Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Outerinfo!?!? [RESOLVED]

Started by nt6142 , Jan 31 2008 01:15 PM

  • This topic is locked This topic is locked

#1
nt6142
Posted 31 January 2008 - 01:15 PM

nt6142

    Member

  • Member
  • PipPip
  • 16 posts
kids were using pc said a window popped up and it was a "windows" memory error i clicked ok on three of them before i saw that the grammar was wrong..i got hit. i have weird icons on the desktop when i use properites find target it opens a webpage. i have mcafee doesnt help...i got spybot..it finds stuff over and over and over etc... i got avast and it is controlling things but it is still there see what you guys can do...i give up...and i WORK on windows machines for a living.

here is the hijack file..
im gonna play stalker for about an hour and check back...
:)
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:06:24 PM, on 1/31/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmaila.juno...ount=1199886977
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM07360ebd] Rundll32.exe "C:\WINDOWS\system32\kbuxyaww.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3640 bytes
  • 0

Advertisements

#2
Essexboy
Posted 31 January 2008 - 03:30 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Ok methinks I see the problem so first

Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

You have some infections that target Hijackthis.
I will need you to rename Hijackthis:
To do this:*Go to Start
*Right click and choose Explore
*Navigate to this location C:\Program Files\TrendMicro\Hijackthis
*Open the Hijackthis folder
*Right click on the Hijackthis icon and click rename
*rename it to Gotcha

Then re-run Gotcha and post that along with the Combofix log
  • 0

#3
nt6142
Posted 01 February 2008 - 01:41 AM

nt6142

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
ok here is Combo fix:
ComboFix 08-02.01.5 - Nate 2008-02-01 2:17:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1536 [GMT -5:00]
Running from: C:\Documents and Settings\Nate\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\wvusssp.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Helper
C:\WINDOWS\system32\drvtonr.dll
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jqxrufrx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\wvusssp.dll

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 02:22 . 2008-02-01 02:22 54,680 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx
2008-01-31 14:06 . 2008-01-31 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 23:50 . 2008-01-29 23:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-29 23:50 . 2003-03-18 16:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-29 23:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 23:50 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-29 23:50 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 23:50 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 23:50 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 23:50 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 23:50 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 23:50 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 23:34 . 2008-01-29 23:35 204 --a------ C:\WINDOWS\wininit.ini
2008-01-29 13:16 . 2008-01-30 00:36 22 --a------ C:\WINDOWS\pskt.ini
2008-01-29 01:23 . 2008-01-29 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 01:08 . 2008-01-29 01:08 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2008-01-29 00:58 . 2008-01-29 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-18 01:40 . 2008-01-27 03:25 <DIR> d-------- C:\Program Files\Steam
2008-01-10 21:36 . 2008-01-10 21:44 <DIR> d-------- C:\Documents and Settings\Nate\Application Data\Ventrilo
2008-01-10 21:33 . 2008-01-10 21:33 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-10 21:33 . 2008-01-10 21:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 13:46 . 2008-01-12 12:13 <DIR> d-------- C:\Sshock2
2008-01-09 13:36 . 2008-01-09 13:48 285 --a------ C:\WINDOWS\EReg072.dat
2008-01-09 13:35 . 1998-09-02 03:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-01-09 13:35 . 1998-08-26 23:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2008-01-09 13:35 . 1998-08-20 06:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-01-09 13:35 . 1998-09-02 03:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-01-09 13:35 . 1998-09-02 03:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-01-09 13:35 . 1998-08-17 04:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-01-09 13:35 . 1998-08-17 04:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-01-09 13:35 . 1998-08-17 04:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-01-09 13:35 . 2008-01-09 13:35 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2008-01-09 13:35 . 2008-01-09 13:35 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2008-01-09 13:33 . 2008-01-09 13:33 <DIR> d-------- C:\Documents and Settings\Nate\WINDOWS
2008-01-09 13:33 . 1998-10-02 19:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-01-09 13:31 . 2008-01-27 03:24 <DIR> d-------- C:\Documents and Settings\Nate\Application Data\IGN_DLM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 10:33 --------- d-----w C:\Program Files\THQ
2008-01-09 15:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 15:24 --------- d-----w C:\Program Files\EA GAMES
2008-01-08 01:21 --------- d-----w C:\Documents and Settings\Nate\Application Data\Bioshock
2007-12-26 02:32 --------- d-----w C:\Program Files\Codemasters
2007-12-26 02:30 40,960 ----a-w C:\WINDOWS\_ds7.tmp
2007-12-26 02:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 04:43 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-15 05:00 --------- d-----w C:\Program Files\2K Games
2007-12-15 05:00 --------- d-----w C:\Documents and Settings\Nate\Application Data\InstallShield
2007-12-11 06:20 --------- d--h--r C:\Documents and Settings\Nate\Application Data\SecuROM
2007-12-11 06:02 --------- d-----w C:\Program Files\Flagship Studios
2007-12-09 19:48 --------- d-----w C:\Program Files\Ubisoft
2007-12-09 11:36 --------- d-----w C:\Documents and Settings\Nate\Application Data\AdobeUM
2007-12-09 11:35 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-09 11:08 --------- d-----w C:\Program Files\Creative
2007-12-09 11:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-09 11:07 --------- d-----w C:\Documents and Settings\Nate\Application Data\Creative
2007-12-09 11:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2007-12-09 10:33 --------- d-----w C:\Program Files\Broadcom
2007-12-09 10:26 --------- d--h--w C:\Program Files\Uninstall Information
2007-12-09 10:22 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54475CED-26A9-4779-BA74-318C4A0AE577}]
C:\WINDOWS\system32\awvvv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Secure"="C:\WINDOWS\WindowsUpdates.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"BM07360ebd"="C:\WINDOWS\system32\kbuxyaww.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drlvwatv]
drlvwatv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-10-29 06:31 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2005-10-29 06:31 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 17:14 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 17:14 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
C:\Program Files\Outerinfo\Outerinfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
C:\Program Files\Outerinfo\OuterinfoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-18 01:41 1266936 C:\Program Files\Steam\Steam.exe

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-10-29 06:16]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 02:23:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-01 2:26:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 07:26:31
.
2008-01-10 03:55:52 --- E O F ---


here is combo fix quarantined files list:
2008-01-09 17:13 4232 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-01-09 17:13 4617 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2008-01-29 00:49 39424 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wvusssp.dll.vir
2008-01-29 00:50 15360 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drvtonr.dll.vir
2008-01-29 23:49 371823 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vvvwa.ini2.vir
2008-01-29 23:51 371823 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vvvwa.ini.vir
2008-01-30 00:41 332288 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkji.dll.vir
2008-01-30 00:52 1167357 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jqxrufrx.ini.vir
2008-01-30 11:05 143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-02-01 02:17 367239 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ijkkj.ini2.vir
2008-02-01 02:19 367362 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ijkkj.ini.vir
2008-02-01 02:19 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.dat
2008-02-01 02:20 309 --a------ C:\Qoobox\Quarantine\catchme.log
2008-02-01 02:20 325126 --a------ C:\Qoobox\Quarantine\catchme2008-02-01_ 22318.35.zip

here is "Gotcha" log file:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:39 AM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Gotcha.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmaila.juno...ount=1201851051
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54475CED-26A9-4779-BA74-318C4A0AE577} - C:\WINDOWS\system32\awvvv.dll (file missing)
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM07360ebd] Rundll32.exe "C:\WINDOWS\system32\kbuxyaww.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O20 - Winlogon Notify: drlvwatv - drlvwatv.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4109 bytes

All id love to hear is ALL FIXED!!!
lol
and BTW. thanks for all your time!! it is much appreciated. :)
  • 0

#4
nt6142
Posted 01 February 2008 - 01:43 AM

nt6142

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
ALSO!!!! when windows laoded after combo fix ran i got a windows error window from RUN.DLL that said it couldnt run this...C:\WINDOWS\system32\kbuxyaww.dll" [ ]
  • 0

#5
Essexboy
Posted 01 February 2008 - 10:01 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts

All id love to hear is ALL FIXED!!!

Not quite

ALSO!!!! when windows laoded after combo fix ran i got a windows error window from RUN.DLL that said it couldnt run this...C:\WINDOWS\system32\kbuxyaww.dll" [ ]

As if by magic after this fix it will disappear :)

1. Please open Notepad
  • Click Start , then Run
  • Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

File::
C:\WINDOWS\system32\everybodybets.32x32.4.ico
C:\WINDOWS\system32\awvvv.dll
C:\WINDOWS\system32\kbuxyaww.dll
C:\WINDOWS\WindowsUpdates.exe
C:\WINDOWS\_ds7.tmp

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54475CED-26A9-4779-BA74-318C4A0AE577}]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drlvwatv]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BM07360ebd"=-
"Secure"=-

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image


5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:
  • Combofix.txt
  • A new HijackThis log.
Plus how is your computer running now ?
  • 0

#6
nt6142
Posted 02 February 2008 - 09:39 PM

nt6142

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
:) here are the log files!!
hijackthis:Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:27:56 PM, on 2/2/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\Gotcha.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmaila.juno...ount=1201851051
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54475CED-26A9-4779-BA74-318C4A0AE577} - C:\WINDOWS\system32\awvvv.dll (file missing)
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3858 bytes

combofix:
ComboFix 08-02.01.5 - Nate 2008-02-01 2:17:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1536 [GMT -5:00]
Running from: C:\Documents and Settings\Nate\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\wvusssp.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Helper
C:\WINDOWS\system32\drvtonr.dll
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jqxrufrx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\wvusssp.dll

----- BITS: Possible infected sites -----

hxxp://au.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 02:22 . 2008-02-01 02:22 54,680 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx
2008-01-31 14:06 . 2008-01-31 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 23:50 . 2008-01-29 23:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-29 23:50 . 2003-03-18 16:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-29 23:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 23:50 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-29 23:50 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 23:50 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 23:50 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 23:50 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 23:50 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 23:50 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 23:34 . 2008-01-29 23:35 204 --a------ C:\WINDOWS\wininit.ini
2008-01-29 13:16 . 2008-01-30 00:36 22 --a------ C:\WINDOWS\pskt.ini
2008-01-29 01:23 . 2008-01-29 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 01:08 . 2008-01-29 01:08 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2008-01-29 00:58 . 2008-01-29 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-18 01:40 . 2008-01-27 03:25 <DIR> d-------- C:\Program Files\Steam
2008-01-10 21:36 . 2008-01-10 21:44 <DIR> d-------- C:\Documents and Settings\Nate\Application Data\Ventrilo
2008-01-10 21:33 . 2008-01-10 21:33 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-10 21:33 . 2008-01-10 21:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 13:46 . 2008-01-12 12:13 <DIR> d-------- C:\Sshock2
2008-01-09 13:36 . 2008-01-09 13:48 285 --a------ C:\WINDOWS\EReg072.dat
2008-01-09 13:35 . 1998-09-02 03:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-01-09 13:35 . 1998-08-26 23:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2008-01-09 13:35 . 1998-08-20 06:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-01-09 13:35 . 1998-09-02 03:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-01-09 13:35 . 1998-09-02 03:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-01-09 13:35 . 1998-08-17 04:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-01-09 13:35 . 1998-08-17 04:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-01-09 13:35 . 1998-08-17 04:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-01-09 13:35 . 2008-01-09 13:35 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2008-01-09 13:35 . 2008-01-09 13:35 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2008-01-09 13:33 . 2008-01-09 13:33 <DIR> d-------- C:\Documents and Settings\Nate\WINDOWS
2008-01-09 13:33 . 1998-10-02 19:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-01-09 13:31 . 2008-01-27 03:24 <DIR> d-------- C:\Documents and Settings\Nate\Application Data\IGN_DLM

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 10:33 --------- d-----w C:\Program Files\THQ
2008-01-09 15:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 15:24 --------- d-----w C:\Program Files\EA GAMES
2008-01-08 01:21 --------- d-----w C:\Documents and Settings\Nate\Application Data\Bioshock
2007-12-26 02:32 --------- d-----w C:\Program Files\Codemasters
2007-12-26 02:30 40,960 ----a-w C:\WINDOWS\_ds7.tmp
2007-12-26 02:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 04:43 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-15 05:00 --------- d-----w C:\Program Files\2K Games
2007-12-15 05:00 --------- d-----w C:\Documents and Settings\Nate\Application Data\InstallShield
2007-12-11 06:20 --------- d--h--r C:\Documents and Settings\Nate\Application Data\SecuROM
2007-12-11 06:02 --------- d-----w C:\Program Files\Flagship Studios
2007-12-09 19:48 --------- d-----w C:\Program Files\Ubisoft
2007-12-09 11:36 --------- d-----w C:\Documents and Settings\Nate\Application Data\AdobeUM
2007-12-09 11:35 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-09 11:08 --------- d-----w C:\Program Files\Creative
2007-12-09 11:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-09 11:07 --------- d-----w C:\Documents and Settings\Nate\Application Data\Creative
2007-12-09 11:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2007-12-09 10:33 --------- d-----w C:\Program Files\Broadcom
2007-12-09 10:26 --------- d--h--w C:\Program Files\Uninstall Information
2007-12-09 10:22 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54475CED-26A9-4779-BA74-318C4A0AE577}]
C:\WINDOWS\system32\awvvv.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Secure"="C:\WINDOWS\WindowsUpdates.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"BM07360ebd"="C:\WINDOWS\system32\kbuxyaww.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drlvwatv]
drlvwatv.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-10-29 06:31 16384 C:\WINDOWS\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2005-10-29 06:31 18944 C:\WINDOWS\system32\CTXFIHLP.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 17:14 8491008 C:\WINDOWS\system32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 17:14 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
C:\Program Files\Outerinfo\Outerinfo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
C:\Program Files\Outerinfo\OuterinfoUpdate.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-18 01:41 1266936 C:\Program Files\Steam\Steam.exe

R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-10-29 06:16]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 02:23:41
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-01 2:26:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 07:26:31
.
2008-01-10 03:55:52 --- E O F ---

Machine is running smoother than it has in 6 months or longer, AND the run.dll 32 berror is gone!!!

Thanks a bunch!!

:)
  • 0

#7
Essexboy
Posted 03 February 2008 - 06:16 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Hi again - there are a few that are proving a PITA. They can run but they can't hide this time I will kill them :)

Download and run ERUNT http://www.larsheder...nline.de/erunt/

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click "..." to browse your computer's drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.


Next, select the backup options:

- System registry:

- Current user registy: .

- Other open user registries:

Click "OK" and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

WARNING these fixes are designed for this user only and may cause damage if run on an uninfected machine

REGISTRY FIX

REGEDIT4

[-HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54475CED-26A9-4779-BA74-318C4A0AE577}]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drlvwatv]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Secure"=-
"BM07360ebd"=-


Next you will need to create the repair registry fix to do that copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop Posted Image

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

NOW FOR THE REMNANTS

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.
  • Close ALL OTHER PROGRAMS.
  • Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
  • Now click the Run Scan button on the toolbar.
  • Let it run unhindered until it finishes.
  • When the scan is complete Notepad will open with the report file loaded in it.
  • Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.
Use the Add Reply button and attach the log. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
  • 0

#8
Essexboy
Posted 09 February 2008 - 11:21 AM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#9
Essexboy
Posted 12 February 2008 - 04:35 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
User returned
  • 0

#10
nt6142
Posted 13 February 2008 - 02:01 AM

nt6142

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
:) sorry about the absence, here is the log file:

WinPFind3 logfile created on: 2/12/2008 4:51:10 PM
WinPFind3U by OldTimer - Version 1.0.44 Folder = C:\Documents and Settings\Nate\Desktop\WinPFind3u\
Microsoft Windows XP Service Pack 2 (Version = 5.1.2600)
Internet Explorer (Version = 7.0.5730.13)

2.00 Gb Total Physical Memory | 1.66 Gb Available Physical Memory | 82.85% Memory free
3.85 Gb Paging File | 3.64 Gb Available in Paging File | 94.63% Paging File free
Paging file location(s): C:\pagefile.sys 2046 4092;

%SystemDrive% = C: | %SystemRoot% = C:\WINDOWS | %ProgramFiles% = C:\Program Files
Drive C: | 37.27 Gb Total Space | 8.14 Gb Free Space | 21.84% Space Free
Drive D: | 71.58 Gb Total Space | 50.77 Gb Free Space | 70.93% Space Free
E: Drive not present or media not loaded
F: Drive not present or media not loaded

Computer Name: NATE-39
Current User Name: Nate
Logged in as Administrator.
Current Boot Mode: Normal


[Processes - Non-Microsoft Only]
ashdisp.exe -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 8:00:24 AM | Attr = ]
ashserv.exe -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 8:00:16 AM | Attr = ]
aswupdsv.exe -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 9:36:34 AM | Attr = ]
nvsvc32.exe -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 155716 bytes | Modified Date = 10/4/2007 5:14:00 PM | Attr = ]
winpfind3u.exe -> %UserDesktop%\WinPFind3u\WinPFind3U.exe -> OldTimer Tools [Ver = 1.0.44.0 | Size = 371200 bytes | Modified Date = 11/21/2007 9:19:46 AM | Attr = ]

[Win32 Services - Non-Microsoft Only]
(aswUpdSv) avast! iAVS4 Control Service [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\aswUpdSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 17272 bytes | Modified Date = 12/4/2007 9:36:34 AM | Attr = ]
(avast! Antivirus) avast! Antivirus [Win32_Own | Auto | Running] -> %ProgramFiles%\Alwil Software\Avast4\ashServ.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 140664 bytes | Modified Date = 12/4/2007 8:00:16 AM | Attr = ]
(avast! Mail Scanner) avast! Mail Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashMaiSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 247160 bytes | Modified Date = 12/4/2007 7:59:54 AM | Attr = ]
(avast! Web Scanner) avast! Web Scanner [Win32_Own | On_Demand | Stopped] -> %ProgramFiles%\Alwil Software\Avast4\ashWebSv.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 345464 bytes | Modified Date = 12/4/2007 7:59:02 AM | Attr = ]
(dmadmin) Logical Disk Manager Administrative Service [Win32_Shared | On_Demand | Stopped] -> %System32%\dmadmin.exe -> Microsoft Corp., Veritas Software [Ver = 2600.2180.503.0 | Size = 224768 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
(NVSvc) NVIDIA Display Driver Service [Win32_Own | Auto | Running] -> %System32%\nvsvc32.exe -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 155716 bytes | Modified Date = 10/4/2007 5:14:00 PM | Attr = ]

[Registry - Non-Microsoft Only]
< Run [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run ->
avast! -> %ProgramFiles%\Alwil Software\Avast4\ashDisp.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 79224 bytes | Modified Date = 12/4/2007 8:00:24 AM | Attr = ]
KernelFaultCheck -> -> File not found
NvCplDaemon -> %System32%\nvcpl.dll [RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup] -> NVIDIA Corporation [Ver = 6.14.11.6375 | Size = 8491008 bytes | Modified Date = 10/4/2007 5:14:00 PM | Attr = ]
UpdReg -> %SystemRoot%\Updreg.EXE -> Creative Technology Ltd. [Ver = 1.0.2 | Size = 90112 bytes | Modified Date = 5/11/2000 1:00:00 AM | Attr = ]
UserFaultCheck -> -> File not found
VolPanel -> %ProgramFiles%\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe -> Creative Technology Ltd [Ver = 1.0.52.0 | Size = 122880 bytes | Modified Date = 10/14/2005 11:01:06 AM | Attr = ]
< OptionalComponents [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OptionalComponents\ ->
IMAIL -> Installed = 1 ->
MAPI -> Installed = 1 ->
MSFS -> Installed = 1 ->
< User Startup > -> C:\Documents and Settings\Nate\Start Menu\Programs\Startup ->
%UserStartup%\ERUNT AutoBackup.lnk -> %ProgramFiles%\ERUNT\AUTOBACK.EXE -> [Ver = | Size = 38912 bytes | Modified Date = 10/20/2005 12:04:08 PM | Attr = ]
< SecurityProviders [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\\SecurityProviders ->
< Winlogon settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< Winlogon settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon ->
< CurrentVersion Policy Settings [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveAutoRun -> 67108863 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 255 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{BDEADF00-C265-11D0-BCED-00A0C90AB50F} -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{6DFD7C5C-2451-11d3-A299-00C04F8EF6AF} -> 1073741857 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\NonEnum\\{0DF44EAA-FF21-4412-828E-260A8728E7F1} -> 32 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\dontdisplaylastusername -> 0 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticecaption -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\legalnoticetext -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\shutdownwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\\undockwithoutlogon -> 1 ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Uninstall\ -> ->
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< CurrentVersion Policy Settings [HKCU] > -> HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\ActiveDesktop\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Associations\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\\NoDriveTypeAutoRun -> 145 ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system\ -> ->
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\WindowsUpdate\ -> ->
< HOSTS File > (27 bytes) -> C:\WINDOWS\System32\drivers\etc\Hosts ->
127.0.0.1 localhost -> ->
< Internet Explorer Settings > -> ->
HKLM: Default_Page_URL -> http://go.microsoft....k/?LinkId=69157 ->
HKLM: Main\\Default_Search_URL -> http://go.microsoft....k/?LinkId=54896 ->
HKLM: Local Page -> %SystemRoot%\system32\blank.htm ->
HKLM: Search Page -> http://go.microsoft....k/?LinkId=54896 ->
HKLM: Start Page -> http://go.microsoft....k/?LinkId=69157 ->
HKLM: CustomizeSearch -> http://ie.search.msn...st/srchcust.htm ->
HKLM: SearchAssistant -> http://ie.search.msn...st/srchasst.htm ->
HKCU: Local Page -> C:\WINDOWS\system32\blank.htm ->
HKCU: Search Page -> http://www.microsoft...amp;ar=iesearch ->
HKCU: Start Page -> http://my.juno.com/s/sp?cf=www ->
HKCU: ProxyEnable -> 0 ->
< Trusted Sites > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains\ ->
msn.com [ - ] -> ->
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\ ->
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} [HKLM] -> %ProgramFiles%\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [AcroIEHlprObj Class] -> Adobe Systems Incorporated [Ver = 7.0.0.2004121400 | Size = 63136 bytes | Modified Date = 12/14/2004 1:56:50 AM | Attr = ]
{53707962-6F74-2D53-2644-206D7942484F} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [Spybot-S&D IE Protection] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
{54475CED-26A9-4779-BA74-318C4A0AE577} [HKLM] -> %System32%\awvvv.dll [Reg Data - Value does not exist] -> File not found
< Internet Explorer Extensions [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Extensions\ ->
{DFB852A3-47F8-48C4-A200-58CAB36FD2A2} [HKLM] -> %ProgramFiles%\Spybot - Search & Destroy\SDHelper.dll [MenuText: Spybot - Search & Destroy Configuration] -> Safer Networking Limited [Ver = 1, 5, 0, 8 | Size = 1122128 bytes | Modified Date = 8/31/2007 4:46:14 PM | Attr = ]
{e2e2dd38-d088-4134-82b7-f2ba38496583} [HKLM] -> Reg Data - Key not found [MenuText: @xpsp3res.dll,-20001] -> File not found
< DNS Name Servers [HKLM] > -> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Adapters\ ->
{C6632BD1-2D23-4213-81B0-E0921D5721EB} -> (Intel® PRO/100 VE Network Connection) ->
< Protocol Handlers [HKLM] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ ->
ipp -> Reg Data - Key not found -> File not found
msdaipp -> Reg Data - Key not found -> File not found
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\ ->
{17492023-C23A-453E-A040-C7C580BBF700} -> Windows Genuine Advantage Validation Tool - CodeBase = http://download.micr...heckControl.cab ->
{39B0684F-D7BF-4743-B050-FDC3F48F7E3B} -> - CodeBase = http://www.fileplane...C_2.3.6.108.cab ->
{8FFBE65D-2C9C-4669-84BD-5829DC0B603C} -> - CodeBase = http://fpdownload.ma...t/ultrashim.cab ->


[Files/Folders - Created Within 30 days]
QooBox -> %SystemDrive%\QooBox -> [Folder | Created Date = 2/1/2008 2:15:28 AM | Attr = ]
erdnt -> %SystemRoot%\erdnt -> [Folder | Created Date = 2/1/2008 2:16:00 AM | Attr = ]
Minidump -> %SystemRoot%\Minidump -> [Folder | Created Date = 2/6/2008 2:37:04 PM | Attr = ]
Nircmd.exe -> %SystemRoot%\Nircmd.exe -> NirSoft [Ver = 2.00 | Size = 51200 bytes | Created Date = 2/1/2008 2:15:17 AM | Attr = ]
pskt.ini -> %SystemRoot%\pskt.ini -> [Ver = | Size = 22 bytes | Created Date = 1/29/2008 1:16:40 PM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 204 bytes | Created Date = 1/29/2008 11:34:53 PM | Attr = ]
actskin4.ocx -> %System32%\actskin4.ocx -> [Ver = 4, 2, 7, 3 | Size = 380928 bytes | Created Date = 1/29/2008 11:50:39 PM | Attr = ]
aswBoot.exe -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Created Date = 1/29/2008 11:50:39 PM | Attr = ]
AvastSS.scr -> %System32%\AvastSS.scr -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 95608 bytes | Created Date = 1/29/2008 11:50:52 PM | Attr = ]
BMXStateBkp-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx -> %System32%\BMXStateBkp-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx -> [Ver = | Size = 54680 bytes | Created Date = 2/1/2008 2:22:23 AM | Attr = ]
swreg.exe -> %System32%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Created Date = 2/1/2008 2:15:17 AM | Attr = ]
swsc.exe -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Created Date = 2/1/2008 2:15:17 AM | Attr = ]
swxcacls.exe -> %System32%\swxcacls.exe -> SteelWerX [Ver = 1.0.1.1 | Size = 212480 bytes | Created Date = 2/1/2008 2:15:17 AM | Attr = ]
VFind.exe -> %System32%\VFind.exe -> [Ver = | Size = 49152 bytes | Created Date = 2/1/2008 2:15:17 AM | Attr = ]
aavmker4.sys -> %System32%\drivers\aavmker4.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 26624 bytes | Created Date = 1/29/2008 11:50:55 PM | Attr = ]
aswmon.sys -> %System32%\drivers\aswmon.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 93264 bytes | Created Date = 1/29/2008 11:50:48 PM | Attr = ]
aswmon2.sys -> %System32%\drivers\aswmon2.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 94544 bytes | Created Date = 1/29/2008 11:50:48 PM | Attr = ]
aswRdr.sys -> %System32%\drivers\aswRdr.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 23152 bytes | Created Date = 1/29/2008 11:50:57 PM | Attr = ]
aswTdi.sys -> %System32%\drivers\aswTdi.sys -> ALWIL Software [Ver = 4.7.1098.0 | Size = 42912 bytes | Created Date = 1/29/2008 11:50:56 PM | Attr = ]

[Files/Folders - Modified Within 30 days]
boot.ini -> %SystemDrive%\boot.ini -> [Ver = | Size = 211 bytes | Modified Date = 1/29/2008 6:01:52 AM | Attr = HS]
Program Files -> %ProgramFiles% -> [Folder | Modified Date = 2/12/2008 4:39:58 PM | Attr = R ]
QooBox -> %SystemDrive%\QooBox -> [Folder | Modified Date = 2/2/2008 10:24:32 PM | Attr = ]
WINDOWS -> %SystemRoot% -> [Folder | Modified Date = 2/6/2008 2:37:06 PM | Attr = ]
bootstat.dat -> %SystemRoot%\bootstat.dat -> [Ver = | Size = 2048 bytes | Modified Date = 2/12/2008 4:28:02 PM | Attr = S]
erdnt -> %SystemRoot%\erdnt -> [Folder | Modified Date = 2/12/2008 4:40:14 PM | Attr = ]
Help -> %SystemRoot%\Help -> [Folder | Modified Date = 1/23/2008 2:23:14 AM | Attr = ]
inf -> %SystemRoot%\inf -> [Folder | Modified Date = 1/29/2008 1:14:22 AM | Attr = H ]
Installer -> %SystemRoot%\Installer -> [Folder | Modified Date = 1/27/2008 3:24:38 AM | Attr = HS]
Minidump -> %SystemRoot%\Minidump -> [Folder | Modified Date = 2/6/2008 2:37:06 PM | Attr = ]
Prefetch -> %SystemRoot%\Prefetch -> [Folder | Modified Date = 2/12/2008 4:44:54 PM | Attr = ]
pskt.ini -> %SystemRoot%\pskt.ini -> [Ver = | Size = 22 bytes | Modified Date = 1/30/2008 12:36:46 AM | Attr = ]
system.ini -> %SystemRoot%\system.ini -> [Ver = | Size = 227 bytes | Modified Date = 2/2/2008 10:24:42 PM | Attr = ]
system32 -> %System32% -> [Folder | Modified Date = 2/2/2008 10:24:32 PM | Attr = ]
Tasks -> %SystemRoot%\Tasks -> [Folder | Modified Date = 2/1/2008 2:20:36 AM | Attr = S]
Temp -> %SystemRoot%\Temp -> [Folder | Modified Date = 2/12/2008 4:30:48 PM | Attr = ]
win.ini -> %SystemRoot%\win.ini -> [Ver = | Size = 477 bytes | Modified Date = 1/29/2008 6:01:52 AM | Attr = ]
wininit.ini -> %SystemRoot%\wininit.ini -> [Ver = | Size = 204 bytes | Modified Date = 1/29/2008 11:35:04 PM | Attr = ]
SA.DAT -> %SystemRoot%\tasks\SA.DAT -> [Ver = | Size = 6 bytes | Modified Date = 2/12/2008 4:28:08 PM | Attr = H ]
BMXState-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx -> %System32%\BMXState-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx -> [Ver = | Size = 54680 bytes | Modified Date = 2/12/2008 5:10:08 AM | Attr = ]
BMXStateBkp-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx -> %System32%\BMXStateBkp-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx -> [Ver = | Size = 54680 bytes | Modified Date = 2/12/2008 5:10:08 AM | Attr = ]
CatRoot2 -> %System32%\CatRoot2 -> [Folder | Modified Date = 2/10/2008 1:44:34 PM | Attr = ]
config -> %System32%\config -> [Folder | Modified Date = 2/1/2008 2:21:54 AM | Attr = ]
CONFIG.NT -> %System32%\CONFIG.NT -> [Ver = | Size = 2626 bytes | Modified Date = 1/29/2008 11:50:56 PM | Attr = ]
drivers -> %System32%\drivers -> [Folder | Modified Date = 2/2/2008 10:24:26 PM | Attr = ]
DVCState-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx -> %System32%\DVCState-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx -> [Ver = | Size = 64984 bytes | Modified Date = 2/12/2008 5:10:08 AM | Attr = ]
settings.sfm -> %System32%\settings.sfm -> [Ver = | Size = 1080 bytes | Modified Date = 2/12/2008 5:10:08 AM | Attr = ]
settingsbkup.sfm -> %System32%\settingsbkup.sfm -> [Ver = | Size = 1080 bytes | Modified Date = 2/12/2008 5:10:08 AM | Attr = ]
wpa.dbl -> %System32%\wpa.dbl -> [Ver = | Size = 13646 bytes | Modified Date = 2/12/2008 4:28:04 PM | Attr = ]
etc -> %System32%\drivers\etc -> [Folder | Modified Date = 2/1/2008 2:23:12 AM | Attr = ]

[File String Scan - Non-Microsoft Only]
UPX! , UPX0 , -> %System32%\aswBoot.exe -> ALWIL Software [Ver = 4, 7, 1098, 0 | Size = 837496 bytes | Modified Date = 12/4/2007 8:04:28 AM | Attr = ]
PEC2 , -> %System32%\dfrg.msc -> [Ver = | Size = 41397 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swreg.exe -> SteelWerX [Ver = 3.0.0.0 | Size = 161792 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
UPX! , UPX0 , -> %System32%\swsc.exe -> SteelWerX [Ver = 2.0.0.5 | Size = 136704 bytes | Modified Date = 8/31/2000 8:00:00 AM | Attr = ]
winsync , -> %System32%\wbdbase.deu -> [Ver = | Size = 1309184 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]
WSUD , UPX0 , -> %System32%\dllcache\hwxjpn.dll -> [Ver = | Size = 13463552 bytes | Modified Date = 8/4/2004 7:00:00 AM | Attr = ]

< End of report >

am i cured?!?!
  • 0

#11
Essexboy
Posted 13 February 2008 - 12:36 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Near enough just one smidgeon to remove :)

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< BHO's > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YN -> {54475CED-26A9-4779-BA74-318C4A0AE577} [HKLM] -> %System32%\awvvv.dll [Reg Data - Value does not exist]
[Empty Temp Folders]


The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. CLick the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.
  • 0

#12
nt6142
Posted 13 February 2008 - 01:47 PM

nt6142

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
here is the winpfind log:
[Registry - Non-Microsoft Only]
Registry key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{54475CED-26A9-4779-BA74-318C4A0AE577} not found.
[Empty Temp Folders]
C:\DOCUME~1\Nate\LOCALS~1\Temp\ -> emptied.
C:\Documents and Settings\Nate\Local Settings\Temporary Internet Files\Content.IE5\ -> emptied
RecycleBin -> emptied.
< End of log >
Created on 02/13/2008 14:38:34

and hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:44:35 PM, on 2/13/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Thunderbird\thunderbird.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\Nate\Desktop\WinPFind3u\WinPFind3U.exe
C:\WINDOWS\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Gotcha.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://my.juno.com/s/sp?cf=www
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Startup: ERUNT AutoBackup.lnk = C:\Program Files\ERUNT\AUTOBACK.EXE
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4043 bytes
when i did the winpfind it told me i had to restart to finish removal, i did and the log file never showed up when it restarted...so i ran the fix again and clicked no to the restart and i got the log file that i posted above

i installed thunderbird and firefox today let me know if i was wrong to do so?!?!?

Nate
  • 0

#13
Essexboy
Posted 13 February 2008 - 04:06 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Not at all - in fact if you are exeriencing no further problems

Da Da .......

Now the best part of the day ----- Your log now appears clean :)

You may now delete the programmes I had you download


Now to get you off to a good start we will re-set your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your your restore point but this is my method:

1. Select Start > All Programs > Accessories > System tools > System Restore.
2. On the dialogue box that appears select Create a Restore Point
3. Click NEXT
4. Enter a name e.g. Clean
5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
2. In the Drop down box that appears select your main drive e.g. C
3. Click OK
4. The System will do some calculation and the display a dialogue box with TABS
5. Select the More Options Tab.
6. At the bottom will be a system restore box with a CLEANUP button click this
7. Accept the Warning and select OK again, the program will close and you are done



Now that you are clean, to help protect your computer in the future I recommend that you get the following free program: It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit

To learn more about how to protect yourself while on the internet read this article by Tony Klien: So how did I get infected in the first place?


Keep safe :)
  • 0

#14
nt6142
Posted 14 February 2008 - 01:22 AM

nt6142

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
thanks for all the help....ill have a talk with the young-uns and set up my system for safer browsing..

Nate
  • 0

#15
Essexboy
Posted 14 February 2008 - 12:11 PM

Essexboy

    GeekU Moderator

  • Retired Staff
  • 69,964 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP