-18.2 - C:\Documents and Settings\Owner\Desktop\ComboFix.exe
"Owner" - 2007-07-09 23:52:14 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt


((((((((((((((((((((((((( Files Created from 2007-06-10 to 2007-07-10 )))))))))))))))))))))))))))))))


2007-07-09 23:48 852 --a------ C:\WINDOWS\system32\tmp.reg
2007-07-09 23:46 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-07-09 23:46 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-07-09 23:46 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-07-09 16:42 <DIR> d-------- C:\Program Files\QuickTime
2007-07-09 16:40 <DIR> d-------- C:\Program Files\Apple Software Update
2007-07-09 16:39 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple Computer
2007-07-09 16:12 4,682 --a------ C:\WINDOWS\system32\npptNT2.sys
2007-07-09 16:03 <DIR> d-------- C:\Nexon
2007-06-29 16:58 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-29 16:58 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-29 16:58 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-29 16:57 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-29 16:57 90,112 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-29 16:57 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-29 16:57 733,824 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-26 23:36 128,576 --a------ C:\WINDOWS\system32\kujvgwxo.dll
2007-06-26 20:41 32,592 --a------ C:\WINDOWS\system32\msonpmon.dll
2007-06-26 19:30 <DIR> d-------- C:\Program Files\MSBuild
2007-06-26 19:17 <DIR> d-------- C:\Program Files\Microsoft.NET
2007-06-26 18:54 <DIR> d-------- C:\WINDOWS\SHELLNEW
2007-06-26 18:52 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Microsoft Help
2007-06-26 18:47 <DIR> dr-h----- C:\MSOCache
2007-06-26 16:29 247,866 --a------ C:\WINDOWS\Alcohol_Toolbar_Uninstaller_3265.exe
2007-06-26 16:29 <DIR> d-------- C:\Program Files\Alcohol Toolbar
2007-06-26 16:28 223,128 --a------ C:\WINDOWS\system32\drivers\vaxscsi.sys
2007-06-26 16:28 <DIR> d-------- C:\Program Files\Alcohol Soft
2007-06-26 09:45 1,048,576 --ah----- C:\DOCUME~1\ADMINI~1\NTUSER.DAT
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\WINDOWS
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Symantec
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Sonic
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\SampleView
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\Real
2007-06-26 09:45 <DIR> d-------- C:\DOCUME~1\ADMINI~1\APPLIC~1\interMute
2007-06-26 09:31 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-06-26 09:09 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-24 15:22 <DIR> d---s---- C:\DOCUME~1\Owner\UserData
2007-06-23 14:51 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Help
2007-06-22 16:44 56,320 --a------ C:\WINDOWS\pkill.exe
2007-06-22 16:44 274,424 --a------ C:\WINDOWS\us2.exe
2007-06-22 16:36 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2007-06-22 16:36 21,504 --a------ C:\WINDOWS\system32\hidserv.dll
2007-06-22 16:36 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-06-22 13:27 <DIR> d-------- C:\Program Files\DivX
2007-06-21 07:18 <DIR> d-------- C:\VundoFix Backups
2007-06-20 04:12 <DIR> d-------- C:\Program Files\MSXML 4.0
2007-06-20 01:30 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-19 22:33 <DIR> d-------- C:\WINDOWS\provisioning
2007-06-19 22:33 <DIR> d-------- C:\WINDOWS\peernet
2007-06-19 22:28 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-19 22:17 <DIR> d-------- C:\WINDOWS\EHome
2007-06-17 16:30 <DIR> d-------- C:\Program Files\Flash Player Pro
2007-06-17 16:24 <DIR> d-------- C:\Program Files\Any FLV Player
2007-06-15 19:54 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\Motive
2007-06-15 19:53 682,232 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\win
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S7
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S6
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S2
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\S1
2007-06-15 19:09 <DIR> d-------- C:\WINDOWS\system32\o02PrEz
2007-06-15 19:09 <DIR> d-------- C:\temp\iee
2007-06-14 22:21 26,680 --ah----- C:\WINDOWS\system32\mlfcache.dat
2007-06-12 16:17 <DIR> d-------- C:\temp
2007-06-12 16:13 90,112 --a------ C:\WINDOWS\system32\LXCZCUR.DLL
2007-06-12 16:13 73,728 --a------ C:\WINDOWS\system32\lxczpwr.dll
2007-06-12 16:13 69,632 --a------ C:\WINDOWS\system32\LXCZCU.DLL
2007-06-12 16:13 40,960 --a------ C:\WINDOWS\system32\lxczvs.dll
2007-06-12 16:13 40,960 --a------ C:\WINDOWS\system32\INSTMON.EXE
2007-06-12 16:13 311,296 --a------ C:\WINDOWS\system32\LEXBCES.EXE
2007-06-12 16:13 201,216 --a------ C:\WINDOWS\system32\LEXP2P32.DLL
2007-06-12 16:13 200,704 --a------ C:\WINDOWS\system32\LEXLMPM.DLL
2007-06-12 16:13 198,144 --a------ C:\WINDOWS\system32\LEX2KUSB.DLL
2007-06-12 16:13 174,592 --a------ C:\WINDOWS\system32\LEXPPS.EXE
2007-06-12 16:13 155,648 --a------ C:\WINDOWS\system32\LEXPING.EXE
2007-06-12 16:13 147,456 --a------ C:\WINDOWS\system32\LEXBCE.DLL
2007-06-12 16:12 87,040 --a------ C:\WINDOWS\system32\wiafbdrv.dll
2007-06-12 16:12 15,104 --a------ C:\WINDOWS\system32\drivers\usbscan.sys
2007-06-12 16:10 983,107 --a------ C:\WINDOWS\system32\LXCZGF.DLL
2007-06-12 16:10 69,632 --a------ C:\WINDOWS\system32\lxczscin.dll
2007-06-12 16:10 57,344 --a------ C:\WINDOWS\system32\lxczcinf.dll
2007-06-12 16:10 49,152 --a------ C:\WINDOWS\system32\lxczcoin.dll
2007-06-12 16:10 458,752 --a------ C:\WINDOWS\system32\LXCZJSWR.DLL
2007-06-12 16:10 356,352 --a------ C:\WINDOWS\system32\LXCZUTIL.DLL
2007-06-12 16:10 <DIR> d-------- C:\Program Files\Lexmark 1200 Series
2007-06-12 16:09 <DIR> d-------- C:\Lexmark
2007-06-12 08:27 299,520 --a------ C:\WINDOWS\uninst.exe
2007-06-10 10:48 <DIR> d-------- C:\Program Files\Microsoft Games
2007-06-09 22:04 <DIR> d-------- C:\Program Files\mIRC
2007-06-09 19:18 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\WinRAR
2007-06-09 12:08 <DIR> d--hs---- C:\WINDOWS\ftpcache
2007-06-09 10:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
2007-06-09 09:16 <DIR> d-------- C:\DOCUME~1\Owner\.jpi_cache
2007-06-09 09:10 4,569 --------- C:\WINDOWS\system32\secupd.dat
2007-06-09 09:10 11,776 --------- C:\WINDOWS\system32\spnpinst.exe
2007-06-09 01:01 <DIR> d-------- C:\DOCUME~1\Owner\APPLIC~1\U3


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-09 21:47:01 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\uTorrent
2007-06-26 23:32:45 -------- d-----w C:\Program Files\Microsoft Works
2007-06-23 19:06:12 -------- d--h--w C:\Program Files\InstallShield Installation Information
2007-06-23 19:06:00 -------- d-----w C:\Program Files\PC-Doctor for Windows
2007-06-22 17:27:40 1,299 ----a-w C:\WINDOWS\mozver.dat
2007-06-20 08:16:11 -------- d-----w C:\Program Files\Messenger
2007-06-20 05:34:26 -------- d-----w C:\Program Files\Common Files\Symantec Shared
2007-06-20 05:30:08 -------- d-----w C:\Program Files\Symantec
2007-06-20 02:33:15 -------- d-----w C:\Program Files\Movie Maker
2007-06-20 02:28:12 -------- d-----w C:\Program Files\Windows NT
2007-06-08 20:59:24 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Media Player Classic
2007-06-08 20:06:25 -------- d-----w C:\Program Files\Combined Community Codec Pack
2007-06-08 19:24:56 -------- d--h--w C:\Program Files\WindowsUpdate
2007-06-08 19:20:04 -------- d-----w C:\DOCUME~1\Owner\APPLIC~1\Talkback
2007-06-08 19:19:55 0 ----a-w C:\WINDOWS\nsreg.dat
2007-06-08 19:15:50 -------- d-----w C:\Program Files\uTorrent
2007-06-08 15:01:07 -------- d-----w C:\Program Files\Motorola Wireless
2007-06-08 15:00:37 -------- d-----w C:\Program Files\Common Files\Funk Software
2007-06-08 15:00:36 -------- d-----w C:\Program Files\Funk Software
2007-06-08 13:47:28 -------- d-----w C:\Program Files\Java Web Start
2007-06-08 13:46:02 0 ----a-w C:\WINDOWS\system32\iAlmcoin.dll
2007-06-08 13:45:26 -------- d-----w C:\Program Files\Encarta Online
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-23 00:15:18 200,704 ----a-w C:\WINDOWS\system32\ssldivx.dll
2007-04-23 00:15:18 1,044,480 ----a-w C:\WINDOWS\system32\libdivx.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll [2003-05-15 10:47]
{0ACF00E0-C1E4-4F6B-B290-10AC7505C47A}=C:\Program Files\Alcohol Toolbar\v3.0.0.0\AudioGizmo_Toolbar.dll [2007-06-26 16:29]
{243B17DE-77C7-46BF-B94B-0B5F309A0E64}=C:\Program Files\Microsoft Money\System\mnyside.dll [2002-07-17 21:00]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]
{72853161-30C5-4D22-B7F9-0BBC1D38A37E}=C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL [2006-10-27 00:48]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" [2007-06-11 05:25]
"GrooveMonitor"="C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 00:47]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-18 12:13]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BackupNotify"="c:\Program Files\Hewlett-Packard\Digital Imaging\bin\backupnotify.exe" [2003-06-23 00:25]
"NVIEW"="nview.dll,nViewLoadHook" []
"µTorrent"="C:\Program Files\uTorrent\utorrent.exe" [2007-02-15 16:17]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 03:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\shellexecutehook.dll" [2007-05-30 08:29]
"{B5A7F190-DDA6-4420-B3BA-52453494E6CD}"="C:\PROGRA~1\MICROS~2\Office12\GRA8E1~1.DLL" [2006-10-27 00:48]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\OPXPGina]
C:\Program Files\Softex\OmniPass\opxpgina.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Driver]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\AVG Anti-Spyware Guard]


Contents of the 'Scheduled Tasks' folder
2007-07-09 20:40:43 C:\WINDOWS\tasks\AppleSoftwareUpdate.job
2007-07-10 03:55:01 C:\WINDOWS\tasks\Symantec NetDetect.job

**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-09 23:55:58
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************

Completion time: 2007-07-09 23:58:00
C:\ComboFix-quarantined-files.txt ... 2007-07-09 23:57
C:\ComboFix2.txt ... 2007-06-28 10:56
C:\ComboFix3.txt ... 2007-06-28 08:10

--- E O F ---
I thank all who help me and beforehand I would like to say forgive me if I ask some stupid question. It happens to me a lot and I usually just need someone to say the obvious to me. Although I still live by my motto
"What I say is sealed in my words." or a variant of that. (I have it written down, trust me.)

#12 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 10 July 2007 - 09:25 PM

Please download OTMoveIt by OldTimer.
Save it to the Desktop.


Double-click OTMoveIt.exe to run it.
Copy the file paths below (blue) by highlighting all of them, right-clicking and choosing Copy:

C:\WINDOWS\system32\kujvgwxo.dll
C:\WINDOWS\Alcohol_Toolbar_Uninstaller_3265.exe
C:\WINDOWS\pkill.exe
C:\WINDOWS\system32\mlfcache.dat
C:\WINDOWS\system32\win
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S2
C:\WINDOWS\system32\S1
C:\WINDOWS\system32\o02PrEz


Return to OTMoveIt, right click Paste List of Files/Folders to be moved and choose Paste.
Click the red Moveit! button.

If a file or folder cannot be moved immediately, you are asked to reboot the machine to finish the moving process.
If asked to reboot the machine, choose Yes.

You need to post the log from OTMoveIt located at:

C:\_OTMoveIt\MovedFiles\mmddyyyy_hhmmss.log

Where mmddyyyy_hhmmss is the date the tool was run.
Close OTMoveIt

~~~~
If OTMoveIt does not reboot the computer, please do so now.

~~~~
Please provide the OTMoveIt log in your reply.

Edited by Aaflac, 10 July 2007 - 09:26 PM.

Old duck...


#13 Nekoyasha

Nekoyasha
  • Topic Starter

  • Members
  • 31 posts
  • Location:Sumter SC, USA

Posted 12 July 2007 - 04:56 AM

DllUnregisterServer procedure not found in C:\WINDOWS\system32\kujvgwxo.dll
C:\WINDOWS\system32\kujvgwxo.dll NOT unregistered.
C:\WINDOWS\system32\kujvgwxo.dll moved successfully.
C:\WINDOWS\Alcohol_Toolbar_Uninstaller_3265.exe moved successfully.
C:\WINDOWS\pkill.exe moved successfully.
C:\WINDOWS\system32\mlfcache.dat moved successfully.
C:\WINDOWS\system32\win moved successfully.
C:\WINDOWS\system32\S7 moved successfully.
C:\WINDOWS\system32\S6 moved successfully.
C:\WINDOWS\system32\S2 moved successfully.
C:\WINDOWS\system32\S1 moved successfully.
C:\WINDOWS\system32\o02PrEz moved successfully.

Created on 07/11/2007 09:41:27

There's the log.

#14 Aaflac

Aaflac

    Doin' Dis 'n Dat...


  • Malware Response Team
  • 2,307 posts
  • Gender:Not Telling
  • Location:USA

Posted 12 July 2007 - 11:30 PM

:thumbsup:

Are you still having problems?



#15 Nekoyasha

Nekoyasha
  • Topic Starter

  • Members
  • 31 posts
  • Location:Sumter SC, USA

Posted 13 July 2007 - 03:56 PM

I wasn't home for two days, but at the moment everything seems to be running OK. When it shuts down it's a random event, so I won't know until it happens. Thanks for the help.

Edited by Nekoyasha, 13 July 2007 - 03:57 PM.
