This is one of my older computers. I have had it for about three years now. I get lots of pop-ups and viruses. Most programs I can't even start up.
Here is the HJT log; it only shows up to 22 for some reason:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:33:32 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Research In Motion\BlackBerry\DesktopMgr.exe
C:\Program Files\Common Files\Research In Motion\RIMDeviceManager\RIMDeviceManager.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\WINDOWS\System32\svchost.exe
C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
C:\Program Files\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: (no name) - {026DD580-84D3-4C0C-AB35-B0DAC5669154} - C:\WINDOWS\system32\urqQhFvt.dll
O2 - BHO: (no name) - {12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - C:\WINDOWS\system32\hilivoze.dll (file missing)
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [tezrtsjhfr84iusjfo84f] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [VnrPack22] "C:\Program Files\VnrPack\VnrPack22.exe"
O4 - HKCU\..\Run: [GetModule35] C:\Program Files\GetModule\GetModule35.exe
O4 - HKCU\..\Run: [GetPack28] "C:\Program Files\GetPack\GetPack28.exe"
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll xojlqy.dll fjqkdv.dll uspbhd.dll zodpnq.dll djrdvx.dll kqtbda.dll fahoeb.dll phzyog.dll uyzvki.dll aanlvn.dll dixzql.dll amdlbr.dll ynpgdu.dll vigbrk.dll yxhigj.dll olytwt.dll uvhwlu.dll kxczoi.dll yzxdtd.dll piugbj.dll fdanmf.dll cuvlfy.dll kbczhe.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: nnnnNDtQ - C:\WINDOWS\SYSTEM32\nnnnNDtQ.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

--
End of file - 8096 bytes


Thanks for helping

3 contributors, 26 replies, 27 views, discussion span 8 years, last post by crunchie

Hi and welcome to the Daniweb forums :).

==========

Download Malwarebytes' Anti-Malware (http://www.majorgeeks.com/Malwarebytes_Anti-Malware_d5756.html) to your desktop.

* Double-click mbam-setup.exe and follow the prompts to install the program.
* At the end, be sure to checkmark the Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
* If an update is found, it will download and install the latest version.
* Once the program has loaded, select Perform full scan, then click Scan.
* When the scan is complete, click OK, then Show Results to view the results.
* Be sure that everything is checked, and click Remove Selected.
* When completed, a log will open in Notepad.
* Post the log back here.

Make sure that you restart the computer.

The log can also be found here:
C:\Documents and Settings\Username\Application Data\Malwarebytes\Malwarebytes' Anti-Malware\Logs\log-date.txt
Or at C:\Program Files\Malwarebytes' Anti-Malware\Logs\log-date.txt

Post new HJT log.

I have that program on my computer, but when I start it, it doesn't load up. I tried redownloading it from that site, but I can't access that site for some reason. I had my friend send me the exe file, but when I click Run on the exe file it doesn't load up at all. This is very troublesome, and thank you for going through the trouble to help me. So what do I do now? :( Here is another HJT log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:57 PM, on 1/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O2 - BHO: (no name) - {12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - C:\WINDOWS\system32\hilivoze.dll (file missing)
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\nnnnNDtQ.dll
O2 - BHO: (no name) - {C55FDCBA-5EA6-4D92-929B-11593CDCCFF0} - C:\WINDOWS\system32\urqQhFvt.dll
O2 - BHO: C:\WINDOWS\system32\tyshb36rfjdf.dll - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [gadcom] "C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe" 61A847B5BBF72813329B385772FF01F0B3E35B6638993F4661AA4EBD86D67C56389B284534F310
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll olqoee.dll xojlqy.dll fjqkdv.dll uspbhd.dll zodpnq.dll djrdvx.dll kqtbda.dll fahoeb.dll phzyog.dll uyzvki.dll aanlvn.dll dixzql.dll amdlbr.dll ynpgdu.dll vigbrk.dll yxhigj.dll olytwt.dll uvhwlu.dll kxczoi.dll yzxdtd.dll piugbj.dll fdanmf.dll cuvlfy.dll kbczhe.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: nnnnNDtQ - C:\WINDOWS\SYSTEM32\nnnnNDtQ.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll

--
End of file - 7287 bytes

If I may comment here, I believe that your log shows no entries after O22 because you don't seem to have any XP services running.
Several other things I note: your O4 entries, which are the auto-starting programs that start when the computer starts, show AVG7 antivirus, but it is not running on the machine, which would certainly explain this log showing multiple infections. The computer is grossly infected.
Your Trusted Zone section shows multiple BAD entries:
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com

I see multiple Trojans, password stealers, hijackers.
You might try SDFix and see if this works to remove some of them.

Download SDFix and save it to the desktop.
Double-click on the SDFix icon that should be residing on your desktop. If an Open File - Security Warning box opens, click on the Run button.

A window will now open showing SDFix being extracted into the C:\SDFix folder. Once the installation program has finished extracting SDFix, it will open a Notepad with further instructions.
Next, please reboot your computer into Safe Mode by doing the following:

1. Restart your computer

2. After hearing your computer beep once during startup, but before the Windows icon appears, press F8.

3. Instead of Windows loading as normal, a menu should appear

4. Select the first option, to run Windows in Safe Mode.

5. When you are at the logon prompt, log in as the same user that you had performed the previous steps as.

When your computer has started in Safe Mode, and you see the desktop, close all open windows.

Click on the Start button, click on the Run menu option, and type the following into the Open: field:

C:\SDFix\RunThis.bat
Then press the OK button.
The SDFix window will open containing some brief info and a disclaimer on the use of the tool.
Please press the Y key on your keyboard and then press Enter.
SDFix will now start scanning your computer for known infections.
This process can take a while so be prepared to just sit and wait until it is complete.
When the scanning process has finished you will see a new screen stating that you need to restart your computer in order to continue.

At this point you should press any key on your computer's keyboard in order to restart the computer.
After your computer reboots SDFix will automatically start and perform a last check.
You will now be presented with a screen stating that SDFix has finished.
At this point you should press any key on your computer's keyboard in order to continue to your desktop.

When you are back at your Windows desktop, the SDFix log will automatically be opened in notepad.
Please post back here with that log.
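
The triage in the post above is done by eye. As an added example (not part of the original thread, and not the helpers' tooling), here is a small Python script that applies the same checks mechanically to HijackThis 2.0.2 output: any program other than userinit.exe in the F2 UserInit value, O4 autoruns launched from a Temp directory or through rundll32, the O7 DisableRegedit policy, every O15 Trusted Zone domain, every AppInit_DLLs entry (the value is empty on a clean XP install), Winlogon Notify packages outside the XP SP3 defaults (the "crypt" entry in this log is not one of them; the genuine ones are crypt32chain and cryptnet), and SharedTaskScheduler handlers not implemented in browseui.dll. The sample lines are copied from the log posted above with the AppInit_DLLs list shortened; the two allow-lists are my own and are the only assumptions.

```python
"""Mechanical triage of a HijackThis 2.0.2 log for the persistence points
discussed in this thread.  Added example; not the forum helpers' tooling."""
import re

# Lines copied from the HJT log posted above (AppInit_DLLs list shortened).
SAMPLE_LOG = r"""
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\twex.exe,
O4 - HKLM\..\Run: [bihomivabu] Rundll32.exe "C:\WINDOWS\system32\dunulaju.dll",s
O4 - HKCU\..\Run: [Jnskdfmf9eldfd] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O7 - HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O15 - Trusted Zone: *.virusremover2008.com
O20 - AppInit_DLLs: mzwcza.dll uwoowg.dll,C:\WINDOWS\system32\guzapamu.dll
O20 - Winlogon Notify: crypt - C:\WINDOWS\SYSTEM32\crypts.dll
O20 - Winlogon Notify: WinCtrl32 - C:\WINDOWS\SYSTEM32\WinCtrl32.dll
O22 - SharedTaskScheduler: FGYbf743iujndsfAfsdfd - {D5BF49A2-94F1-42BD-F434-3604812C807D} - C:\WINDOWS\system32\tyshb36rfjdf.dll
"""

# The only program that belongs in UserInit on a stock XP install.
XP_USERINIT = r"c:\windows\system32\userinit.exe"
# Winlogon Notify subkeys shipped with XP SP3 (allow-list is mine; extend it
# for vendor packages such as graphics-driver hooks).
KNOWN_NOTIFY = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
                "sclgntfy", "senslogn", "termsrv", "wlballoon"}
# Both default SharedTaskScheduler entries on XP live in browseui.dll.
KNOWN_STS_DLLS = {r"c:\windows\system32\browseui.dll"}


def triage(log_text):
    """Return (section, reason, detail) tuples for lines that need attention."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        sec, _, rest = line.partition(" - ")
        if sec == "F2" and "UserInit=" in rest:
            # Every comma-separated program after userinit.exe runs at logon.
            for prog in rest.split("UserInit=", 1)[1].split(","):
                prog = prog.strip()
                if prog and prog.lower() != XP_USERINIT:
                    findings.append(("F2", "extra UserInit program", prog))
        elif sec == "O4":
            cmd = rest.partition("] ")[2]
            low = cmd.lower()
            if "\\temp\\" in low or "locals~1" in low:
                findings.append(("O4", "autorun launched from a Temp directory", cmd))
            elif low.startswith("rundll32") and ".dll" in low:
                findings.append(("O4", "rundll32 loading a DLL at logon", cmd))
        elif sec == "O7" and "disableregedit=1" in rest.lower():
            findings.append(("O7", "Registry Editor disabled by policy", rest))
        elif sec == "O15":
            findings.append(("O15", "domain in IE Trusted Zone", rest.split(": ", 1)[-1]))
        elif sec == "O20" and rest.startswith("AppInit_DLLs:"):
            # Each listed DLL is loaded into every process that links user32.dll.
            for dll in re.split(r"[ ,]+", rest.split(":", 1)[1].strip()):
                if dll:
                    findings.append(("O20", "AppInit_DLLs entry", dll))
        elif sec == "O20" and rest.startswith("Winlogon Notify:"):
            sub, _, dll = rest.split(":", 1)[1].strip().partition(" - ")
            if sub.lower() not in KNOWN_NOTIFY:
                findings.append(("O20", "non-default Winlogon Notify package", dll))
        elif sec == "O22":
            dll = rest.rsplit(" - ", 1)[-1]
            if dll.lower() not in KNOWN_STS_DLLS:
                findings.append(("O22", "non-default SharedTaskScheduler handler", dll))
    return findings


if __name__ == "__main__":
    for sec, reason, detail in triage(SAMPLE_LOG):
        print(f"{sec:4} {reason:42} {detail}")
```

The ctfmon.exe autorun is deliberately left in the sample to show that the rules key on where and how a program is launched, not on whether the name looks odd; a legitimate entry passes untouched while the Temp-directory copy of "csrssc.exe" and the rundll32-launched DLL are both reported.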

Sorry for the full reply, and thank you for helping me. Here is the report from SDFix:


SDFix: Version 1.240
Run by user on Thu 01/29/2009 at 09:12 AM

Microsoft Windows XP [Version 5.1.2600]
Running From: C:\DOCUME~1\user\Desktop\SDFix

Checking Services :

Rootkit Found :
C:\WINDOWS\system32\drivers\WINAF40.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINAF84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINBG73.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINCH84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINGL62.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINJO27.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINLQ27.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINOT84.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINUA16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINVB62.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINWC05.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINWC16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINXD16.sys - Rootkit Pandex/Cutwail - Runtime.sys
C:\WINDOWS\system32\drivers\WINXD84.sys - Rootkit Pandex/Cutwail - Runtime.sys

Name :
tdssserv
WINAF40
WINAF84
WINBG73
WINCH84
WINGL62
WINJO27
WINLQ27
WINOT84
WINUA16
WINVB62
WINWC05
WINWC16
WINXD16
WINXD84

Path :
\systemroot\system32\drivers\TDSSserv.sys
\??\C:\WINDOWS\System32\drivers\Winaf40.sys
\??\C:\WINDOWS\System32\drivers\Winaf84.sys
\??\C:\WINDOWS\System32\drivers\Winbg73.sys
\??\C:\WINDOWS\System32\drivers\Winch84.sys
\??\C:\WINDOWS\System32\drivers\Wingl62.sys
\??\C:\WINDOWS\System32\drivers\Winjo27.sys
\??\C:\WINDOWS\System32\drivers\Winlq27.sys
\??\C:\WINDOWS\System32\drivers\Winot84.sys
\??\C:\WINDOWS\System32\drivers\Winua16.sys
\??\C:\WINDOWS\System32\drivers\Winvb62.sys
\??\C:\WINDOWS\System32\drivers\Winwc05.sys
\??\C:\WINDOWS\System32\drivers\Winwc16.sys
\??\C:\WINDOWS\System32\drivers\Winxd16.sys
\??\C:\WINDOWS\System32\drivers\Winxd84.sys

tdssserv - Deleted
WINAF40 - Deleted
WINAF84 - Deleted
WINBG73 - Deleted
WINCH84 - Deleted
WINGL62 - Deleted
WINJO27 - Deleted
WINLQ27 - Deleted
WINOT84 - Deleted
WINUA16 - Deleted
WINVB62 - Deleted
WINWC05 - Deleted
WINWC16 - Deleted
WINXD16 - Deleted
WINXD84 - Deleted

Restoring Default Security Values
Restoring Default Hosts File
Restoring Default Schedule Service Path

Rebooting


Checking Files :

Trojan Files Found:

C:\WINDOWS\system32\nnnnNDtQ.dll - Deleted
C:\Documents and Settings\user\Application Data\gadcom\gadcom.exe - Deleted
C:\Documents and Settings\user\Application Data\SpeedRunner\config.cfg - Deleted
C:\Temp\1cb\syscheck.log - Deleted
C:\Program Files\GetModule\GetModule35.exe - Deleted
C:\Program Files\GetPack\dictame.gz - Deleted
C:\Program Files\GetPack\GetPack27.exe - Deleted
C:\Program Files\GetPack\GetPack28.exe - Deleted
C:\Program Files\GetPack\trgtame.gz - Deleted
C:\Program Files\iCheck\Uninstall.exe - Deleted
C:\Program Files\Mjcore\Mjcore.dll - Deleted
C:\Program Files\VnrPack\dicts.gz - Deleted
C:\Program Files\VnrPack\trgts.gz - Deleted
C:\Program Files\VnrPack\VnrPack22.exe - Deleted
C:\Program Files\Webtools\webtools.dll - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa135.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa227.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\gettpa228.exe - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\TMP43.tmp - Deleted
C:\DOCUME~1\user\LOCALS~1\Temp\Csrssc.exe - Deleted
C:\WINDOWS\system32\crypts.dll - Deleted
C:\WINDOWS\system32\WinCtrl32.dll - Deleted
C:\WINDOWS\system32\windows_update.exe - Deleted
C:\WINDOWS\system32\drivers\TDSSserv.sys - Deleted
C:\WINDOWS\system32\TDSSoiqn.dll - Deleted
C:\WINDOWS\system32\TDSShlxr.dll - Deleted
C:\WINDOWS\system32\TDSSrtqp.dll - Deleted
C:\WINDOWS\system32\TDSSxfum.dll - Deleted
C:\WINDOWS\system32\TDSSlxwp.dll - Deleted
C:\WINDOWS\system32\TDSSorvd.dat - Deleted
C:\WINDOWS\system32\TDSSrhyp.log - Deleted
C:\WINDOWS\system32\TDSSkkbi.log - Deleted
C:\WINDOWS\system32\drivers\WINAF40.sys - Deleted
C:\WINDOWS\system32\drivers\WINAF84.sys - Deleted
C:\WINDOWS\system32\drivers\WINBG73.sys - Deleted
C:\WINDOWS\system32\drivers\WINCH84.sys - Deleted
C:\WINDOWS\system32\drivers\WINGL62.sys - Deleted
C:\WINDOWS\system32\drivers\WINJO27.sys - Deleted
C:\WINDOWS\system32\drivers\WINLQ27.sys - Deleted
C:\WINDOWS\system32\drivers\WINOT84.sys - Deleted
C:\WINDOWS\system32\drivers\WINUA16.sys - Deleted
C:\WINDOWS\system32\drivers\WINVB62.sys - Deleted
C:\WINDOWS\system32\drivers\WINWC05.sys - Deleted
C:\WINDOWS\system32\drivers\WINWC16.sys - Deleted
C:\WINDOWS\system32\drivers\WINXD16.sys - Deleted
C:\WINDOWS\system32\drivers\WINXD84.sys - Deleted

Folder C:\Documents and Settings\user\Application Data\gadcom - Removed
Folder C:\Documents and Settings\user\Application Data\SpeedRunner - Removed
Folder C:\Program Files\GetModule - Removed
Folder C:\Program Files\GetPack - Removed
Folder C:\Program Files\iCheck - Removed
Folder C:\Program Files\InetGet2 - Removed
Folder C:\Program Files\Mjcore - Removed
Folder C:\Program Files\VnrPack - Removed
Folder C:\Program Files\Webtools - Removed
Folder C:\Temp\1cb - Removed


Removing Temp Files

ADS Check :

Final Check :

catchme 0.3.1361.2 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-29 12:42:00
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden services & system hive ...

[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000004
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqn.dll"
"tdssservers"="\systemroot\system32\TDSSorvd.dat"
"tdssmain"="\systemroot\system32\TDSShlxr.dll"
"tdsslog"="\systemroot\system32\TDSSrtqp.dll"
"tdssadw"="\systemroot\system32\TDSSxfum.dll"
"tdssinit"="\systemroot\system32\TDSSlxwp.dll"
"tdssurls"="\systemroot\system32\TDSSnmxh.log"
"tdsspanels"="\systemroot\system32\TDSSsihc.dll"
"tdsserrors"="\systemroot\system32\TDSSrhyp.log"
"TDSSproc"="\systemroot\system32\TDSSkkbi.log"

scanning hidden registry entries ...

scanning hidden files ...

C:\WINDOWS\system32\dunulaju.dll 69120 bytes executable
C:\WINDOWS\system32\drivers\TDSSpqlt.sys 60416 bytes executable
C:\WINDOWS\system32\guzapamu.dll 69120 bytes executable
C:\WINDOWS\system32\hilivoze.dll 69120 bytes executable
C:\WINDOWS\system32\gaheduwe 6456 bytes
C:\Documents and Settings\user\Desktop\SDFix\backups\tdssserv.reg 1268 bytes
C:\Documents and Settings\user\Local Settings\Temp\TDSS48e0.tmp 102400 bytes executable
C:\Documents and Settings\user\Local Settings\Temp\TDSS4a3f.tmp 617472 bytes executable

scan completed successfully
hidden processes: 0
hidden services: 1
hidden files: 8


Remaining Services :


Authorized Application Key Export:

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\standardprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Mozilla Firefox\\firefox.exe"="C:\\Program Files\\Mozilla Firefox\\firefox.exe:*:Disabled:Firefox"
"C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe:*:Enabled:Yahoo! Messenger"
"C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"="C:\\Program Files\\Yahoo!\\Messenger\\YServer.exe:*:Enabled:Yahoo! FT Server"
"C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"="C:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe:*:Enabled:Veoh Client"
"C:\\Program Files\\Trillian\\trillian.exe"="C:\\Program Files\\Trillian\\trillian.exe:*:Enabled:Trillian"
"C:\\WINDOWS\\system32\\a.exe"="C:\\WINDOWS\\system32\\a.exe:*:Disabled:a"
"C:\\Program Files\\Grisoft\\AVG7\\avginet.exe"="C:\\Program Files\\Grisoft\\AVG7\\avginet.exe:*:Enabled:avginet.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe:*:Enabled:avgamsvr.exe"
"C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"="C:\\Program Files\\Grisoft\\AVG7\\avgcc.exe:*:Enabled:avgcc.exe"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"
"C:\\Program Files\\uTorrent\\uTorrent.exe"="C:\\Program Files\\uTorrent\\uTorrent.exe:*:Enabled:µTorrent"
"C:\\Program Files\\Paltalk Messenger\\paltalk.exe"="C:\\Program Files\\Paltalk Messenger\\paltalk.exe:*:Disabled:PaltalkScene"
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"
"C:\\WINDOWS\\system32\\winlogon.exe"="C:\\WINDOWS\\system32\\winlogon.exe:*:Enabled:winlogon"

[HKEY_LOCAL_MACHINE\system\currentcontrolset\services\sharedaccess\parameters\firewallpolicy\domainprofile\authorizedapplications\list]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabled:@xpsp3res.dll,-20000"
"C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"="C:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe:*:Enabled:Windows Live Messenger"
"C:\\Program Files\\Windows Live\\Messenger\\livecall.exe"="C:\\Program Files\\Windows Live\\Messenger\\livecall.exe:*:Enabled:Windows Live Messenger (Phone)"

Remaining Files :


File Backups: - C:\DOCUME~1\user\Desktop\SDFix\backups\backups.zip

Files with Hidden Attributes :

Sun 13 Apr 2008 4,639 A.SH. --- "C:\Program Files\Windows Media Player\mplayer2.exe"
Wed 18 Oct 2006 64,000 A.SH. --- "C:\Program Files\Windows Media Player\wmplayer.exe"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\dunulaju.dll"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\guzapamu.dll"
--- 69,120 A.SH. --- "C:\WINDOWS\system32\hilivoze.dll"
Mon 25 Feb 2008 4,348 ..SH. --- "C:\Documents and Settings\All Users\DRM\DRMv1.bak"
Mon 10 Dec 2007 0 A.SH. --- "C:\Documents and Settings\All Users\DRM\Cache\Indiv01.tmp"

Finished!
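
The catchme section of this log is the part worth reading closely. SDFix deleted the service tdssserv, yet catchme still reports one hidden service: a second key named TDSSserv.sys whose image is TDSSpqlt.sys, with start 1 and type 1, and the same name registered under SafeBoot\Minimal and SafeBoot\Network. Those SafeBoot keys are what tell Windows to load a driver in Safe Mode, which is why booting into Safe Mode does not get out from under this rootkit. As an added example (not part of the thread, and not SDFix or catchme code), here is a Python script that parses that regedit-style dump, decodes the documented Start and Type values (start 1 is SERVICE_SYSTEM_START, 4 is SERVICE_DISABLED; type 1 is SERVICE_KERNEL_DRIVER) and lists the service keys that will still load under Safe Mode. Only an excerpt of the dump is embedded, and matching SafeBoot entries to services by name across control sets is a simplification I have made.

```python
"""Decode the service-hive fragment printed by catchme in the SDFix log
above.  Added example; not SDFix, catchme or forum-helper code."""
import re

# Excerpt of the catchme output posted above.
HIVE_DUMP = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\TDSSserv.sys]
@="driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\TDSSserv]
"start"=dword:00000004
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSserv.sys"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys]
"start"=dword:00000001
"type"=dword:00000001
"imagepath"=str(2):"\systemroot\system32\drivers\TDSSpqlt.sys"
"group"="file system"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TDSSserv.sys\modules]
"TDSSserv"="\systemroot\system32\drivers\TDSSpqlt.sys"
"TDSSl"="\systemroot\system32\TDSSoiqn.dll"
"tdssmain"="\systemroot\system32\TDSShlxr.dll"
"""

# Documented values of a service's Start and Type registry values.
START_TYPES = {0: "BOOT_START", 1: "SYSTEM_START", 2: "AUTO_START",
               3: "DEMAND_START", 4: "DISABLED"}
SERVICE_TYPES = {1: "KERNEL_DRIVER", 2: "FILE_SYSTEM_DRIVER",
                 16: "WIN32_OWN_PROCESS", 32: "WIN32_SHARE_PROCESS"}

SERVICE_KEY = re.compile(r"\\Services\\([^\\]+)$", re.IGNORECASE)
SAFEBOOT_KEY = re.compile(r"\\Control\\SafeBoot\\(Minimal|Network)\\([^\\]+)$",
                          re.IGNORECASE)


def parse_hive(text):
    """Return {key_path: {value_name: value}} from regedit-style output."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        name, _, val = line.partition("=")
        name = name.strip('"')            # '@' denotes the key's default value
        if val.startswith("dword:"):
            val = int(val[len("dword:"):], 16)
        elif val.startswith("str(2):"):   # REG_EXPAND_SZ, as catchme prints it
            val = val[len("str(2):"):].strip('"')
        else:
            val = val.strip('"')
        keys[current][name] = val
    return keys


def describe_services(keys):
    """Map each Services\\<name> key to decoded start/type, image path, the
    <name>\\modules values and the SafeBoot lists (Minimal/Network) naming it.
    SafeBoot entries are matched by name only; control sets are not compared."""
    safeboot = {}
    for key in keys:
        m = SAFEBOOT_KEY.search(key)
        if m:
            safeboot.setdefault(m.group(2).lower(), set()).add(m.group(1))
    report = {}
    for key, vals in keys.items():
        m = SERVICE_KEY.search(key)
        if not m:
            continue
        report[key] = {
            "name": m.group(1),
            "start": START_TYPES.get(vals.get("start"), "unknown"),
            "type": SERVICE_TYPES.get(vals.get("type"), "unknown"),
            "image": vals.get("imagepath"),
            "modules": dict(keys.get(key + "\\modules", {})),
            "safe_mode": sorted(safeboot.get(m.group(1).lower(), ())),
        }
    return report


def loads_in_safe_mode(report):
    """Service keys that are not disabled and are listed under SafeBoot."""
    return sorted(k for k, s in report.items()
                  if s["start"] != "DISABLED" and s["safe_mode"])


if __name__ == "__main__":
    services = describe_services(parse_hive(HIVE_DUMP))
    for key, svc in services.items():
        print(f"{key}\n  start={svc['start']} type={svc['type']} image={svc['image']}"
              f"\n  safe_mode={svc['safe_mode']} modules={len(svc['modules'])}")
    print("still loads in Safe Mode:", loads_in_safe_mode(services))
```

Run against the excerpt, the ControlSet002 TDSSserv key decodes to DISABLED with no SafeBoot entry (the copy SDFix neutralised), while CurrentControlSet\Services\TDSSserv.sys decodes to a SYSTEM_START kernel driver listed in both SafeBoot lists and carrying eleven companion modules in the original dump: the one that has to be disabled before any cleaner will run.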

Download ComboFix
Click on the Save button and then when it asks you where to save it, make sure you save it directly to your Windows Desktop.
Once the download is complete you will see the Combofix on the desktop.

* Close all open windows including this one.
* Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.

Double-click the ComboFix icon on the desktop to run the program.


Windows will issue a prompt asking whether you wish to run the program; click Run.
You will then see a Disclaimer screen asking you to agree to the disclaimer. Press the number 1 key to accept the disclaimer.

Now just sit back and allow the program to run.

Please note that once you start ComboFix you should not click anywhere on the ComboFix window, as it can cause the program to stall. In fact, when ComboFix is running, do not touch your computer at all and just take a break, as it may take a while for it to complete.

When ComboFix has finished running, you will see a screen stating that it is preparing the log report.
This can take a while, so please be patient. If you see your Windows desktop disappear, do not worry. This is normal and ComboFix will restore your desktop before it is finished. Eventually you will see a new screen that states the program is almost finished and tells you the program's log file, or report, will be located at C:\ComboFix.txt.

When all is complete, please post back here with that log.

0

I am having problems running combofix.exe. When I open up Task Manager I can see ComboFix in the background, but when I run ComboFix nothing pops up. Other exe files do the same. I tried running in Safe Mode and ran ComboFix, but the same thing happened.

0

Open Device Manager and, on the VIEW tab, select the Show hidden devices option.
Go down to Non-Plug and Play Drivers and see if there is one called TDSSserv, and disable it.

==

Reboot and try again to run combofix if you found it.

==

If that does not work, click START, then RUN.
Now type Combofix /u in the run box and click OK. Note the space between the X and the /; it needs to be there.


Now, download ComboFix by sUBs from HERE or HERE. You must rename ComboFix BEFORE saving it to your PC.


You must download it to, and run it from, your Desktop.
Physically disconnect from the internet.
Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields), as they could easily interfere with ComboFix.
Double-click combofix.exe and follow the prompts.
When finished, it will produce a log. Please save that log to post in your next reply, along with a fresh HJT log.
Re-enable all the programs that were disabled during the running of ComboFix.
Note:
Do not mouse-click combofix's window while it is running. That may cause it to stall.

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments: CF_cleanup.png (6.73 KB), CF_download_rename.gif (19.12 KB)
0

Wow, that really worked. Thanks. Okay, here is the ComboFix log:

ComboFix 09-02-01.01 - user 2009-02-01 13:34:49.1 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1439 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\user\Application Data\GetModule
c:\documents and settings\user\Application Data\GetModule\dicik.gz
c:\documents and settings\user\Application Data\GetModule\kwdik.gz
c:\documents and settings\user\Application Data\GetModule\ofadik.gz
c:\documents and settings\user\Application Data\shca35j0ejdn
c:\documents and settings\user\Local Settings\Temporary Internet Files\fbk.sts
c:\windows\BM2feafb14.txt
c:\windows\system32\aanlvn.dll
c:\windows\system32\aecbcewa.dll
c:\windows\system32\amdlbr.dll
c:\windows\system32\anmkrpm.dll
c:\windows\system32\anmkrpmp.dll
c:\windows\system32\awtrRHYQ.dll
c:\windows\system32\bxmdlspe.ini
c:\windows\system32\cbXNFurp.dll
c:\windows\system32\ccaideuk.dll
c:\windows\system32\coecxsph.ini
c:\windows\system32\crypts.dll
c:\windows\system32\cuvlfy.dll
c:\windows\system32\cvrapgul.ini
c:\windows\system32\dbyefacd.ini
c:\windows\system32\dcafeybd.dll
c:\windows\system32\dixzql.dll
c:\windows\system32\djrdvx.dll
c:\windows\system32\drivers\seneka.sys
c:\windows\system32\Drivers\TDSSpqlt.sys
c:\windows\system32\dunulaju.dll
c:\windows\system32\dwopoxfk.ini
c:\windows\system32\efcCspOh.dll
c:\windows\system32\eqyttkhj.ini
c:\windows\system32\fahoeb.dll
c:\windows\system32\fakeskyr.ini
c:\windows\system32\favdxjtr.dll
c:\windows\system32\fbgdikjj.ini
c:\windows\system32\fdanmf.dll
c:\windows\system32\fhtpnyim.ini
c:\windows\system32\geBspmnl.dll
c:\windows\system32\gusvynkf.dll
c:\windows\system32\guzapamu.dll
c:\windows\system32\gwgdbeef.ini
c:\windows\system32\hilivoze.dll
c:\windows\system32\hpsxceoc.dll
c:\windows\system32\iehelper.dll
c:\windows\system32\ihsocl.dll
c:\windows\system32\ilkfcdix.ini
c:\windows\system32\iqjyfdhj.dll
c:\windows\system32\iukbpfik.dll
c:\windows\system32\jjkidgbf.dll
c:\windows\system32\jolvtpqf.dll
c:\windows\system32\jvopeuho.dll
c:\windows\system32\jyhyfawl.ini
c:\windows\system32\kbczhe.dll
c:\windows\system32\kehmhwve.dll
c:\windows\system32\kfpuyjkq.dll
c:\windows\system32\kfxopowd.dll
c:\windows\system32\khfFXrQI.dll
c:\windows\system32\kifpbkui.ini
c:\windows\system32\klemfxud.ini
c:\windows\system32\kqgqwolr.ini
c:\windows\system32\kqtbda.dll
c:\windows\system32\kxczoi.dll
c:\windows\system32\kxotruvb.ini
c:\windows\system32\L5
c:\windows\system32\ljJYQGvT.dll
c:\windows\system32\lugparvc.dll
c:\windows\system32\mcrh.tmp
c:\windows\system32\mfmcsonf.ini
c:\windows\system32\mgicmcoh.dll
c:\windows\system32\mjmwelui.dll
c:\windows\system32\nbwoxnbq.ini
c:\windows\system32\obqdwosy.dll
c:\windows\system32\olytwt.dll
c:\windows\system32\pawpbxsw.dll
c:\windows\system32\phzyog.dll
c:\windows\system32\piugbj.dll
c:\windows\system32\pkboofff.dll
c:\windows\system32\pkxmqdua.ini
c:\windows\system32\prunnet.exe
c:\windows\system32\qbnxowbn.dll
c:\windows\system32\qorsjxbn.dll
c:\windows\system32\ratkqfir.dll
c:\windows\system32\rpguwr.dll
c:\windows\system32\rqRJAttQ.dll
c:\windows\system32\rtjxdvaf.ini
c:\windows\system32\ssjbarhc.ini
c:\windows\system32\ssqQjIAp.dll
c:\windows\system32\ssqRLeeE.dll
c:\windows\system32\TDSShlxr.dll
c:\windows\system32\TDSSoiqn.dll
c:\windows\system32\TDSSorvd.dat
c:\windows\system32\TDSSrtqp.dll
c:\windows\system32\TDSSxfum.dll
c:\windows\system32\tncdxxlh.dll
c:\windows\system32\tnprfkdx.dll
c:\windows\system32\tvFhQqru.ini
c:\windows\system32\tvFhQqru.ini2
c:\windows\system32\twex.exe
c:\windows\system32\tyshb36rfjdf.dll
c:\windows\system32\udpvbuig.ini
c:\windows\system32\uerdoilh.dll
c:\windows\system32\urqQhFvt.dll
c:\windows\system32\uvhwlu.dll
c:\windows\system32\uyzvki.dll
c:\windows\system32\vgpflmag.ini
c:\windows\system32\vigbrk.dll
c:\windows\system32\vpvvtyny.ini
c:\windows\system32\vuugnyla.ini
c:\windows\system32\wcapmact.dll
c:\windows\system32\wsxbpwap.ini
c:\windows\system32\xidcfkli.dll
c:\windows\system32\xoyjwlvt.dll
c:\windows\system32\xshfrpft.ini
c:\windows\system32\xxyvusrR.dll
c:\windows\system32\xxywUKdE.dll
c:\windows\system32\yedmomaa.ini
c:\windows\system32\yhenqlcx.dll
c:\windows\system32\ynpgdu.dll
c:\windows\system32\ypcstnlw.ini
c:\windows\system32\yppppiru.dll
c:\windows\system32\yxhigj.dll
c:\windows\system32\yzxdtd.dll
c:\windows\system32\zodpnq.dll
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat . . . . failed to delete
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat . . . . failed to delete

----- BITS: Possible infected sites -----

hxxp://77.74.48.101
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Legacy_TDSSSERV.SYS
-------\Service_TDSSserv.sys


((((((((((((((((((((((((( Files Created from 2009-01-01 to 2009-02-01 )))))))))))))))))))))))))))))))
.

2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-24 20:45 . 2009-01-24 20:45 266,248 --a------ c:\windows\sysguard.exe
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\AT&T
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-18 06:09 <DIR> d-------- c:\documents and settings\user\Application Data\Research In Motion
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-01-18 06:07 <DIR> d-------- c:\program files\Research In Motion
2009-01-18 06:07 . 2009-01-28 15:34 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-21 16:00 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
.
- - - - ORPHANS REMOVED - - - -

BHO-{12699d45-3f0f-4c85-9d9b-10ce65a60c2f} - c:\windows\system32\hilivoze.dll
BHO-{4CE528E2-58C1-4256-9567-7DC19D3C4886} - c:\windows\system32\urqQhFvt.dll
BHO-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
SharedTaskScheduler-{D5BF49A2-94F1-42BD-F434-3604812C807D} - c:\windows\system32\tyshb36rfjdf.dll
MSConfigStartUp-2ef07 - c:\program files\rhedelzvdocyw\nfvsrsz.exe
MSConfigStartUp-AACKWin - c:\progra~1\KSYSCO~1\smss.exe
MSConfigStartUp-BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA} - c:\program files\Common Files\Nero\Lib\NMBgMonitor.exe
MSConfigStartUp-bihomivabu - c:\windows\system32\dunulaju.dll
MSConfigStartUp-BlackBerryAutoUpdate - c:\program files\Common Files\Research In Motion\Auto Update\RIMAutoUpdate.exe
MSConfigStartUp-Control Center - c:\program files\ASUS\WLAN Card Utilities\Center.exe
MSConfigStartUp-GetModule35 - c:\program files\GetModule\GetModule35.exe
MSConfigStartUp-GetPack28 - c:\program files\GetPack\GetPack28.exe
MSConfigStartUp-Jnskdfmf9eldfd - c:\docume~1\user\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-jsf8j34rgfght - c:\docume~1\user\LOCALS~1\Temp\winloggn.exe
MSConfigStartUp-lphcc35j0ejdn - c:\windows\system32\lphcc35j0ejdn.exe
MSConfigStartUp-NBKeyScan - c:\program files\Nero\Nero8\Nero BackItUp\NBKeyScan.exe
MSConfigStartUp-NeroFilterCheck - c:\program files\Common Files\Nero\Lib\NeroCheck.exe
MSConfigStartUp-prunnet - c:\windows\system32\prunnet.exe
MSConfigStartUp-runner1 - c:\windows\mrofinu1535.exe
MSConfigStartUp-SpeedX - c:\progra~1\MyPortal\Speed-X\SpeedX.exe
MSConfigStartUp-SpybotSD TeaTimer - c:\program files\Spybot - Search & Destroy\TeaTimer.exe
MSConfigStartUp-sysrest32 - c:\windows\system32\sysrest32.exe
MSConfigStartUp-tezrtsjhfr84iusjfo84f - c:\docume~1\user\LOCALS~1\Temp\csrssc.exe
MSConfigStartUp-VnrPack22 - c:\program files\VnrPack\VnrPack22.exe
MSConfigStartUp-winlogon - c:\documents and settings\user\svchost.exe
MSConfigStartUp-[system] - c:\windows\system32\drivers\services.exe
MSConfigStartUp-Cm102Sound - cm102.cpl
MSConfigStartUp-CTHelper - CTHELPER.EXE
MSConfigStartUp-CTxfiHlp - CTXFIHLP.EXE


.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-01 13:48:10
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(728)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
c:\program files\Yahoo!\Messenger\Ymsgr_tray.exe
.
**************************************************************************
.
Completion time: 2009-02-01 13:50:21 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-01 21:50:14

Pre-Run: 67,190,714,368 bytes free
Post-Run: 67,343,056,896 bytes free

340 --- E O F --- 2008-12-12 11:02:28

0

Please go to Jotti's or to VirusTotal and have these files scanned. Post the results back here.

c:\windows\system32\drivers\zqgyhlq6pgg.sys
c:\windows\sysguard.exe
c:\windows\system32\twain32
c:\windows\system32\lazogiya.exe
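The four files named in this reply all stand out in the ComboFix log above: two of them carry hidden+system attributes (--ahs----, d--hs----), one is an .exe created straight in c:\windows, and one is a driver with a random-looking name. The script below is an added example, not part of this thread or of ComboFix, that applies those same kinds of checks mechanically to lines in ComboFix's "Files Created", "Find3M Report" and "Trusted Zone" layouts. The selection criteria (attribute flags, drop location, a vowel-ratio test for random names) are my assumptions about what a responder looks for, not the helper's stated reasoning, and the sample lines are copied from the log posted above.

```python
import re
from typing import Dict, List

# Constructed sample: a few lines copied from the ComboFix log posted above,
# taken from its "Files Created", "Find3M Report" and "Supplementary Scan"
# sections, in the exact layout ComboFix prints them.
SAMPLE_LOG = r"""
2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-24 20:45 . 2009-01-24 20:45 266,248 --a------ c:\windows\sysguard.exe
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
"""

# "Files Created" layout: <created> . <modified> <size|<DIR>> <9 attr flags> <path>
CREATED_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|<DIR>) (?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)
# "Find3M Report" layout: <modified> <size|dashes> <7 attr flags> <path>
FIND3M_RE = re.compile(
    r"^(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) "
    r"(?P<size>[\d,]+|-+) (?P<attrs>[-a-z]{7}) (?P<path>.+)$"
)
TRUSTED_RE = re.compile(r"^Trusted Zone: \S+$")

VOWELS = set("aeiou")


def looks_random(name: str) -> bool:
    """Heuristic (my assumption, not a ComboFix rule): a file stem with at
    least five letters and under 20% vowels reads as machine-generated,
    e.g. zqgyhlq6pgg or TDSSlxwp, but not ERUNT or sysguard."""
    stem = name.rsplit(".", 1)[0]
    letters = [c for c in stem.lower() if c.isalpha()]
    if len(letters) < 5:
        return False
    return sum(c in VOWELS for c in letters) / len(letters) < 0.2


def triage(log_text: str) -> Dict[str, List[str]]:
    """Return {entry: [reasons]} for log entries worth a second look.

    Flags: hidden+system attributes on a file or directory, an .exe dropped
    straight into c:\\windows, a random-looking name, and every domain added
    to the IE Trusted Zone (keyed by the whole 'Trusted Zone: ...' line).
    """
    findings: Dict[str, List[str]] = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if TRUSTED_RE.match(line):
            findings[line] = ["domain added to the IE Trusted Zone"]
            continue
        m = CREATED_RE.match(line) or FIND3M_RE.match(line)
        if not m:
            continue
        path, attrs = m.group("path"), m.group("attrs")
        parent, _, name = path.rpartition("\\")
        reasons: List[str] = []
        if "h" in attrs and "s" in attrs:
            reasons.append("hidden+system attributes")
        if parent.lower() == r"c:\windows" and name.lower().endswith(".exe"):
            reasons.append("executable dropped directly into the Windows directory")
        if looks_random(name):
            reasons.append("random-looking file name")
        if reasons:
            findings[path] = reasons
    return findings


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_LOG).items():
        print(f"{entry}\n    {'; '.join(reasons)}")
```

Run against the sample it reports the four files the helper asked about, the two rogue-AV domains in the Trusted Zone, and additionally TDSSlxwp.dll, which the log lists among the recently created files; ERUNT and AllToAVI pass untouched. Such a list is a starting point for a human reviewer, not a verdict: a hidden attribute or an odd name is a reason to look, which is exactly why the next step in the thread is to hash and scan the files rather than delete them.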

0

I don't know if this is the right way to post the results, but for:

c:\windows\system32\drivers\zqgyhlq6pgg.sys

Scan taken on 03 Feb 2009 03:40:49 (GMT)
A-Squared
Found nothing
AntiVir
Found TR/Dropper.Gen
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Rootkit.Agent.AITB
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found Rootkit.Agent.AITB
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found Rootkit.Win32.Agent.fry

c:\windows\sysguard.exe

Scan taken on 03 Feb 2009 03:43:54 (GMT)
A-Squared
Found Virus.Win32.Rootkit!IK
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found Win32:Rootkit-gen
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1405877
ClamAV
Found nothing
CPsecure
Found FraudTool.W32.WinSpywareProtect.dw
Dr.Web
Found Trojan.Fakealert.3908
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found not-a-virus:FraudTool.Win32.WinSpywareProtect.dw
G DATA
Found Win32:Rootkit-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found not-a-virus:FraudTool.Win32.WinSpywareProtect.dw
NOD32
Found Win32/Adware.SpywareProtect2009 application
Norman Virus Control
Found W32/Malware.FIIJ
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/FakeVir-JX, Troj/SWProt-Gen
VirusBuster
Found nothing
VBA32
Found nothing

c:\windows\system32\twain32
This turned out to be a folder, and two files were inside it:
local.ds and user.ds. I scanned local.ds and nothing was found, and it wouldn't let me scan user.ds due to it being 0 KB, or malware?

c:\windows\system32\lazogiya.exe


Scan taken on 03 Feb 2009 03:51:15 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
ArcaVir
Found nothing
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found nothing
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found nothing
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found nothing
VirusBuster
Found nothing
VBA32
Found nothing
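Multi-engine results in the form posted above are easier to read as a count per file than as twenty "Found nothing" lines, and a few of the verdicts carry more information than they appear to: a "not-a-virus:FraudTool" label still means a rogue security product, and Sophos lists two names on one line. The script below is an added example, not part of this thread or of Jotti's service, that parses this exact layout into per-file detection counts and a rough family tag. The keyword-to-family mapping is my assumption, and the sample is a subset of the sysguard.exe and lazogiya.exe lines above.

```python
import re
from typing import Dict

# Constructed sample in the layout of the Jotti results posted above: a
# subset of the sysguard.exe and lazogiya.exe engine lines, back to back.
SAMPLE_RESULTS = r"""
c:\windows\sysguard.exe

Scan taken on 03 Feb 2009 03:43:54 (GMT)
A-Squared
Found Virus.Win32.Rootkit!IK
AntiVir
Found nothing
Avast
Found Win32:Rootkit-gen
Kaspersky Anti-Virus
Found not-a-virus:FraudTool.Win32.WinSpywareProtect.dw
Sophos Antivirus
Found Troj/FakeVir-JX, Troj/SWProt-Gen
VBA32
Found nothing

c:\windows\system32\lazogiya.exe

Scan taken on 03 Feb 2009 03:51:15 (GMT)
A-Squared
Found nothing
AntiVir
Found nothing
"""

PATH_RE = re.compile(r"^[a-z]:\\", re.IGNORECASE)

# Keyword hints (my assumptions) for turning vendor names into a rough family.
FAMILY_HINTS = {
    "rogue antivirus": ("fraudtool", "fakealert", "fakevir", "spywareprotect", "swprot"),
    "rootkit": ("rootkit",),
    "dropper": ("dropper",),
}


def parse_results(text: str) -> Dict[str, dict]:
    """Parse 'path / Scan taken on / engine / Found ...' blocks into
    {path: {"engines": n, "detections": {engine: [names]}}}."""
    results: Dict[str, dict] = {}
    current = None   # path of the block being read
    engine = None    # engine name waiting for its 'Found ...' line
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if PATH_RE.match(line):
            current = line
            results[current] = {"engines": 0, "detections": {}}
            engine = None
        elif current is None or line.startswith("Scan taken on"):
            continue
        elif line.startswith("Found "):
            if engine is None:
                continue  # a 'Found' line with no engine name before it
            results[current]["engines"] += 1
            verdict = line[len("Found "):].strip()
            if verdict.lower() != "nothing":
                # Sophos-style lines list several names separated by commas.
                results[current]["detections"][engine] = [v.strip() for v in verdict.split(",")]
            engine = None
        else:
            engine = line
    return results


def summarize(results: Dict[str, dict]) -> Dict[str, dict]:
    """Per file: how many engines flagged it, out of how many, and which
    families the vendor names hint at (a 'not-a-virus:FraudTool' verdict
    still counts: it means a rogue security product)."""
    summary: Dict[str, dict] = {}
    for path, block in results.items():
        names = [n.lower() for hits in block["detections"].values() for n in hits]
        families = sorted(
            family for family, hints in FAMILY_HINTS.items()
            if any(h in n for n in names for h in hints)
        )
        summary[path] = {
            "detections": len(block["detections"]),
            "engines": block["engines"],
            "families": families,
        }
    return summary


if __name__ == "__main__":
    for path, s in summarize(parse_results(SAMPLE_RESULTS)).items():
        tag = ", ".join(s["families"]) or "no family hint"
        print(f"{path}: {s['detections']}/{s['engines']} engines, {tag}")
```

On the sample this gives 4 of 6 engines for sysguard.exe with the tags "rogue antivirus" and "rootkit", and 0 of 2 for lazogiya.exe. A zero count is not a clean bill: lazogiya.exe is a 2,713-byte hidden+system file created the day before the scan, which is why the next reply asks ComboFix to inspect it directly rather than trusting the scanners alone.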

0

1. Please open Notepad

  • Click Start, then Run
  • Type notepad.exe in the Run box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

Driver::
zqgyhlq6pgg
File::
c:\windows\sysguard.exe
FileLook::
c:\windows\system32\twain32\user.ds
c:\windows\system32\twain32\local.ds
c:\windows\system32\lazogiya.exe

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
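The FileLook:: directive in the script above asks ComboFix to report on files rather than delete them, which is the right move for the three it names: user.ds could not be scanned, and nothing is yet known about lazogiya.exe or local.ds. The code below is an added example, not ComboFix's own logic, of the two facts such a look-up yields: the file's MD5 and whether the bytes actually form a PE executable. The PE test (an MZ header whose e_lfanew field points at a PE signature) is my stand-in for whatever ComboFix checks internally, and the inputs are constructed bytes, not the user's real files; the zero-byte case stands for the 0 KB user.ds described two replies up and hashes to the well-known empty-input MD5.

```python
import hashlib
import struct

# MD5 of zero bytes: any 0 KB file hashes to exactly this value.
MD5_EMPTY = "d41d8cd98f00b204e9800998ecf8427e"


def is_pe(data: bytes) -> bool:
    """True if data starts with a DOS 'MZ' header whose e_lfanew field
    (offset 0x3C) points at a 'PE\\0\\0' signature. This is my stand-in for
    ComboFix's 'Not a PE file' test, whose exact logic is not on the page."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return len(data) >= e_lfanew + 4 and data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def file_look(name: str, data: bytes) -> dict:
    """Report size, MD5, PE-ness and the observations a responder would note."""
    md5 = hashlib.md5(data).hexdigest()
    pe = is_pe(data)
    notes = []
    if not data:
        notes.append("zero-length file; MD5 is the empty-input hash")
    if not pe:
        notes.append("Not a PE file.")
    if not pe and name.lower().endswith((".exe", ".dll", ".sys")):
        # An executable extension on non-PE content is worth a closer look:
        # it may be a script, a data blob or a damaged/placeholder file.
        notes.append("executable extension without a PE header")
    return {"name": name, "size": len(data), "md5": md5, "pe": pe, "notes": notes}


def build_pe_header_stub() -> bytes:
    """Constructed 88-byte sample: a DOS header with e_lfanew = 0x40 followed
    by the PE signature. Enough for the header check; not a runnable program."""
    dos = bytearray(0x40)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20


# Constructed inputs (not the user's real files) covering the cases a
# FileLook report can come back with.
SAMPLES = {
    "empty.ds": b"",                                   # like a 0 KB user.ds
    "text.ds": b"not a program, just some bytes\r\n",  # data file, not PE
    "tiny.exe": b"\x00" * 100,                         # .exe name, no MZ/PE
    "well-formed.exe": build_pe_header_stub(),         # passes the PE check
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        r = file_look(name, data)
        print(f"{name} -- {r['size']} bytes, MD5 {r['md5']}, notes: {r['notes']}")
```

An MD5 from a FileLook report is mainly useful as a lookup key: it lets a helper compare the file against what other scanners have already seen without the user uploading it. The empty-input hash is the first thing to recognise, since it says the file has no content at all, whatever its name or attributes suggest.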

0

Thank you once again, and here are the logs:

Combofix:

ComboFix 09-02-01.01 - user 2009-02-03 7:05:58.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1383 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\sysguard.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\sysguard.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-03 to 2009-02-03 )))))))))))))))))))))))))))))))
.

2009-02-02 03:09 . 2009-02-02 03:09 118 --a------ c:\windows\system32\MRT.INI
2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\AT&T
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-18 06:09 <DIR> d-------- c:\documents and settings\user\Application Data\Research In Motion
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-01-18 06:07 <DIR> d-------- c:\program files\Research In Motion
2009-01-18 06:07 . 2009-01-28 15:34 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 15:03 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-22 23:28 129,024 ----a-w c:\windows\system32\uspbhd.dll
2008-12-22 23:28 129,024 ----a-w c:\windows\system32\agijdoim.dll
2008-12-22 14:03 72,704 ----a-w c:\windows\system32\jhkttyqe.dll
2008-12-22 13:54 129,024 ----a-w c:\windows\system32\evleqpvm.dll
2008-12-21 14:00 72,704 ----a-w c:\windows\system32\gamlfpgv.dll
2008-12-21 13:51 129,024 ----a-w c:\windows\system32\xojlqy.dll
2008-12-21 13:51 129,024 ----a-w c:\windows\system32\sjrycsnt.dll
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-20 13:49 129,024 ----a-w c:\windows\system32\reowgxid.dll
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-19 03:33 129,024 ----a-w c:\windows\system32\uwoowg.dll
2008-12-19 03:33 129,024 ----a-w c:\windows\system32\lwhwmhsp.dll
2008-12-18 03:21 34,816 ----a-w c:\windows\system32\vtUmNDVo.dll
2008-12-18 03:15 72,704 ----a-w c:\windows\system32\epsldmxb.dll
2008-12-18 03:14 34,816 ----a-w c:\windows\system32\khfEVOig.dll
2008-12-18 03:12 129,024 ----a-w c:\windows\system32\pyfmnkyh.dll
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2008-11-21 06:02 8,464 ----a-w c:\windows\system32\SpOrder.Dll
2008-11-21 06:02 719,360 ----a-w c:\windows\system32\bmutil.dll
2008-11-21 06:02 475,136 ----a-w c:\windows\system32\bmnet.dll
2008-11-21 06:02 126,976 ----a-w c:\windows\system32\bmdumpd.bin
2008-11-21 06:02 118,784 ----a-w c:\windows\system32\bmwebcfg.exe
2008-11-21 05:59 32,408 ----a-w c:\windows\system32\PCTINDIS5.sys
2008-11-21 05:59 137,752 ----a-w c:\windows\system32\PCTIN50.dll
2008-11-15 02:25 61,440 ----a-w c:\windows\system32\pthswmcp.dll
2008-11-15 02:25 6,144 ----a-w c:\windows\system32\mot_ci.dll
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\lazogiya.exe -- Not a PE file.
MD5: 4bcfe9f8db04948cddb5e31fe6a7f984

c:\windows\system32\twain32\local.ds -- Not a PE file.
MD5: c50a713fdee9b00a620d50dac1889292

c:\windows\system32\twain32\user.ds -- Not a PE file.
MD5: d41d8cd98f00b204e9800998ecf8427e


((((((((((((((((((((((((((((( snapshot@2009-02-01_13.48.57.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2007-07-27 17:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="c:\windows\pchealth\helpctr\Binaries\MSCONFIG.EXE" [2008-04-13 169984]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]

--- Other Services/Drivers In Memory ---

*Deregistered* - dump_wmimmc
.
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 07:07:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(716)
c:\windows\system32\bmnet.dll
.
Completion time: 2009-02-03 7:09:23
ComboFix-quarantined-files.txt 2009-02-03 15:09:17
ComboFix2.txt 2009-02-01 21:50:24

Pre-Run: 67,239,387,136 bytes free
Post-Run: 67,237,728,256 bytes free

227 --- E O F --- 2009-02-02 11:10:02


HJT:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:09:49 AM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\pchealth\helpctr\Binaries\MSCONFIG.EXE /auto
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222

--
End of file - 4769 bytes
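The HJT log above is the kind of thing a helper reads by rule of thumb: O15 Trusted Zone entries for rogue "antivirus" domains (IE applies its relaxed Trusted sites settings to them), an O10 LSP that needs to be identified before it is touched, O17 name servers checked against resolvers you recognise (the 208.67.x.x pair here is OpenDNS), and O4 autoruns that launch from Temp. As an added example, not part of this thread or of HijackThis itself, here is a small Python triage script that applies those rules. The sample lines are copied from the log above plus one constructed O4 line and one constructed O17 line; the resolver allowlist and the rogue-word list are assumptions for the demo.

```python
import re

# Assumptions for this example: resolvers considered benign (the two 208.67.x.x
# addresses in the log are OpenDNS) and words that rogue "security" sites of the
# period favoured. Both lists are illustrative, not authoritative.
KNOWN_RESOLVERS = {"208.67.222.222", "208.67.220.220", "8.8.8.8", "8.8.4.4"}
ROGUE_WORDS = ("antivirus", "virus", "spyware", "malware", "safety", "systemcare")

# HJT entry lines look like "O15 - Trusted Zone: *.example.com"
HJT_LINE = re.compile(r"^(?P<sec>[RFNO]\d+)\s+-\s+(?P<body>.*)$")


def parse_hjt(text):
    """Yield (section, body) for every HijackThis entry line in the pasted log."""
    for line in text.splitlines():
        m = HJT_LINE.match(line.strip())
        if m:
            yield m.group("sec"), m.group("body")


def triage(text):
    """Apply a few helper-style rules and return (section, severity, note) findings."""
    findings = []
    for sec, body in parse_hjt(text):
        if sec == "O15":
            # Anything in the Trusted Zone gets IE's relaxed settings; rogue-AV names are the worst.
            domain = body.split("Trusted Zone:", 1)[-1].strip().lstrip("*.")
            sev = "high" if any(w in domain for w in ROGUE_WORDS) else "review"
            findings.append((sec, sev, f"Trusted Zone entry for {domain}"))
        elif sec == "O10" and "Unknown file in Winsock LSP" in body:
            # An LSP sees every socket on the box; identify the vendor before removing it.
            dll = body.rsplit(":", 1)[-1].strip()
            findings.append((sec, "review", f"unrecognised LSP {dll}"))
        elif sec == "O17":
            servers = [s.strip() for s in body.split("NameServer =", 1)[-1].split(",")]
            unknown = [s for s in servers if s not in KNOWN_RESOLVERS]
            if unknown:
                findings.append((sec, "high", f"DNS servers not on allowlist: {unknown}"))
        elif sec == "O4":
            # Autoruns launched from Temp or the user profile are a classic dropper sign.
            path = body.split("]", 1)[-1].strip().lower()
            if "\\temp\\" in path or "\\local settings\\" in path:
                findings.append((sec, "high", f"autorun from a temp/profile path: {path}"))
    return findings


# Sample input: O4/O10/O15/O17 lines copied from the log above, plus one constructed
# O4 line and one constructed O17 line (203.0.113.5 is a documentation address).
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [updater] C:\DOCUME~1\user\LOCALS~1\Temp\updater.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.trustedantivirus.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 203.0.113.5
"""

if __name__ == "__main__":
    for sec, sev, note in triage(SAMPLE_LOG):
        print(f"{sec:4} {sev:6} {note}")
```

Run against the real log it would list all seven Trusted Zone domains, with the ones carrying "virus" or "antivirus" in the name marked high, and leave the OpenDNS O17 entries alone; the unknown LSP stays at "review" because bmnet.dll has to be matched to a vendor by hand before anyone touches it.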

0

I have more for you for Jotti now :)

c:\windows\system32\pyfmnkyh.dll
c:\windows\system32\lwhwmhsp.dll
c:\windows\system32\uwoowg.dll
c:\windows\system32\reowgxid.dll
c:\windows\system32\sjrycsnt.dll
c:\windows\system32\xojlqy.dll
c:\windows\system32\evleqpvm.dll
c:\windows\system32\uspbhd.dll
c:\windows\system32\agijdoim.dll
c:\windows\system32\jhkttyqe.dll

Post the results back please.

0

Yay, more fun :)

c:\windows\system32\pyfmnkyh.dll

Scan taken on 04 Feb 2009 02:42:18 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Pakes.mfm
ArcaVir
Found Trojan.Agent.Asib
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1244680
ClamAV
Found Trojan.Vundo-10267
CPsecure
Found Troj.W32.Pakes.mfm
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan2.FUQB
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GK, Trojan.Win32.Pakes.mfm
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Pakes.mfm
NOD32
Found nothing
Norman Virus Control
Found W32/Vundo.FTT
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Pakes.mfm


c:\windows\system32\lwhwmhsp.dll

Scan taken on 04 Feb 2009 02:46:48 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Monder.adyt
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1248348
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan2.FWFV
F-Secure Anti-Virus
Found Trojan.Win32.Monder.adyt
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.adyt
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LWCM
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing


c:\windows\system32\uwoowg.dll

Scan taken on 04 Feb 2009 02:49:34 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Monder.adyt
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1248348
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan2.FWFV
F-Secure Anti-Virus
Found Trojan.Win32.Monder.adyt
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.adyt
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LWCM
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing

c:\windows\system32\reowgxid.dll

Scan taken on 04 Feb 2009 02:53:08 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/ConHook.D.6
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1256911
ClamAV
Found nothing
CPsecure
Found Troj.W32.Monder.aiig
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GU, Trojan.Win32.Monder.aiig
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiig
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LWCN
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing

c:\windows\system32\sjrycsnt.dll

Scan taken on 04 Feb 2009 02:58:58 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Monder.aiir
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1258231
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GS, Trojan.Win32.Monder.aiir
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiir
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LXCU
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing

c:\windows\system32\xojlqy.dll

Scan taken on 04 Feb 2009 03:03:47 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Monder.aiir
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1258231
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GS, Trojan.Win32.Monder.aiir
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiir
NOD32
Found nothing
Norman Virus Control
Found W32/DLoader.LXCU
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing


c:\windows\system32\evleqpvm.dll

Scan taken on 04 Feb 2009 03:07:35 (GMT)
A-Squared
Found Trojan.Win32.Conhook!IK
AntiVir
Found TR/ConHook.D.4
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Vundo.GGE
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GQ
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Vundo.FTV
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing


c:\windows\system32\uspbhd.dll

Scan taken on 04 Feb 2009 03:12:49 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/ConHook.D.3
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1267491
ClamAV
Found nothing
CPsecure
Found Troj.W32.Monder.aiiq
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan3.WK
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GT, Trojan.Win32.Monder.aiiq
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiiq
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Monder.aiiq


c:\windows\system32\agijdoim.dll

Scan taken on 04 Feb 2009 03:15:32 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/ConHook.D.3
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1267491
ClamAV
Found nothing
CPsecure
Found Troj.W32.Monder.aiiq
Dr.Web
Found nothing
F-Prot Antivirus
Found W32/Trojan3.WK
F-Secure Anti-Virus
Found Trojan:W32/ConHook.GT, Trojan.Win32.Monder.aiiq
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Monder.aiiq
NOD32
Found nothing
Norman Virus Control
Found W32/Virtumonde.AIMK
Panda Antivirus
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found Trojan.Win32.Monder.aiiq


c:\windows\system32\jhkttyqe.dll


Scan taken on 04 Feb 2009 03:17:57 (GMT)
A-Squared
Found Trojan.Vundo!IK
AntiVir
Found TR/Vundo.72704Y
ArcaVir
Found nothing
Avast
Found Win32:Trojan-gen {Other}
AVG Antivirus
Found nothing
BitDefender
Found Trojan.Generic.1265340
ClamAV
Found nothing
CPsecure
Found nothing
Dr.Web
Found nothing
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found nothing
G DATA
Found Win32:Trojan-gen
Ikarus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Norman Virus Control
Found W32/Vundo.FTW
Panda Antivirus
Found Generic
Sophos Antivirus
Found Troj/Virtum-Gen
VirusBuster
Found nothing
VBA32
Found nothing
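Ten files and twenty engines each is a lot to eyeball, and the point that matters most is easy to miss in the paste: the AV installed on this machine (AVG) reports "Found nothing" on every one of them, while the engines that do detect disagree on names (Vundo, Virtumonde, Virtum-Gen, Monder, ConHook) for what is one family. As an added example, not part of this thread or of Jotti's service, here is a Python parser for the pasted output that gives per-file hit ratios, per-engine miss counts, the engines that missed everything, and a family consensus. The sample is a six-engine excerpt of two of the results above; the alias table mapping vendor names onto "Vundo" is an assumption for the demo.

```python
import re
from collections import Counter, defaultdict

# A file block starts with a drive-letter path; each engine name is followed by a "Found ..." line.
FILE_HEADER = re.compile(r"^[a-z]:\\.+\.(?:dll|exe|sys)$", re.IGNORECASE)
SCAN_HEADER = re.compile(r"^Scan taken on ")

# Assumption: these substrings are the names different vendors use for the same family.
FAMILY_ALIASES = {"vundo": "Vundo", "virtum": "Vundo", "monder": "Vundo", "conhook": "Vundo"}


def parse_jotti(text):
    """Return {path: {engine: verdict}} where verdict is None for 'Found nothing'."""
    results, current, engine = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if FILE_HEADER.match(line):
            current, engine = line.lower(), None
            results[current] = {}
        elif current is None or SCAN_HEADER.match(line):
            continue
        elif line.startswith("Found "):
            if engine is not None:
                verdict = line[len("Found "):]
                results[current][engine] = None if verdict == "nothing" else verdict
                engine = None
        else:
            engine = line  # an engine name; its verdict is on the next line
    return results


def detection_summary(results):
    """Per-file (hits, engines) and per-engine miss counts across all files."""
    per_file, misses = {}, defaultdict(int)
    for path, verdicts in results.items():
        per_file[path] = (sum(v is not None for v in verdicts.values()), len(verdicts))
        for engine, v in verdicts.items():
            if v is None:
                misses[engine] += 1
    return per_file, dict(misses)


def engines_missing_everything(results):
    """Engines that said 'Found nothing' on every file (an engine absent from a block counts
    as a miss). If the installed AV shows up here, it is not protecting the box."""
    engines = set().union(*results.values())
    return sorted(e for e in engines if all(v.get(e) is None for v in results.values()))


def family_consensus(verdicts):
    """Map vendor names onto one family via FAMILY_ALIASES and return the most common, or None."""
    counts = Counter()
    for v in verdicts.values():
        if v is None:
            continue
        for key, family in FAMILY_ALIASES.items():
            if key in v.lower():
                counts[family] += 1
                break
    return counts.most_common(1)[0][0] if counts else None


# Sample input: a six-engine excerpt of two of the Jotti results posted above.
SAMPLE = r"""
c:\windows\system32\pyfmnkyh.dll

Scan taken on 04 Feb 2009 02:42:18 (GMT)
A-Squared
Found Trojan.Vundo!IK
AVG Antivirus
Found nothing
Kaspersky Anti-Virus
Found Trojan.Win32.Pakes.mfm
NOD32
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VBA32
Found Trojan.Win32.Pakes.mfm

c:\windows\system32\jhkttyqe.dll

Scan taken on 04 Feb 2009 03:17:57 (GMT)
A-Squared
Found Trojan.Vundo!IK
AVG Antivirus
Found nothing
Kaspersky Anti-Virus
Found nothing
NOD32
Found nothing
Sophos Antivirus
Found Troj/Virtum-Gen
VBA32
Found nothing
"""

if __name__ == "__main__":
    results = parse_jotti(SAMPLE)
    per_file, misses = detection_summary(results)
    for path, (hits, total) in per_file.items():
        print(f"{hits}/{total} {family_consensus(results[path])} {path}")
    print("missed everything:", engines_missing_everything(results))
```

On the full paste the "missed everything" list is where to look first: an engine that is installed locally and appears there has no useful signatures for this infection, which is why the helper is relying on the multi-engine result rather than the resident scanner.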

0

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\pyfmnkyh.dll
c:\windows\system32\lwhwmhsp.dll
c:\windows\system32\uwoowg.dll
c:\windows\system32\reowgxid.dll
c:\windows\system32\sjrycsnt.dll
c:\windows\system32\xojlqy.dll
c:\windows\system32\evleqpvm.dll
c:\windows\system32\uspbhd.dll
c:\windows\system32\agijdoim.dll
c:\windows\system32\jhkttyqe.dll

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.
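The CFScript above deletes the ten DLLs by path, and once ComboFix has quarantined them the only record of what was on disk is the Jotti paste. As an added example, not part of this thread or of ComboFix itself, here is a Python helper that renders the same KillAll::/File:: script from a list of paths and, before anything is removed, records SHA-256, size and mtime of each target so the samples can be looked up or submitted later. The demo builds constructed stand-ins in a temporary directory (a fake DLL that is just an MZ header padded with zeros, a zero-byte file, and a path that no longer exists); the zero-byte case mirrors user.ds in the log above, whose MD5 d41d8cd98f00b204e9800998ecf8427e is the hash of empty input. CRLF line endings are used because Notepad on Windows saves them that way.

```python
import hashlib
import os
import tempfile


def build_cfscript(paths, kill_all=True):
    """Render a CFScript: an optional KillAll:: section, then File:: with one path per line.
    CRLF line endings match what Notepad would save on Windows."""
    lines = ["KillAll::", ""] if kill_all else []
    lines.append("File::")
    lines.extend(paths)
    return "\r\n".join(lines) + "\r\n"


def evidence_manifest(paths):
    """SHA-256, size and mtime of each target before ComboFix removes it, so the sample can
    still be identified or submitted afterwards. Files that are already gone map to None."""
    manifest = {}
    for p in paths:
        if not os.path.isfile(p):
            manifest[p] = None
            continue
        digest = hashlib.sha256()
        with open(p, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        st = os.stat(p)
        manifest[p] = {"sha256": digest.hexdigest(), "size": st.st_size, "mtime": int(st.st_mtime)}
    return manifest


def demo():
    """Constructed demonstration in a temp directory: a fake DLL (MZ header plus zero padding,
    not real malware), a zero-byte file, and a path that does not exist."""
    d = tempfile.mkdtemp(prefix="cfscript-demo-")
    fake_dll = os.path.join(d, "pyfmnkyh.dll")   # name borrowed from the thread, content is fake
    empty = os.path.join(d, "user.ds")
    gone = os.path.join(d, "already-gone.dll")
    with open(fake_dll, "wb") as fh:
        fh.write(b"MZ" + b"\x00" * 100)
    open(empty, "wb").close()
    targets = [fake_dll, empty, gone]
    return build_cfscript(targets), evidence_manifest(targets), targets


if __name__ == "__main__":
    script, manifest, _ = demo()
    print(script)
    for path, info in manifest.items():
        print(path, info)
```

Keep the manifest off the infected machine (a USB stick or the helper's reply) so it survives the cleanup; a hash of zero bytes in it, like user.ds above, tells you the file was a placeholder rather than a payload.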

0

ComboFix:

ComboFix 09-02-01.01 - user 2009-02-03 21:48:37.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1415 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\agijdoim.dll
c:\windows\system32\evleqpvm.dll
c:\windows\system32\jhkttyqe.dll
c:\windows\system32\lwhwmhsp.dll
c:\windows\system32\pyfmnkyh.dll
c:\windows\system32\reowgxid.dll
c:\windows\system32\sjrycsnt.dll
c:\windows\system32\uspbhd.dll
c:\windows\system32\uwoowg.dll
c:\windows\system32\xojlqy.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\agijdoim.dll
c:\windows\system32\evleqpvm.dll
c:\windows\system32\jhkttyqe.dll
c:\windows\system32\lwhwmhsp.dll
c:\windows\system32\pyfmnkyh.dll
c:\windows\system32\reowgxid.dll
c:\windows\system32\sjrycsnt.dll
c:\windows\system32\uspbhd.dll
c:\windows\system32\uwoowg.dll
c:\windows\system32\xojlqy.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-02 03:09 . 2009-02-02 03:09 118 --a------ c:\windows\system32\MRT.INI
2009-01-30 02:09 . 2009-02-01 11:51 2,190 --a------ c:\windows\system32\TDSSlxwp.dll
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\AT&T
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-18 06:09 <DIR> d-------- c:\documents and settings\user\Application Data\Research In Motion
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-01-18 06:07 <DIR> d-------- c:\program files\Research In Motion
2009-01-18 06:07 . 2009-01-28 15:34 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 15:03 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-01_13.48.57.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
- 2007-07-27 17:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\program files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
.
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 21:52:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(568)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-03 21:54:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 05:54:41
ComboFix2.txt 2009-02-03 15:09:24
ComboFix3.txt 2009-02-01 21:50:24

Pre-Run: 67,132,297,216 bytes free
Post-Run: 67,224,801,280 bytes free

217 --- E O F --- 2009-02-02 11:10:02

HJT :

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:56:34 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
C:\Program Files\Common Files\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222

--
End of file - 4970 bytes

Are you cutting off the bottom of the HijackThis log? There appears to be some missing.

==

I missed a file that needs to go. Also, can you rename this file, c:\windows\system32\lazogiya.exe, and make it oldlazogiya, please.

==

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\TDSSlxwp.dll
Driver::
zqgyhlq6pgg

Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

I am not cutting off any part of the logs; it only produces up to that amount for some reason. I tried to search for that file, but was unable to locate it. Here are the new logs.

Combofix:

ComboFix 09-02-01.01 - user 2009-02-03 23:15:18.4 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1407 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\TDSSlxwp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\TDSSlxwp.dll

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-03 22:17 . 2009-02-03 22:17 <DIR> d-------- c:\program files\AT&T
2009-02-03 21:59 . 2009-02-03 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-02-02 03:09 . 2009-02-02 03:09 118 --a------ c:\windows\system32\MRT.INI
2009-01-29 22:42 . 2009-01-29 22:42 2,713 --ahs---- c:\windows\system32\lazogiya.exe
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-02-03 22:17 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 15:03 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-13 01:11 69,632 ----a-w c:\windows\system32\drivers\zqgyhlq6pgg.sys
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-01_13.48.57.30 )))))))))))))))))))))))))))))))))))))))))
.
+ 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\ARPPRODUCTICON.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\ARPPRODUCTICON.exe
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut461_66D1EE13F16E49638A168A86E9EA186D.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut461_66D1EE13F16E49638A168A86E9EA186D.exe
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut49_66D1EE13F16E49638A168A86E9EA186D_1.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut49_66D1EE13F16E49638A168A86E9EA186D_1.exe
- 2009-01-18 14:11:19 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShortcut.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
+ 2009-02-04 06:17:25 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShortcut.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
- 2009-01-18 14:11:19 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShtcutSB.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
+ 2009-02-04 06:17:25 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShtcutSB.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
- 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2007-01-18 18:24:58 26,496 ----a-r c:\windows\system32\ReinstallBackups\0012\DriverFiles\RimSerial.sys
- 2007-07-27 17:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
.
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: amaena.com
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-03 23:18:30
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(560)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-03 23:21:25 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 07:21:20
ComboFix2.txt 2009-02-04 05:54:49
ComboFix3.txt 2009-02-03 15:09:24
ComboFix4.txt 2009-02-01 21:50:24

Pre-Run: 67,031,392,256 bytes free
Post-Run: 67,012,251,648 bytes free

211 --- E O F --- 2009-02-02 11:10:02


HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:25:37 PM, on 2/3/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\AT&T\Communication Manager\ATTCM.exe
C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
C:\Program Files\AT&T\Communication Manager\bmctl.exe
D:\Research In Motion\USB Drivers\BbDevMgr.exe
C:\Program Files\AT&T\Communication Manager\bmop.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe

--
End of file - 5371 bytes

Showing an extra entry at the bottom now in the log.

Can you please do the following.

===============

Scan with HijackThis and then place a check next to all the following, if present:

O15 - Trusted Zone: *.amaena.com


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

==

1. Please open Notepad

  • Click Start , then Run
  • Type notepad.exe in the Run Box.

2. Now copy/paste the entire content of the codebox below into the Notepad window:

KillAll::

File::
c:\windows\system32\lazogiya.exe
c:\windows\system32\drivers\zqgyhlq6pgg.sys
Driver::
zqgyhlq6pgg


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Save the above as CFScript.txt

4. Physically disconnect from the internet.

5. Now STOP all your monitoring programs (Antivirus/Antispyware, Guards and Shields) as they could easily interfere with ComboFix.

6. Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

7. After reboot (in case it asks to reboot), please post the following reports/logs into your next reply after you re-enable all the programs that were disabled during the running of ComboFix:

  • Combofix.txt
  • A new HijackThis log.

Please take note:

CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Attachments CFScript.gif 27.09 KB
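The helper's reading of the HijackThis log above (O15 Trusted Zone entries to "Fix checked", the O10 unknown LSP repeated three times, and the O17 NameServer entries per interface) can be automated. The script below is an added example, not part of this thread or of HijackThis; the sample log lines are constructed from entries posted in the thread, and the resolver allowlist (the two OpenDNS addresses) is an assumption about which DNS servers count as expected on this machine.

```python
"""Triage of HijackThis v2.0.2 log sections O10, O15 and O17.

Added example, not from the thread or from HijackThis. It applies the
checks the helper applies by eye: O15 Trusted Zone entries are candidates
for "Fix checked", O10 unknown LSPs are reported once per DLL, and O17
NameServer entries are compared against a resolver allowlist.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Assumed resolver allowlist: 208.67.222.222 / 208.67.220.220 are OpenDNS.
# Anything else is reported for manual verification, not declared malicious.
KNOWN_RESOLVERS = {
    "208.67.222.222": "OpenDNS",
    "208.67.220.220": "OpenDNS",
}

ENTRY_RE = re.compile(r"^(O\d+|R\d+|F\d+)\s+-\s+(.*)$")
O15_RE = re.compile(r"^Trusted Zone:\s*(\S+)")
O10_RE = re.compile(r"^Unknown file in Winsock LSP:\s*(\S+)")
O17_RE = re.compile(r"^(HKLM\\System\\\S+?):\s*NameServer\s*=\s*(.+)$")

# Constructed sample: a handful of lines in HJT v2.0.2 format, taken from
# the kinds of entries in the logs above (not the full log).
SAMPLE_HJT_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.virusremover2008.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{CB840167-8C0B-459E-9407-8A46C8A271F9}: NameServer = 209.183.54.151
O23 - Service: AT&T RcAppSvc (ATTRcAppSvc) - SmithMicro Inc. - C:\Program Files\AT&T\Communication Manager\RcAppSvc.exe
""".strip()


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section code, e.g. "O15"
    item: str      # domain, DLL name or registry key -> IP
    reason: str    # why a human should look at it


def parse_entries(log_text):
    """Yield (section, body) for each HJT entry line; skip headers and blanks."""
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2)


def triage(log_text):
    """Return the findings a helper would act on, in log order."""
    findings = []
    seen_lsp = set()
    for section, body in parse_entries(log_text):
        if section == "O15":
            m = O15_RE.match(body)
            if m:
                findings.append(Finding("O15", m.group(1),
                    "site in the IE Trusted Zone runs with lowered security; "
                    "candidate for Fix checked unless the user added it"))
        elif section == "O10":
            m = O10_RE.match(body)
            if m and m.group(1).lower() not in seen_lsp:
                seen_lsp.add(m.group(1).lower())   # HJT lists one LSP per layer
                findings.append(Finding("O10", m.group(1),
                    "Winsock LSP not in the HJT whitelist; identify the vendor "
                    "before removing (a broken LSP chain breaks networking)"))
        elif section == "O17":
            m = O17_RE.match(body)
            if m:
                key = m.group(1)
                for ip in m.group(2).split(","):
                    ip = ip.strip()
                    if ip not in KNOWN_RESOLVERS:
                        findings.append(Finding("O17", f"{key} -> {ip}",
                            "DNS server not on the allowlist; confirm it is the "
                            "ISP's resolver (DNS changers rewrite O17 entries)"))
    return findings


def summarize(findings):
    """Count findings per section, e.g. {'O10': 1, 'O15': 2, 'O17': 1}."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT_LOG):
        print(f"{f.section}  {f.item}\n      {f.reason}")
```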

Oh, that's good.

Combofix:


ComboFix 09-02-03.01 - user 2009-02-04 6:51:23.5 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.1791.1415 [GMT -8:00]
Running from: c:\documents and settings\user\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\user\Desktop\CFScript.txt
AV: AVG 7.5.549 *On-access scanning enabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\drivers\zqgyhlq6pgg.sys
c:\windows\system32\lazogiya.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\windows\system32\drivers\zqgyhlq6pgg.sys
c:\windows\system32\lazogiya.exe

.
((((((((((((((((((((((((( Files Created from 2009-01-04 to 2009-02-04 )))))))))))))))))))))))))))))))
.

2009-02-03 22:17 . 2009-02-03 22:17 <DIR> d-------- c:\program files\AT&T
2009-02-03 21:59 . 2009-02-03 21:59 <DIR> d-------- c:\documents and settings\All Users\Application Data\AT&T
2009-02-02 03:09 . 2009-02-02 03:09 118 --a------ c:\windows\system32\MRT.INI
2009-01-29 09:02 . 2009-01-29 09:02 578,560 --a--c--- c:\windows\system32\dllcache\user32.dll
2009-01-29 08:29 . 2009-01-29 08:29 <DIR> d-------- c:\windows\ERUNT
2009-01-29 08:26 . 2009-01-29 08:26 <DIR> d-------- c:\documents and settings\Administrator.UNKNOW-91070FE2
2009-01-24 20:45 . 2009-02-01 09:41 <DIR> d--hs---- c:\windows\system32\twain32
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\Sierra Wireless
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\DBUpdater
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\user\Application Data\AT&T
2009-01-18 06:16 . 2009-01-18 06:16 <DIR> d-------- c:\documents and settings\NetworkService\Application Data\Bytemobile
2009-01-18 06:16 . 2008-11-20 21:59 27,072 --a------ c:\windows\system32\drivers\PCASp50.sys
2009-01-18 06:16 . 2008-08-22 10:05 26,760 -ra------ c:\windows\system32\drivers\swmsflt.sys
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Sierra Wireless Inc
2009-01-18 06:11 . 2009-01-18 06:11 <DIR> d-------- c:\program files\Common Files\Motorola Shared
2009-01-18 06:10 . 2009-01-18 06:10 <DIR> d-------- c:\program files\Option
2009-01-18 06:09 . 2009-01-29 06:42 256 --a------ c:\windows\system32\pool.bin
2009-01-18 06:08 . 2007-01-18 10:24 26,496 -ra------ c:\windows\system32\drivers\RimSerial.sys
2009-01-18 06:07 . 2009-02-03 22:17 <DIR> d-------- c:\program files\Common Files\Research In Motion
2009-01-18 06:04 . 2009-01-18 06:04 <DIR> d--hs---- c:\windows\ftpcache
2009-01-10 08:20 . 2009-01-10 08:20 <DIR> d-------- c:\documents and settings\user\Application Data\TeamViewer

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-02-03 15:03 --------- d-----w c:\documents and settings\user\Application Data\AVG7
2008-12-20 22:55 --------- d-----w c:\program files\AllToAVI
2008-12-19 23:48 --------- d-----w c:\program files\PartyGaming
2008-12-11 10:57 333,952 ----a-w c:\windows\system32\drivers\srv.sys
2007-12-10 11:46 47,360 ----a-w c:\documents and settings\user\Application Data\pcouffin.sys
2004-05-07 22:31 348,160 ----a-w c:\program files\mozilla firefox\components\MSVCR71.DLL
2006-11-07 19:58 139,264 ------w c:\program files\mozilla firefox\components\SABFF20.DLL
2008-10-20 15:13 32,768 --sha-w c:\windows\system32\config\systemprofile\Local Settings\History\History.IE5\MSHist012008102020081021\index.dat
.

((((((((((((((((((((((((((((( snapshot@2009-02-01_13.48.57.30 )))))))))))))))))))))))))))))))))))))))))
.
- 2005-10-20 12:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2005-10-21 04:02:28 163,328 ----a-w c:\windows\erdnt\Hiv-backup\ERDNT.EXE
+ 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\ie7updates\KB960714-IE7\mshtml.dll
+ 2007-03-06 01:22:39 213,216 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:47 371,424 -c----w c:\windows\ie7updates\KB960714-IE7\spuninst\updspapi.dll
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\ARPPRODUCTICON.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\ARPPRODUCTICON.exe
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut461_66D1EE13F16E49638A168A86E9EA186D.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut461_66D1EE13F16E49638A168A86E9EA186D.exe
- 2009-01-18 14:11:19 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut49_66D1EE13F16E49638A168A86E9EA186D_1.exe
+ 2009-02-04 06:17:25 49,152 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\NewShortcut49_66D1EE13F16E49638A168A86E9EA186D_1.exe
- 2009-01-18 14:11:19 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShortcut.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
+ 2009-02-04 06:17:25 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShortcut.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
- 2009-01-18 14:11:19 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShtcutSB.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
+ 2009-02-04 06:17:25 9,470 ----a-r c:\windows\Installer\{AF64F216-D859-43FC-9068-0005A41AEBA3}\TRUInstShtcutSB.1A63B4C7_A86D_4C49_B64C_21BF146D813F.exe
- 2000-08-31 16:00:00 286,720 ----a-w c:\windows\SWREG.exe
+ 2000-08-31 16:00:00 161,792 ----a-w c:\windows\SWREG.exe
- 2008-10-17 10:08:40 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 -c----w c:\windows\system32\dllcache\mshtml.dll
- 2008-09-08 10:41:42 333,824 -c----w c:\windows\system32\dllcache\srv.sys
+ 2008-12-11 10:57:09 333,952 -c----w c:\windows\system32\dllcache\srv.sys
+ 2009-01-10 01:35:30 20,853,704 ----a-w c:\windows\system32\MRT.exe
- 2008-10-17 10:08:40 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2008-12-13 06:40:02 3,593,216 ----a-w c:\windows\system32\mshtml.dll
+ 2007-01-18 18:24:58 26,496 ----a-r c:\windows\system32\ReinstallBackups\0012\DriverFiles\RimSerial.sys
- 2007-07-27 17:41:40 16,760 ----a-w c:\windows\system32\spmsg.dll
+ 2007-11-30 12:39:22 17,272 ------w c:\windows\system32\spmsg.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Yahoo! Pager"="c:\progra~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" [2007-08-30 4670704]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"AT&T Communication Manager"="c:\program files\AT&T\Communication Manager\ATTCM.exe" [2008-12-01 33280]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"AVG7_Run"="c:\progra~1\Grisoft\AVG7\avgw.exe" [2008-10-04 219136]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.X264"= x264vfw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
--a------ 2007-10-10 19:51 39792 c:\program files\Adobe\Reader 8.0\Reader\reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdobeUpdater]
--a------ 2008-12-20 07:57 2356088 c:\program files\Common Files\Adobe\Updater5\AdobeUpdater.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AT&T Communication Manager]
--a------ 2008-12-01 14:23 33280 c:\program files\AT&T\Communication Manager\ATTCM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
--a------ 2008-10-19 07:14 590848 c:\progra~1\Grisoft\AVG7\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-13 16:12 15360 c:\windows\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
--------- 2008-04-13 16:12 1695232 c:\program files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
--a------ 2007-10-18 10:34 5724184 c:\program files\Windows Live\Messenger\msnmsgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2007-05-18 12:20 7700480 c:\windows\system32\nvcpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-05-18 12:21 86016 c:\windows\system32\nvmctray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-06-29 07:05 136600 c:\program files\Java\jre6\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Veoh]
--a------ 2008-08-28 09:18 3660848 c:\program files\Veoh Networks\Veoh\VeohClient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
--a------ 2007-08-30 16:43 4670704 c:\program files\Yahoo!\Messenger\YahooMessenger.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2007-05-18 12:21 1622016 c:\windows\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"NMIndexingService"=3 (0x3)
"Nero BackItUp Scheduler 3"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"aawservice"=2 (0x2)
"a2AntiMalware"=2 (0x2)
"WLSetupSvc"=3 (0x3)
"usnjsvc"=3 (0x3)
"Schedule"=2 (0x2)
"NVSvc"=2 (0x2)
"ATTRcAppSvc"=3 (0x3)

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"UpdatesDisableNotify"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\Mozilla Firefox\\firefox.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YahooMessenger.exe"=
"c:\\Program Files\\Yahoo!\\Messenger\\YServer.exe"=
"c:\\Program Files\\Veoh Networks\\Veoh\\VeohClient.exe"=
"c:\\Program Files\\Trillian\\trillian.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avginet.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgamsvr.exe"=
"c:\\Program Files\\Grisoft\\AVG7\\avgcc.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
"c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=
"c:\\Program Files\\uTorrent\\uTorrent.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"1723:TCP"= 1723:TCP:@xpsp2res.dll,-22015
"1701:UDP"= 1701:UDP:@xpsp2res.dll,-22016
"500:UDP"= 500:UDP:@xpsp2res.dll,-22017

R0 si3112r;Silicon Image SiI 3112 SATARaid Controller;c:\windows\system32\drivers\SI3112r.sys [2006-06-24 89749]
R0 SiWinAcc;SiWinAcc;c:\windows\system32\drivers\SiWinAcc.sys [2006-06-24 9600]
S1 SABKUTIL;SABKUTIL;\??\c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys --> c:\program files\SuperAdBlocker.com\Super Ad Blocker\SABKUTIL.sys [?]
S3 A3AB;D-Link AirPro 802.11a/b Wireless Adapter Service(A3AB);c:\windows\system32\drivers\A3AB.sys [2005-08-25 466880]
S3 ASNDIS5;ASNDIS5 Protocol Driver;c:\windows\system32\ASNDIS5.sys [2008-04-02 16269]
S3 genmcmnUSB;USB Scroll Mouse Driver;c:\windows\system32\drivers\gflmouhid.sys [2004-04-19 6656]
S3 NtApm;NT Apm/Legacy Interface Driver;c:\windows\system32\drivers\NtApm.sys [2007-09-29 9344]
S3 u2kg54;BUFFALO WLI-U2-KG54 Wireless LAN Adapter Service;c:\windows\system32\drivers\rt2500usb.sys [2008-04-02 104320]
S3 USBAU;USB Audio Device Interface;c:\windows\system32\drivers\CM102.sys [2008-11-09 1312768]
S3 XDva031;XDva031;\??\c:\windows\system32\XDva031.sys --> c:\windows\system32\XDva031.sys [?]
S4 ATTRcAppSvc;AT&T RcAppSvc;c:\program files\AT&T\Communication Manager\RcAppSvc.exe [2008-11-20 113152]
.
.
------- Supplementary Scan -------
.
LSP: bmnet.dll
Trusted Zone: avsystemcare.com
Trusted Zone: onerateld.com
Trusted Zone: safetydownload.com
Trusted Zone: trustedantivirus.com
Trusted Zone: virusremover2008.com
Trusted Zone: virusschlacht.com
TCP: {2351A425-A26B-40A4-ADBB-99450D8C5E4A} = 208.67.220.220,208.67.222.222
TCP: {5155EB13-C52B-4965-8EE3-C18B2E198951} = 208.67.220.220,208.67.222.222
TCP: {6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57} = 208.67.220.220,208.67.222.222
TCP: {E7CD77B1-4D33-47F9-BE3F-852B1695B32E} = 208.67.220.220,208.67.222.222
FF - ProfilePath - c:\documents and settings\user\Application Data\Mozilla\Firefox\Profiles\7805yqbd.default\
FF - component: c:\program files\Mozilla Firefox\components\SABFF20.DLL
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nppl3260.dll
FF - plugin: c:\program files\K-Lite Codec Pack\Real\browser\plugins\nprpjplug.dll
FF - plugin: c:\program files\Veoh Networks\Veoh\Plugins\noreg\NPVeohVersion.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-02-04 06:54:43
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'lsass.exe'(720)
c:\windows\system32\bmnet.dll
.
------------------------ Other Running Processes ------------------------
.
c:\progra~1\Yahoo!\MESSEN~1\Ymsgr_tray.exe
c:\windows\system32\wscntfy.exe
.
**************************************************************************
.
Completion time: 2009-02-04 6:57:37 - machine was rebooted
ComboFix-quarantined-files.txt 2009-02-04 14:57:32
ComboFix2.txt 2009-02-04 07:21:28
ComboFix3.txt 2009-02-04 05:54:49
ComboFix4.txt 2009-02-03 15:09:24
ComboFix5.txt 2009-02-04 14:50:41

Pre-Run: 66,943,676,416 bytes free
Post-Run: 66,989,404,160 bytes free

216 --- E O F --- 2009-02-02 11:10:02

HJT:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:58:03 AM, on 2/4/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222

--
End of file - 4790 bytes


Crunchie, ALL of those Trusted zone listings are bad.

Thanks Judy. I just woke up and took another look at them, then saw your post :).
Thanks.

==

Can you please do the following.


===============

Scan with HijackThis and then place a check next to all the following, if present:


O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusremover2008.com
O15 - Trusted Zone: *.virusschlacht.com


Now, close all instances of Internet Explorer and any other windows you have open except HiJackThis, click "Fix checked".

===============

Reboot.

===============

After rebooting, rescan with hijackthis and post back a new log. Please let me know how your pc is now.

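As an added example (not code from the thread, from HijackThis or from ComboFix), here is a small Python triage script that applies the checks the replies above rely on to a HijackThis log: every O15 Trusted Zone entry is reported, O10 "Unknown file in Winsock LSP" entries are reported, the resolvers in O17 NameServer entries are compared against an allow-list, and O4 autoruns that start an executable from a Temp directory are reported. The resolver allow-list (OpenDNS's 208.67.222.222 and 208.67.220.220, the values in the posted log), the empty Trusted Zone allow-list, and the sample log (header lines and a subset of the 2/4/2009 log above, plus two constructed lines: an O4 entry for the Temp\csrssc.exe process seen in the first log's process list, and an O17 entry pointing at the documentation address 192.0.2.53) are my assumptions, not from the page.

```python
"""Triage a HijackThis 2.0.2 log for the entry types discussed in this thread.

Added example: not code from the thread, from HijackThis or from ComboFix.
The allow-lists and the sample log below are assumptions for illustration.
"""
import re
from typing import Dict, List, Set

# Assumption (mine, not the thread's): resolvers this machine is expected to use.
# 208.67.222.222 and 208.67.220.220 are OpenDNS, the values in the posted log.
KNOWN_RESOLVERS: Set[str] = {"208.67.222.222", "208.67.220.220"}

# Assumption: domains that legitimately belong in the IE Trusted zone. Left
# empty, so every O15 line is reported, which is the advice given in the thread.
TRUSTED_ZONE_ALLOWLIST: Set[str] = set()

# Constructed sample: header lines plus a subset of the 2/4/2009 log posted above.
# The O4 csrssc line and the 192.0.2.53 O17 line are constructed for illustration
# (csrssc.exe in %TEMP% appears in the first log's process list; 192.0.2.53 is a
# documentation address, not a real rogue resolver).
SAMPLE_LOG = r"""
Logfile of Trend Micro HijackThis v2.0.2
Running processes:
C:\WINDOWS\system32\lsass.exe
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKCU\..\Run: [csrssc] C:\DOCUME~1\user\LOCALS~1\Temp\csrssc.exe
O10 - Unknown file in Winsock LSP: bmnet.dll
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.virusremover2008.com
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 192.0.2.53,208.67.222.222
"""

_ENTRY = re.compile(r"^(?P<sec>[A-Z]\d+)\s+-\s+(?P<body>.*)$")
_TEMP_PATH = re.compile(r"\\Temp\\", re.IGNORECASE)
_NAMESERVER = re.compile(r"NameServer\s*=\s*(?P<ips>[\d.,\s]+)$")


def parse_entries(log_text: str) -> List[Dict[str, str]]:
    """Return the Rx/Oxx entries of a log; header, process list and trailer are skipped."""
    entries = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = _ENTRY.match(line)
        if m:
            entries.append({"section": m["sec"], "body": m["body"], "line": line})
    return entries


def _finding(entry: Dict[str, str], reason: str) -> Dict[str, str]:
    return {"section": entry["section"], "line": entry["line"], "reason": reason}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Apply the four checks and return one finding per suspicious entry."""
    findings: List[Dict[str, str]] = []
    for e in parse_entries(log_text):
        sec, body = e["section"], e["body"]
        if sec == "O15":
            # "Trusted Zone: *.example.com" -> "example.com"
            domain = body.split(":", 1)[1].strip().lstrip("*.").lower()
            if domain not in TRUSTED_ZONE_ALLOWLIST:
                findings.append(_finding(e, f"{domain} is in the IE Trusted zone; rogue "
                                            "security-product sites use this to escape Internet-zone restrictions"))
        elif sec == "O10" and body.lower().startswith("unknown file in winsock lsp"):
            findings.append(_finding(e, "Winsock LSP not in HijackThis's known list; identify the "
                                        "publisher first, removing a valid LSP breaks the chain"))
        elif sec == "O17":
            m = _NAMESERVER.search(body)
            if m:
                ips = {ip.strip() for ip in m["ips"].split(",") if ip.strip()}
                rogue = sorted(ips - KNOWN_RESOLVERS)
                if rogue:
                    findings.append(_finding(e, "DNS server(s) not on the allow-list: " + ", ".join(rogue)))
        elif sec == "O4" and _TEMP_PATH.search(body):
            findings.append(_finding(e, "autorun starts an executable from a Temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}\n    {f['line']}")
```

Run it as a script to print the findings for the embedded sample, or call triage() on the text of a saved log. The O10 check deliberately reports rather than recommends removal: HijackThis labels bmnet.dll "unknown" only because it is not in its own list, and the ComboFix log above shows bmnet.dll loaded in lsass.exe on a machine running the AT&T Communication Manager with its bm*.exe components, so confirm the publisher before fixing an O10 line, since removing a valid LSP breaks the Winsock chain.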

My computer sometimes crashes, but other than that it works really well now :). I don't know if you know anything about tethering with the Bold, but when I try to tether with it, it only utilizes the EDGE network, not the 3G, for some reason. On my other computer it uses 3G, but for some reason this computer only uses EDGE. Do you recommend anything to keep a computer safe from viruses etc.? And here is the HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:29:51 PM, on 2/5/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16762)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O3 - Toolbar: Veoh Browser Plug-in - {D0943516-5076-4020-A3B5-AEFAF26AB263} - C:\Program Files\Veoh Networks\Veoh\Plugins\reg\VeohToolbar.dll
O4 - HKLM\..\Run: [AT&T Communication Manager] "C:\Program Files\AT&T\Communication Manager\ATTCM.exe" -a
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\ssv.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O10 - Unknown file in Winsock LSP: bmnet.dll
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://www.pcpitstop.com/betapit/PCPitStop.CAB
O16 - DPF: {20A60F0D-9AFA-4515-A0FD-83BD84642501} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab56986.cab
O16 - DPF: {5C051655-FCD5-4969-9182-770EA5AA5565} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab56986.cab
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191099616095
O16 - DPF: {7E980B9B-8AE5-466A-B6D6-DA8CF814E78A} (MJLauncherCtrl Class) - http://messenger.zone.msn.com/EN-US/a-LUXR/mjolauncher.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F5A7706B-B9C0-4C89-A715-7A0C6B05DD48} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab56986.cab
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15030/CTPID.cab
O16 - DPF: {FFB3A759-98B1-446F-BDA9-909C6EB18CC7} (PCPitstop Exam) - http://utilities.pcpitstop.com/optimize2/pcpitstop2.dll
O17 - HKLM\System\CCS\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{5155EB13-C52B-4965-8EE3-C18B2E198951}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{6C7B25F9-A3B1-462D-B6F0-6C4C8B6B2C57}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CCS\Services\Tcpip\..\{E7CD77B1-4D33-47F9-BE3F-852B1695B32E}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS1\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS2\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222
O17 - HKLM\System\CS3\Services\Tcpip\..\{2351A425-A26B-40A4-ADBB-99450D8C5E4A}: NameServer = 208.67.220.220,208.67.222.222

--
End of file - 4444 bytes

Thank you so much Crunchie, you have been a great help!


Yeah. Should at least be showing the AVG services. Which reminds me. AVG is not running in the processes. Make sure that it is up and running before going on-line.

Let's get rid of Combofix now that we are finished with it.


  • Click START then RUN
  • Now type Combofix /u in the runbox and click OK. Note the space between the X and the /; it needs to be there.