Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

win32:vundo@dll trouble [RESOLVED]

Started by bentzilmer , May 21 2008 01:35 PM

This topic is locked

#1
bentzilmer

Posted 21 May 2008 - 01:35 PM

Member

Member
13 posts

My avast scanner keeps finding this virus, please help me remove it. Heres my log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:22:48, on 21-05-2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\System32\smss.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\wininit.exe
C:\Windows\system32\services.exe
C:\Windows\system32\lsass.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Windows\system32\svchost.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\PnkBstrA.exe
C:\Windows\system32\svchost.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\DRIVERS\xaudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\wbem\wmiprvse.exe
c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
C:\Windows\system32\csrss.exe
C:\Windows\system32\winlogon.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\System32\rundll32.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter3.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jp.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://dk.msn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dk.msn.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {CDB00C98-D467-4B3D-A735-433EECF0BD1C} - C:\Windows\system32\vtuVPjHw.dll (file missing)
O2 - BHO: {d923e1ae-144e-7a8b-7534-389213d11b5d} - {d5b11d31-2983-4357-b8a7-e441ea1e329d} - C:\Windows\system32\dabdxfpk.dll (file missing)
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\yayyAsrr.dll,#1
O4 - HKLM\..\Run: [BM38bbed8b] Rundll32.exe "C:\Windows\system32\pgimdwhy.dll",s
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETVÆRKSTJENESTE')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 9921 bytes

#2
Essexboy

Posted 21 May 2008 - 02:32 PM

GeekU Moderator

Retired Staff
69,964 posts

Hi there let me see if I can help

As a Vista user I will require that all the programmes I ask you to run, be run by right clicking the icon and selecting Run as Administrator. Otherwise some programmes may fail to do their job properly

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O2 - BHO: (no name) - {CDB00C98-D467-4B3D-A735-433EECF0BD1C} - C:\Windows\system32\vtuVPjHw.dll (file missing)
O2 - BHO: {d923e1ae-144e-7a8b-7534-389213d11b5d} - {d5b11d31-2983-4357-b8a7-e441ea1e329d} - C:\Windows\system32\dabdxfpk.dll (file missing)
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\yayyAsrr.dll,#1
O4 - HKLM\..\Run: [BM38bbed8b] Rundll32.exe "C:\Windows\system32\pgimdwhy.dll",s

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Please download the OTMoveIt2 by OldTimer.

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):
```
C:\Windows\system32\vtuVPjHw.dll 
C:\Windows\system32\dabdxfpk.dll 
C:\Windows\system32\yayyAsrr.dll
C:\Windows\system32\pgimdwhy.dll
Purity
```
Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

AND FINALLY FOR NOW

If you have Avast 4.8 then you will need to disable the self protection and stop the providers before running Combofix..

Right click the Avast icon and select Program settings
Select Troubleshooting
Tick Disable Avast self defence Module
Click OK
Right click the Avast icon again and select Stop on access protection Prior to running Combofix

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

Please, never rename Combofix unless instructed.
Close any open browsers.
Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

-----------------------------------------------------------
- Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
- Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
  
  -----------------------------------------------------------
- Close any open browsers.
- WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
- Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
- If there is no internet connection after running Combofix, then restart your computer to restore back your connection.
-----------------------------------------------------------
Double click on combofix.exe & follow the prompts.
When finished, it will produce a report for you.
Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Logs required : OTMoveit and Combofix

#3
bentzilmer

Posted 22 May 2008 - 05:17 AM

Member

Topic Starter
Member
13 posts

I've followed your advice. Here's my logs:

ComboFix 08-05-21.2 - Bent 2008-05-22 11:26:37.1 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1030.18.2082 [GMT 2:00]
Running from: C:\Users\Bent\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Windows\System32\defedccf.ini
C:\Windows\System32\defedccf.ini2
C:\Windows\system32\iyhhngqu.ini
C:\Windows\system32\KBL.LOG
C:\Windows\system32\mcrh.tmp
C:\Windows\system32\nxbodbtm.ini
C:\Windows\system32\rjscscws.ini
C:\Windows\System32\tngsifnh.ini
C:\Windows\System32\vhyjfiar.ini
C:\Windows\System32\vuhpkaoa.ini
C:\Windows\System32\wHjPVutv.ini
C:\Windows\System32\wHjPVutv.ini2
C:\Windows\System32\wuclxhbd.ini
C:\Windows\system32\xmnrryvu.ini
C:\Windows\System32\yitmdqnk.ini

.
((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-22 11:16 . 2008-05-22 11:16 <DIR> d-------- C:\_OTMoveIt
2008-05-22 09:37 . 2008-05-16 12:48 58,368 --a------ C:\Windows\System32\geBqRjKB.dll
2008-05-21 22:47 . 2008-05-21 22:47 244 --ah----- C:\sqmnoopt04.sqm
2008-05-21 22:47 . 2008-05-21 22:47 232 --ah----- C:\sqmdata04.sqm
2008-05-21 21:37 . 2008-05-21 21:37 <DIR> d-------- C:\VundoFix Backups
2008-05-21 21:22 . 2008-05-21 21:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-21 21:08 . 2008-05-21 21:08 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-20 22:17 . 2008-05-20 22:17 244 --ah----- C:\sqmnoopt03.sqm
2008-05-20 22:17 . 2008-05-20 22:17 232 --ah----- C:\sqmdata03.sqm
2008-05-18 19:37 . 2008-05-18 19:37 <DIR> d-------- C:\Windows\LastGood
2008-05-18 19:36 . 2008-05-18 19:36 <DIR> d-------- C:\Windows\System32\AGEIA
2008-05-18 19:36 . 2008-05-18 19:36 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 19:36 . 2008-05-18 19:36 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-05-18 19:35 . 2008-05-18 19:35 <DIR> d-------- C:\Users\All Users\THQ
2008-05-18 19:35 . 2008-05-18 19:35 <DIR> d-------- C:\ProgramData\THQ
2008-05-18 19:04 . 2008-05-18 19:04 <DIR> d-------- C:\Program Files\THQ
2008-05-18 17:50 . 2008-05-18 17:52 <DIR> d-------- C:\Users\Bent\Frontlines_Fuel_Of_War-Razor1911
2008-05-18 15:06 . 2008-05-18 15:08 103,736 --a------ C:\Windows\System32\PnkBstrB.exe
2008-05-18 15:06 . 2008-05-18 15:06 66,872 --a------ C:\Windows\System32\PnkBstrA.exe
2008-05-18 15:06 . 2008-05-18 15:08 22,328 --a------ C:\Windows\System32\drivers\PnkBstrK.sys
2008-05-16 20:55 . 2008-05-16 20:55 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-16 20:37 . 2008-05-16 20:37 <DIR> d-------- C:\Users\Bent\NFS-Prostrett
2008-05-16 19:56 . 2008-05-16 19:56 27,335 --a------ C:\Users\Maria\AppData\Roaming\nvModes.dat
2008-05-16 13:58 . 2008-05-16 13:58 <DIR> d-------- C:\Program Files\Microsoft Visual Studio 8
2008-05-16 13:54 . 2008-05-16 13:58 <DIR> d-------- C:\Program Files\Microsoft Expression
2008-05-16 13:25 . 2008-05-16 13:25 58,368 --a------ C:\Windows\System32\tuvvUOec.dll
2008-05-16 12:52 . 2008-05-16 12:52 58,368 --a------ C:\Windows\System32\geBSjJyA.dll
2008-05-16 12:51 . 2008-05-16 12:51 58,368 --a------ C:\Windows\System32\rQHwVPjj.dll
2008-05-16 12:49 . 2008-05-16 12:49 58,368 --a------ C:\Windows\System32\pmnkKaYS.dll
2008-05-06 10:47 . 2008-05-06 10:47 244 --ah----- C:\sqmnoopt02.sqm
2008-05-06 10:47 . 2008-05-06 10:47 232 --ah----- C:\sqmdata02.sqm
2008-05-06 10:05 . 2008-05-06 10:05 244 --ah----- C:\sqmnoopt01.sqm
2008-05-06 10:05 . 2008-05-06 10:05 232 --ah----- C:\sqmdata01.sqm
2008-05-01 19:42 . 2008-05-01 19:42 <DIR> d-------- C:\Program Files\Sydbank
2008-04-27 20:53 . 2008-04-27 21:04 <DIR> d-------- C:\Users\Bent\AppData\Roaming\Uniblue
2008-04-27 19:44 . 2008-04-27 19:58 <DIR> d-------- C:\Users\Bent\Redder
2008-04-27 19:38 . 2008-04-27 19:38 <DIR> d-------- C:\Program Files\unisecur
2008-04-27 14:48 . 2008-04-27 14:48 <DIR> d-------- C:\Program Files\Yamicsoft
2008-04-27 14:39 . 2008-04-27 14:39 <DIR> d-------- C:\Users\Bent\AppData\Roaming\SeriousBit
2008-04-27 14:38 . 2008-04-27 14:38 <DIR> d-------- C:\Program Files\VistaCodecPack
2008-04-27 14:33 . 2008-04-27 14:33 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-04-27 14:30 . 2008-04-27 14:30 <DIR> d-------- C:\NVIDIA
2008-04-25 20:22 . 2008-04-25 20:25 <DIR> d-------- C:\Users\Bent\AppData\Roaming\dvdcss
2008-04-23 19:13 . 2008-04-23 19:13 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-23 11:04 . 2008-04-23 11:04 <DIR> d-------- C:\PerfLogs
2008-04-23 11:00 . 2008-04-23 11:00 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-04-23 10:30 . 2008-01-19 09:35 4,875,776 --a------ C:\Windows\System32\NlsData0009.dll
2008-04-23 10:29 . 2008-01-19 09:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-04-23 10:28 . 2008-01-19 08:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-04-23 10:27 . 2008-01-19 09:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-04-23 10:26 . 2008-01-19 09:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-04-23 10:26 . 2008-01-19 09:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-04-23 10:26 . 2008-01-19 09:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-04-23 10:26 . 2008-01-19 09:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-04-23 10:25 . 2008-01-19 09:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-04-23 10:24 . 2008-01-19 09:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-04-23 10:24 . 2008-01-19 09:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-04-23 10:24 . 2008-01-19 09:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-04-22 10:14 . 2008-04-22 10:14 <DIR> d-------- C:\Windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 09:25 --------- d-----w C:\Users\Bent\AppData\Roaming\Azureus
2008-05-20 20:08 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-19 19:09 194,788 ----a-w C:\Users\Bent\AppData\Roaming\nvModes.dat
2008-05-18 17:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-13 18:51 --------- d-----w C:\Program Files\Windows Mail
2008-04-27 12:37 --------- d-----w C:\Program Files\DivX
2008-04-25 18:22 --------- d-----w C:\ProgramData\CyberLink
2008-04-23 09:25 --------- d-----w C:\ProgramData\NVIDIA
2008-04-23 09:13 174 --sha-w C:\Program Files\desktop.ini
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Journal
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Defender
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Calendar
2008-04-22 19:58 --------- d-----w C:\Users\Bent\AppData\Roaming\Skype
2008-04-22 19:31 --------- d-----w C:\Users\Bent\AppData\Roaming\skypePM
2008-04-20 15:38 --------- d-----w C:\Program Files\QuickTime
2008-04-20 11:14 --------- d-----w C:\Program Files\FLV Player
2008-04-20 11:12 --------- d-----w C:\Users\Bent\AppData\Roaming\vlc
2008-04-20 11:12 --------- d-----w C:\Program Files\VideoLAN
2008-04-18 09:43 --------- d-----w C:\Program Files\Common Files\Real
2008-04-18 09:03 --------- d-----w C:\Program Files\Azureus
2008-04-17 17:37 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-17 17:37 32 ----a-w C:\ProgramData\ezsid.dat
2008-04-17 17:34 --------- d-----w C:\ProgramData\Skype
2008-04-17 17:34 --------- d-----w C:\Program Files\Skype
2008-04-17 17:34 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-17 06:11 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-16 18:29 --------- d-----w C:\Users\Maria\AppData\Roaming\Macrovision
2008-04-16 18:29 --------- d-----w C:\Users\Maria\AppData\Roaming\DigitalPersona
2008-04-14 06:23 --------- d-----w C:\Program Files\Java
2008-04-13 08:44 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-09 13:12 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-04-09 07:28 --------- d-----w C:\Users\Bent\AppData\Roaming\Ubisoft
2008-04-09 07:28 --------- d-----w C:\ProgramData\Ubisoft
2008-04-09 07:10 --------- d-----w C:\Users\Bent\AppData\Roaming\InstallShield
2008-04-09 07:10 --------- d-----w C:\Program Files\Ubisoft
2008-04-08 21:17 --------- d-----w C:\Program Files\Alwil Software
2008-04-08 21:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 21:12 --------- d-----w C:\ProgramData\Symantec
2008-04-08 18:30 --------- d-----w C:\Program Files\MegaSpoof
2008-04-08 10:56 --------- d-----w C:\Users\Bent\AppData\Roaming\CyberLink
2008-04-08 10:21 --------- d-----w C:\Users\Bent\AppData\Roaming\HP
2008-04-08 10:21 --------- d-----w C:\ProgramData\HP
2008-04-07 17:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-07 17:46 --------- d-----w C:\Program Files\Windows Live
2008-04-07 17:45 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-07 17:44 --------- d-----w C:\ProgramData\WLInstaller
2008-04-07 15:19 --------- d-----w C:\Program Files\Microsoft Works
2008-04-06 20:17 --------- d-----w C:\Users\Bent\AppData\Roaming\DivX
2008-04-06 19:02 278,984 ----a-w C:\Windows\system32\drivers\atksgt.sys
2008-04-06 19:02 25,416 ----a-w C:\Windows\system32\drivers\lirsgt.sys
2008-04-06 18:26 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-04-06 17:10 --------- d-----w C:\Program Files\CONEXANT
2008-04-06 15:59 --------- d-----w C:\Users\Bent\AppData\Roaming\DAEMON Tools Pro
2008-04-06 15:59 --------- d-----w C:\ProgramData\DAEMON Tools Pro
2008-04-06 15:48 --------- d-----w C:\ProgramData\Azureus
2008-04-06 15:13 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-06 14:53 685,816 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-04-06 14:53 --------- d-----w C:\Program Files\Gabest
2008-04-06 14:37 --------- d-----w C:\Users\Bent\AppData\Roaming\Symantec
2008-04-06 14:36 --------- d-----w C:\Users\Bent\AppData\Roaming\DigitalPersona
2008-04-06 14:33 --------- d-----w C:\Users\Bent\AppData\Roaming\Hewlett-Packard
2008-04-06 14:28 --------- d-----w C:\Program Files\HPQ
2008-04-06 14:28 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-04-06 14:27 --------- d-----w C:\Program Files\HP
2008-04-06 14:26 0 --sha-r C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv6700 Notebook PC_Y5335KV_0U_QCNF80766NZ_E459053-DH1_4A_I30D0_SQuanta_V85.24_F.28_T080121_WV3-0_L406_M3071_J250_7AMD_8F82_92.00_#071108_N10DE0450;168C001C_(KN038EA#UUW)_XMOBI
LE_CN10_Z.MRK
2008-04-06 14:26 --------- d-----w C:\Users\Bent\AppData\Roaming\Macrovision
2008-03-29 17:32 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 09:33 125952]
"ISUSPM"="C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-30 01:41 222128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 10:29 102400]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-10-01 05:34 181544]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-20 00:31 202032]
"OnScreenDisplay"="C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 23:54 554320]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 09:13 218408]
"DpAgent"="C:\Program Files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 21:12 671744]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 09:38 1008184]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 18:47 480560]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-09 01:53 311296]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-03-29 19:37 79224]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-19 22:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-19 22:05 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-19 22:05 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 19:31 1033512]
"MSServer"="C:\Windows\system32\ssqOhIYS.dll" [2008-05-16 12:48 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81AA6A16-B8CA-43C4-A347-A487764FF528}"= C:\Windows\system32\ssqOhIYS.dll [2008-05-16 12:48 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 15:08 136136 C:\Program Files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-08-23 17:36 455968 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Health Check Scheduler"=[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2610512430-812213940-561383249-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{561D6B36-CA40-4E50-B060-E822986DBEB2}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{F3EEB7F7-E00F-404C-A817-3B86FC1B5C98}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{F178163E-00A1-44D0-B115-38E86841B1B0}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{C3C14E46-07D0-4999-8B8F-3707E4DEAABC}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F046B709-DE42-4923-B47F-EF01E14544EE}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7B5DEB10-55E2-4602-9587-2E1E2E510624}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{85FEDECE-BAAE-41F7-ADF2-FDB0B9AA2038}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{2C3744A2-113E-40BB-8919-67BF40E9AB27}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{0AE92CC8-6B98-416C-AB07-A80AC3A2EF8B}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{797F8C5B-7D1A-4ED3-A6D6-5AE8B4890453}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{A9A07864-BDAC-49EA-BC1D-E12151DA8FA4}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{639AC0D0-4310-47B7-96AB-A2F81E5C5267}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"TCP Query User{F0402D6B-D497-4804-BDA0-3C8201C32233}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{1C9863F7-6E09-4B3C-9C57-AC4BD6EC5AD6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{CCAA5015-3165-4C29-A9A1-8113BDC630C9}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1D50106B-34EB-4B06-9690-75A80E6A2157}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2682E024-61C1-491B-BB31-72689AD3FD18}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{0AE219C6-2A5E-470E-83EA-6E90EF3E0460}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{BF9E0E2A-E96D-4FAE-98E3-5C4042C2354B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{A99F668D-0AD6-4549-BC38-4E60A7C2E25B}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{4DBA4DE8-CB69-4E30-9269-D74B4A3F0597}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{4267B149-BD6F-4799-86DB-CA16EE4BA334}C:\\program files\\zattoo\\zattood.exe"= UDP:C:\program files\zattoo\zattood.exe:zattood
"UDP Query User{D2AC037F-419A-40A0-8561-878F26765FC3}C:\\program files\\zattoo\\zattood.exe"= TCP:C:\program files\zattoo\zattood.exe:zattood
"TCP Query User{D24079FA-0A44-4010-8752-99A6ACF795CC}C:\\program files\\zattoo\\zattoo.exe"= UDP:C:\program files\zattoo\zattoo.exe:
"UDP Query User{960907CE-A705-4BE7-AC10-3A20AC4E0DDE}C:\\program files\\zattoo\\zattoo.exe"= TCP:C:\program files\zattoo\zattoo.exe:
"{F2826490-7501-47F2-9ECA-5E082EA23485}"= UDP:C:\Program Files\THQ\Frontlines-Fuel of War\Binaries\FFOW.exe:Frontlines Game
"{3B881398-C899-4F00-AE19-08536FCA373A}"= TCP:C:\Program Files\THQ\Frontlines-Fuel of War\Binaries\FFOW.exe:Frontlines Game

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-03-29 19:31]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-03-29 19:35]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-03-29 19:32]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-10-01 05:34]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-10-01 05:34]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 06:36]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-05-31 01:40]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 02:32]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 20:30]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 23:50]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 09:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a6a441f-03ef-11dd-8337-001e681dc1b9}]
\shell\AutoRun\command - H:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 18:59:00 C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-27 18:53:45 C:\Windows\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-22 08:59:28 C:\Windows\Tasks\User_Feed_Synchronization-{B414613E-EE91-4E26-84CD-7395231C5DBE}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 11:32:42
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\ssqOhIYS.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Windows\System32\audiodg.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\DigitalPersona\Bin\DpHostW.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\System32\PnkBstrA.exe
C:\Program Files\CyberLink\Shared Files\RichVideo.exe
C:\Windows\System32\drivers\XAudio.exe
C:\Program Files\Hewlett-Packard\Shared\hpqWmiEx.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Windows\System32\conime.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Hewlett-Packard\HP Health Check\HPHC_Service.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\System32\dllhost.exe
.
**************************************************************************
.
Completion time: 2008-05-22 11:35:39 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-22 09:35:30

Pre-Run: 83,513,344,000 byte ledig
Post-Run: 83,653,922,816 byte ledig

310 --- E O F --- 2008-05-20 20:08:58

File/Folder C:\Windows\system32\vtuVPjHw.dll not found.
File/Folder C:\Windows\system32\dabdxfpk.dll not found.
File/Folder C:\Windows\system32\yayyAsrr.dll not found.
File/Folder C:\Windows\system32\pgimdwhy.dll not found.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05222008_111637

#4
Essexboy

Posted 22 May 2008 - 01:19 PM

GeekU Moderator

Retired Staff
69,964 posts

Hi again we will now run combofix in a special mode so follow the instructions re Avast as previously

1. Please open Notepad

Click Start , then Run
Type notepad .exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
C:\Windows\System32\geBqRjKB.dll
C:\Windows\System32\tuvvUOec.dll
C:\Windows\System32\geBSjJyA.dll
C:\Windows\System32\rQHwVPjj.dll
C:\Windows\System32\pmnkKaYS.dll
C:\Windows\system32\ssqOhIYS.dll

Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSServer"=-
[-hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\{81AA6A16-B8CA-43C4-A347-A487764FF528}]

3. Then in the text file go to FILE > SAVE AS and in the dropdown box select SAVE AS TYPE to ALL FILES

4. Save the above as CFScript.txt

5. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

Posted Image

5. After reboot, (in case it asks to reboot), please post the following reports/logs into your next reply:

Combofix.txt
A new HijackThis log.

#5
bentzilmer

Posted 22 May 2008 - 01:50 PM

Member

Topic Starter
Member
13 posts

My computer crashed with a blue screen when I tried running combofix with the txt file. After a reboot i ran it without the txt file, here's the log:

ComboFix 08-05-21.2 - Bent 2008-05-22 21:44:38.2 - NTFSx86
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.1.1030.18.2229 [GMT 2:00]
Running from: C:\Users\Bent\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-22 to 2008-05-22 )))))))))))))))))))))))))))))))
.

2008-05-22 21:42 . 2008-05-16 12:48 58,368 --a------ C:\Windows\System32\ssqPHayy.dll
2008-05-22 21:32 . 2008-05-22 21:41 282,171,548 --a------ C:\Windows\MEMORY.DMP
2008-05-22 20:27 . 2008-05-22 20:27 107,888 --a------ C:\Windows\System32\CmdLineExt.dll
2008-05-22 20:12 . 2008-05-22 20:12 215,144 --a------ C:\Windows\patchw32.dll
2008-05-22 15:13 . 2008-05-22 15:13 244 --ah----- C:\sqmnoopt08.sqm
2008-05-22 15:13 . 2008-05-22 15:13 232 --ah----- C:\sqmdata08.sqm
2008-05-22 14:18 . 2008-05-22 14:18 244 --ah----- C:\sqmnoopt07.sqm
2008-05-22 14:18 . 2008-05-22 14:18 232 --ah----- C:\sqmdata07.sqm
2008-05-22 13:22 . 2008-05-22 13:22 244 --ah----- C:\sqmnoopt06.sqm
2008-05-22 13:22 . 2008-05-22 13:22 232 --ah----- C:\sqmdata06.sqm
2008-05-22 11:16 . 2008-05-22 11:16 <DIR> d-------- C:\_OTMoveIt
2008-05-21 22:47 . 2008-05-21 22:47 244 --ah----- C:\sqmnoopt04.sqm
2008-05-21 22:47 . 2008-05-21 22:47 232 --ah----- C:\sqmdata04.sqm
2008-05-21 21:37 . 2008-05-21 21:37 <DIR> d-------- C:\VundoFix Backups
2008-05-21 21:22 . 2008-05-21 21:22 <DIR> d-------- C:\Program Files\Trend Micro
2008-05-21 21:08 . 2008-05-21 21:08 <DIR> d-------- C:\Program Files\Enigma Software Group
2008-05-20 22:17 . 2008-05-20 22:17 244 --ah----- C:\sqmnoopt03.sqm
2008-05-20 22:17 . 2008-05-20 22:17 232 --ah----- C:\sqmdata03.sqm
2008-05-18 19:36 . 2008-05-18 19:36 <DIR> d-------- C:\Windows\System32\AGEIA
2008-05-18 19:36 . 2008-05-22 20:45 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-05-18 19:36 . 2008-05-22 20:45 <DIR> d-------- C:\Program Files\AGEIA Technologies
2008-05-18 19:35 . 2008-05-18 19:35 <DIR> d-------- C:\Users\All Users\THQ
2008-05-18 19:35 . 2008-05-18 19:35 <DIR> d-------- C:\ProgramData\THQ
2008-05-18 19:04 . 2008-05-18 19:04 <DIR> d-------- C:\Program Files\THQ
2008-05-18 17:50 . 2008-05-18 17:52 <DIR> d-------- C:\Users\Bent\Frontlines_Fuel_Of_War-Razor1911
2008-05-18 15:06 . 2008-05-18 15:08 103,736 --a------ C:\Windows\System32\PnkBstrB.exe
2008-05-18 15:06 . 2008-05-18 15:06 66,872 --a------ C:\Windows\System32\PnkBstrA.exe
2008-05-18 15:06 . 2008-05-18 15:08 22,328 --a------ C:\Windows\System32\drivers\PnkBstrK.sys
2008-05-16 20:55 . 2008-05-16 20:55 <DIR> d-------- C:\Program Files\Electronic Arts
2008-05-16 20:37 . 2008-05-16 20:37 <DIR> d-------- C:\Users\Bent\NFS-Prostrett
2008-05-16 19:56 . 2008-05-16 19:56 27,335 --a------ C:\Users\Maria\AppData\Roaming\nvModes.dat
2008-05-16 13:25 . 2008-05-16 13:25 58,368 --a------ C:\Windows\System32\tuvvUOec.dll
2008-05-16 12:52 . 2008-05-16 12:52 58,368 --a------ C:\Windows\System32\geBSjJyA.dll
2008-05-16 12:51 . 2008-05-16 12:51 58,368 --a------ C:\Windows\System32\rQHwVPjj.dll
2008-05-16 12:49 . 2008-05-16 12:49 58,368 --a------ C:\Windows\System32\pmnkKaYS.dll
2008-05-06 16:54 . 2008-05-06 16:54 390,432 --a------ C:\Windows\System32\PhysX.cpl
2008-05-06 10:47 . 2008-05-06 10:47 244 --ah----- C:\sqmnoopt02.sqm
2008-05-06 10:47 . 2008-05-06 10:47 232 --ah----- C:\sqmdata02.sqm
2008-05-06 10:05 . 2008-05-06 10:05 244 --ah----- C:\sqmnoopt01.sqm
2008-05-06 10:05 . 2008-05-06 10:05 232 --ah----- C:\sqmdata01.sqm
2008-05-01 19:42 . 2008-05-01 19:42 <DIR> d-------- C:\Program Files\Sydbank
2008-04-30 13:55 . 2008-04-30 13:55 70,944 --a------ C:\Windows\System32\PhysXLoader.dll
2008-04-27 20:53 . 2008-04-27 21:04 <DIR> d-------- C:\Users\Bent\AppData\Roaming\Uniblue
2008-04-27 19:44 . 2008-04-27 19:58 <DIR> d-------- C:\Users\Bent\Redder
2008-04-27 19:38 . 2008-04-27 19:38 <DIR> d-------- C:\Program Files\unisecur
2008-04-27 14:48 . 2008-04-27 14:48 <DIR> d-------- C:\Program Files\Yamicsoft
2008-04-27 14:39 . 2008-04-27 14:39 <DIR> d-------- C:\Users\Bent\AppData\Roaming\SeriousBit
2008-04-27 14:38 . 2008-04-27 14:38 <DIR> d-------- C:\Program Files\VistaCodecPack
2008-04-27 14:33 . 2008-04-27 14:33 <DIR> d-------- C:\Program Files\SystemRequirementsLab
2008-04-27 14:30 . 2008-04-27 14:30 <DIR> d-------- C:\NVIDIA
2008-04-25 20:22 . 2008-04-25 20:25 <DIR> d-------- C:\Users\Bent\AppData\Roaming\dvdcss
2008-04-23 19:13 . 2008-04-23 19:13 0 --ah----- C:\Windows\System32\drivers\Msft_User_WpdFs_01_00_00.Wdf
2008-04-23 11:04 . 2008-04-23 11:04 <DIR> d-------- C:\PerfLogs
2008-04-23 11:00 . 2008-04-23 11:00 0 --ah----- C:\Windows\System32\drivers\Msft_Kernel_HpqKbFiltr_01005.Wdf
2008-04-23 10:30 . 2008-01-19 09:35 4,875,776 --a------ C:\Windows\System32\NlsData0009.dll
2008-04-23 10:29 . 2008-01-19 09:35 9,847,296 --a------ C:\Windows\System32\NlsData000a.dll
2008-04-23 10:28 . 2008-01-19 08:06 8,147,456 --a------ C:\Windows\System32\wmploc.DLL
2008-04-23 10:27 . 2008-01-19 09:36 357,888 --a------ C:\Windows\System32\wbemcomn.dll
2008-04-23 10:26 . 2008-01-19 09:36 704,512 --a------ C:\Windows\System32\SmiEngine.dll
2008-04-23 10:26 . 2008-01-19 09:36 218,624 --a------ C:\Windows\System32\wdscore.dll
2008-04-23 10:26 . 2008-01-19 09:36 139,264 --a------ C:\Windows\System32\SmiInstaller.dll
2008-04-23 10:26 . 2008-01-19 09:33 130,560 --a------ C:\Windows\System32\PkgMgr.exe
2008-04-23 10:25 . 2008-01-19 09:34 246,784 --a------ C:\Windows\System32\drvstore.dll
2008-04-23 10:24 . 2008-01-19 09:34 305,152 --a------ C:\Windows\System32\msdelta.dll
2008-04-23 10:24 . 2008-01-19 09:34 258,560 --a------ C:\Windows\System32\dpx.dll
2008-04-23 10:24 . 2008-01-19 09:35 35,328 --a------ C:\Windows\System32\mspatcha.dll
2008-04-22 10:14 . 2008-04-22 10:14 <DIR> d-------- C:\Windows\Sun

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-22 19:17 194,788 ----a-w C:\Users\Bent\AppData\Roaming\nvModes.dat
2008-05-22 16:35 --------- d-----w C:\ProgramData\Microsoft Help
2008-05-22 12:09 --------- d-----w C:\Users\Bent\AppData\Roaming\Azureus
2008-05-18 17:04 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-05-15 23:18 50,768 ----a-w C:\Windows\system32\drivers\aswMonFlt.sys
2008-05-13 18:51 --------- d-----w C:\Program Files\Windows Mail
2008-04-27 12:37 --------- d-----w C:\Program Files\DivX
2008-04-25 18:22 --------- d-----w C:\ProgramData\CyberLink
2008-04-23 09:25 --------- d-----w C:\ProgramData\NVIDIA
2008-04-23 09:13 174 --sha-w C:\Program Files\desktop.ini
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Sidebar
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Photo Gallery
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Journal
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Defender
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Collaboration
2008-04-23 09:05 --------- d-----w C:\Program Files\Windows Calendar
2008-04-23 08:47 82,432 ----a-w C:\Windows\System32\axaltocm.dll
2008-04-23 08:47 101,888 ----a-w C:\Windows\System32\ifxcardm.dll
2008-04-22 19:58 --------- d-----w C:\Users\Bent\AppData\Roaming\Skype
2008-04-22 19:31 --------- d-----w C:\Users\Bent\AppData\Roaming\skypePM
2008-04-20 15:38 --------- d-----w C:\Program Files\QuickTime
2008-04-20 11:14 --------- d-----w C:\Program Files\FLV Player
2008-04-20 11:12 --------- d-----w C:\Users\Bent\AppData\Roaming\vlc
2008-04-20 11:12 --------- d-----w C:\Program Files\VideoLAN
2008-04-18 09:43 --------- d-----w C:\Program Files\Common Files\Real
2008-04-18 09:03 --------- d-----w C:\Program Files\Azureus
2008-04-17 17:37 32 ----a-w C:\Users\All Users\ezsid.dat
2008-04-17 17:37 32 ----a-w C:\ProgramData\ezsid.dat
2008-04-17 17:34 --------- d-----w C:\ProgramData\Skype
2008-04-17 17:34 --------- d-----w C:\Program Files\Skype
2008-04-17 17:34 --------- d-----w C:\Program Files\Common Files\Skype
2008-04-17 06:11 --------- d-----w C:\Program Files\Microsoft Silverlight
2008-04-16 18:29 --------- d-----w C:\Users\Maria\AppData\Roaming\Macrovision
2008-04-16 18:29 --------- d-----w C:\Users\Maria\AppData\Roaming\DigitalPersona
2008-04-14 06:23 --------- d-----w C:\Program Files\Java
2008-04-13 08:44 --------- d-----w C:\Program Files\Windows Live Toolbar
2008-04-09 13:12 0 ---ha-w C:\Windows\system32\drivers\Msft_Kernel_NuidFltr_01005.Wdf
2008-04-09 07:28 --------- d-----w C:\Users\Bent\AppData\Roaming\Ubisoft
2008-04-09 07:28 --------- d-----w C:\ProgramData\Ubisoft
2008-04-09 07:10 --------- d-----w C:\Users\Bent\AppData\Roaming\InstallShield
2008-04-09 07:10 --------- d-----w C:\Program Files\Ubisoft
2008-04-08 21:17 --------- d-----w C:\Program Files\Alwil Software
2008-04-08 21:13 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-04-08 21:12 --------- d-----w C:\ProgramData\Symantec
2008-04-08 18:30 --------- d-----w C:\Program Files\MegaSpoof
2008-04-08 10:56 --------- d-----w C:\Users\Bent\AppData\Roaming\CyberLink
2008-04-08 10:21 --------- d-----w C:\Users\Bent\AppData\Roaming\HP
2008-04-08 10:21 --------- d-----w C:\ProgramData\HP
2008-04-07 17:57 --------- d-----w C:\Program Files\Common Files\Adobe
2008-04-07 17:46 --------- d-----w C:\Program Files\Windows Live
2008-04-07 17:45 --------- dcsh--w C:\Program Files\Common Files\WindowsLiveInstaller
2008-04-07 17:44 --------- d-----w C:\ProgramData\WLInstaller
2008-04-07 15:19 --------- d-----w C:\Program Files\Microsoft Works
2008-04-06 20:17 --------- d-----w C:\Users\Bent\AppData\Roaming\DivX
2008-04-06 19:02 278,984 ----a-w C:\Windows\system32\drivers\atksgt.sys
2008-04-06 19:02 25,416 ----a-w C:\Windows\system32\drivers\lirsgt.sys
2008-04-06 18:26 --------- d-----w C:\Program Files\DAEMON Tools Pro
2008-04-06 17:10 --------- d-----w C:\Program Files\CONEXANT
2008-04-06 15:59 --------- d-----w C:\Users\Bent\AppData\Roaming\DAEMON Tools Pro
2008-04-06 15:59 --------- d-----w C:\ProgramData\DAEMON Tools Pro
2008-04-06 15:48 --------- d-----w C:\ProgramData\Azureus
2008-04-06 15:13 --------- d-----w C:\Program Files\Microsoft.NET
2008-04-06 14:53 685,816 ----a-w C:\Windows\system32\drivers\sptd.sys
2008-04-06 14:53 --------- d-----w C:\Program Files\Gabest
2008-04-06 14:37 --------- d-----w C:\Users\Bent\AppData\Roaming\Symantec
2008-04-06 14:36 --------- d-----w C:\Users\Bent\AppData\Roaming\DigitalPersona
2008-04-06 14:33 --------- d-----w C:\Users\Bent\AppData\Roaming\Hewlett-Packard
2008-04-06 14:28 --------- d-----w C:\Program Files\HPQ
2008-04-06 14:28 --------- d-----w C:\Program Files\Common Files\LightScribe
2008-04-06 14:27 --------- d-----w C:\Program Files\HP
2008-04-06 14:26 0 --sha-r C:\Windows\system32\drivers\103C_HP_cNB_Pavilion dv6700 Notebook PC_Y5335KV_0U_QCNF80766NZ_E459053-DH1_4A_I30D0_SQuanta_V85.24_F.28_T080121_WV3-0_L406_M3071_J250_7AMD_8F82_92.00_#071108_N10DE0450;168C001C_(KN038EA#UUW)_XMOBI
LE_CN10_Z.MRK
2008-04-06 14:26 --------- d-----w C:\Users\Bent\AppData\Roaming\Macrovision
2008-03-31 21:25 161,096 ----a-w C:\Windows\System32\DivXCodecVersionChecker.exe
2008-03-28 23:41 7,680 ----a-w C:\Windows\System32\ff_vfw.dll
2008-03-06 22:29 966,656 ----a-w C:\Windows\System32\VSFilter.dll
2008-03-05 14:03 479,752 ----a-w C:\Windows\System32\XAudio2_0.dll
2008-03-05 14:03 238,088 ----a-w C:\Windows\System32\xactengine3_0.dll
2008-03-05 14:00 25,608 ----a-w C:\Windows\System32\X3DAudio1_3.dll
2008-03-05 13:56 3,786,760 ----a-w C:\Windows\System32\D3DX9_37.dll
2008-03-05 13:56 1,420,824 ----a-w C:\Windows\System32\D3DCompiler_37.dll
2008-03-04 00:34 2,125,312 ----a-w C:\Windows\System32\CnxtAp32.dll
2008-02-29 07:14 19,000 ----a-w C:\Windows\System32\kd1394.dll
2008-02-29 07:11 988,216 ----a-w C:\Windows\System32\winload.exe
2008-02-29 07:11 927,288 ----a-w C:\Windows\System32\winresume.exe
2008-02-29 06:53 46,592 ----a-w C:\Windows\System32\setbcdlocale.dll
2008-02-29 06:53 40,960 ----a-w C:\Windows\System32\srclient.dll
2008-02-29 06:53 378,368 ----a-w C:\Windows\System32\srcore.dll
2008-02-29 06:35 6,656 ----a-w C:\Windows\System32\kbd106n.dll
2008-02-29 04:21 2,032,128 ----a-w C:\Windows\System32\win32k.sys
2008-02-29 04:12 318,464 ----a-w C:\Windows\System32\rstrui.exe
2008-02-29 04:12 14,848 ----a-w C:\Windows\System32\srdelayed.exe
2008-02-22 05:05 615,992 ----a-w C:\Windows\System32\ci.dll
2008-02-22 05:01 826,880 ----a-w C:\Windows\System32\wininet.dll
2008-02-22 04:57 295,936 ----a-w C:\Windows\System32\gdi32.dll
.

------- Sigcheck -------

.
((((((((((((((((((((((((((((( snapshot@2008-05-22_11.35.07.56 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-22 09:30:05 67,584 --s-a-w C:\Windows\bootstat.dat
+ 2008-05-22 19:41:33 67,584 --s-a-w C:\Windows\bootstat.dat
- 2008-05-18 17:37:24 51,200 ----a-w C:\Windows\inf\infpub.dat
+ 2008-05-22 18:45:06 51,200 ----a-w C:\Windows\inf\infpub.dat
- 2008-05-18 17:37:21 86,016 ----a-w C:\Windows\inf\infstor.dat
+ 2008-05-22 18:45:04 86,016 ----a-w C:\Windows\inf\infstor.dat
- 2008-05-18 17:37:24 143,360 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-05-22 18:45:06 143,360 ----a-w C:\Windows\inf\infstrng.dat
+ 2008-05-22 19:41:33 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.dat
+ 2008-05-22 19:41:33 2,048 --sha-w C:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.dat
- 2008-05-22 09:30:50 155,648 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
+ 2008-05-22 19:43:09 155,648 ----a-w C:\Windows\ServiceProfiles\LocalService\NTUSER.DAT
- 2008-05-22 09:30:50 155,648 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
+ 2008-05-22 19:43:04 155,648 ----a-w C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
- 2007-07-24 06:20:06 207,405 ----a-w C:\Windows\System32\AGEIA\AG1011\app.bin
+ 2008-04-28 09:11:16 199,885 ----a-w C:\Windows\System32\AGEIA\AG1011\app.bin
- 2007-05-16 06:42:42 122,249 ----a-w C:\Windows\System32\AGEIA\AG1011\diag.bin
+ 2008-04-28 09:11:16 119,473 ----a-w C:\Windows\System32\AGEIA\AG1011\diag.bin
- 2007-07-25 06:30:38 214,141 ----a-w C:\Windows\System32\AGEIA\AG1021\app.bin
+ 2008-04-28 09:11:16 214,629 ----a-w C:\Windows\System32\AGEIA\AG1021\app.bin
- 2007-10-25 06:29:50 114,505 ----a-w C:\Windows\System32\AGEIA\AG1021\diag.bin
+ 2008-04-28 09:11:16 116,977 ----a-w C:\Windows\System32\AGEIA\AG1021\diag.bin
- 2008-03-29 17:45:49 1,146,232 ----a-w C:\Windows\System32\aswBoot.exe
+ 2008-05-15 23:24:43 1,152,888 ----a-w C:\Windows\System32\aswBoot.exe
- 2008-03-29 17:23:22 95,608 ----a-w C:\Windows\System32\AvastSS.scr
+ 2008-05-15 23:12:36 95,608 ----a-w C:\Windows\System32\AvastSS.scr
- 2008-05-22 09:31:27 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
+ 2008-05-22 19:42:44 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5\index.dat
- 2008-05-22 09:31:27 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
+ 2008-05-22 19:42:44 32,768 --sha-w C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\index.dat
- 2008-05-22 09:31:27 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
+ 2008-05-22 19:42:44 16,384 --sha-w C:\Windows\System32\config\systemprofile\AppData\Roaming\Microsoft\Windows\Cookies\index.dat
- 2008-03-29 17:35:49 20,560 ----a-w C:\Windows\System32\drivers\aswFsBlk.sys
+ 2008-05-15 23:16:06 20,560 ----a-w C:\Windows\System32\drivers\aswFsBlk.sys
- 2008-03-29 17:29:08 23,152 ----a-w C:\Windows\System32\drivers\aswRdr.sys
+ 2008-05-15 23:15:29 23,152 ----a-w C:\Windows\System32\drivers\aswRdr.sys
- 2008-03-29 17:31:34 75,856 ----a-w C:\Windows\System32\drivers\aswSP.sys
+ 2008-05-15 23:20:32 78,416 ----a-w C:\Windows\System32\drivers\aswSP.sys
- 2008-03-29 17:27:33 42,912 ----a-w C:\Windows\System32\drivers\aswTdi.sys
+ 2008-05-15 23:14:11 42,912 ----a-w C:\Windows\System32\drivers\aswTdi.sys
+ 2008-04-28 09:11:28 120,960 ----a-w C:\Windows\System32\DriverStore\FileRepository\physx32.inf_2f893986\physX32.sys
- 2008-05-22 07:38:21 6,904 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2610512430-812213940-561383249-1000_UserData.bin
+ 2008-05-22 19:43:37 7,394 ----a-w C:\Windows\System32\WDI\{86432a0b-3c7d-4ddf-a89c-172faa90485d}\S-1-5-21-2610512430-812213940-561383249-1000_UserData.bin
- 2008-05-22 07:38:20 78,102 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
+ 2008-05-22 19:43:37 78,654 ----a-w C:\Windows\System32\WDI\BootPerformanceDiagnostics_SystemData.bin
- 2008-05-22 07:38:19 39,942 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
+ 2008-05-22 15:19:59 39,982 ----a-w C:\Windows\System32\WDI\ShutdownPerformanceDiagnostics_SystemData.bin
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\MsnMsgr.exe" [2007-10-18 11:34 5724184]
"ehTray.exe"="C:\Windows\ehome\ehTray.exe" [2008-01-19 09:33 125952]
"ISUSPM"="C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" [2007-03-30 01:41 222128]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SynTPStart"="C:\Program Files\Synaptics\SynTP\SynTPStart.exe" [2007-09-15 10:29 102400]
"QPService"="C:\Program Files\HP\QuickPlay\QPService.exe" [2007-10-01 05:34 181544]
"QlbCtrl"="C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe" [2007-09-20 00:31 202032]
"OnScreenDisplay"="C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe" [2007-09-04 23:54 554320]
"UCam_Menu"="C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" [2007-08-17 09:13 218408]
"DpAgent"="C:\Program Files\DigitalPersona\Bin\dpagent.exe" [2007-09-20 21:12 671744]
"Windows Defender"="C:\Program Files\Windows Defender\MSASCui.exe" [2008-01-19 09:38 1008184]
"hpWirelessAssistant"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe" [2007-09-13 18:47 480560]
"WAWifiMessage"="C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe" [2007-01-09 01:53 311296]
"HP Software Update"="C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe" [2005-02-16 23:11 49152]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2008-05-16 01:19 79224]
"NvSvc"="C:\Windows\system32\nvsvc.dll" [2007-09-19 22:05 86016]
"NvCplDaemon"="C:\Windows\system32\NvCpl.dll" [2007-09-19 22:05 8497696]
"NvMediaCenter"="C:\Windows\system32\NvMcTray.dll" [2007-09-19 22:05 81920]
"SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [2008-01-18 19:31 1033512]
"MSServer"="C:\Windows\system32\ssqPHayy.dll" [2008-05-16 12:48 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"EnableLUA"= 0 (0x0)
"PromptOnSecureDesktop"= 0 (0x0)
"EnableUIADesktopToggle"= 0 (0x0)
"SynchronousMachineGroupPolicy"= 0 (0x0)
"SynchronousUserGroupPolicy"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{81AA6A16-B8CA-43C4-A347-A487764FF528}"= C:\Windows\system32\ssqPHayy.dll [2008-05-16 12:48 58368]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3codecp"= l3codecp.acm
"msacm.divxa32"= divxa32.acm

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools Pro Agent]
--a------ 2007-09-06 15:08 136136 C:\Program Files\DAEMON Tools Pro\DTProAgent.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LightScribe Control Panel]
--a------ 2007-08-23 17:36 455968 C:\Program Files\Common Files\LightScribe\LightScribeControlPanel.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"HP Health Check Scheduler"=[ProgramFilesFolder]Hewlett-Packard\HP Health Check\HPHC_Scheduler.exe
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Svc\S-1-5-21-2610512430-812213940-561383249-1000]
"EnableNotificationsRef"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\FirewallRules]
"{561D6B36-CA40-4E50-B060-E822986DBEB2}"= C:\Program Files\Cyberlink\PowerDirector\PDR.EXE:CyberLink PowerDirector
"{F3EEB7F7-E00F-404C-A817-3B86FC1B5C98}"= C:\Program Files\HP\QuickPlay\QP.exe:Quick Play
"{F178163E-00A1-44D0-B115-38E86841B1B0}"= C:\Program Files\HP\QuickPlay\QPService.exe:Quick Play Resident Program
"{C3C14E46-07D0-4999-8B8F-3707E4DEAABC}"= UDP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{F046B709-DE42-4923-B47F-EF01E14544EE}"= TCP:C:\Program Files\Microsoft Office\Office12\ONENOTE.EXE:Microsoft Office OneNote
"{7B5DEB10-55E2-4602-9587-2E1E2E510624}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"{85FEDECE-BAAE-41F7-ADF2-FDB0B9AA2038}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{2C3744A2-113E-40BB-8919-67BF40E9AB27}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx9.exe:Assassin's Creed Dx9
"{0AE92CC8-6B98-416C-AB07-A80AC3A2EF8B}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{797F8C5B-7D1A-4ED3-A6D6-5AE8B4890453}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Dx10.exe:Assassin's Creed Dx10
"{A9A07864-BDAC-49EA-BC1D-E12151DA8FA4}"= UDP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"{639AC0D0-4310-47B7-96AB-A2F81E5C5267}"= TCP:C:\Program Files\Ubisoft\Assassin's Creed\AssassinsCreed_Launcher.exe:Assassin's Creed Update
"TCP Query User{F0402D6B-D497-4804-BDA0-3C8201C32233}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{1C9863F7-6E09-4B3C-9C57-AC4BD6EC5AD6}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{CCAA5015-3165-4C29-A9A1-8113BDC630C9}C:\\program files\\internet explorer\\iexplore.exe"= UDP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"UDP Query User{1D50106B-34EB-4B06-9690-75A80E6A2157}C:\\program files\\internet explorer\\iexplore.exe"= TCP:C:\program files\internet explorer\iexplore.exe:Internet Explorer
"{2682E024-61C1-491B-BB31-72689AD3FD18}"= Disabled:UDP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{0AE219C6-2A5E-470E-83EA-6E90EF3E0460}"= Disabled:TCP:C:\Program Files\Skype\Phone\Skype.exe:Skype
"{BF9E0E2A-E96D-4FAE-98E3-5C4042C2354B}"= C:\Program Files\Windows Live\Messenger\livecall.exe:Windows Live Messenger (Phone)
"TCP Query User{A99F668D-0AD6-4549-BC38-4E60A7C2E25B}C:\\program files\\azureus\\azureus.exe"= UDP:C:\program files\azureus\azureus.exe:Azureus
"UDP Query User{4DBA4DE8-CB69-4E30-9269-D74B4A3F0597}C:\\program files\\azureus\\azureus.exe"= TCP:C:\program files\azureus\azureus.exe:Azureus
"TCP Query User{4267B149-BD6F-4799-86DB-CA16EE4BA334}C:\\program files\\zattoo\\zattood.exe"= UDP:C:\program files\zattoo\zattood.exe:zattood
"UDP Query User{D2AC037F-419A-40A0-8561-878F26765FC3}C:\\program files\\zattoo\\zattood.exe"= TCP:C:\program files\zattoo\zattood.exe:zattood
"TCP Query User{D24079FA-0A44-4010-8752-99A6ACF795CC}C:\\program files\\zattoo\\zattoo.exe"= UDP:C:\program files\zattoo\zattoo.exe:
"UDP Query User{960907CE-A705-4BE7-AC10-3A20AC4E0DDE}C:\\program files\\zattoo\\zattoo.exe"= TCP:C:\program files\zattoo\zattoo.exe:
"{F2826490-7501-47F2-9ECA-5E082EA23485}"= UDP:C:\Program Files\THQ\Frontlines-Fuel of War\Binaries\FFOW.exe:Frontlines Game
"{3B881398-C899-4F00-AE19-08536FCA373A}"= TCP:C:\Program Files\THQ\Frontlines-Fuel of War\Binaries\FFOW.exe:Frontlines Game

R1 aswSP;avast! Self Protection;C:\Windows\system32\drivers\aswSP.sys [2008-05-16 01:20]
R2 aswFsBlk;aswFsBlk;C:\Windows\system32\DRIVERS\aswFsBlk.sys [2008-05-16 01:16]
R2 aswMonFlt;aswMonFlt;C:\Windows\system32\DRIVERS\aswMonFlt.sys [2008-05-16 01:18]
R2 QPCapSvc;QuickPlay Background Capture Service (QBCS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe" [2007-10-01 05:34]
R2 QPSched;QuickPlay Task Scheduler (QTS);"C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe" [2007-10-01 05:34]
R2 XAudio;XAudio;C:\Windows\system32\DRIVERS\xaudio.sys [2007-10-18 06:36]
R3 athr;Atheros Extensible Wireless LAN device driver;C:\Windows\system32\DRIVERS\athr.sys [2007-05-31 01:40]
R3 CnxtHdAudService;Conexant UAA Function Driver for High Definition Audio Service;C:\Windows\system32\drivers\CHDRT32.sys [2008-03-04 02:32]
R3 HpqRemHid;HP Remote Control HID Device;C:\Windows\system32\DRIVERS\HpqRemHid.sys [2007-07-11 20:30]
R3 nvsmu;nvsmu;C:\Windows\system32\DRIVERS\nvsmu.sys [2007-02-16 23:50]
S3 BCM43XV;Broadcom Extensible 802.11 Network Adapter Driver;C:\Windows\system32\DRIVERS\bcmwl6.sys [2006-11-02 09:30]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{5a6a441f-03ef-11dd-8337-001e681dc1b9}]
\shell\AutoRun\command - H:\Autorun.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{10880D85-AAD9-4558-ABDC-2AB1552D831F}]
"C:\Program Files\Common Files\LightScribe\LSRunOnce.exe"
.
Contents of the 'Scheduled Tasks' folder
"2008-05-17 18:59:00 C:\Windows\Tasks\Uniblue SpeedUpMyPC Nag.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-04-27 18:53:45 C:\Windows\Tasks\Uniblue SpeedUpMyPC.job"
- C:\Program Files\Uniblue\SpeedUpMyPC 3\SpeedUpMyPC.exe
"2008-05-22 19:39:26 C:\Windows\Tasks\User_Feed_Synchronization-{B414613E-EE91-4E26-84CD-7395231C5DBE}.job"
- C:\Windows\system32\msfeedssync.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-22 21:47:38
Windows 6.0.6001 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\Windows\system32\winlogon.exe
-> C:\Windows\system32\ssqPHayy.dll
.
Completion time: 2008-05-22 21:48:34
ComboFix-quarantined-files.txt 2008-05-22 19:48:30
ComboFix2.txt 2008-05-22 09:35:40

Pre-Run: 77,893,341,184 byte ledig
Post-Run: 77,875,433,472 byte ledig

350 --- E O F --- 2008-05-20 20:08:58

Log from Hijackthis:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:43, on 2008-05-22
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\ehome\ehmsas.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jp.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\ssqPHayy.dll,#1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETVÆRKSTJENESTE')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL (file missing)
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7795 bytes

#6
Essexboy

Posted 22 May 2008 - 01:59 PM

GeekU Moderator

Retired Staff
69,964 posts

Did you disable the Avast self protection and stop the providers before running the cfscript ?

OK I will use OTMoveit

Save it to your desktop.
Please double-click OTMoveIt2.exe to run it.

Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\Windows\System32\geBqRjKB.dll
C:\Windows\System32\tuvvUOec.dll
C:\Windows\System32\geBSjJyA.dll
C:\Windows\System32\rQHwVPjj.dll
C:\Windows\System32\pmnkKaYS.dll
C:\Windows\system32\ssqOhIYS.dll
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer
hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\{81AA6A16-B8CA-43C4-A347-A487764FF528}
Purity

Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the yellow bar) and choose Paste.
Click the red Moveit! button.
Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

#7
bentzilmer

Posted 22 May 2008 - 02:08 PM

Member

Topic Starter
Member
13 posts

I'v stopped avast an disabled self defence. Heres the result from OT

File/Folder C:\Windows\System32\geBqRjKB.dll not found.
DllUnregisterServer procedure not found in C:\Windows\System32\tuvvUOec.dll
C:\Windows\System32\tuvvUOec.dll NOT unregistered.
C:\Windows\System32\tuvvUOec.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\geBSjJyA.dll
C:\Windows\System32\geBSjJyA.dll NOT unregistered.
C:\Windows\System32\geBSjJyA.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\rQHwVPjj.dll
C:\Windows\System32\rQHwVPjj.dll NOT unregistered.
C:\Windows\System32\rQHwVPjj.dll moved successfully.
DllUnregisterServer procedure not found in C:\Windows\System32\pmnkKaYS.dll
C:\Windows\System32\pmnkKaYS.dll NOT unregistered.
C:\Windows\System32\pmnkKaYS.dll moved successfully.
File/Folder C:\Windows\system32\ssqOhIYS.dll not found.
< HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer >
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully.
< hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\{81AA6A16-B8CA-43C4-A347-A487764FF528} >
Registry key hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks\{81AA6A16-B8CA-43C4-A347-A487764FF528}\\ not found.
< Purity >

OTMoveIt2 by OldTimer - Version 1.0.4.2 log created on 05222008_220738

#8
Essexboy

Posted 22 May 2008 - 03:19 PM

GeekU Moderator

Retired Staff
69,964 posts

OK I will now do a deep scan to ensure I have it all. How is your computer ruunning now ?

Download OTScanit to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.

Close ALL OTHER PROGRAMS.
Open the OTScanit folder and double-click on OTScanit.exe to start the program.
Check the box that says Scan All User Accounts
Check the Radio buttons for Files/Folders Created Within 90 Days and Files/Folders Modified Within 90 Days
Under Additional Scans check the following:
- Reg - Desktop Components
- File - Additional Folder Scans
- File - Purity Scan
Now click the Run Scan button on the toolbar.
Let it run unhindered until it finishes.
When the scan is complete Notepad will open with the report file loaded in it.
Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Please attach the log in your next post.

To attach a file, do the following:

Click Add Reply
Under the reply panel is the Attachments Panel
Browse for the attachment file you want to upload, then click the green Upload button
Once it has uploaded, click the Manage Current Attachments drop down box
Click on to insert the attachment into your post

#9
bentzilmer

Posted 23 May 2008 - 04:26 AM

Member

Topic Starter
Member
13 posts

My computer is working better now, but avast still warns me about vundo virus. I've attached the log from OTScanIt.

OTScanIt.Txt 250.97KB 94 downloads

Edited by bentzilmer, 23 May 2008 - 04:26 AM.

#10
Essexboy

Posted 23 May 2008 - 09:13 AM

GeekU Moderator

Retired Staff
69,964 posts

This run should fix it

Start OTScanit. Copy/Paste the information in the quotebox below into the pane where it says "Paste fix here" and then click the Run Fix button.

[Kill Explorer]
[Unregister Dlls]
[Registry - Non-Microsoft Only]
< Run [HKEY_LOCAL_MACHINE\] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
YY -> MSServer -> %SystemRoot%\System32\yaywvTnM.dll [rundll32.exe C:\Windows\system32\yaywvTnM.dll,#1]
< ShellExecuteHooks [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks
YY -> {81AA6A16-B8CA-43C4-A347-A487764FF528} [HKEY_LOCAL_MACHINE] -> %SystemRoot%\System32\yaywvTnM.dll []
< Protocol Handlers [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\
YN -> ms-help:{314111c7-a502-11d2-bbca-00c04f8ec294} [HKEY_LOCAL_MACHINE] -> hxds.dll[HxProtocol Class]
[Files/Folders - Created Within 90 days]
NY -> 327882R2FWJFW -> %SystemDrive%\327882R2FWJFW
NY -> yaywvTnM.dll -> %SystemRoot%\System32\yaywvTnM.dll
[Files/Folders - Modified Within 90 days]
NY -> 327882R2FWJFW -> %SystemDrive%\327882R2FWJFW
NY -> yaywvTnM.dll -> %SystemRoot%\System32\yaywvTnM.dll
[Empty Temp Folders]
[Start Explorer]

The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new Hijackthis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

THEN

Please download Malwarebytes' Anti-Malware from Here or Here

Double Click mbam-setup.exe to install the application.

Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
If an update is found, it will download and install the latest version.
Once the program has loaded, select "Perform Quick Scan", then click Scan.
The scan may take some time to finish,so please be patient.
When the scan is complete, click OK, then Show Results to view the results.
Make sure that everything is checked, and click Remove Selected.
When disinfection is completed, a log will open in Notepad and you may be prompted to Restart.(See Extra Note)
The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
Copy&Paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove,you will be presented with 1 of 2 prompts,click OK to either and let MBAM proceed with the disinfection process,if asked to restart the computer,please do so immediatly.

#11
bentzilmer

Posted 23 May 2008 - 02:25 PM

Member

Topic Starter
Member
13 posts

I ran your fix, but I get some errors when I start up vista. A message box tells me: "Error in reading c:\windows\system32\ucnlguvi.dll acces denied" and another one wit the file dryicjlf.dll also acces denied (this has been translated from danish)

Avast on acces still gives me warnings about the virus in ...system32\cbxnmfgh.dll I can't move it to the virus chest, acces denied. I moved ...system32\pmnhefca.dll to the chest.

This is my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:18:15, on 23-05-2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\Explorer.EXE
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\Windows\System32\rundll32.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\ehome\ehmsas.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jp.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {847DCBAC-E621-4266-AD5D-9763FAFD3585} - C:\Windows\system32\cbXnMfgH.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [BM38bbed8b] Rundll32.exe "C:\Windows\system32\ucnlguvi.dll",s
O4 - HKLM\..\Run: [3b88de17] rundll32.exe "C:\Windows\system32\dryicjlf.dll",b
O4 - HKLM\..\Run: [MSServer] rundll32.exe C:\Windows\system32\opNhExwW.dll,#1
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETVÆRKSTJENESTE')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL (file missing)
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 8234 bytes

And from OT:

Explorer killed successfully
[Registry - Non-Microsoft Only]
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\\MSServer deleted successfully.
File C:\Windows\System32\yaywvTnM.dll not found.
Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\\{81AA6A16-B8CA-43C4-A347-A487764FF528} deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{81AA6A16-B8CA-43C4-A347-A487764FF528}\ deleted successfully.
File C:\Windows\System32\yaywvTnM.dll not found.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-help\ deleted successfully.
Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{314111c7-a502-11d2-bbca-00c04f8ec294}\ deleted successfully.
[Files/Folders - Created Within 90 days]
C:\327882R2FWJFW folder moved successfully.
File C:\Windows\System32\yaywvTnM.dll not found!
[Files/Folders - Modified Within 90 days]
File C:\327882R2FWJFW not found!
File C:\Windows\System32\yaywvTnM.dll not found!
[Empty Temp Folders]
User's Temp folder emptied.
User's Temporary Internet Files folder emptied.
User's Internet Explorer cache folder emptied.
Local Service Temp folder emptied.
Local Service Temporary Internet Files folder emptied.
File delete failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be deleted on reboot.
Windows Temp folder emptied.
RecycleBin -> emptied.
Explorer started successfully
< End of fix log >
OTScanIt by OldTimer - Version 1.0.14.2 fix logfile created on 05232008_221157

Files moved on Reboot...
File move failed. C:\Windows\temp\_avast4_\Webshlock.txt scheduled to be moved on reboot.

I hope you can figure it out, thanks for trying anyway...

I will now run the malwarbyte program.

#12
bentzilmer

Posted 23 May 2008 - 02:40 PM

Member

Topic Starter
Member
13 posts

I ran the malwarebyte program. It found and deleted some infected files. After a reboot i get an error message from windows: Error "reading ...system32\opnhexww.dll This is not a valid win32-program" the other error messages didn't pop up. Here's the log from malwarebyte:

Malwarebytes' Anti-Malware 1.12
Database version: 782

Skan type: Hurtig skanning
Objekter skannet: 36199
Tid tilbagelagt: 3 minute(s), 25 second(s)

Inficerede Hukommelses Processer: 0
Inficerede Hukommelses Moduler: 2
Inficerede Registeringsdatabase Nøgler: 10
Inficerede Registeringsdatabase Værdier: 4
Inficerede Registeringsdatabase Filer: 2
Inficerede Mapper: 0
Inficerede Filer: 7

Inficerede Hukommelses Processer:
(Ingen mistænkelige filer fundet)

Inficerede Hukommelses Moduler:
C:\Windows\System32\cbXnMfgH.dll (Trojan.Vundo) -> Unloaded module successfully.
C:\Windows\System32\opNhExwW.dll (Trojan.Vundo) -> Unloaded module successfully.

Inficerede Registeringsdatabase Nøgler:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{847dcbac-e621-4266-ad5d-9763fafd3585} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{847dcbac-e621-4266-ad5d-9763fafd3585} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\aoprndtws (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\Software\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{81aa6a16-b8ca-43c4-a347-a487764ff528} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Værdier:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3b88de17 (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSServer (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BM38bbed8b (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{81aa6a16-b8ca-43c4-a347-a487764ff528} (Trojan.Vundo) -> Quarantined and deleted successfully.

Inficerede Registeringsdatabase Filer:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxnmfgh -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\Authentication Packages (Trojan.Vundo) -> Data: c:\windows\system32\cbxnmfgh -> Quarantined and deleted successfully.

Inficerede Mapper:
(Ingen mistænkelige filer fundet)

Inficerede Filer:
C:\Windows\System32\cbXnMfgH.dll (Trojan.Vundo) -> Delete on reboot.
C:\Windows\System32\HgfMnXbc.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\HgfMnXbc.ini2 (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\dryicjlf.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\fljciyrd.ini (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Windows\System32\opNhExwW.dll (Trojan.Agent) -> Delete on reboot.
C:\Windows\System32\ucnlguvi.dll (Trojan.Agent) -> Quarantined and deleted successfully.

#13
Essexboy

Posted 23 May 2008 - 02:53 PM

GeekU Moderator

Retired Staff
69,964 posts

Could I have a new Hijackthis log after the MBAM run please as I feel I may have to use a bigger hammer

In fact I will use the hammer first, hopefully most of these will be file not found

1. Please download The Avenger2 by Swandog46 to your Desktop.

Right click on the Avenger.zip folder and select "Extract All..."
Follow the prompts and extract the avenger folder to your desktop

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):

Begin copying here:

Files to delete:
C:\Windows\System32\ssqPHayy.dll
C:\Windows\System32\tuvvUOec.dll
C:\Windows\System32\geBSjJyA.dll
C:\Windows\System32\rQHwVPjj.dll
C:\Windows\System32\pmnkKaYS.dll
C:\Windows\system32\ucnlguvi.dll
C:\Windows\system32\dryicjlf.dll
C:\Windows\system32\opNhExwW.dll
C:\Windows\system32\cbxnmfgh.dll 

Registry keys to delete:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{847DCBAC-E621-4266-AD5D-9763FAFD3585}
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{81aa6a16-b8ca-43c4-a347-a487764ff528}

Registry values to delete:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MSServer
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BM38bbed8b
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|3b88de17

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, open the avenger folder and start The Avenger program by clicking on its icon.

Right click on the window under Input script here:, and select Paste.
You can also Paste the text copied to the clipboard into this window by pressing (Ctrl+V), or click on the third button under the menu to paste it from the clipboard.
Click on Execute
Answer "Yes" twice when prompted.

4. The Avenger will automatically do the following:

It will Restart your computer. ( In cases where the code to execute contains "Drivers to Delete" or "Drivers to Disable", The Avenger will actually restart your system twice.)
After the restart, it creates a log file that should open with the results of Avenger’s actions. This log file will be located at C:\avenger.txt
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.

5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh Hijackthis log .

#14
bentzilmer

Posted 24 May 2008 - 02:11 AM

Member

Topic Starter
Member
13 posts

I don't get any error messages when vista starts up. Heres my avenger and hijack log:

Logfile of The Avenger Version 2.0, © by Swandog46
http://swandog46.geekstogo.com

Platform: Windows Vista

*******************

Script file opened successfully.
Script file read successfully.

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

Rootkit scan active.
No rootkits found!

Error: file "C:\Windows\System32\ssqPHayy.dll" not found!
Deletion of file "C:\Windows\System32\ssqPHayy.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\System32\tuvvUOec.dll" not found!
Deletion of file "C:\Windows\System32\tuvvUOec.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\System32\geBSjJyA.dll" not found!
Deletion of file "C:\Windows\System32\geBSjJyA.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\System32\rQHwVPjj.dll" not found!
Deletion of file "C:\Windows\System32\rQHwVPjj.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\System32\pmnkKaYS.dll" not found!
Deletion of file "C:\Windows\System32\pmnkKaYS.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\system32\ucnlguvi.dll" not found!
Deletion of file "C:\Windows\system32\ucnlguvi.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: file "C:\Windows\system32\dryicjlf.dll" not found!
Deletion of file "C:\Windows\system32\dryicjlf.dll" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

File "C:\Windows\system32\opNhExwW.dll" deleted successfully.
File "C:\Windows\system32\cbxnmfgh.dll" deleted successfully.

Error: registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{847DCBAC-E621-4266-AD5D-9763FAFD3585}" not found!
Deletion of registry key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{847DCBAC-E621-4266-AD5D-9763FAFD3585}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{81aa6a16-b8ca-43c4-a347-a487764ff528}" not found!
Deletion of registry key "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{81aa6a16-b8ca-43c4-a347-a487764ff528}" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MSServer"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|MSServer" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BM38bbed8b"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|BM38bbed8b" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Error: could not delete registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|3b88de17"
Deletion of registry value "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|3b88de17" failed!
Status: 0xc0000034 (STATUS_OBJECT_NAME_NOT_FOUND)
--> the object does not exist

Completed script processing.

*******************

Finished! Terminate.

Hijackthis log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:10:42, on 24-05-2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Program Files\DigitalPersona\Bin\DpAgent.exe
C:\Windows\system32\Dwm.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\conime.exe
C:\Program Files\Synaptics\SynTP\SynTPStart.exe
C:\Program Files\HP\QuickPlay\QPService.exe
C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QLBCTRL.exe
C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
C:\Program Files\Windows Defender\MSASCui.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
C:\Program Files\HP\HP Software Update\hpwuSchd2.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Windows\System32\rundll32.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Windows\ehome\ehtray.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe
C:\Windows\System32\rundll32.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\ehome\ehmsas.exe
C:\ProgramData\Macrovision\FLEXnet Connect\6\agent.exe
C:\Program Files\Hewlett-Packard\Shared\HpqToaster.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Synaptics\SynTP\SynTPHelper.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://jp.dk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://dk.msn.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Hjælp til tilmelding til Windows Live - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
O4 - HKLM\..\Run: [SynTPStart] C:\Program Files\Synaptics\SynTP\SynTPStart.exe
O4 - HKLM\..\Run: [QPService] "C:\Program Files\HP\QuickPlay\QPService.exe"
O4 - HKLM\..\Run: [QlbCtrl] %ProgramFiles%\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe /Start
O4 - HKLM\..\Run: [OnScreenDisplay] C:\Program Files\Hewlett-Packard\HP QuickTouch\HPKBDAPP.exe
O4 - HKLM\..\Run: [UCam_Menu] "C:\Program Files\CyberLink\YouCam\MUITransfer\MUIStartMenu.exe" "C:\Program Files\CyberLink\YouCam" update "Software\CyberLink\YouCam\1.0"
O4 - HKLM\..\Run: [DpAgent] C:\Program Files\DigitalPersona\Bin\dpagent.exe
O4 - HKLM\..\Run: [Windows Defender] %ProgramFiles%\Windows Defender\MSASCui.exe -hide
O4 - HKLM\..\Run: [hpWirelessAssistant] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe
O4 - HKLM\..\Run: [WAWifiMessage] C:\Program Files\Hewlett-Packard\HP Wireless Assistant\WiFiMsg.exe
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvSvc] RUNDLL32.EXE C:\Windows\system32\nvsvc.dll,nvsvcStart
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\Windows\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\Windows\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [ehTray.exe] C:\Windows\ehome\ehTray.exe
O4 - HKCU\..\Run: [ISUSPM] "C:\ProgramData\Macrovision\FLEXnet Connect\6\ISUSPM.exe" -scheduler
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOKAL TJENESTE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETVÆRKSTJENESTE')
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Send til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end til OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIC273~1\Office12\REFIEBAR.DLL (file missing)
O13 - Gopher Prefix:
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Plugin Control) - http://appldnld.appl...ex/qtplugin.cab
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.nvidia.co.../sysreqlab2.cab
O16 - DPF: {D6E7CFB5-C074-4D1C-B647-663D1A8D96BF} (Facebook Photo Uploader 4) - http://upload.facebo...Uploader4_5.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Com4Qlb - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\Com4Qlb.exe
O23 - Service: Biometric Authentication Service (DpHost) - DigitalPersona, Inc. - C:\Program Files\DigitalPersona\Bin\DpHostW.exe
O23 - Service: HP Health Check Service - Hewlett-Packard - c:\Program Files\Hewlett-Packard\HP Health Check\hphc_service.exe
O23 - Service: hpqwmiex - Hewlett-Packard Development Company, L.P. - C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: PnkBstrA - Unknown owner - C:\Windows\system32\PnkBstrA.exe
O23 - Service: QuickPlay Background Capture Service (QBCS) (QPCapSvc) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPCapSvc.exe
O23 - Service: QuickPlay Task Scheduler (QTS) (QPSched) - Unknown owner - C:\Program Files\HP\QuickPlay\Kernel\TV\QPSched.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared Files\RichVideo.exe
O23 - Service: XAudioService - Conexant Systems, Inc. - C:\Windows\system32\DRIVERS\xaudio.exe

--
End of file - 7857 bytes