OK, here is ComboFix:
ComboFix 08-02.01.5 - Nate 2008-02-01 2:17:00.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1536 [GMT -5:00]
Running from: C:\Documents and Settings\Nate\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\wvusssp.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\Helper
C:\WINDOWS\system32\drvtonr.dll
C:\WINDOWS\system32\ijkkj.ini
C:\WINDOWS\system32\ijkkj.ini2
C:\WINDOWS\system32\jkkji.dll
C:\WINDOWS\system32\jqxrufrx.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\vvvwa.ini
C:\WINDOWS\system32\vvvwa.ini2
C:\WINDOWS\system32\wvusssp.dll
----- BITS: Possible infected sites -----
hxxp://au.download.windowsupdate.com
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.
-------\LEGACY_DOMAINSERVICE
((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.
2008-02-01 02:22 . 2008-02-01 02:22 54,680 --a------ C:\WINDOWS\system32\BMXStateBkp-{00000002-00000000-00000001-00001102-00000005-00211102}.rfx
2008-01-31 14:06 . 2008-01-31 14:06 <DIR> d-------- C:\Program Files\Trend Micro
2008-01-29 23:50 . 2008-01-29 23:50 <DIR> d-------- C:\Program Files\Alwil Software
2008-01-29 23:50 . 2003-03-18 16:20 1,060,864 --a------ C:\WINDOWS\system32\MFC71.dll
2008-01-29 23:50 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-29 23:50 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-29 23:50 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-29 23:50 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-29 23:50 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-29 23:50 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-29 23:50 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-29 23:50 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-29 23:34 . 2008-01-29 23:35 204 --a------ C:\WINDOWS\wininit.ini
2008-01-29 13:16 . 2008-01-30 00:36 22 --a------ C:\WINDOWS\pskt.ini
2008-01-29 01:23 . 2008-01-29 01:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-29 01:08 . 2008-01-29 01:08 4,286 --a------ C:\WINDOWS\system32\everybodybets.32x32.4.ico
2008-01-29 00:58 . 2008-01-29 15:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-01-18 01:40 . 2008-01-27 03:25 <DIR> d-------- C:\Program Files\Steam
2008-01-10 21:36 . 2008-01-10 21:44 <DIR> d-------- C:\Documents and Settings\Nate\Application Data\Ventrilo
2008-01-10 21:33 . 2008-01-10 21:33 <DIR> d-------- C:\Program Files\Ventrilo
2008-01-10 21:33 . 2008-01-10 21:33 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-09 13:46 . 2008-01-12 12:13 <DIR> d-------- C:\Sshock2
2008-01-09 13:36 . 2008-01-09 13:48 285 --a------ C:\WINDOWS\EReg072.dat
2008-01-09 13:35 . 1998-09-02 03:02 194,320 --a------ C:\WINDOWS\system32\qcut.dll
2008-01-09 13:35 . 1998-08-26 23:51 182,032 --a------ C:\WINDOWS\system32\dxtmsft3.dll
2008-01-09 13:35 . 1998-08-20 06:02 140,800 --a------ C:\WINDOWS\system32\tm20dec.ax
2008-01-09 13:35 . 1998-09-02 03:28 63,488 --a------ C:\WINDOWS\system32\unam4ie.exe
2008-01-09 13:35 . 1998-09-02 03:28 38,160 --a------ C:\WINDOWS\system32\LMRTREND.dll
2008-01-09 13:35 . 1998-08-17 04:21 11,776 --a------ C:\WINDOWS\system32\mciqtz.drv
2008-01-09 13:35 . 1998-08-17 04:21 10,240 --a------ C:\WINDOWS\system32\vidx16.dll
2008-01-09 13:35 . 1998-08-17 04:21 5,672 --a------ C:\WINDOWS\system32\quartz.vxd
2008-01-09 13:35 . 2008-01-09 13:35 4,608 --a------ C:\WINDOWS\system32\w95inf32.dll
2008-01-09 13:35 . 2008-01-09 13:35 2,272 --a------ C:\WINDOWS\system32\w95inf16.dll
2008-01-09 13:33 . 2008-01-09 13:33 <DIR> d-------- C:\Documents and Settings\Nate\WINDOWS
2008-01-09 13:33 . 1998-10-02 19:00 327,168 --a------ C:\WINDOWS\IsUninst.exe
2008-01-09 13:31 . 2008-01-27 03:24 <DIR> d-------- C:\Documents and Settings\Nate\Application Data\IGN_DLM
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-27 10:33 --------- d-----w C:\Program Files\THQ
2008-01-09 15:25 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-09 15:24 --------- d-----w C:\Program Files\EA GAMES
2008-01-08 01:21 --------- d-----w C:\Documents and Settings\Nate\Application Data\Bioshock
2007-12-26 02:32 --------- d-----w C:\Program Files\Codemasters
2007-12-26 02:30 40,960 ----a-w C:\WINDOWS\_ds7.tmp
2007-12-26 02:27 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-22 04:43 107,888 ----a-w C:\WINDOWS\system32\CmdLineExt.dll
2007-12-15 05:00 --------- d-----w C:\Program Files\2K Games
2007-12-15 05:00 --------- d-----w C:\Documents and Settings\Nate\Application Data\InstallShield
2007-12-11 06:20 --------- d--h--r C:\Documents and Settings\Nate\Application Data\SecuROM
2007-12-11 06:02 --------- d-----w C:\Program Files\Flagship Studios
2007-12-09 19:48 --------- d-----w C:\Program Files\Ubisoft
2007-12-09 11:36 --------- d-----w C:\Documents and Settings\Nate\Application Data\AdobeUM
2007-12-09 11:35 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-09 11:08 --------- d-----w C:\Program Files\Creative
2007-12-09 11:08 --------- d-----w C:\Program Files\Common Files\InstallShield
2007-12-09 11:07 --------- d-----w C:\Documents and Settings\Nate\Application Data\Creative
2007-12-09 11:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Creative
2007-12-09 10:33 --------- d-----w C:\Program Files\Broadcom
2007-12-09 10:26 --------- d--h--w C:\Program Files\Uninstall Information
2007-12-09 10:22 --------- d-----w C:\Program Files\microsoft frontpage
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{54475CED-26A9-4779-BA74-318C4A0AE577}]
C:\WINDOWS\system32\awvvv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"VolPanel"="C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" [2005-10-14 11:01 122880]
"UpdReg"="C:\WINDOWS\UpdReg.EXE" [2000-05-11 01:00 90112]
"Secure"="C:\WINDOWS\WindowsUpdates.exe" [ ]
"UserFaultCheck"="C:\WINDOWS\system32\dumprep 0 -u" [ ]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-10-04 17:14 8491008]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]
"BM07360ebd"="C:\WINDOWS\system32\kbuxyaww.dll" [ ]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\drlvwatv]
drlvwatv.dll
[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2005-10-29 06:31 16384 C:\WINDOWS\CTHELPER.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTxfiHlp]
--a------ 2005-10-29 06:31 18944 C:\WINDOWS\system32\CTXFIHLP.EXE
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\igndlm.exe]
C:\Program Files\Download Manager\DLM.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2004-10-13 11:24 1694208 C:\Program Files\Messenger\msmsgs.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-10-04 17:14 8491008 C:\WINDOWS\system32\NvCpl.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-10-04 17:14 81920 C:\WINDOWS\system32\NvMcTray.dll
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-10-04 17:14 1626112 C:\WINDOWS\system32\nwiz.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Outerinfo]
C:\Program Files\Outerinfo\Outerinfo.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\OuterinfoUpdate]
C:\Program Files\Outerinfo\OuterinfoUpdate.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2007-08-31 16:46 1460560 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
--a------ 2008-01-18 01:41 1266936 C:\Program Files\Steam\Steam.exe
R3 ha20x2k;Creative 20X HAL Driver;C:\WINDOWS\system32\drivers\ha20x2k.sys [2005-10-29 06:16]
.
**************************************************************************
catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer,
http://www.gmer.net
Rootkit scan 2008-02-01 02:23:41
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-01 2:26:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 07:26:31
.
2008-01-10 03:55:52 --- E O F ---
Here is the ComboFix quarantined files list:
2008-01-09 17:13 4232 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat.vir
2008-01-09 17:13 4617 --a------ C:\Qoobox\Quarantine\C\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat.vir
2008-01-29 00:49 39424 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\wvusssp.dll.vir
2008-01-29 00:50 15360 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\drvtonr.dll.vir
2008-01-29 23:49 371823 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vvvwa.ini2.vir
2008-01-29 23:51 371823 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\vvvwa.ini.vir
2008-01-30 00:41 332288 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkji.dll.vir
2008-01-30 00:52 1167357 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\jqxrufrx.ini.vir
2008-01-30 11:05 143 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\mcrh.tmp.vir
2008-02-01 02:17 367239 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ijkkj.ini2.vir
2008-02-01 02:19 367362 --a------ C:\Qoobox\Quarantine\C\WINDOWS\system32\ijkkj.ini.vir
2008-02-01 02:19 846 --a------ C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.dat
2008-02-01 02:20 309 --a------ C:\Qoobox\Quarantine\catchme.log
2008-02-01 02:20 325126 --a------ C:\Qoobox\Quarantine\catchme2008-02-01_ 22318.35.zip
Here is the "Gotcha" log file:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:35:39 AM, on 2/1/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\SYSTEM32\CTXFISPI.EXE
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Gotcha.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://webmaila.juno...ount=1201851051
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {54475CED-26A9-4779-BA74-318C4A0AE577} - C:\WINDOWS\system32\awvvv.dll (file missing)
O4 - HKLM\..\Run: [VolPanel] "C:\Program Files\Creative\Sound Blaster X-Fi\Volume Panel\VolPanel.exe" /r
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [Secure] C:\WINDOWS\WindowsUpdates.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [BM07360ebd] Rundll32.exe "C:\WINDOWS\system32\kbuxyaww.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} - http://www.fileplane...C_2.3.6.108.cab
O20 - Winlogon Notify: drlvwatv - drlvwatv.dll (file missing)
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
--
End of file - 4109 bytes
All I'd love to hear is ALL FIXED!!!
lol
And BTW, thanks for all your time!! It is much appreciated.
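Added example, not part of the poster's message and not output of ComboFix or HijackThis: a small Python triage pass over the O2 (BHO), O4 (Run) and O20 (Winlogon Notify) lines from the HijackThis log above. It picks out the loading points a helper would act on first: entries HijackThis marks "(file missing)" (the registry value outlived the file, so the next logon still tries to load it), a Rundll32 Run entry whose DLL is called through a one-letter export, and any Winlogon Notify DLL that is not one of the stock XP subkeys. The sample lines are copied from the log in this post; the rule wording and the list of stock XP Notify subkeys are assumptions made for the example.

```python
"""Triage HijackThis-style autostart entries (O2 BHO, O4 Run, O20 Winlogon Notify).

Added example for this thread; not the poster's code and not a HijackThis or
ComboFix feature. SAMPLE_LOG is copied from the HijackThis log in the post; the
rule names and XP_DEFAULT_NOTIFY are assumptions made for the example.
"""
import re
from dataclasses import dataclass, field

# Constructed from the posted log: the O2/O4/O20 entries a helper looks at first.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {54475CED-26A9-4779-BA74-318C4A0AE577} - C:\\WINDOWS\\system32\\awvvv.dll (file missing)
O4 - HKLM\\..\\Run: [NvCplDaemon] RUNDLL32.EXE C:\\WINDOWS\\system32\\NvCpl.dll,NvStartup
O4 - HKLM\\..\\Run: [BM07360ebd] Rundll32.exe "C:\\WINDOWS\\system32\\kbuxyaww.dll",s
O4 - HKCU\\..\\Run: [ctfmon.exe] C:\\WINDOWS\\system32\\ctfmon.exe
O20 - Winlogon Notify: drlvwatv - drlvwatv.dll (file missing)
"""

# Winlogon\Notify subkeys on a stock XP SP2 install (assumed list for this example).
# HijackThis hides these by default, so anything it does print under O20 deserves a look.
XP_DEFAULT_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                     "sclgntfy", "senslogn", "termsrv", "wlballoon"}

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>\S+?): \[(?P<name>[^\]]+)\] (?P<target>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.*)$")
# rundll32 [path\]name.dll,Export  (path may be quoted; export may be absent)
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+\.dll)"?(?:,(?P<entry>\S*))?', re.I)


@dataclass
class Entry:
    section: str                 # O2 / O4 / O20
    name: str                    # BHO display name, Run value name, or Notify subkey
    target: str                  # file the loading point references, as HijackThis printed it
    raw: str                     # the original log line, for the fix list
    flags: list[str] = field(default_factory=list)


def parse(log: str) -> list[Entry]:
    """Pull O2/O4/O20 entries out of a HijackThis log; other sections are ignored."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        for section, rx in (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE)):
            m = rx.match(line)
            if m:
                entries.append(Entry(section, m["name"], m["target"], line))
                break
    return entries


def triage(entries: list[Entry]) -> list[Entry]:
    """Attach a reason to each suspicious entry and return only the flagged ones."""
    for e in entries:
        if "(file missing)" in e.target:
            e.flags.append("orphaned: registry loading point survives but the file is gone")
        if e.section == "O4":
            m = RUNDLL_RE.search(e.target)
            # Legitimate vendors name their exports (NvStartup); a one-letter export is odd.
            if m and m["entry"] is not None and len(m["entry"]) <= 2:
                e.flags.append(f"rundll32 loads {m['dll']} through the {len(m['entry'])}-char export '{m['entry']}'")
        if e.section == "O20" and e.name.lower() not in XP_DEFAULT_NOTIFY:
            e.flags.append("non-default Winlogon Notify DLL (loaded into winlogon.exe at logon)")
    return [e for e in entries if e.flags]


def fix_lines(flagged: list[Entry]) -> list[str]:
    """The exact HijackThis lines to tick and 'Fix checked', in log order."""
    return [e.raw for e in flagged]


if __name__ == "__main__":
    for e in triage(parse(SAMPLE_LOG)):
        print(f"[{e.section}] {e.name}: {'; '.join(e.flags)}")
```

Run on the posted log it reports the unnamed BHO (awvvv.dll), the BM07360ebd Run value (kbuxyaww.dll via Rundll32 ",s") and the drlvwatv Winlogon Notify entry, and leaves NvCplDaemon, ctfmon and the Adobe BHO alone. The O20 rule is the sharp one: a Notify DLL runs inside winlogon.exe, so an orphaned entry there is worth fixing even though the file is already gone.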