I've observed and read through numerous threads where users are having identical issues to what I am dealing with. The explorer.exe just continually restarts.

I have run Avast, Kaspersky, AVG and a few other scans. AVG seemed to find quite a few things that looked malicious, but removing them did not solve the problem. I also ran VundoFix in safe mode, it found nothing.

Running ComboFix will fix the issue, but after a few minutes in the operating system it comes up again. I have output of HijackThis and ComboFix below. Thanks in advance for any assistance!

Here is my HijackThis log output:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:44:48 PM, on 6/7/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\system32\ZuneBusEnum.exe
C:\PROGRA~1\AVG\AVG8\avgemc.exe
C:\WINDOWS\CTHELPER.EXE
C:\Program Files\Glass2k\Glass2k.exe
C:\Program Files\DU Meter\DUMeter.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Zune\ZuneLauncher.exe
C:\PROGRA~1\AVG\AVG8\avgtray.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.utorrent.com/testport.php?port=20432
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O4 - HKLM\..\Run: [CTxfiHlp] CTXFIHLP.EXE
O4 - HKLM\..\Run: [Glass2k] C:\Program Files\Glass2k\Glass2k.exe
O4 - HKLM\..\Run: [DU Meter] C:\Program Files\DU Meter\DUMeter.exe
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Zune Launcher] "C:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1190345764140
O17 - HKLM\System\CCS\Services\Tcpip\..\{EFC1438E-E2F6-467C-8CD4-BF60E1C7E5FF}: NameServer = 4.2.2.1,4.2.2.2
O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
O23 - Service: AVG8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe

--
End of file - 4238 bytes

Here is my ComboFix output:

ComboFix 08-06-07.1 - epitaph 2008-06-07 19:29:52.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.1488 [GMT -4:00]
Running from: C:\Documents and Settings\epitaph\Desktop\malware-ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ybaaKkkj.ini
C:\WINDOWS\system32\ybaaKkkj.ini2

.
((((((((((((((((((((((((( Files Created from 2008-05-07 to 2008-06-07 )))))))))))))))))))))))))))))))
.

2008-06-07 18:23 . 2008-06-07 18:23 <DIR> d-------- C:\VundoFix Backups
2008-06-07 18:20 . 2001-05-21 11:46 198,656 --a------ C:\WINDOWS\system32\Comdlg32.ocx
2008-06-07 16:43 . 2008-06-07 19:27 <DIR> d--h----- C:\$AVG8.VAULT$
2008-06-07 16:38 . 2008-06-07 16:39 <DIR> d-------- C:\WINDOWS\system32\drivers\Avg
2008-06-07 16:38 . 2008-06-07 16:38 <DIR> d-------- C:\Documents and Settings\epitaph\Application Data\AVGTOOLBAR
2008-06-07 16:38 . 2008-06-07 16:38 96,520 --a------ C:\WINDOWS\system32\drivers\avgldx86.sys
2008-06-07 16:38 . 2008-06-07 16:38 75,272 --a------ C:\WINDOWS\system32\drivers\avgtdix.sys
2008-06-07 16:38 . 2008-06-07 16:38 10,520 --a------ C:\WINDOWS\system32\avgrsstx.dll
2008-06-07 16:37 . 2008-06-07 16:37 <DIR> d-------- C:\Program Files\AVG
2008-06-07 16:37 . 2008-06-07 16:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg8
2008-06-07 16:04 . 2008-06-07 16:04 <DIR> d-------- C:\Program Files\Panda Security
2008-06-07 15:58 . 2008-06-07 15:58 <DIR> d-------- C:\Program Files\GiPo@Utilities
2008-06-07 15:58 . 2008-06-07 15:58 <DIR> d-------- C:\Program Files\Common Files\Gibinsoft Shared
2008-06-07 15:11 . 2008-06-07 15:11 <DIR> d-------- C:\Program Files\Alwil Software
2008-06-07 15:08 . 2008-06-07 15:08 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-07 14:59 . 2008-06-07 19:27 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
2008-06-07 14:51 . 2008-06-07 14:51 <DIR> d-------- C:\Program Files\Lavasoft
2008-06-07 14:51 . 2008-06-07 14:51 281,088 --a------ C:\WINDOWS\system32\jkkKaaby.dll
2008-06-07 14:44 . 2008-06-07 14:44 <DIR> d-------- C:\Documents and Settings\epitaph\Application Data\Sony
2008-06-07 14:44 . 2008-06-07 14:44 <DIR> d-------- C:\Documents and Settings\epitaph\Application Data\Publish Providers
2008-06-07 14:40 . 2008-06-07 14:40 <DIR> d-------- C:\Program Files\Reference Assemblies
2008-06-07 14:39 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-06-07 14:38 . 2008-06-07 14:38 <DIR> d-------- C:\Program Files\Sony Setup
2008-06-03 23:47 . 2008-06-03 23:47 <DIR> d-------- C:\Documents and Settings\epitaph\Application Data\Sony Setup
2008-06-02 22:04 . 2008-06-02 22:12 77 --a------ C:\WINDOWS\huffyuv.ini
2008-06-02 19:17 . 2008-06-02 19:17 <DIR> d-------- C:\Program Files\winscp
2008-06-02 15:45 . 2008-06-02 15:45 754 --a------ C:\WINDOWS\WORDPAD.INI
2008-05-31 21:29 . 2008-05-31 21:30 <DIR> d-------- C:\Documents and Settings\epitaph\Application Data\q3cpmahudeditor
2008-05-31 21:19 . 2008-05-31 21:19 <DIR> d-------- C:\Program Files\virtualdub
2008-05-25 13:37 . 2008-05-25 13:37 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-05-25 13:12 . 2008-05-25 14:34 <DIR> d-------- C:\Documents and Settings\epitaph\Application Data\Vso
2008-05-25 13:12 . 2008-05-25 13:12 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-05-25 13:12 . 2008-05-25 14:34 47,360 --a------ C:\Documents and Settings\epitaph\Application Data\pcouffin.sys
2008-05-23 20:48 . 2008-05-24 16:39 737,280 --a------ C:\WINDOWS\iun6002.exe
2008-05-21 11:48 . 2008-05-21 11:48 <DIR> d-------- C:\Documents and Settings\epitaph\Application Data\SUPERAntiSpyware.com
2008-05-21 11:48 . 2008-05-21 11:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-18 22:37 . 2008-05-18 22:43 <DIR> d-------- C:\Program Files\Mumble
2008-05-18 22:37 . 2008-05-18 22:37 <DIR> d-------- C:\Documents and Settings\epitaph\Application Data\Mumble
2008-05-17 18:56 . 2008-05-17 18:56 <DIR> d-------- C:\Program Files\Internet Explorer 6
2008-05-12 21:19 . 2008-05-12 21:19 <DIR> d-------- C:\Program Files\DVD Decrypter
2008-05-12 18:21 . 2008-04-13 14:47 25,856 --a------ C:\WINDOWS\system32\drivers\usbprint.sys
2008-05-12 18:21 . 2008-04-13 14:47 25,856 --a--c--- C:\WINDOWS\system32\dllcache\usbprint.sys
2008-05-12 17:52 . 2008-05-12 17:52 <DIR> d-------- C:\Program Files\GPLGS
2008-05-12 17:51 . 2007-07-12 22:33 87,552 --a------ C:\WINDOWS\system32\cpwmon2k.dll
2008-05-11 23:08 . 2008-03-21 13:57 14,640 --a------ C:\WINDOWS\system32\spmsgXP_2k3.dll
2008-05-11 23:08 . 2008-05-11 23:08 0 --ah----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01007_Coinstaller_Critical.Wdf
2008-05-11 23:08 . 2008-05-11 23:08 0 --ah----- C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01007.Wdf
2008-05-07 19:03 . 2008-05-07 19:03 <DIR> d-------- C:\WINDOWS\system32\scripting
2008-05-07 19:03 . 2008-05-07 19:03 <DIR> d-------- C:\WINDOWS\system32\en
2008-05-07 19:03 . 2008-05-07 19:03 <DIR> d-------- C:\WINDOWS\system32\bits
2008-05-07 19:03 . 2008-05-07 19:03 <DIR> d-------- C:\WINDOWS\l2schemas
2008-05-07 19:02 . 2008-05-07 19:02 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2008-05-07 18:52 . 2004-08-03 22:29 701,440 --------- C:\WINDOWS\system32\drivers\ati2mtag.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-07 23:27 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-06-07 19:22 --------- d-----w C:\Documents and Settings\epitaph\Application Data\foobar2000
2008-06-07 18:58 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-06-07 18:58 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-06-07 18:48 --------- d-----w C:\Documents and Settings\epitaph\Application Data\uTorrent
2008-06-06 03:03 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-06-05 04:10 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-06-02 23:29 --------- d-----w C:\Program Files\FlashFXP
2008-05-12 21:51 --------- d-----w C:\Program Files\Acro Software
2008-05-12 03:10 --------- d-----w C:\Program Files\Zune
2008-05-07 23:12 --------- d-----w C:\Program Files\Google
2008-05-05 04:41 --------- d-----w C:\Documents and Settings\epitaph\Application Data\dvdcss
2008-04-29 23:39 40,704 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2008-04-17 02:29 --------- d-----w C:\Documents and Settings\epitaph\Application Data\Amazon
2008-04-17 02:28 --------- d-----w C:\Program Files\amazonmp3
2008-04-14 00:13 40,840 ----a-w C:\WINDOWS\system32\drivers\termdd.sys
2008-04-14 00:13 21,896 ----a-w C:\WINDOWS\system32\drivers\tdtcp.sys
2008-04-14 00:13 139,656 ----a-w C:\WINDOWS\system32\drivers\rdpwd.sys
2008-04-14 00:13 12,040 ----a-w C:\WINDOWS\system32\drivers\tdpipe.sys
2008-04-14 00:12 69,120 ----a-w C:\WINDOWS\notepad.exe
2008-04-14 00:12 50,688 ----a-w C:\WINDOWS\twain_32.dll
2008-04-14 00:12 32,866 ------w C:\WINDOWS\slrundll.exe
2008-04-14 00:12 3,901 ------w C:\WINDOWS\system32\drivers\siint5.dll
2008-04-14 00:12 283,648 ----a-w C:\WINDOWS\winhlp32.exe
2008-04-14 00:12 146,432 ----a-w C:\WINDOWS\regedit.exe
2008-04-14 00:12 11,325 ------w C:\WINDOWS\system32\drivers\vchnt5.dll
2008-04-14 00:12 10,752 ----a-w C:\WINDOWS\hh.exe
2008-04-14 00:12 1,033,728 ----a-w C:\WINDOWS\explorer.exe
2008-04-13 22:58 691,545 ----a-w C:\WINDOWS\unins000.exe
2008-04-13 19:28 175,744 ----a-w C:\WINDOWS\system32\drivers\rdbss.sys
2008-04-13 19:21 162,816 ----a-w C:\WINDOWS\system32\drivers\netbt.sys
2008-04-13 19:20 91,520 ----a-w C:\WINDOWS\system32\drivers\ndiswan.sys
2008-04-13 19:20 361,344 ----a-w C:\WINDOWS\system32\drivers\tcpip.sys
2008-04-13 19:20 182,656 ----a-w C:\WINDOWS\system32\drivers\ndis.sys
2008-04-13 19:19 75,264 ----a-w C:\WINDOWS\system32\drivers\ipsec.sys
2008-04-13 19:19 51,328 ----a-w C:\WINDOWS\system32\drivers\rasl2tp.sys
2008-04-13 19:19 48,384 ----a-w C:\WINDOWS\system32\drivers\raspptp.sys
2008-04-13 19:19 146,048 ----a-w C:\WINDOWS\system32\drivers\portcls.sys
2008-04-13 19:19 138,112 ----a-w C:\WINDOWS\system32\drivers\afd.sys
2008-04-13 19:18 52,480 ----a-w C:\WINDOWS\system32\drivers\i8042prt.sys
2008-04-13 19:17 83,072 ----a-w C:\WINDOWS\system32\drivers\wdmaud.sys
2008-04-13 19:17 456,576 ----a-w C:\WINDOWS\system32\drivers\mrxsmb.sys
2008-04-13 19:17 105,344 ----a-w C:\WINDOWS\system32\drivers\mup.sys
2008-04-13 19:16 49,536 ----a-w C:\WINDOWS\system32\drivers\classpnp.sys
2008-04-13 19:16 141,056 ----a-w C:\WINDOWS\system32\drivers\ks.sys
2008-04-13 19:15 64,512 ----a-w C:\WINDOWS\system32\drivers\serial.sys
2008-04-13 19:15 60,800 ----a-w C:\WINDOWS\system32\drivers\sysaudio.sys
2008-04-13 19:15 574,976 ----a-w C:\WINDOWS\system32\drivers\ntfs.sys
2008-04-13 19:15 334,848 ----a-w C:\WINDOWS\system32\drivers\srv.sys
2008-04-13 19:14 63,744 ----a-w C:\WINDOWS\system32\drivers\cdfs.sys
2008-04-13 19:14 143,744 ----a-w C:\WINDOWS\system32\drivers\fastfat.sys
2008-04-13 19:00 30,080 ----a-w C:\WINDOWS\system32\drivers\modem.sys
2008-04-13 19:00 225,664 ----a-w C:\WINDOWS\system32\drivers\tcpip6.sys
2008-04-13 19:00 19,072 ----a-w C:\WINDOWS\system32\drivers\tdi.sys
2008-04-13 18:57 41,472 ----a-w C:\WINDOWS\system32\drivers\raspppoe.sys
2008-04-13 18:57 40,576 ----a-w C:\WINDOWS\system32\drivers\ndproxy.sys
2008-04-13 18:57 34,560 ----a-w C:\WINDOWS\system32\drivers\wanarp.sys
2008-04-13 18:57 20,864 ----a-w C:\WINDOWS\system32\drivers\ipinip.sys
2008-04-13 18:57 152,832 ----a-w C:\WINDOWS\system32\drivers\ipnat.sys
2008-04-13 18:57 14,336 ----a-w C:\WINDOWS\system32\drivers\asyncmac.sys
2008-04-13 18:57 10,112 ----a-w C:\WINDOWS\system32\drivers\ndistapi.sys
2008-04-13 18:56 88,320 ----a-w C:\WINDOWS\system32\drivers\nwlnkipx.sys
2008-04-13 18:56 69,120 ----a-w C:\WINDOWS\system32\drivers\psched.sys
2008-04-13 18:56 35,072 ----a-w C:\WINDOWS\system32\drivers\msgpc.sys
2008-04-13 18:56 34,688 ----a-w C:\WINDOWS\system32\drivers\netbios.sys
2008-04-13 18:56 30,592 ----a-w C:\WINDOWS\system32\drivers\rndismp.sys
2008-04-13 18:56 30,592 ------w C:\WINDOWS\system32\drivers\rndismpx.sys
2008-04-13 18:56 12,800 ----a-w C:\WINDOWS\system32\drivers\usb8023.sys
2008-04-13 18:56 12,800 ------w C:\WINDOWS\system32\drivers\usb8023x.sys
2008-04-13 18:56 12,288 ----a-w C:\WINDOWS\system32\drivers\tunmp.sys
2008-04-13 18:55 202,624 ----a-w C:\WINDOWS\system32\drivers\rmcast.sys
2008-04-13 18:55 14,592 ----a-w C:\WINDOWS\system32\drivers\ndisuio.sys
2008-04-13 18:54 11,264 ----a-w C:\WINDOWS\system32\drivers\irenum.sys
2008-04-13 18:53 71,552 ----a-w C:\WINDOWS\system32\drivers\bridge.sys
2008-04-13 18:53 40,320 ----a-w C:\WINDOWS\system32\drivers\nmnt.sys
2008-04-13 18:53 36,608 ----a-w C:\WINDOWS\system32\drivers\ip6fw.sys
2008-04-13 18:53 264,832 ----a-w C:\WINDOWS\system32\drivers\http.sys
2008-04-13 18:51 61,824 ----a-w C:\WINDOWS\system32\drivers\nic1394.sys
2008-04-13 18:51 60,800 ----a-w C:\WINDOWS\system32\drivers\arp1394.sys
2008-04-13 18:51 59,904 ----a-w C:\WINDOWS\system32\drivers\atmarpc.sys
2008-04-13 18:51 55,808 ----a-w C:\WINDOWS\system32\drivers\atmlane.sys
2008-04-13 18:51 101,120 ------w C:\WINDOWS\system32\drivers\bthpan.sys
2008-04-13 18:46 61,696 ----a-w C:\WINDOWS\system32\drivers\ohci1394.sys
2008-04-13 18:46 59,136 ------w C:\WINDOWS\system32\drivers\rfcomm.sys
2008-04-13 18:46 53,376 ----a-w C:\WINDOWS\system32\drivers\1394bus.sys
2008-04-13 18:46 37,888 ------w C:\WINDOWS\system32\drivers\bthmodem.sys
2008-04-13 18:46 36,480 ------w C:\WINDOWS\system32\drivers\bthprint.sys
2008-04-13 18:46 273,024 ------w C:\WINDOWS\system32\drivers\bthport.sys
2008-04-13 18:46 25,600 ------w C:\WINDOWS\system32\drivers\hidbth.sys
2008-04-13 18:46 25,344 ----a-w C:\WINDOWS\system32\drivers\sonydcam.sys
2008-04-13 18:46 18,944 ------w C:\WINDOWS\system32\drivers\bthusb.sys
2008-04-13 18:46 17,024 ------w C:\WINDOWS\system32\drivers\bthenum.sys
2008-04-13 18:46 121,984 ------w C:\WINDOWS\system32\drivers\usbvideo.sys
2008-04-13 18:44 81,664 ----a-w C:\WINDOWS\system32\drivers\videoprt.sys
2008-04-13 18:44 799,744 ----a-w C:\WINDOWS\system32\drivers\dmboot.sys
2008-04-13 18:44 20,992 ----a-w C:\WINDOWS\system32\drivers\vga.sys
2008-04-13 18:44 153,344 ----a-w C:\WINDOWS\system32\drivers\dmio.sys
2008-04-13 18:43 14,208 ------w C:\WINDOWS\system32\drivers\wacompen.sys
2008-04-13 18:43 12,672 ------w C:\WINDOWS\system32\drivers\mutohpen.sys
2008-04-13 18:41 52,352 ----a-w C:\WINDOWS\system32\drivers\volsnap.sys
.

((((((((((((((((((((((((((((( snapshot@2008-06-07_18.49.10.68 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-06-07 22:46:45 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-06-07 23:32:29 2,048 --s-a-w C:\WINDOWS\bootstat.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-06-07 16:38 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3C849D0-0F04-4BBD-A06E-8B1F1B4719E2}]
2008-06-07 14:51 281088 --a------ C:\WINDOWS\system32\jkkKaaby.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{A057A204-BACC-4D26-9990-79A187E2698E}"= "C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL" [2008-06-07 16:38 2050816]

[HKEY_CLASSES_ROOT\clsid\{a057a204-bacc-4d26-9990-79a187e2698e}]
[HKEY_CLASSES_ROOT\avgtoolbar.AVGTOOLBAR]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTHelper"="CTHELPER.EXE" [2006-08-11 14:56 17920 C:\WINDOWS\CTHELPER.EXE]
"CTxfiHlp"="CTXFIHLP.EXE" [2006-08-11 14:56 18944 C:\WINDOWS\system32\CTXFIHLP.EXE]
"Glass2k"="C:\Program Files\Glass2k\Glass2k.exe" [2007-02-26 16:01 56325]
"DU Meter"="C:\Program Files\DU Meter\DUMeter.exe" [2005-02-01 19:28 1469952]
"RTHDCPL"="RTHDCPL.EXE" [2007-07-05 16:08 16380416 C:\WINDOWS\RTHDCPL.exe]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-12-05 02:41 8523776]
"Zune Launcher"="C:\Program Files\Zune\ZuneLauncher.exe" [2008-04-29 19:56 158624]
"AVG8_TRAY"="C:\PROGRA~1\AVG\AVG8\avgtray.exe" [2008-06-07 16:37 1177368]

C:\Documents and Settings\epitaph\Start Menu\Programs\Startup\
Adobe Gamma.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 19:16:50 113664]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=avgrsstx.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.I420"= i420vfw.dll
"vidc.yv12"= yv12vfw.dll
"VIDC.HFYU"= huffyuv.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\Wdf01000.sys]
@="Driver"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
-ra------ 2008-04-01 13:21 61440 C:\Program Files\Adobe\Adobe Photoshop Lightroom 1.4\apdproxy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\utorrent\\utorrent.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\WINDOWS\\system32\\PnkBstrA.exe"=
"C:\\WINDOWS\\system32\\PnkBstrB.exe"=
"C:\\Games\\cod4\\iw3mp.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgupd.exe"=
"C:\\Program Files\\AVG\\AVG8\\avgemc.exe"=

R1 AvgLdx86;AVG AVI Loader Driver x86;C:\WINDOWS\system32\Drivers\avgldx86.sys [2008-06-07 16:38]
R2 avg8emc;AVG8 E-mail Scanner;C:\PROGRA~1\AVG\AVG8\avgemc.exe [2008-06-07 16:37]
R2 avg8wd;AVG8 WatchDog;C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe [2008-06-07 16:37]
R2 AvgTdiX;AVG8 Network Redirector;C:\WINDOWS\system32\Drivers\avgtdix.sys [2008-06-07 16:38]
R2 zumbus;Zune Bus Enumerator Driver;C:\WINDOWS\system32\DRIVERS\zumbus.sys [2008-04-29 19:39]
R2 ZuneBusEnum;Zune Bus Enumerator;C:\WINDOWS\system32\ZuneBusEnum.exe [2008-04-29 19:56]
S3 gdrv;gdrv;C:\WINDOWS\gdrv.sys [2007-09-20 21:24]
S3 tap0801;TAP-Win32 Adapter V8;C:\WINDOWS\system32\DRIVERS\tap0801.sys [2006-10-01 08:37]
S3 ZuneWlanCfgSvc;Zune Wireless Configuration Service;C:\WINDOWS\system32\ZuneWlanCfgSvc.exe [2008-04-29 19:56]
S4 msvsmon80;Visual Studio 2005 Remote Debugger;"C:\Program Files\Microsoft Visual Studio 8\Common7\IDE\Remote Debugger\x86\msvsmon.exe" /service msvsmon80 []

.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-07 19:32:55
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\Program Files\AVG\AVG8\avgrsx.exe
C:\Program Files\AVG\AVG8\avgtray.exe
C:\WINDOWS\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2008-06-07 19:35:03 - machine was rebooted
ComboFix-quarantined-files.txt 2008-06-07 23:35:00
ComboFix2.txt 2008-06-07 22:49:21

Pre-Run: 55,145,033,728 bytes free
Post-Run: 55,131,959,296 bytes free
I believe that the jkkKaaby.dll was the culprit for my woes.

I booted into the recovery console and manually deleted it, then removed the entry in HijackThis. So far so good, hopefully it won't mega-spawn and rage me again!
It appears that booting into the recovery console and deleting the jkkKaaby.dll, followed by using HijackThis to kill the entry (which now said the same DLL was missing), has solved this issue.

I will note for others who may discover this thread with similar issues: the only program that I ran (and I ran nearly every major free anti-virus/anti-malware/anti-spyware tool) that would even find the DLL was ComboFix. Even then, I had to remove the file manually.
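A small triage script for the two logs in this thread, added here as an example and not part of the original posts or of HijackThis/ComboFix. It parses the BHO entries from ComboFix's "Reg Loading Points" section, the paths in its "Other Deletions" list, and the O23 service lines from the HijackThis log, then flags: a BHO CLSID that ComboFix lists but the HijackThis log never shows (the case for {B3C849D0-...} above), a DLL whose reversed name matches a deleted .ini companion (jkkKaaby.dll versus ybaaKkkj.ini/.ini2, a pairing typical of the Vundo family that the poster's VundoFix run was aimed at), a random-looking eight-letter DLL name in system32, and a service listed with "Unknown owner". The sample lines are copied from the logs posted above; the heuristics, their thresholds and the output format are my own assumptions, not anything the tools themselves report.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input: lines copied from the HijackThis v2.0.2 and
# ComboFix 08-06-07.1 logs posted earlier in this thread.
HIJACKTHIS_LOG = r"""
O3 - Toolbar: AVG Security Toolbar - {A057A204-BACC-4D26-9990-79A187E2698E} - C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL
O4 - HKLM\..\Run: [CTHelper] CTHELPER.EXE
O20 - AppInit_DLLs: avgrsstx.dll
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

COMBOFIX_LOG = r"""
((((( Other Deletions )))))
C:\WINDOWS\system32\ybaaKkkj.ini
C:\WINDOWS\system32\ybaaKkkj.ini2

((((( Reg Loading Points )))))
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A057A204-BACC-4D26-9990-79A187E2698E}]
2008-06-07 16:38 2050816 --a------ C:\PROGRA~1\AVG\AVG8\AVGTOO~1.DLL

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B3C849D0-0F04-4BBD-A06E-8B1F1B4719E2}]
2008-06-07 14:51 281088 --a------ C:\WINDOWS\system32\jkkKaaby.dll
"""

CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
BHO_HDR_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(" + CLSID_RE.pattern + r")\]$")
O23_RE = re.compile(r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+)$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_combofix_bhos(text):
    """Return [(clsid, path)] from ComboFix 'Reg Loading Points' BHO blocks.

    Each registry key line is followed by one file line of the form
    '<date> <time> <size> <attrs> <path>'; the path may contain spaces."""
    bhos = []
    lines = [line.strip() for line in text.splitlines()]
    for i, line in enumerate(lines):
        m = BHO_HDR_RE.match(line)
        if not m:
            continue
        for nxt in lines[i + 1:]:
            if nxt:
                fields = nxt.split(None, 4)
                if len(fields) == 5:
                    bhos.append((m.group(1).upper(), fields[4]))
                break
    return bhos


def parse_combofix_paths(text):
    """Return every bare drive-letter path line (the 'Other Deletions' entries)."""
    return [line.strip() for line in text.splitlines()
            if DRIVE_PATH_RE.match(line.strip())]


def hijackthis_clsids(text):
    """Set of every CLSID that appears anywhere in a HijackThis log."""
    return {c.upper() for c in CLSID_RE.findall(text)}


def looks_random(stem):
    """Heuristic (assumption): exactly eight letters in mixed case, e.g. 'jkkKaaby'."""
    return (re.fullmatch(r"[A-Za-z]{8}", stem) is not None
            and stem != stem.lower() and stem != stem.upper())


def triage(hjt_text, cf_text):
    """Cross-check the two logs and return a list of findings with reasons."""
    findings = []
    known = hijackthis_clsids(hjt_text)
    deleted_stems = {PureWindowsPath(p).stem.lower() for p in parse_combofix_paths(cf_text)}
    for clsid, path in parse_combofix_bhos(cf_text):
        stem = PureWindowsPath(path).stem
        reasons = []
        if clsid not in known:
            reasons.append("BHO CLSID absent from the HijackThis log")
        if stem[::-1].lower() in deleted_stems:
            reasons.append(f"reversed-name companion {stem[::-1]}.ini was deleted by ComboFix")
        if looks_random(stem) and "system32" in path.lower():
            reasons.append("random-looking 8-letter DLL name in system32")
        if reasons:
            findings.append({"kind": "bho", "clsid": clsid, "path": path, "reasons": reasons})
    for line in hjt_text.splitlines():
        m = O23_RE.match(line.strip())
        if m and m.group("owner").lower() == "unknown owner":
            findings.append({"kind": "service", "clsid": None, "path": m.group("path"),
                             "reasons": ["service listed with 'Unknown owner'"]})
    return findings


if __name__ == "__main__":
    for f in triage(HIJACKTHIS_LOG, COMBOFIX_LOG):
        print(f["kind"], f["path"])
        for r in f["reasons"]:
            print("   -", r)
```

Running it prints jkkKaaby.dll with all three BHO reasons and PnkBstrA.exe with the weak "Unknown owner" signal only. Treat the output as a priority list, not a verdict: an unsigned game anti-cheat service is expected on a box with iw3mp.exe in the firewall list, whereas a BHO that the registry loads but a HijackThis scan does not show, paired with a reversed-name .ini, is exactly the entry worth deleting from the recovery console as the poster did.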