Jump to content

Welcome to Geeks to Go - Register now for FREE

Geeks To Go is a helpful hub, where thousands of volunteer geeks quickly serve friendly answers and support. Check out the forums and get free advice from the experts. Register now to gain access to all of our features, it's FREE and only takes one minute. Once registered and logged in, you will be able to create topics, post replies to existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile and so much more.

Create Account How it Works
Photo

Malware Problem [RESOLVED]


  • This topic is locked This topic is locked

#1
whitewlf930

whitewlf930

    New Member

  • Member
  • Pip
  • 7 posts
hey i got a virus or something and its very annoying, i keep getting system alerts saying spyware detected etc.... and my comp shuts down if i try to scan it with ad-aware 07.

i scanned with hijack this and here is my log..

O3 - Toolbar: stfngdvw - {CE27F2E4-ED57-4453-8997-27C9E6F49AD9} - C:\WINDOWS\stfngdvw.dll
O3 - Toolbar: vnbptxlf - {3AB99368-48AF-4A01-B845-2904204948B5} - C:\WINDOWS\vnbptxlf.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1645.exe 61A847B5BBF72813349F3D466188719AB689201522886B092CBD44BD8689220221DD325762EA4EBF
968951185EFC412806867680AEDE604D64C2661373FF15E6DCD66A47
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [JavaCore] C:\Program Files\\JavaCore\\JavaCore.exe
O4 - HKCU\..\Run: [SpeedRunner] C:\Documents and Settings\Owner\Application Data\SpeedRunner\SpeedRunner.exe
O4 - HKCU\..\Run: [SfKg6wIP] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\ooapdx.exe
O4 - HKCU\..\Run: [Twain] C:\Program Files\Twain\Twain.exe
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [SfKg6w] C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\oaawjni.exe
O4 - HKCU\..\Run: [Aaoo] "C:\WINDOWS\system32\PPPATC~1\msdtc.exe" -vt yazb
O4 - HKCU\..\Run: [Psocwecy] "C:\Program Files\Common Files\a?sembly\l?[bleep].exe"
O4 - HKCU\..\Run: [uzkf] C:\PROGRA~1\COMMON~1\uzkf\uzkfm.exe
O4 - HKLM\..\Policies\Explorer\Run: [Zj48TX8VTP] C:\Documents and Settings\All Users\Application Data\huhqjazw\hafivgdk.exe
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Updates] wkssvr.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\svchost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [autoload] C:\Documents and Settings\LocalService\Local Settings\Application Data\windowsupdate.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [xrtocrmp] C:\WINDOWS\system32\gtkjchoj.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O21 - SSODL: AlrtService - {6881b700-7bca-4c7c-8b9a-a81b8c878862} - C:\WINDOWS\Installer\{6881b700-7bca-4c7c-8b9a-a81b8c878862}\AlrtService.dll
O21 - SSODL: RamRam - {a95810c3-0735-45b6-a15d-a1c161f5c81b} - C:\WINDOWS\Installer\{a95810c3-0735-45b6-a15d-a1c161f5c81b}\RamRam.dll
O21 - SSODL: sxfnewqb - {1C556045-7C30-4E3D-BF1D-C2B05D1449C3} - C:\WINDOWS\sxfnewqb.dll
O21 - SSODL: RomSetup - {dc2ad0dd-1e54-48c3-8c22-09ec3f5cc80e} - C:\WINDOWS\Resources\RomSetup.dll
O21 - SSODL: zip - {be64ee06-8d80-42ea-b9e3-0efb5c62ed63} - C:\WINDOWS\Installer\{be64ee06-8d80-42ea-b9e3-0efb5c62ed63}\zip.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Command Service (cmdservice) - Unknown owner - C:\WINDOWS\dXNlcg\command.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Network Monitor (network monitor) - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Task Scheduler (Schedule) - Unknown owner - C:\WINDOWS\system32\drivers\svchost.exe (file missing)

if someone can help me out here that would be appreciated.

thanks
  • 0

Advertisements


#2
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

First of all, your HijackThislog is incomplete. I'm missing the top part.

Second, Your system is severly infected. Problem with these infections nowadays is, it causes a lot of damage. Even if we clean the malware off your system, I can't guarantee that your system will be clean afterwards, because these infections/bundles leave a lot of leftovers behind that most scanners won't even recognise and logs won't show.
Also, I can't promise you we can repair all the damage it caused... Even after cleaning the malware, you can still get errors afterwards because of the damage. Solving these is not always possible since it will be searching for a needle in a haystack to find the right cause and solution.
So, we can try to clean this up and do what we can, but keep in mind that we can't solve ALL problems this malware already caused.

In light of this it would be wise for you to back up any files and folders that you don't want to lose before we start. Reason I am telling this is because when a system is so terribly infected and we try to clean this up manually, the damage that is already present may interfere with our removal attempts.

This actually doesn't suprise me at all...

I understand that you need help in order to get rid of the malware that is present on your system - But you need to help us first..
I notice that you never scanned with an Antivirus previously before starting this thread - because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There doubleclick the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply together with a new HijackThislog.
Then we'll start from there, because it really makes no sense otherwise that we clean this up manually if an Antivirusscan is not present which should be able to deal with most and prevent further reinfection.
  • 0

#3
whitewlf930

whitewlf930

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
kk i did everything here it is.



Avira AntiVir Personal
Report file date: Wednesday, April 16, 2008 07:54

Scanning for 1204631 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: ROSS

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 18:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 17:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 17:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 17:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 19:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 22:08:58
ANTIVIR2.VDF : 7.0.3.156 795136 Bytes 4/11/2008 14:50:32
ANTIVIR3.VDF : 7.0.3.175 150528 Bytes 4/16/2008 14:50:47
Engineversion : 8.1.0.30
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 18:58:21
AESCRIPT.DLL : 8.1.0.23 233851 Bytes 4/16/2008 14:52:20
AESCN.DLL : 8.1.0.13 115061 Bytes 4/16/2008 14:52:11
AERDL.DLL : 8.1.0.19 418164 Bytes 4/8/2008 00:34:44
AEPACK.DLL : 8.1.1.1 364918 Bytes 4/16/2008 14:52:06
AEOFFICE.DLL : 8.1.0.17 192891 Bytes 4/16/2008 14:51:51
AEHEUR.DLL : 8.1.0.18 1167735 Bytes 4/16/2008 14:51:42
AEHELP.DLL : 8.1.0.12 115063 Bytes 4/16/2008 14:50:59
AEGEN.DLL : 8.1.0.15 299379 Bytes 4/8/2008 00:34:43
AEEMU.DLL : 8.1.0.5 430450 Bytes 4/8/2008 00:34:43
AECORE.DLL : 8.1.0.26 168311 Bytes 4/16/2008 14:50:54
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/24/2008 02:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 19:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 22:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/24/2008 02:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 17:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 17:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/23/2008 02:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/24/2008 02:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 21:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 23:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 21:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Wednesday, April 16, 2008 07:54

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'QTTask.exe' - '1' Module(s) have been scanned
Scan process 'CTSysVol.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'netmon.exe' - '1' Module(s) have been scanned
Scan process 'command.exe' - '1' Module(s) have been scanned
Module is infected -> 'C:\WINDOWS\dXNlcg\command.exe'
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'aawservice.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
Process 'command.exe' has been terminated
C:\WINDOWS\dXNlcg\command.exe
[DETECTION] Is the Trojan horse TR/Spy.Banbra.df.199
[NOTE] The file was deleted!

27 processes with 26 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
C:\WINDOWS\system32\byXRjkJA.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\vtUmJAsR.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\mrofinu1645.exe
[DETECTION] Is the Trojan horse TR/Crypt.ULPM.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\ktgmcgce.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\yhypoufn.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\Documents and Settings\LocalService\Local Settings\Application Data\windowsupdate.exe
[DETECTION] Is the Trojan horse TR/Agent.51049
[NOTE] The file was deleted!
C:\WINDOWS\system32\gtkjchoj.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!

The registry was scanned ( '30' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\cusgi.exe
[DETECTION] Contains detection pattern of the dropper DR/Delphi.Gen
[NOTE] The file was deleted!
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\njhxmjb.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\ygnat.exe
[DETECTION] Is the Trojan horse TR/PCK.PolyCrypt.D.920
[NOTE] The file was deleted!
C:\Documents and Settings\All Users\Application Data\huhqjazw\hafivgdk.exe.bak
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\Documents and Settings\All Users\Application Data\mnutgpsx\chmvelcf.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GX2JC5ER\AccessMediaDownload[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Peregar.F
[NOTE] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\GX2JC5ER\AccessMediaSetup[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Delf.dke.9
[NOTE] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WFST6DK3\AccessMediaDownload[1].exe
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Dldr.Delf.gie.1
[NOTE] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WFST6DK3\AccessMediaSetup[1].exe
[DETECTION] Is the Trojan horse TR/Dldr.Delf.gji.7
[NOTE] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WFST6DK3\AccessMediaSetup[2].exe
[DETECTION] Is the Trojan horse TR/Dldr.Peregar.AI
[NOTE] The file was deleted!
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\WFST6DK3\AccessMediaSetup[3].exe
[DETECTION] Is the Trojan horse TR/Dldr.Delf.dke.12
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\crtss.exe
[DETECTION] Contains detection pattern of the worm WORM/Robobot
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\ipv6rop.dll
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\msni32c.dll
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Application Data\Microsoft\Windows\oaawjni.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.cgd.2
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-3ad601a5-49f5c2b1.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains detection pattern of the exploits EXP/Java.Gimsh.B.1
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Application Data\Sun\Java\Deployment\cache\javapi\v1.0\jar\jvmimpro.jar-5efd1945-2eedb10d.zip
[0] Archive type: ZIP
--> vmain.class
[DETECTION] Contains detection pattern of the exploits EXP/Java.Gimsh.B
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Application Data\WinTouch\WinTouch.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.hcn
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Desktop\SmitfraudFix.exe
[DETECTION] Contains detection pattern of the dropper DR/Tool.Reboot.F.75
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Desktop\X\sdsetup.exe
[DETECTION] Contains detection pattern of the dropper DR/KeyLogger.DQ
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Application Data\windowsupdate.exe
[DETECTION] Is the Trojan horse TR/PCK.PolyCrypt.D.920
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FK
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Temp\csrssc.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Temp\NDR1CA.tmp
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FK
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_4_0_b4.exe
[DETECTION] Is the Trojan horse TR/Dldr.TSUpdat.F.3
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Temp\tsupdate_4_0_4_1_b3.exe
[DETECTION] Is the Trojan horse TR/Drop.TSUpdat.A.1
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\3LFLV2K7\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Documents and Settings\Owner\Local Settings\Temp\Temporary Internet Files\Content.IE5\3LFLV2K7\cd[1].htm
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\SH8YQ47R\idkfa[1]
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\Program Files\Common Files\Yazzle1560OinAdmin.exe
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Dldr.Purity.BV.7
--> Object
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FJ.2
[NOTE] The file was deleted!
C:\Program Files\Common Files\Yazzle1560OinUninstaller.exe
[DETECTION] Contains detection pattern of the dropper DR/PurityScan.GP.1
[NOTE] The file was deleted!
C:\Program Files\Common Files\uzkf\uzkfa.exe
[DETECTION] Is the Trojan horse TR/Dldr.TSUpdate.L
[NOTE] The file was deleted!
C:\Program Files\Common Files\uzkf\uzkfl.exe
[DETECTION] Is the Trojan horse TR/Drop.TSUpdat.A.2
[NOTE] The file was deleted!
C:\Program Files\Common Files\uzkf\uzkfm.exe
[DETECTION] Is the Trojan horse TR/Drop.TSUpdat.A.3
[NOTE] The file was deleted!
C:\Program Files\Common Files\uzkf\uzkfp.exe
[DETECTION] Is the Trojan horse TR/Drop.TSUpdat.A.4
[NOTE] The file was deleted!
C:\Program Files\MediaEldoradoCodec\MediaEldoradoCodec.ocx
[DETECTION] Is the Trojan horse TR/Zlob.FF.3
[NOTE] The file was deleted!
C:\Program Files\MediaEldoradoCodec\Uninstall.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.Zlob.ABOC
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07013CC7.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\07013CC7.exe
[DETECTION] Contains detection pattern of the worm WORM/Alcra.B
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\200D5F28.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\200D5F28.exe
[DETECTION] Contains detection pattern of the dial-up program DIAL/Generic
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20133321.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20133321.exe
[DETECTION] Contains detection pattern of the dial-up program DIAL/Generic
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20165D1D.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\20165D1D.exe
[DETECTION] Contains detection pattern of the dial-up program DIAL/Generic
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\201A071A.dat
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\201A071A.dat
[DETECTION] Is the Trojan horse TR/Dldr.Agent.AP.2
[NOTE] TR/Dldr.Agent.AP.2:[HKEY_CURRENT_USER\SOFTWARE\MICROSOFT\INTERNET EXPLORER\MAIN]:<Start Page>=sz:about:blank>=SZ:about:blank
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27FE1F5F.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\27FE1F5F.dll
[DETECTION] Contains detection pattern of the worm WORM/Dedler.Q
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3CDE5BE2.tmp
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\3CDE5BE2.tmp
[DETECTION] Contains detection pattern of the dropper DR/Hijack.Barnius.1
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\447C1B00.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\447C1B00.dll
[DETECTION] Contains detection pattern of the worm WORM/Dedler.X
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\540448A9.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\540448A9.dll
[DETECTION] Contains detection pattern of the worm WORM/Dedler.AA
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\540772A6.dll
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\540772A6.dll
[DETECTION] Contains detection pattern of the worm WORM/Dedler.Z.1
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\61006909.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\61006909.exe
[DETECTION] Contains detection pattern of the worm WORM/Alcra.B
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\61EF6203.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\61EF6203.exe
[DETECTION] Contains detection pattern of the worm WORM/Alcra.B
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\63CC53F6.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\63CC53F6.exe
[DETECTION] Is the Trojan horse TR/Crypt.E
[NOTE] The file was deleted!
C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\65960AF9.exe
[0] Archive type: HIDDEN
--> FIL\\\?\C:\Program Files\Norton SystemWorks\Norton AntiVirus\Quarantine\65960AF9.exe
[DETECTION] Contains detection pattern of the worm WORM/Alcra.B
[NOTE] The file was deleted!
C:\WINDOWS\b103.exe
[DETECTION] Is the Trojan horse TR/Drop.Agent.28160
[NOTE] The file was deleted!
C:\WINDOWS\b104.exe
[DETECTION] Contains detection pattern of the dropper DR/Dldr.Small.buy
[NOTE] The file was deleted!
C:\WINDOWS\b116.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.ezc.1
[NOTE] The file was deleted!
C:\WINDOWS\b155.exe
[DETECTION] Is the Trojan horse TR/BHO.bhg
[NOTE] The file was deleted!
C:\WINDOWS\b157.exe
[DETECTION] Is the Trojan horse TR/Dldr.Agent.jih.1
[NOTE] The file was deleted!
C:\WINDOWS\kiasys.dll
[DETECTION] Is the Trojan horse TR/Dldr.Delf.GIF.1
[NOTE] The file was deleted!
C:\WINDOWS\svpekgongpv.dll
[DETECTION] Is the Trojan horse TR/Zlob.286720
[NOTE] The file was deleted!
C:\WINDOWS\svpekgonqba.dll
[DETECTION] Is the Trojan horse TR/BHO.Agent.221184
[NOTE] The file was deleted!
C:\WINDOWS\temlxopqdla.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agen.245760
[NOTE] The file was deleted!
C:\WINDOWS\uerj45kj.sys
[WARNING] The file could not be opened!
C:\WINDOWS\uninstall_nmon.vbs
[DETECTION] Is the Trojan horse TR/Small.WY
[NOTE] The file was deleted!
C:\WINDOWS\Installer\{6881b700-7bca-4c7c-8b9a-a81b8c878862}\AlrtService.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.lsw
[WARNING] The file could not be deleted!
C:\WINDOWS\Installer\{a95810c3-0735-45b6-a15d-a1c161f5c81b}\RamRam.dll
[DETECTION] Is the Trojan horse TR/Dldr.Agent.lsw
[WARNING] The file could not be deleted!
C:\WINDOWS\Installer\{be64ee06-8d80-42ea-b9e3-0efb5c62ed63}\zip.dll
[DETECTION] Is the Trojan horse TR/Shell.Eviell
[WARNING] The file could not be deleted!
C:\WINDOWS\Resources\RomSetup.dll
[DETECTION] Is the Trojan horse TR/Agent.jqa
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\apcup.dll
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The file was deleted!
C:\WINDOWS\system32\bjlcysyj.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\byXQIAro.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\byXRjkJA.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\cedysadm.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\hxqwioui.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\iubhkovs.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\ixliysnt.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was deleted!
C:\WINDOWS\system32\jfiehayd.dll
[DETECTION] Is the Trojan horse TR/Agent.10000.70
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\kdjwm.exe
[DETECTION] Is the Trojan horse TR/Dropper.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\ktgmcgce.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\mferuhhh.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\mgaekcsn.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\mrofqbqf.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\navfwxhm.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\nkhwotkp.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\proghdwb.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\qbnjpwpr.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\ryirkfiq.dll
[DETECTION] Is the Trojan horse TR/Vundo.EFU
[NOTE] The file was deleted!
C:\WINDOWS\system32\tuieyism.dll
[DETECTION] Is the Trojan horse TR/Agent.3648.1
[NOTE] The file was deleted!
C:\WINDOWS\system32\vtUmJAsR.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[WARNING] The file could not be deleted!
C:\WINDOWS\system32\wvUkHYsP.dll
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\yhypoufn.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINDOWS\system32\ΑppPatch\msdtc.exe
[DETECTION] Is the Trojan horse TR/Dldr.PurityScan.FJ.2
[NOTE] The file was deleted!
C:\WINDOWS\Temp\121194.tmp
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was deleted!
C:\WINDOWS\Temp\139410.tmp
[DETECTION] Is the Trojan horse TR/Agent.fwi
[NOTE] The file was deleted!
C:\WINDOWS\Temp\1766.tmp
[DETECTION] Is the Trojan horse TR/Dldr.Delf.dke.9
[NOTE] The file was deleted!
C:\WINDOWS\Temp\2461264640.exe
[DETECTION] Is the Trojan horse TR/Downloader.Gen
[NOTE] The file was deleted!
C:\WINDOWS\Temp\454F.tmp
[DETECTION] Is the Trojan horse TR/Dldr.FraudLoad.IK
[NOTE] The file was deleted!
C:\WINDOWS\Temp\4DF0.tmp
[DETECTION] Is the Trojan horse TR/Dldr.Peregar.F
[NOTE] The file was deleted!
C:\WINDOWS\Temp\4F17.tmp
[DETECTION] Is the Trojan horse TR/Dldr.Peregar.AI
[NOTE] The file was deleted!
C:\WINDOWS\Temp\5067.tmp
[DETECTION] Contains detection pattern of the dropper DR/Dldr.DNSChanger.Gen
[NOTE] The file was deleted!
C:\WINDOWS\Temp\530D.tmp
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Dldr.Delf.gie.1
[NOTE] The file was deleted!
C:\WINDOWS\Temp\5680.tmp
[DETECTION] Is the Trojan horse TR/Dldr.Delf.dke.12
[NOTE] The file was deleted!
C:\WINDOWS\Temp\615B.tmp
[DETECTION] Is the Trojan horse TR/Dldr.Delf.gji.7
[NOTE] The file was deleted!
C:\WINDOWS\Temp\67BF.tmp
[DETECTION] Is the Trojan horse TR/Dldr.Agent.kfb.1
[NOTE] The file was deleted!
C:\WINDOWS\Temp\6B2D.tmp
[DETECTION] Contains detection pattern of the dropper DR/Zlob.Gen
[NOTE] The file was deleted!
C:\WINDOWS\Temp\A2-tmpa-setup.exe
[DETECTION] Is the Trojan horse TR/Dldr.Delf.gif
[NOTE] The file was deleted!
C:\WINDOWS\Temp\A4-tmpaoi.exe
[DETECTION] Is the Trojan horse TR/Dldr.Peregar.W
[NOTE] The file was deleted!
C:\WINDOWS\Temp\A50-tmpa-setup.exe
[DETECTION] Is the Trojan horse TR/Dldr.Peregar.C
[NOTE] The file was deleted!
C:\WINDOWS\Temp\A6-tmpaoi.exe
[DETECTION] Is the Trojan horse TR/Dldr.Peregar.AA
[NOTE] The file was deleted!
C:\WINDOWS\Temp\A8-tmpaoi.exe
[DETECTION] Is the Trojan horse TR/Dldr.Peregar.AH
[NOTE] The file was deleted!
C:\WINDOWS\Temp\AA-tmpaoi.exe
[DETECTION] Is the Trojan horse TR/Dldr.Delf.DBZ.1
[NOTE] The file was deleted!
C:\WINDOWS\Temp\AC-tmpaoi.exe
[DETECTION] Is the Trojan horse TR/Dldr.Delf.DBZ.1
[NOTE] The file was deleted!
C:\WINDOWS\Temp\br4.exe
[DETECTION] Contains detection pattern of the dropper DR/FraudTool.SpyHeal.L.1
[NOTE] The file was deleted!
C:\WINDOWS\Temp\F47.tmp
[DETECTION] Contains detection pattern of the dropper DR/Dldr.DNSChanger.Gen
[NOTE] The file was deleted!
C:\WINDOWS\Temp\notepad.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was deleted!
C:\WINDOWS\Temp\zfe2.exe
--> Object
[1] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Zlob.JW
[NOTE] The file was deleted!
C:\WINDOWS\Temp\EACDownload\defscan_install-r.exe
[DETECTION] Contains suspicious code HEUR/Malware
[NOTE] The fund was classified as suspicious.
[NOTE] The file was moved to '486c2564.qua'!
C:\WINDOWS\Temp\EACDownload\eanth_setup.exe
[DETECTION] Is the Trojan horse TR/Dloader.BI.1
[NOTE] The file was deleted!
C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GXUBW5UR\cd[1].htm
[0] Archive type: HIDDEN
--> FIL\\\?\C:\WINDOWS\Temp\Temporary Internet Files\Content.IE5\GXUBW5UR\cd[1].htm
[DETECTION] The file contains an executable. This, however, is disguised by a harmless file extension (HIDDENEXT/Crypted)
[NOTE] The file was deleted!


End of the scan: Wednesday, April 16, 2008 09:10
Used time: 1:16:24 min

The scan has been done completely.

8885 Scanning directories
295099 Files were scanned
121 viruses and/or unwanted programs were found
4 Files were classified as suspicious:
110 files were deleted
0 files were repaired
1 files were moved to quarantine
0 files were renamed
3 Files cannot be scanned
294978 Files not concerned
2291 Archives were scanned
15 Warnings
111 Notes
============================

and here is hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:03:38 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O3 - Toolbar: stfngdvw - {CE27F2E4-ED57-4453-8997-27C9E6F49AD9} - C:\WINDOWS\stfngdvw.dll
O3 - Toolbar: vnbptxlf - {3AB99368-48AF-4A01-B845-2904204948B5} - C:\WINDOWS\vnbptxlf.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\Owner\LOCALS~1\Temp\csrssc.exe
O4 - HKLM\..\Policies\Explorer\Run: [Zj48TX8VTP] C:\Documents and Settings\All Users\Application Data\huhqjazw\hafivgdk.exe
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Updates] wkssvr.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\svchost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll (file missing)
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O21 - SSODL: AlrtService - {6881b700-7bca-4c7c-8b9a-a81b8c878862} - C:\WINDOWS\Installer\{6881b700-7bca-4c7c-8b9a-a81b8c878862}\AlrtService.dll (file missing)
O21 - SSODL: RamRam - {a95810c3-0735-45b6-a15d-a1c161f5c81b} - C:\WINDOWS\Installer\{a95810c3-0735-45b6-a15d-a1c161f5c81b}\RamRam.dll
O21 - SSODL: sxfnewqb - {1C556045-7C30-4E3D-BF1D-C2B05D1449C3} - C:\WINDOWS\sxfnewqb.dll
O21 - SSODL: RomSetup - {dc2ad0dd-1e54-48c3-8c22-09ec3f5cc80e} - C:\WINDOWS\Resources\RomSetup.dll
O21 - SSODL: zip - {be64ee06-8d80-42ea-b9e3-0efb5c62ed63} - C:\WINDOWS\Installer\{be64ee06-8d80-42ea-b9e3-0efb5c62ed63}\zip.dll
O22 - SharedTaskScheduler: jhsf8d984jief8dsfus98jkefn - {C5AF49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\system32\jfiehayd.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 5087 bytes
  • 0

#4
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

We are not finished yet... We still have a LOT to clean here, so extra scans will be needed..

* Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform Quick Scan", then click Scan.
  • The scan may take some time to finish,so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked, and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy&Paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.
  • 0

#5
whitewlf930

whitewlf930

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Malwarebytes' Anti-Malware 1.11
Database version: 639

Scan type: Quick Scan
Objects scanned: 35358
Time elapsed: 17 minute(s), 48 second(s)

Memory Processes Infected: 1
Memory Modules Infected: 9
Registry Keys Infected: 141
Registry Values Infected: 13
Registry Data Items Infected: 2
Folders Infected: 37
Files Infected: 216

Memory Processes Infected:
c:\Documents and Settings\Owner\Local Settings\Temp\csrssc.exe (Trojan.Downloader) -> Unloaded process successfully.

Memory Modules Infected:
C:\WINDOWS\Installer\{be64ee06-8d80-42ea-b9e3-0efb5c62ed63}\zip.dll (Trojan.Alphabet) -> Unloaded module successfully.
c:\WINDOWS\system32\ljjkhhf.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\Resources\RomSetup.dll (Trojan.Clicker) -> Unloaded module successfully.
c:\WINDOWS\system32\byXRjkJA.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\byXQIAro.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\system32\sghjgewn.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\WINDOWS\Installer\{a95810c3-0735-45b6-a15d-a1c161f5c81b}\RamRam.dll (Trojan.Alphabet) -> Unloaded module successfully.
C:\WINDOWS\sxfnewqb.dll (Trojan.FakeAlert) -> Unloaded module successfully.
c:\program files\mozilla firefox\components\srff.dll (Adware.SurfAccuracy) -> Unloaded module successfully.

Registry Keys Infected:
HKEY_CLASSES_ROOT\Interface\{575e8879-d6cf-4992-a7fe-651da9277bcb} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b667f141-171c-4ac6-bd2b-8e0c646fb920} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b5a1ce7f-011d-4475-98db-076aaf3b1d18} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{f663b917-591f-4172-8d87-3d7d729007ca} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{ae119e11-cf86-43cb-91aa-1acf2bbf9ec6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{495349a3-3a35-465f-88df-6ccfc1348246} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{a86bed71-2b56-4778-9c48-829a3d01c687} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a95810c3-0735-45b6-a15d-a1c161f5c81b} (Trojan.Alphabet) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\speedrunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\Twain (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{da4f8351-05ef-4956-b9ab-1093b732436f} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{8dc7e656-ffbc-4ba2-af81-1c6c4fe04407} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{83b0cadc-ea64-4ac6-822a-3ece95f44da6} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1e33f406-ab8f-4153-a5c8-089aeff5cc87} (Rogue.SpyMaxx) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{3c2d2a1e-031f-4397-9614-87c932a848e0} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{be64ee06-8d80-42ea-b9e3-0efb5c62ed63} (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{f4f41439-82fc-4681-acb0-7d3798f685c0} (Rogue.SpyMaxx) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{8c763414-3a7d-4a75-86c1-ae43757344c7} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx.1 (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\XP antivirus (Rogue.XPantivirus) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\mdreg.clsreg (Rogue.SpyMaxx) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{819a1c55-735f-4696-8727-3772ec87ad26} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\E404.e404mgr (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{04a38f6b-006f-4247-ba4c-02a139d5531c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\SpeedRunner (Adware.SurfAccuracy) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\minibugtransporter.minibugtransporterx (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{e1e4e46d-53b8-45dc-abf0-3e7adef79012} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b96d5cc-c5b5-49a5-a69d-cc0a30f9028c} (Adware.Minibug) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{71493218-e553-4fa8-85e2-e6d18fa75509} (Rogue.SpyMaxx) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\dsaip32b.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\dsaip32b.Video (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{76a15001-ff88-47ee-9e34-9f68e34246af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9afb8248-617f-460d-9366-d71cdeda3179} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\bat.batbho.1 (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{d279bc2b-a85b-4559-8fd9-ddc55f5d402d} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\byxrjkja (Trojan.Vundo) -> Delete on reboot.
HKEY_CLASSES_ROOT\Typelib\{b80a3586-caa5-41c8-89bf-e617f0b6cfbf} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{060bb0ab-4b09-4c51-9ecb-9580a6d08d7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{dc2ad0dd-1e54-48c3-8c22-09ec3f5cc80e} (Trojan.Clicker) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{a394e835-c8d6-4b4b-884b-d2709059f3be} (Trojan.Network.Monitor) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\SearchScopes\{daed9266-8c28-4c1c-8b58-5c66eff1d302} (Search.Hijack) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{48d78be5-cfb9-4b66-9ac4-96d4cf21de06} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{74d46bba-5638-473a-83b6-97e7804a7411} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{38e4618f-e3e4-42e9-925f-6b02c798bd94} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{38e4618f-e3e4-42e9-925f-6b02c798bd94} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6edcaa62-21a4-421d-a1ed-298f480c3050} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{6efb1cab-d26f-4255-b8f9-8fcef22d7c1e} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{230fab55-749b-485d-9b09-9179e022591f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{0e2ee7ba-47ef-4d35-a1c3-45ca4762c7cc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\cndr32a.video (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{2b53c730-8a79-4e13-a35f-3e41ca13e12f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2242513c-f5e9-41b3-bc89-4d9daf487450} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{c3aba952-3f9e-43a7-99f8-20be97bba96a} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e5bd6642-494a-4326-9803-f2ba07b73d3d} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\stfngdvw.bbvf (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\ljjkhhf (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ce27f2e4-ed57-4453-8997-27c9e6f49ad9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{badc33d7-a06c-e090-1197-d78f72792c92} (Adware.ClickSpring) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\stfngdvw.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{65b2fe4d-2fff-4874-8f85-f16ffb5333bc} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b7963fed-fd53-4581-964b-6f4bd365e44c} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{9b5a5068-82b1-4ba8-b2ae-08cce500ab81} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{b9ef0cda-86a1-4705-ae62-91686a84a41b} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ekvgsnw.bsoq (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{2b53c730-8a79-4e13-a35f-3e41ca13e12f} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ba3faea0-987d-4921-bd8d-847ebae453d0} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Typelib\{e81cf50e-1210-4eb8-aa3b-1b507919acb1} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{de50b320-d8d5-46c3-92cc-fc3cc17619f9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{9dd4258a-7138-49c4-8d34-587879a5c7a4} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\mwc (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{3877c2cd-f137-4144-bdb2-0a811492f920} (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{147a976f-eee1-4377-8ea7-4716e4cdd239} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{63f7460b-c831-4142-a4aa-5ec303ec4343} (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Uninstall\CPV (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\BO1jiZmwnF2zhi (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{56256a51-b582-467e-b8d4-7786eda79ae0} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{1c556045-7c30-4e3d-bf1d-c2b05d1449c3} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{14e6d991-db22-4661-981d-20c168d6847b} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vnbptxlf.bspe (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3b489b37-fc1b-45c8-b1ce-78d9aef5b336} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3d6a6e24-fdff-418e-a93d-9fbdcba377af} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{3e318e44-0c35-4292-af91-18dd17795636} (Rogue.VirusHeat) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Trymedia Systems (Adware.Trymedia) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Batco (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\bat.DLL (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Bat (Adware.Batco) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\jkwslist (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\aldd (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\TSA (Adware.TargetSaver) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\xInsiDERexe (Adware.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\IQSoftware (Rogue.Multiple) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\msram.tchongabho (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\WR (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affltid (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8c763414-3a7d-4a75-86c1-ae43757344c7} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Juan (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\ekvgsnw.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho.1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\cndr32a.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\{de50b320-d8d5-46c3-92cc-fc3cc17619f9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c3bcc488-1ae7-11d4-ab82-0010a4ec2338} (Fake.Dropped.Malware) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{3ab99368-48af-4a01-b845-2904204948b5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\The Weather Channel (Adware.Hotbar) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\wintouch (Adware.WinPop) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{2e9937fc-cf2f-4f56-af54-5a6a3dd375cc} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\Interface\{741de825-a6f0-4497-9aa6-8023cf9b0fff} (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\vnbptxlf.toolbar.1 (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\WinTouch (Adware.WinPop) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Multimedia\WMPlayer\Schemes\f3pss (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Fun Web Products (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\kiasys.video (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\MediaEldoradoCodec (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\AppID\kiasys.dll (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\cmdService (Adware.CommAd) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\MyWebSearch (Adware.MyWebSearch) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Outerinfo (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\spyaway (Rogue.SpyAway) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{15421b84-3488-49a7-ad18-cbf84a3efaf6} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\testcpv6.bho (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Network Monitor (Trojan.Service) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Screensavers.com (Adware.Comet) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\qtalk.tchongabho (Spyware.Banker) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{cf26fac0-7d4e-46d8-ae64-b277b11443ac} (Spyware.Banker) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Extensions\CmdMapping\{9034a523-d068-4be8-a284-9df278be776e} (Trojan.Zlob) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\zip (Trojan.Alphabet) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\RamRam (Trojan.Alphabet) -> Delete on reboot.
HKEY_CURRENT_USER\Software\Mozilla\Firefox\Extensions\{59a40ac9-e67d-4155-b31d-4b7330fcd2d6} (Adware.PurityScan) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{3ab99368-48af-4a01-b845-2904204948b5} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar\{ce27f2e4-ed57-4453-8997-27c9e6f49ad9} (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{c5af49a2-94f3-42bd-f434-2604812c897d} (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\sxfnewqb (Trojan.FakeAlert) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{060bb0ab-4b09-4c51-9ecb-9580a6d08d7f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{01a33d85-4706-452a-b71a-99510ada8c0c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Jnskdfmf9eldfd (Trojan.Downloader) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\RomSetup (Trojan.Clicker) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxqiaro -> Delete on reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\byxqiaro

=======================================

and the hijack log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:18:50 AM, on 4/17/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

O2 - BHO: {9977f22b-e3f1-b3db-edc4-9d86d1489ddf} - {fdd9841d-68d9-4cde-bd3b-1f3eb22f7799} - C:\WINDOWS\system32\doqubgtk.dll
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [0455b9ed] rundll32.exe "C:\WINDOWS\system32\sghjgewn.dll",b
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Policies\Explorer\Run: [Zj48TX8VTP] C:\Documents and Settings\All Users\Application Data\huhqjazw\hafivgdk.exe
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Updates] wkssvr.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\svchost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O20 - Winlogon Notify: vtUmJAsR - vtUmJAsR.dll (file missing)
O21 - SSODL: AlrtService - {6881b700-7bca-4c7c-8b9a-a81b8c878862} - C:\WINDOWS\Installer\{6881b700-7bca-4c7c-8b9a-a81b8c878862}\AlrtService.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4204 bytes
  • 0

#6
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
What a mess :)

Now step 3 & 4...

Please perform my steps in the right order...

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: {9977f22b-e3f1-b3db-edc4-9d86d1489ddf} - {fdd9841d-68d9-4cde-bd3b-1f3eb22f7799} - C:\WINDOWS\system32\doqubgtk.dll
O4 - HKLM\..\Run: [0455b9ed] rundll32.exe "C:\WINDOWS\system32\sghjgewn.dll",b
O4 - HKLM\..\RunServices: [Microsoft Updates] wkssvrs.exe
O4 - HKLM\..\Policies\Explorer\Run: [Zj48TX8VTP] C:\Documents and Settings\All Users\Application Data\huhqjazw\hafivgdk.exe
O4 - HKUS\.DEFAULT\..\Run: [Microsoft Updates] wkssvr.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [ntuser] C:\WINDOWS\system32\drivers\svchost.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\Run: [Jnskdfmf9eldfd] C:\WINDOWS\TEMP\csrssc.exe (User 'Default user')
O20 - Winlogon Notify: vtUmJAsR - vtUmJAsR.dll (file missing)
O21 - SSODL: AlrtService - {6881b700-7bca-4c7c-8b9a-a81b8c878862} - C:\WINDOWS\Installer\{6881b700-7bca-4c7c-8b9a-a81b8c878862}\AlrtService.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, * Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingc...to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
  • 0

#7
whitewlf930

whitewlf930

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
combo fix log attatched and here is hijack:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 06:48, on 2008-04-18
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3518 bytes

Attached Files


  • 0

#8
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Open notepad - don't use any other texteditor than notepad or the script will fail.
Copy/paste the text in the quotebox below into notepad:

File::
C:\WINDOWS\system32\nwegjhgs.ini
C:\WINDOWS\system32\ecgcmgtk.ini
C:\WINDOWS\system32\xkftijyy.tmp
C:\WINDOWS\BM07668a71.xml
C:\WINDOWS\system32\pyrfrhpi.tmp
C:\smp.bat
C:\72726850
Suspect::[8]
C:\Documents and Settings\Owner\updata.exe
Folder::
C:\WINDOWS\uzkf
C:\Program Files\Common Files\uzkf
C:\Documents and Settings\All Users\Application Data\huhqjazw
C:\Documents and Settings\All Users\Application Data\mnutgpsx
C:\WINDOWS\dXNlcg
Driver::
pnujvtcmsl
kbxmnrsfg
bbvdirnsay
Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0455b9ed]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aaoo]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\aip]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\autoload]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM07668a71]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctxfireg]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jdgf894jrghoiiskd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jnskdfmf9eldfd]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\jwiqmvdl]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ntuser]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\psocwecy]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sfkg6w]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sfkg6wip]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\speedrunner]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uzkf]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wintouch]
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"network monitor"=-
"cmdservice"=-
"6to4"=-


Save this as txtfile CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again.
* it will create a zipped file on your Desktop - [8]-Submit_Date_Time.zip
* another file will be present on your desktop: CF-Submit.htm which will open after you ran Combofix.
* Where it says: "Submit files for further analysis", click OK and a browser Window will open. There you'll see: "copy/paste filepath into the box & click OK". You'll find the filepath below, so copy and paste this in the above field and click OK.

After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThislog.
  • 0

#9
whitewlf930

whitewlf930

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:20:02 AM, on 4/18/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Owner\Desktop\HiJackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3525 bytes

Attached Files

  • Attached File  log.txt   24.37KB   166 downloads

  • 0

#10
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Hi,

* Go to start > run and copy and paste next command in the field:

ComboFix /u

Make sure there's a space between Combofix and /
Then hit enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

Let me know in your next reply how things are now.
  • 0

#11
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP

Let me know in your next reply how things are now.

Still with us?
  • 0

#12
whitewlf930

whitewlf930

    New Member

  • Topic Starter
  • Member
  • Pip
  • 7 posts
sorry for the long reply lol. just im not always on the comp and only go on in spare time so i actually just recently did all those things.

the comp runs perfect thank you very much for the help. ima post 1 more hijack log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:15 PM, on 4/26/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
O4 - HKLM\..\Run: [CTSysVol] C:\Program Files\Creative\SBAudigy\Surround Mixer\CTSysVol.exe /r
O4 - HKLM\..\Run: [quicktime task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_06\bin\ssv.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {74DBCB52-F298-4110-951D-AD2FF67BC8AB} (NVIDIA Smart Scan) - http://www.nvidia.co...iaSmartScan.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (antivirscheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (antivirservice) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 3522 bytes
  • 0

#13
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
This looks OK again.

Your version of Java is outdated and needs to be updated to take advantage of fixes that have eliminated security vulnerabilities.
Updating Java:
  • Download the latest version of Java Runtime Environment (JRE) 6 Update 6.
  • Scroll down to where it says "Java Runtime Environment (JRE) 6 Update 6".
  • Click the "Download" button to the right.
  • For Platform, select "Windows"
  • For language, select your language
  • Read the License agreement and then Check the box that says: "I agree to the Java SE Runtime Environment 6 License Agreement".
  • Click Continue
  • Click on the link to download Windows Offline Installation and save to your desktop.
  • Close any programs you may have running - especially your web browser.
  • Go to Start > Control Panel double-click on Add/Remove programs and remove all older versions of Java.
  • Check any item with Java Runtime Environment (JRE or J2SE) in the name.
    - Examples of older versions in Add or Remove Programs:
    • Java 2 Runtime Environment, SE v1.4.2
    • J2SE Runtime Environment 5.0
    • J2SE Runtime Environment 5.0 Update 6
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove each Java versions.
  • Reboot your computer once all Java components are removed.
  • Then from your desktop double-click on jre-6u6-windows-i586-p.exe to install the newest version.

Please read my Prevention page with lots of info and tips how to prevent this in the future.
And if you want to improve speed/system performance after malware removal, take a look here.
Extra note: Make sure your programs are up to date - because older versions may contain Security Leaks. To find out what programs need to be updated, please run the Secunia Software Inspector Scan.

Happy Surfing again!
  • 0

#14
miekiemoes

miekiemoes

    Malware Expert

  • Member
  • PipPipPipPipPipPipPipPip
  • 5,503 posts
  • MVP
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :)

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.
  • 0






Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP