OVPQUVLX.DLL
TFXMTQPO.DLL
it appears they attach to the runndll32.exe and no matter what i can not get them to go away
I have ran Spybot Search and Destory and AVG 8.0 the box
i am in the process of running vundofix as well
thanks
richie
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:29:07 PM, on 5/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\pcAnywhere\awhost32.exe
C:\WINDOWS\System32\DkLog.exe
C:\WINDOWS\system32\dkvcm.exe
C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
C:\Program Files\McAfee\Common Framework\FrameworkService.exe
C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
C:\Program Files\UltraVNC\WinVNC.exe
C:\WINDOWS\System32\dkcktkn.exe
C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\PROGRA~1\AVG\AVG8\avgrsx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Datakey\Crypt32\DkAutoReg.exe
C:\Program Files\Datakey\Crypt32\DkMonitor.exe
C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE
C:\Program Files\McAfee\Common Framework\UdaterUI.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\Program Files\McAfee\Common Framework\McTray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\AVG\AVG8\avgui.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.dell4me.com/mywaybiz
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://172.16.32.88
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://172.16.32.88
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.dell4me.com/mywaybiz
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http=10.5.1.200:8080;https=10.5.1.200:8080;gopher=10.5.1.200:8080;socks=10.5.1.2
00:8080
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 170.209.0.2;170.209.0.3;kirchman2;10.5.0.88;10.5.0.245;10.5.0.195;172.16.32.88;1
0.5.0.192;<local>
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {26504DD1-4576-4CFC-B646-D8B227700496} - (no file)
O2 - BHO: (no name) - {2833ADCA-43B6-4702-9D8B-C64CEEDDF361} - (no file)
O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
O2 - BHO: (no name) - {42469102-6E6C-41F4-97C0-F83C3AB1E6B5} - C:\WINDOWS\system32\mllmk.dll (file missing)
O2 - BHO: (no name) - {44FC10FE-45D0-4221-800E-171533E3C19B} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5993FE19-FED1-412F-A5AB-3DBB1395EBE7} - C:\WINDOWS\system32\geede.dll (file missing)
O2 - BHO: WsftpBrowserHelper Class - {601ED020-FB6C-11D3-87D8-0050DA59922B} - C:\Program Files\Ipswitch\WS_FTP Pro\wsbho2k0.dll
O2 - BHO: (no name) - {6A0AB1AC-75C0-4869-A98C-E8B46F122BB5} - (no file)
O2 - BHO: (no name) - {7DB2D5A0-7241-4E79-B68D-6309F01C5231} - (no file)
O2 - BHO: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [DkAutoReg.exe] C:\Program Files\Datakey\Crypt32\DkAutoReg.exe
O4 - HKLM\..\Run: [DkMonitor.exe] C:\Program Files\Datakey\Crypt32\DkMonitor.exe
O4 - HKLM\..\Run: [DkStartup] C:\Program Files\Datakey\Crypt32\DkStartup.exe
O4 - HKLM\..\Run: [Synchronization Manager] %SystemRoot%\system32\mobsync.exe /logon
O4 - HKLM\..\Run: [ShStatEXE] "C:\Program Files\McAfee\VirusScan Enterprise\SHSTAT.EXE" /STANDALONE
O4 - HKLM\..\Run: [McAfeeUpdaterUI] "C:\Program Files\McAfee\Common Framework\UdaterUI.exe" /StartedFromRunKey
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - HKLM\..\Run: [acad5a50] rundll32.exe "C:\WINDOWS\system32\ovpquvlx.dll",b
O4 - HKLM\..\Run: [BMaf9e69cc] Rundll32.exe "C:\WINDOWS\system32\tfxmtqpo.dll",s
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: e.bat
O4 - Global Startup: fedline.bat
O4 - Global Startup: k.bat
O4 - Global Startup: nwdrive.bat
O4 - Global Startup: tumbleweed.bat
O4 - Global Startup: v.bat
O4 - Global Startup: WinZip Quick Pick.lnk.disabled
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2\bin\npjpi142.dll
O9 - Extra button: MUSICMATCH MX Web Player - {d81ca86b-ef63-42af-bee3-4502d9a03c2d} - http://wwws.musicmat...enWebRadio.html (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://172.16.32.88
O16 - DPF: {DA2AA6CF-5C7A-4B71-BC3B-C771BB369937} -
O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://bankway.webe...ort/ieatgpc.cab
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = ddcmd.com
O17 - HKLM\Software\..\Telephony: DomainName = ddcmd.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{34A6914D-D273-46F8-B29E-FC3807C10331}: NameServer = 10.5.0.191,10.5.0.131
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = ddcmd.com
O17 - HKLM\System\CS1\Services\Tcpip\..\{34A6914D-D273-46F8-B29E-FC3807C10331}: NameServer = 10.5.0.191,10.5.0.131
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O20 - Winlogon Notify: DkWLNP - C:\WINDOWS\SYSTEM32\DkWLNP.dll
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Datakey's Log Service (DkLogger) - Datakey, Inc. - C:\WINDOWS\System32\DkLog.exe
O23 - Service: Datakey's Token Service (DkTknSrv) - Datakey, Inc. - C:\WINDOWS\System32\dkcktkn.exe
O23 - Service: Datakey's Virtual Channel Monitor (DkVcm) - Datakey, Inc. - C:\WINDOWS\system32\dkvcm.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: Galaxy Communications Service (ControlSet001) (GxCVD(ControlSet001)) - CommVault Systems - C:\Program Files\CommVault Systems\Galaxy\Base\cvd.exe
O23 - Service: Galaxy Client Event Manager (ControlSet001) (GxEvMgrC(ControlSet001)) - CommVault Systems - C:\Program Files\CommVault Systems\Galaxy\Base\evmgrc.exe
O23 - Service: McAfee Framework Service (McAfeeFramework) - McAfee, Inc. - C:\Program Files\McAfee\Common Framework\FrameworkService.exe
O23 - Service: McAfee McShield (McShield) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\Mcshield.exe
O23 - Service: McAfee Task Manager (McTaskManager) - McAfee, Inc. - C:\Program Files\McAfee\VirusScan Enterprise\VsTskMgr.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - CACE Technologies - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: VNC Server (winvnc) - UltraVNC - C:\Program Files\UltraVNC\WinVNC.exe
--
End of file - 8270 bytes