[Resolved] ?Vundo virus, computer has gone crazy
bradcox84
post Nov 18 2008, 01:58 AM
Post #1





So I have tried to do all the things that are suggested on the forum before posting this HJT log.
So far I have downloaded and run ERUNT. It worked the first time, and every time I have tried to run it since, it has come up with an error message stating that it is unable to create the log file.
I have downloaded Malwarebytes Anti-Malware and also Ad-Aware. Every time I run either one of these programs it will get about an hour in and the whole computer will shut itself down.
I get the usual pop-ups with Internet Explorer. I have started using Mozilla and it seems to be less frequent. The keyboard went weird for a week (some keys wouldn't work... the computer is brand new), but that seems to have resolved itself.
I have error messages sometimes saying the hard drive has been corrupted.
Every time I start the computer it says Windows has blocked some startup programs... I think they are something along the lines of vundo.dll and vundo.exe.

I have also tried the Vundo destroyer that one of the forums suggested, but that doesn't seem to pick anything up.
Can you help me?


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:50:02 PM, on 18/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Windows\system32\Macromed\Flash\FlashUtil9f.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QUT Secure Access Service Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-au.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\QUT VPN Client\cvpnd.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8150 bytes


jpshortstuff
post Nov 18 2008, 10:11 AM
Post #2





Hi, and Welcome to WhatTheTech :)

My name is jpshortstuff. I would be glad to take a look at your log and help you with solving any malware problems. HijackThis logs can take a while to research, so please be patient and I'd be grateful if you would note the following:
  • I will be working on your malware issues; this may or may not solve other issues you have with your machine.
  • The fixes are specific to your problem and should only be used for the issues on this machine.
  • Please continue to review my answers until I tell you your machine appears to be clear. Absence of symptoms does not mean that everything is clear.
  • It's often worth reading through these instructions and printing them for ease of reference.
  • If you don't know or understand something, please don't hesitate to say or ask!! It's better to be sure and safe than sorry.
  • Please reply to this thread. Do not start a new topic.

Please download ATF Cleaner by Atribune.
Download - ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Under Main choose: Select All
Click the Empty Selected button.

(If you use Firefox or the Opera browser: to keep saved passwords, click No at the prompt.)

It's normal after running ATF cleaner that the PC will be slower to boot the first time or two.


Please try Malwarebytes' Anti-Malware again after this, but try doing a "Quick Scan".


Please download DDS and save it to your desktop.
  • Disable any script blocking protection
  • Double click dds.scr to run the tool.
  • When done, DDS.txt will open.
  • Click Yes at the next prompt for Optional Scan.
  • Save both reports to your desktop.
---------------------------------------------------
  • Post the contents of the DDS.txt report in your next reply
  • Attach the Attach.txt report to your post by scrolling down to the Attachments area and then clicking Browse. Browse to where you saved the file, click Open, and then click UPLOAD.
Thanks.
bradcox84
post Nov 19 2008, 02:11 AM
Post #3






DDS (Version 1.0) - NTFSx86
Run by Brad at 18:07:52.69 on Wed 19/11/2008
Microsoft® Windows Vista™ Home Premium 6.0.6001.1.1252.61.1033.18.2046.920 [GMT 10:00]

============== Running Processes ===============

C:\Windows\system32\wininit.exe
C:\Windows\system32\lsm.exe
C:\Windows\system32\svchost.exe -k DcomLaunch
C:\Windows\System32\svchost.exe -k Cognizance
C:\Windows\system32\svchost.exe -k rpcss
C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
C:\Windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\svchost.exe -k GPSvcGroup
C:\Windows\system32\SLsvc.exe
C:\Windows\system32\svchost.exe -k LocalService
C:\Windows\system32\svchost.exe -k NetworkService
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\Program Files\ATK Hotkey\ASLDRSrv.exe
C:\Program Files\ATKGFNEX\GFNEXSrv.exe
C:\Windows\System32\spoolsv.exe
C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Windows\system32\svchost.exe -k bthsvcs
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\QUT VPN Client\cvpnd.exe
C:\Windows\system32\ifxspmgt.exe
C:\Windows\system32\ifxtcs.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\Windows\system32\IfxPsdSv.exe
C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted
C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
C:\Windows\system32\svchost.exe -k imgsvc
C:\Windows\System32\svchost.exe -k WerSvcGroup
C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\taskeng.exe
C:\Windows\system32\Dwm.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Windows\system32\taskeng.exe
C:\Windows\Explorer.EXE
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS\SmartLogon\sensorsrv.exe
C:\Program Files\ATK Hotkey\Hcontrol.exe
C:\Program Files\ASUS\ASUS CopyProtect\aspg.exe
C:\Program Files\Wireless Console 2\wcourier.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\ASUS\Splendid\ACMON.exe
C:\Program Files\P4G\BatteryLife.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Windows\System32\ACEngSvr.exe
C:\Program Files\ATK Hotkey\ATKOSD.exe
C:\Windows\system32\wbem\unsecapp.exe
C:\Program Files\ATK Hotkey\KBFiltr.exe
C:\Program Files\ATK Hotkey\WDC.exe
C:\Program Files\Windows Media Player\wmpnetwk.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehRecvr.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\conime.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\ASUS\SmartLogon\smartlogon.exe
C:\Windows\system32\wuauclt.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\SearchProtocolHost.exe
C:\Windows\system32\SearchFilterHost.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe
C:\Users\Brad\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\W07K7166\dds[2].scr

============== Psuedo HJT Report ===============

uStart Page = hxxp://www.google.com.au/
mDefault_Page_URL = hxxp://www.asus.com
BHO: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - c:\program files\common files\adobe\acrobat\activex\AcroIEHelper.dll
BHO: {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - c:\program files\common files\symantec shared\coshared\browser\1.5\NppBho.dll
BHO: {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
BHO: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - c:\program files\java\jre1.6.0_07\bin\ssv.dll
BHO: {9030D464-4C02-4ABF-8ECC-5164760863C6} - c:\program files\common files\microsoft shared\windows live\WindowsLiveLogin.dll
BHO: {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - c:\program files\asus security center\asus security protect manager\bin\ItIEAddIn.dll
TB: {90222687-F593-4738-B738-FBEE9C7B26DF} - c:\program files\common files\symantec shared\coshared\browser\1.5\UIBHO.dll
uRun: [msnmsgr] "c:\program files\windows live\messenger\msnmsgr.exe" /background
uRun: [WMPNSCFG] c:\program files\windows media player\WMPNSCFG.exe
mRun: [Malwarebytes Anti-Malware (reboot)] "c:\program files\malwarebytes' anti-malware\mbam.exe" /runcleanupscript
mRun: [Adobe Reader Speed Launcher] "c:\program files\adobe\reader 8.0\reader\Reader_sl.exe"
StartupFolder: c:\progra~2\micros~1\windows\startm~1\programs\startup\qutsec~1.lnk - c:\windows\installer\{871df2be-41d2-4334-ac33-839af16fc8fe}\Icon3E5562ED7.ico
mPolicies-system: EnableUIADesktopToggle = 0 (0x0)
IE: E&xport to Microsoft Excel - c:\progra~1\micros~2\office12\EXCEL.EXE/3000
IE: {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - {CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC} - c:\progra~1\java\jre16~2.0_0\bin\ssv.dll
IE: {2670000A-7350-4f3c-8081-5663EE0C6C49} - {48E73304-E1D6-4330-914C-F5F514E3486C} - c:\progra~1\micros~2\office12\ONBttnIE.dll
IE: {77BF5300-1474-4EC7-9980-D32B190E9B07} - {77BF5300-1474-4EC7-9980-D32B190E9B07} - c:\program files\skype\toolbars\internet explorer\SkypeIEPlugin.dll
IE: {92780B25-18CC-41C8-B9BE-3C9C571A8263} - {FF059E31-CC5A-4E2E-BF3B-96E929D65503} - c:\progra~1\micros~2\office12\REFIEBAR.DLL
Handler: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - c:\progra~1\common~1\skype\SKYPE4~1.DLL
AppInit_DLLs: APSHook.dll
LSA: Notification Packages = scecli ASWLNPkg

============= SERVICES / DRIVERS ===============

R0 lullaby;lullaby;c:\windows\system32\drivers\lullaby.sys [2008-4-17 15416]
R1 IDSvix86;Symantec Intrusion Prevention Driver;\??\c:\progra~2\symantec\defini~1\symcdata\idsdefs\20080829.001\IDSvix86.sys [2008-8-31 261680]
R1 ItSDisk;ItSDisk;c:\windows\system32\drivers\ItSDisk.sys [2006-5-17 23232]
R1 PersonalSecureDrive;PersonalSecureDrive;c:\windows\system32\drivers\psd.sys [2007-1-23 39080]
R2 ASBroker;Logon Session Broker;c:\windows\system32\svchost.exe -k Cognizance [2008-6-13 21504]
R2 ASChannel;Local Communication Channel;c:\windows\system32\svchost.exe -k Cognizance [2008-6-13 21504]
R3 AtcL001;NDIS Miniport Driver for Atheros L1 Gigabit Ethernet Controller;c:\windows\system32\drivers\l160x86.sys [2007-10-31 46592]
R3 BthAvrcp;Bluetooth AVRCP Profile;c:\windows\system32\drivers\BthAvrcp.sys [2008-4-18 12800]
R3 MBAMSwissArmy;MBAMSwissArmy;\??\c:\windows\system32\drivers\mbamswissarmy.sys [2008-11-5 38496]
R3 SYMNDISV;SYMNDISV;c:\windows\system32\drivers\SYMNDISV.SYS [2008-10-3 37936]

=============== Created Last 30 ================

2008-11-18 18:09 23,888 a------- c:\windows\system32\drivers\COH_Mon.sys
2008-11-18 18:09 10,537 a------- c:\windows\system32\drivers\COH_Mon.cat
2008-11-18 18:09 706 a------- c:\windows\system32\drivers\COH_Mon.inf
2008-11-16 15:52 212,480 a------- c:\windows\system32\drivers\mrxsmb10.sys
2008-11-16 15:52 1,191,936 a------- c:\windows\system32\msxml3.dll
2008-11-16 15:52 1,334,272 a------- c:\windows\system32\msxml6.dll
2008-11-10 05:27 127,376 a------- c:\windows\system32\drivers\dne2000.sys
2008-11-10 05:27 101,904 a------- c:\windows\system32\dneinobj.dll
2008-11-10 05:26 <DIR> --d----- c:\program files\common files\Deterministic Networks
2008-11-10 05:26 <DIR> --d----- c:\program files\QUT VPN Client
2008-11-10 05:26 1,593 a------- c:\windows\VPNInstall.MIF
2008-11-10 05:25 <DIR> --d----- c:\windows\system32\QUTCACHE
2008-11-07 19:48 <DIR> --d----- C:\VundoFix Backups
2008-11-06 19:10 <DIR> --d----- c:\windows\pss
2008-11-05 21:02 <DIR> --d----- c:\users\brad\appdata\roaming\Malwarebytes
2008-11-05 21:02 15,504 a------- c:\windows\system32\drivers\mbam.sys
2008-11-05 21:02 38,496 a------- c:\windows\system32\drivers\mbamswissarmy.sys
2008-11-05 21:02 <DIR> --d----- c:\programdata\Malwarebytes
2008-11-05 21:02 <DIR> --d----- c:\program files\Malwarebytes' Anti-Malware
2008-11-05 21:02 <DIR> --d----- c:\progra~2\Malwarebytes
2008-11-05 17:48 <DIR> --d----- c:\program files\Lavasoft
2008-11-05 17:48 <DIR> --d----- c:\programdata\Lavasoft
2008-11-05 17:48 <DIR> --d----- c:\progra~2\Lavasoft
2008-11-05 17:47 <DIR> --d----- c:\program files\common files\Wise Installation Wizard
2008-11-05 17:26 <DIR> --d----- c:\program files\Trend Micro
2008-11-01 08:14 428,544 a------- c:\windows\system32\EncDec.dll
2008-11-01 08:14 217,088 a------- c:\windows\system32\psisrndr.ax
2008-11-01 08:14 293,376 a------- c:\windows\system32\psisdecd.dll
2008-11-01 08:14 177,664 a------- c:\windows\system32\mpg2splt.ax
2008-11-01 08:14 80,896 a------- c:\windows\system32\MSNP.ax
2008-10-29 18:08 147,456 a------- c:\windows\system32\Faultrep.dll
2008-10-29 18:08 125,952 a------- c:\windows\system32\wersvc.dll
2008-10-29 18:07 443,392 a------- c:\windows\system32\win32spl.dll
2008-10-22 01:50 343,170,228 a------- c:\windows\MEMORY.DMP

==================== Find3M ====================

2008-11-18 21:35 2,303 a------- c:\windows\bthservsdp.dat
2008-11-18 18:09 <DIR> --d----- c:\progra~2\Symantec
2008-11-18 18:09 <DIR> --d----- c:\program files\common files\Symantec Shared
2008-11-06 21:34 45,056 a------- c:\windows\system32\acovcnt.exe
2008-11-01 14:01 <DIR> --d----- c:\users\brad\appdata\roaming\uTorrent
2008-10-02 13:49 827,392 a------- c:\windows\system32\wininet.dll
2008-09-30 16:43 1,286,152 a------- c:\windows\system32\msxml4.dll
2008-09-23 17:45 <DIR> --d----- c:\program files\FormatFactory
2008-09-18 15:09 3,601,464 a------- c:\windows\system32\ntkrnlpa.exe
2008-09-18 15:09 3,549,240 a------- c:\windows\system32\ntoskrnl.exe
2008-09-18 12:16 2,032,640 a------- c:\windows\system32\win32k.sys
2008-09-06 10:43 <DIR> --d----- c:\progra~2\Installations
2008-08-23 13:51 107,888 a------- c:\windows\system32\CmdLineExt.dll
2008-08-23 13:50 413,696 a------- c:\windows\system32\wrap_oal.dll
2008-08-23 13:50 110,592 a------- c:\windows\system32\OpenAL32.dll
2008-08-13 09:08 <DIR> --d----- c:\progra~2\ASUS
2008-07-03 18:16 <DIR> --d----- c:\progra~2\LightScribe
2008-06-27 18:02 <DIR> --d----- c:\users\brad\appdata\roaming\Nokia
2008-06-24 21:27 <DIR> --d----- c:\users\brad\appdata\roaming\PC Suite
2008-06-24 21:27 <DIR> --d----- c:\progra~2\PC Suite
2008-06-04 18:17 <DIR> --d----- c:\users\brad\appdata\roaming\Infineon
2008-06-04 18:16 <DIR> --d----- c:\progra~2\Ahead
2008-06-04 18:16 <DIR> --d----- c:\progra~2\Nero
2008-04-18 00:15 <DIR> --d----- c:\progra~2\Infineon
2008-04-18 00:02 <DIR> --d----- c:\progra~2\P4G

============= FINISH: 18:08:13.77 ===============

Attached file: Attach.txt (8.17K)
 
jpshortstuff
post Nov 19 2008, 04:39 AM
Post #4





Hi :)

We need to upload a file to Jotti.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

c:\windows\system32\acovcnt.exe

3. Once you have located the file, click SUBMIT and the content of the file will be uploaded by the site and analysed.

4. Please provide me with the results of the analysis.


Click Start >> Control Panel >> Uninstall Programs and remove the following:
Java™ 6 Update 6


Please right-click Internet Explorer on your desktop and then select "Run As Administrator". Next, go to the Kaspersky website and perform an online antivirus scan.

NOTE: Internet Explorer will temporarily have administrator privileges; this is required for the scan but dangerous for normal surfing, so do NOT open any other websites in IE until after the scan has finished and this window has been closed.
  1. Read through the requirements and privacy statement and click on Accept button.
  2. It will start downloading and installing the scanner and virus definitions. You will be prompted to install an application from Kaspersky. Click Run.
  3. When the downloads have finished, click on Settings.
  4. Make sure these boxes are checked (ticked). If they are not, please tick them and click on the Save button:
      Spyware, Adware, Dialers, and other potentially dangerous programs
      Archives
      Mail databases
  5. Click on My Computer under Scan.
  6. Once the scan is complete, it will display the results. Click on View Scan Report.
  7. You will see a list of infected items there. Click on Save Report As....
  8. Save this report to a convenient place. Change the Files of type to Text file (.txt) before clicking on the Save button.
  9. Please post this log in your next reply, along with a fresh HijackThis log.
Thanks.
bradcox84
post Nov 21 2008, 01:30 AM
Post #5





So I have run the DDS program and there is a copy of the page results below, and I have deleted the Java program. When I try and run the Kaspersky website it will run for a few hours and then get to about 80-90% of the scan limit and the computer will either shut down or completely freeze. I have tried to do this a few times and it is always the same result, even when I just try to scan the critical areas.

There were two sections that came as a result of the DDS program, so I have included both here.

The HJT log is also below.

Thanks, Brad

Scan taken on 21 Nov 2008 07:27:46 (GMT)
A-Squared Found nothing
AntiVir Found nothing
ArcaVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found nothing
G DATA Found nothing
Ikarus Found nothing
Kaspersky Anti-Virus Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
Panda Antivirus Found nothing
Sophos Antivirus Found nothing
VirusBuster Found nothing
VBA32 Found nothing


Scanner Malware name
A-Squared Trojan-Downloader.Win32.Reipym!IK
AntiVir TR/Crypt.ULPM.Gen
ArcaVir X
Avast X
AVG Antivirus X
BitDefender GenPack:Generic.Malware.Yddld.CB139D8C
ClamAV X
CPsecure X
Dr.Web X
F-Prot Antivirus X
F-Secure Anti-Virus X
G DATA GenPack:Generic.Malware.Yddld.CB139D8C
Ikarus X
Kaspersky Anti-Virus X
NOD32 X
Norman Virus Control X
Panda Antivirus X
Sophos Antivirus Mal/EncPk-CO
VirusBuster X
VBA32 Malware-Cryptor.Win32.General.2






Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:26:47 PM, on 21/11/2008
Platform: Windows Vista SP1 (WinNT 6.00.1905)
MSIE: Internet Explorer v7.00 (7.00.6001.18000)
Boot mode: Normal

Running processes:
C:\Windows\system32\taskeng.exe
C:\Windows\system32\taskeng.exe
C:\Program Files\ASUS\ASUS Live Update\ALU.exe
C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\AsGHost.exe
C:\Program Files\ASUS\SmartLogon\sensorsrv.exe
C:\Windows\system32\Dwm.exe
C:\Windows\Explorer.EXE
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Windows Media Player\wmpnscfg.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\Windows\system32\DllHost.exe
C:\Windows\system32\sdclt.exe
C:\Program Files\Internet Explorer\IEUser.exe
C:\Windows\system32\conime.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.asus.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O1 - Hosts: ::1 localhost
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: Skype add-on (mastermind) - {22BF413B-C6D2-4d91-82A9-A0F997BA588C} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: ASUS Security Protect Manager - {DF21F1DB-80C6-11D3-9483-B03D0EC10000} - C:\Program Files\ASUS Security Center\ASUS Security Protect Manager\Bin\ItIEAddIn.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-19\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-19\..\Run: [WindowsWelcomeCenter] rundll32.exe oobefldr.dll,ShowWelcomeCenter (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [Sidebar] %ProgramFiles%\Windows Sidebar\Sidebar.exe /detectMem (User 'NETWORK SERVICE')
O4 - Global Startup: QUT Secure Access Service Client.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\PROGRA~1\Java\JRE16~2.0_0\bin\ssv.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~2\Office12\ONBttnIE.dll
O9 - Extra button: Skype - {77BF5300-1474-4EC7-9980-D32B190E9B07} - C:\Program Files\Skype\Toolbars\Internet Explorer\SkypeIEPlugin.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O13 - Gopher Prefix:
O16 - DPF: {0CCA191D-13A6-4E29-B746-314DEE697D83} (Facebook Photo Uploader 5) - http://upload.facebook.com/controls/Facebo...toUploader5.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://gfx1.hotmail.com/mail/w3/pr01/resou...NPUplden-au.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shoc...ash/swflash.cab
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - AppInit_DLLs: APSHook.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: ASLDR Service (ASLDRService) - Unknown owner - C:\Program Files\ATK Hotkey\ASLDRSrv.exe
O23 - Service: ATKGFNEX Service (ATKGFNEXSrv) - Unknown owner - C:\Program Files\ATKGFNEX\GFNEXSrv.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\QUT VPN Client\cvpnd.exe
O23 - Service: Security Platform Management Service (IFXSpMgtSrv) - Infineon Technologies AG - C:\Windows\system32\ifxspmgt.exe
O23 - Service: Trusted Platform Core Service (IFXTCS) - Infineon Technologies AG - C:\Windows\system32\ifxtcs.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: LiveUpdate Notice Service Ex (LiveUpdate Notice Ex) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Personal Secure Drive Service (PersonalSecureDriveService) - Infineon Technologies AG - C:\Windows\system32\IfxPsdSv.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
O23 - Service: spmgr - Unknown owner - C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe
O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe

--
End of file - 8266 bytes
jpshortstuff
post Nov 21 2008, 03:54 AM
Post #6


SuperMember

Group: Malware Team
Posts: 2,216
Joined: 28-April 07
From: UK
Member No.: 69,799
Operating System: Windows XP Media Center/Ubuntu Linux



Hi.

Did you try this?
QUOTE (jpshortstuff @ Nov 18 2008, 04:11 PM) *
Please try MalwareByte's AntiMalware again after this, but try doing a "Quick Scan".


Let's do this online scan instead of Kaspersky.

Run Eset NOD32 Online AntiVirus
http://www.eset.eu/online-scanner
Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install
  • Disable your current Antivirus software. You can usually do this with its Notification Tray icon near the clock.
  • Click Start
  • Make sure that the option "Remove found threats" is Un-checked, and the option "Scan unwanted applications" is checked
  • Click Scan
  • Wait for the scan to finish
  • Re-enable your Antivirus software.
  • A logfile is created and located at C:\Program Files\EsetOnlineScanner\log.txt. Please include this on your post.
Thanks.
bradcox84
post Nov 21 2008, 11:59 PM
Post #7





Hey, I have tried to run the ESET online scanner and it is the same result. The computer will get to a certain stage and then completely freeze or just shut down. I did try and run the quick scan on Malwarebytes and it came up clean?? Is there any hope for me yet?? I have tried the ESET with IE with administrator privileges as well and no joy.
Brad
jpshortstuff
post Nov 22 2008, 05:18 AM
Post #8





Hi :)

These scans are a bit dodgy with Vista sometimes. Good to hear MBAM came back clean though. Here's another scan to try:

Open Internet Explorer with Admin privileges, then try the below:

Panda Activescan
  • Once you are on the Panda site, click the Scan now button
  • When prompted to install ActiveX control click Install
  • On the update page, click on the security warning at the top of the page and select "Run ActiveX control..."
  • Panda should now start scanning your system.
  • When the scan completes, if anything malicious is detected, click the Export To...(with a little notepad icon) button, then Save the report to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log.

How's the computer running at the moment?

Thanks.
bradcox84
post Nov 25 2008, 09:15 PM
Post #9





Hi there, sorry that it has taken so long to reply but there have been a few issues since my last post.
I did try the Panda scan and there was the same result, i.e. the computer shut down about three quarters of the way through the scan. Since then the computer has crashed completely. When I turn it on it comes up with the screen saying that the computer has recovered from a serious error and would I like to start in normal mode or in safe mode. I have tried all the options at this screen but the computer will always just restart back to the same screen. So I am typing this from the work computer and I am really not too sure what I can do with the laptop at home. Any suggestions?
Brad
jpshortstuff
post Nov 26 2008, 01:48 AM
Post #10





Hi.

That was unexpected. Have you made any changes to your system recently (other than what we have been doing)?

Do you have a Vista Installation Disk?

Please try this:
  • Restart your computer.
  • When the computer starts you will see your computer's hardware being listed. When you see this information start to gently tap the F8 key repeatedly until you are presented with the Windows Vista Advanced Boot Options.
  • Select the Last Known Good Configuration option using the arrow keys and press Enter.
This may allow your computer to start normally, if so, let me know.

Thanks.
bradcox84
post Nov 26 2008, 03:47 PM
Post #11





Yeah, I have tried this and it just keeps restarting when I pick any of the options... like it's in some kind of a repetitive loop or something. I have just taken it in to a shop and they are trying to fix it as well but they said I would probably lose all my data, which is disappointing. I will most likely have the Vista installation disc at home as I got it included in a package so it should all be included with it.
jpshortstuff
post Nov 27 2008, 04:31 AM
Post #12





Hi.

If you have got your Vista Disk, then I hope that the below may help you.

Restart your computer, and you should be presented briefly with a screen from your computer's manufacturer (Dell, ACER etc), that also has some text somewhere along the lines of "To enter setup press XXX". This is usually F2 or DEL or similar; as soon as you see it, press it to get into the setup mode. Once in setup, we need to look for the "boot" options; there's usually a tab for "Boot". It may look something like this:

Once you're here, we need to make sure that your CD-ROM drive is at the top of the list, so please use the + key (or whatever your computer specifies) to move the CD-ROM (or similar) option to the top of the list.

Next, please put your Windows Vista Installation Disk into your disk drive. Move onto the exit tab and "Exit saving changes". Your computer should now boot from your Windows disk (if it doesn't the first time, try rebooting once).

Once you have booted from your Vista Disk, select your Vista Installation when prompted. Some files should be loaded, and then you will be prompted to select a language. When presented with the "Vista Installation Screen", look down towards the bottom left of the screen and select "Repair your Computer".

You will then be presented with some system recovery options. Here are a few things to try (you will need to exit the Vista Recovery mode and restart your computer between each one to check if they have worked).

1. Try 1. “Startup Repair”.

2. Try 2. “System Restore”.

3. Select 5. “Command Prompt”. (This method will only work if you backed up your registry with ERUNT to the default location before we started cleaning your computer)

You should be brought to a prompt that says:
C:\WINDOWS> (or similar)

Please type the following commands, one by one, pressing Enter after each one and allowing time for each to finish (you will be presented with a new prompt when they finish):
cd %systemroot%\ERDNT
dir /ad /b
You should now see a list of folders. Please identify the folder that you backed up your registry to (the default is a date), then type:
cd FOLDER (replacing FOLDER with the folder containing your backup. If the folder name has spaces in it you must enclose it in "s, e.g. cd "my backup").
ERDNT.EXE
(Please follow any following prompts to restore the backup)
EXIT


I hope one of these can help you, or that the repair shop can help you in some way. Even if it comes down to formatting there may be a couple of ways of rescuing your data.

Let me know how it goes.

Thanks.
bradcox84