
[Resolved] savetheiformation.com


  • This topic is locked
13 replies to this topic

#1 Denny k

    New Member
  • 7 posts

Posted 25 November 2007 - 12:44 PM

I have the same thing as many other posts that I have seen on this site.
Iexplorer opening on its own. Yellow balloons popping up from the task bar.
Here is my log file of HijackThis.
Thanks for any help you can provide.
Denny



Logfile of HijackThis v1.99.1
Scan saved at 11:21:55 AM, on 11/25/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\msdtc.exe
C:\WINDOWS\system32\cisvc.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\PROGRA~1\Yahoo!\YOP\yop.exe
C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Spyware Doctor\svcntaux.exe
C:\Program Files\Spyware Doctor\SDTrayApp.exe
C:\PROGRA~1\Yahoo!\browser\ycommon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Spyware Doctor\swdsvc.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Windows Media Player\WMPNetwk.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\taskmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\User\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\smgypojj.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [YBrowser] C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
O4 - HKLM\..\Run: [YOP] C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [winlogon] C:\DOCUME~1\User\LOCALS~1\Temp\~DPE67.exe
O4 - HKLM\..\Run: [785fbd9c] rundll32.exe "C:\WINDOWS\system32\dspjrdgu.dll",b
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
O4 - HKLM\..\Run: [SDTray] "C:\Program Files\Spyware Doctor\SDTrayApp.exe"
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TVShortcutCAB - http://att.mobitv.com/TVShortcut.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147878916786
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\Spyware Doctor\svcntaux.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\Spyware Doctor\swdsvc.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
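As an added illustration (not code from the thread, from HijackThis, or from any of the tools named later in it), here is a small Python triage pass over lines in the HijackThis format of the log above. It flags the cues a helper reads for in post #1: an O4 Run entry pointing into a Temp folder, a Run entry named `winlogon` that is not the real winlogon.exe, an 8-hex-digit entry name loading a random-looking DLL, and `(file missing)` orphans; the sample lines, the `triage`/`check_line`/`looks_random` names and the vowel-ratio heuristic are all constructed assumptions.

```python
import re
from typing import List, NamedTuple

# Constructed sample in the HijackThis v1.99.1 line format of the log above:
# a few benign entries mixed with the kinds of entries a helper flags.
SAMPLE_LOG = r"""
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: IE Custom Tools - {70CC76D5-A4EE-4F25-9931-B109A63E298E} - C:\Program Files\Video Add-on\ictmdl.dll (file missing)
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\smgypojj.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [winlogon] C:\DOCUME~1\User\LOCALS~1\Temp\~DPE67.exe
O4 - HKLM\..\Run: [785fbd9c] rundll32.exe "C:\WINDOWS\system32\dspjrdgu.dll",b
O4 - HKLM\..\Run: [spa_start] C:\WINDOWS\System32\Rundll32.exe "C:\WINDOWS\system32\spads.dll" DllVerify
O23 - Service: NNServ - Unknown owner - C:\Program Files\NewDotNet\nnrun.exe" "C:\Program Files\NewDotNet\nncore.dll" ServiceStart (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""


class Finding(NamedTuple):
    tag: str      # HJT section code, e.g. "O4"
    reason: str
    line: str


# Reasons are module constants so callers can match on them.
FILE_MISSING = "target file missing (orphaned entry, often left by a partial removal)"
TEMP_AUTORUN = "autorun target lives in a Temp folder"
CORE_NAME = "Run entry named after a core Windows process"
HEX_NAME = "Run entry name is an 8-hex-digit blob"
RANDOM_DLL = "loads a DLL with a random-looking 7-8 letter name"

HJT_LINE = re.compile(r"^(?P<tag>[RO]\d+) - (?P<body>.*)$")
# "HKLM\..\Run: [name] command" and the RunServices variant.
RUN_ENTRY = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Services)?: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
DLL_NAME = re.compile(r"([A-Za-z0-9_~]+)\.dll", re.IGNORECASE)
CORE_PROCESSES = {"smss", "csrss", "winlogon", "services", "lsass", "svchost", "explorer"}


def looks_random(name: str) -> bool:
    """Crude heuristic (an assumption of this example): 7-8 lowercase letters
    with at most a quarter vowels, like smgypojj or dspjrdgu in the log."""
    if not re.fullmatch(r"[a-z]{7,8}", name):
        return False
    vowels = sum(c in "aeiou" for c in name)
    return vowels / len(name) <= 0.25


def check_line(line: str) -> List[Finding]:
    """Return every triage cue that fires for one HijackThis log line."""
    line = line.strip()
    m = HJT_LINE.match(line)
    if not m:                      # "Running processes:" and plain paths are skipped
        return []
    tag, body = m.group("tag"), m.group("body")
    reasons = []
    if body.endswith("(file missing)"):
        reasons.append(FILE_MISSING)
    if tag == "O4":
        run = RUN_ENTRY.match(body)
        if run:
            name, cmd = run.group("name"), run.group("cmd")
            if "\\temp\\" in cmd.lower():
                reasons.append(TEMP_AUTORUN)
            if name.lower() in CORE_PROCESSES:
                reasons.append(CORE_NAME)
            if re.fullmatch(r"[0-9a-f]{8}", name.lower()):
                reasons.append(HEX_NAME)
    # Applies to every section: O3 toolbars, O4 rundll32 targets, O23 services.
    if any(looks_random(base) for base in DLL_NAME.findall(body)):
        reasons.append(RANDOM_DLL)
    return [Finding(tag, r, line) for r in reasons]


def triage(log_text: str) -> List[Finding]:
    """Run check_line over a whole pasted log and collect the findings."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        findings.extend(check_line(line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.tag}] {f.reason}\n    {f.line}")
```

Note that `spads.dll` (a 5-letter name that RVAXO later removed) slips past the name heuristic, so these cues only prioritise a human read of the full log and do not replace it.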



#2 MrCharlie

    SuperMember
  • Malware Team
  • 2,949 posts

Posted 25 November 2007 - 08:02 PM

Welcome to the forum.

Looks like you have more than that on the system.

------------------------

1. Download RVAXO.exe to your desktop.

2. Double click on RVAXO.exe and choose unzip.
It will install to a folder called Rvaxo.

3. Now open up the Rvaxo folder and double click on RVAXO

You will see a small window pop up, and quickly some lines will run, then the window will close by itself; this is normal behavior.
Then it is possible for an uninstaller of some rogue scanner to start up. Do not close this but follow all prompts there, and let it run its course.

4. When it's done the computer will reboot.....press any key to reboot.

5. After reboot RVAXO will run again; let it finish.

6. After it's done it will create a file called RVAXO-results.log in C:\RVAXO-results.log

7. Copy and paste it back here.

-------------------------------

Next.....

Download combofix.exe To Your Desktop from the link below:
http://download.blee...Bs/ComboFix.exe

Double click combofix.exe & follow the prompts.
A window will open with a warning.
Type "Y" (and Enter) to start the fix.
When the scan completes it will open a text window.
Please attach that log back here together with a fresh HJT log.
Caution - do not touch your mouse/keyboard until the scan has completed.
The scan will temporarily disable your desktop, and if interrupted may leave your desktop disabled. If this occurs, please reboot to restore the desktop.

Combofix will automatically save the log file to C:\combofix.txt

Copy and paste it back here.

-----------------------

Please download SUPERAntiSpyware Home Edition (free)

Install it and double-click the icon on your desktop to run it.
It will ask if you want to update the program definitions, click Yes. Let it through your firewall!
Under Configuration and Preferences, click the Preferences button.
Click the Scanning Control tab.
Under Scanner Options make sure the following are checked:
  • Close browsers before scanning
  • Scan for tracking cookies
  • Terminate memory threats before quarantining.
  • Ignore System Restore/Volume Information on ME and XP
  • Please leave the others unchecked.
  • Click the Close button to leave the control center screen.
On the main screen, under Scan for Harmful Software click Scan your computer.
On the left check C:\Fixed Drive.
On the right, under Complete Scan, choose Perform Complete Scan.
Click Next to start the scan. Please be patient while it scans your computer.
After the scan is complete a summary box will appear. Click OK.
Make sure everything in the white box has a check next to it, then click Next.
It will quarantine what it found and if it asks if you want to reboot, click Yes.

To retrieve the removal information - please do the following:
  • After reboot, double-click the SUPERAntispyware icon on your desktop.
  • Click Preferences. Click the Statistics/Logs tab.
  • Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
  • It will open in your default text editor (such as Notepad/Wordpad).
  • Please highlight everything, then right-click and choose copy.
  • Click close and close again to exit the program.
Now please paste the removal information back here.

------------------------

Last:
Reboot and run ComboFix again
Copy and paste the log it creates and a fresh HJT log.

------------------

Items to post: (you may have to use a couple of different posts to fit them all)

RVAXO log
ComboFix log
SAS log
ComboFix log
Fresh HJT log


Good Luck.............MrC


#3 Denny k

    New Member
  • 7 posts

Posted 25 November 2007 - 10:12 PM

Here is the RVAXO log and the ComboFix log.

I will now download SAS and install and run it.

--------------RVAXO.exe first run-------------

Files found:

C:\WINDOWS\system32\jooqfvqd.dllbox
C:\WINDOWS\system32\smgypojj.dllbox
C:\WINDOWS\system32\eddgh.ini2
C:\WINDOWS\system32\spads.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\dcads-remove.exe
C:\WINDOWS\system32\superiorads-uninst.exe
C:\WINDOWS\system32\actskn45.ocx
C:\Documents and Settings\All Users\STARTM~1\Online Security Guide.lnk
C:\Documents and Settings\All Users\STARTM~1\Live Safety Center.lnk
C:\Documents and Settings\User\FAVORI~1\Online Security Test.url
C:\Documents and Settings\User\FAVORI~1\Online Security Guide.lnk

Uninstallers Rogue scanners:


Folders Found:

C:\Program Files\Dcads Games Collection
C:\Program Files\Outerinfo
C:\Program Files\VirusProtect 3.8

Hosts-file was reset, If you use a custom hosts file please replace it...

--------------RVAXO.exe last run---------------

Files found:

Folders Found:

--------------RVAXO.exe finished----------------


ComboFix 07-11-19.3 - User 2007-11-25 22:34:04.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.463 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\User\Desktop\Live Safety Center.lnk
C:\Documents and Settings\User\Desktop\Online Security Guide.lnk
C:\Documents and Settings\User\Favorites\Online Security Guide.lnk
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\Cache
C:\WINDOWS\system32\eddgh.ini
C:\WINDOWS\system32\eddgh.ini2
C:\WINDOWS\system32\hgdde.dll
C:\WINDOWS\system32\nsm11.dll
C:\WINDOWS\system32\nss73.dll
C:\WINDOWS\system32\rptfwttw.exe
C:\WINDOWS\system32\smgypojj.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_IPRIP
-------\LEGACY_NNSERV
-------\Iprip
-------\NNServ


((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-25 22:24 <DIR> d-------- C:\RVAXO
2007-11-25 22:22 468,442 --a------ C:\WINDOWS\system32\RVAXO.bat
2007-11-25 22:22 69,632 --a------ C:\WINDOWS\system32\remove.exe
2007-11-25 20:31 776,192 ---hs---- C:\WINDOWS\system32\dijwalxl.ini
2007-11-25 20:31 85,056 --a------ C:\WINDOWS\system32\lxlawjid.dll
2007-11-25 20:31 79,936 --a------ C:\WINDOWS\system32\htsbkrxw.dll
2007-11-25 20:28 71,232 --a------ C:\WINDOWS\system32\oeqnwpap.exe
2007-11-25 10:33 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-25 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-25 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-25 09:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-24 20:40 81,472 --a------ C:\WINDOWS\system32\ipwkqmpk.dll
2007-11-24 20:35 775,988 --ahs---- C:\WINDOWS\system32\ugdrjpsd.ini
2007-11-24 20:32 71,232 --a------ C:\WINDOWS\system32\indewldj.exe
2007-11-24 20:30 145,984 --a------ C:\WINDOWS\system32\smgypojj.dll
2007-11-24 20:29 145,984 --a------ C:\WINDOWS\system32\specpkjj.dll
2007-11-18 07:54 36,352 --a------ C:\WINDOWS\system32\nnnmkig.dll
2007-11-15 18:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-11 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-26 14:28 <DIR> d-------- C:\Program Files\Guitar Pro 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-25 15:30 --------- d-----w C:\Program Files\Google
2007-11-24 20:33 --------- d-----w C:\Documents and Settings\User\Application Data\MediaScout
2007-11-23 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaScout
2007-11-18 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-17 10:14 --------- d-----w C:\Program Files\mypoints
2007-11-14 23:53 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-05 06:35 --------- d-----w C:\Program Files\Guitar Pro 4
2007-06-05 03:56 39 ----a-w C:\Documents and Settings\User\go.bat
2007-03-12 19:26 30,880 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-06-24 21:04 3,126,084 ----a-w C:\Program Files\Name Munger.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9cee91ec-d70c-4eb8-b9dc-b82ed2f780e8}]
2007-11-25 20:31 79936 --a------ C:\WINDOWS\system32\htsbkrxw.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-24 20:30 145984 --a------ C:\WINDOWS\system32\smgypojj.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-18 07:54 36352 --a------ C:\WINDOWS\system32\nnnmkig.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\smgypojj.dll [2007-11-24 20:30 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\smgypojj.dll [2007-11-24 20:30 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-10-26 06:24]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-07 22:09]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-03-07 09:50]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-07-20 21:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-11 10:21]
"785fbd9c"="C:\WINDOWS\system32\lxlawjid.dll" [2007-11-25 20:31]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\WINDOWS\system32\mstask.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2006-08-08 23:52:31]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-25 10:30:35]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\nnnmkig.dll [2007-11-18 07:54 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnmkig]
nnnmkig.dll 2007-11-18 07:54 36352 C:\WINDOWS\system32\nnnmkig.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\smgypojj]
smgypojj.dll 2007-11-24 20:30 145984 C:\WINDOWS\system32\smgypojj.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\hgdde.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"YOP"=C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 09:17:44 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-11-26 04:02:33 C:\WINDOWS\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-25 23:02:27
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-25 23:05:36 - machine was rebooted
.
--- E O F ---

I let SAS run overnight.
Here is the log file:
SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 11/26/2007 at 01:32 AM

Application Version : 3.9.1008

Core Rules Database Version : 3350
Trace Rules Database Version: 1349

Scan type : Complete Scan
Total Scan Time : 02:10:27

Memory items scanned : 446
Memory threats detected : 5
Registry items scanned : 6434
Registry threats detected : 136
File items scanned : 57208
File threats detected : 648

Adware.Vundo-Variant
C:\WINDOWS\SYSTEM32\SMGYPOJJ.DLL
C:\WINDOWS\SYSTEM32\SMGYPOJJ.DLL
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{4BEAF1BF-8F9C-40C5-97D5-AE4D54DF8701}
HKCR\CLSID\{4BEAF1BF-8F9C-40C5-97D5-AE4D54DF8701}
HKCR\CLSID\{4BEAF1BF-8F9C-40C5-97D5-AE4D54DF8701}\InprocServer32
HKCR\CLSID\{4BEAF1BF-8F9C-40C5-97D5-AE4D54DF8701}\InprocServer32#ThreadingModel
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\smgypojj
C:\WINDOWS\SYSTEM32\SPECPKJJ.DLL

Adware.Vundo Variant
C:\WINDOWS\SYSTEM32\NNNMKIG.DLL
C:\WINDOWS\SYSTEM32\NNNMKIG.DLL
HKLM\Software\Classes\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}\InprocServer32#ThreadingModel
HKLM\Software\Classes\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}
Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\nnnmkig
HKCR\CLSID\{A95B2816-1D7E-4561-A202-68C0DE02353A}
HKCR\CLSID\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\LXLAWJID.DLL
C:\WINDOWS\SYSTEM32\LXLAWJID.DLL
HKLM\Software\Classes\CLSID\{9cee91ec-d70c-4eb8-b9dc-b82ed2f780e8}
HKCR\CLSID\{9CEE91EC-D70C-4EB8-B9DC-B82ED2F780E8}
HKCR\CLSID\{9CEE91EC-D70C-4EB8-B9DC-B82ED2F780E8}\InprocServer32
HKCR\CLSID\{9CEE91EC-D70C-4EB8-B9DC-B82ED2F780E8}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{9cee91ec-d70c-4eb8-b9dc-b82ed2f780e8}
C:\WINDOWS\SYSTEM32\IPWKQMPK.DLL

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\GEBXX.DLL
C:\WINDOWS\SYSTEM32\GEBXX.DLL

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\HTSBKRXW.DLL
C:\WINDOWS\SYSTEM32\HTSBKRXW.DLL

Unclassified.Unknown Origin
HKLM\Software\Classes\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32
HKCR\CLSID\{11A69AE4-FBED-4832-A2BF-45AF82825583}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Internet Explorer\Toolbar#{11A69AE4-FBED-4832-A2BF-45AF82825583}
HKU\S-1-5-21-1645522239-1708537768-1060284298-1003\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser#{11A69AE4-FBED-4832-A2BF-45AF82825583}

Adware.Tracking Cookie
C:\Documents and Settings\User\Cookies\user@www.adtrak[2].txt
C:\Documents and Settings\User\Cookies\user@go.drivecleaner[1].txt
C:\Documents and Settings\User\Cookies\user@cgi-bin[12].txt
C:\Documents and Settings\User\Cookies\user@try.starware[1].txt
C:\Documents and Settings\User\Cookies\user@mb[5].txt
C:\Documents and Settings\User\Cookies\user@38273[1].txt
C:\Documents and Settings\User\Cookies\user@banner.prestige-poker[2].txt
C:\Documents and Settings\User\Cookies\user@hit.stat[1].txt
C:\Documents and Settings\User\Cookies\user@38278[2].txt
C:\Documents and Settings\User\Cookies\user@specificclick[4].txt
C:\Documents and Settings\User\Cookies\user@intaclick[2].txt
C:\Documents and Settings\User\Cookies\user@adv.surinter[1].txt
C:\Documents and Settings\User\Cookies\user@track.adrevolver[2].txt
C:\Documents and Settings\User\Cookies\user@ads.gametap[2].txt
C:\Documents and Settings\User\Cookies\user@banner.rubybingo.co[2].txt
C:\Documents and Settings\User\Cookies\user@ltraffic[1].txt
C:\Documents and Settings\User\Cookies\user@free.wegcash[2].txt
C:\Documents and Settings\User\Cookies\user@richmedia.yahoo[2].txt
C:\Documents and Settings\User\Cookies\user@www.clickmanage[2].txt
C:\Documents and Settings\User\Cookies\user@ads.as4x.tmcs.ticketmaster[1].txt
C:\Documents and Settings\User\Cookies\user@banner.diamondclubpoker[2].txt
C:\Documents and Settings\User\Cookies\user@mediaservices.myspace[1].txt
C:\Documents and Settings\User\Cookies\user@ads.facebook[1].txt
C:\Documents and Settings\User\Cookies\user@linkto.mediafire[2].txt
C:\Documents and Settings\User\Cookies\user@38289[1].txt
C:\Documents and Settings\User\Cookies\user@ad.abum[1].txt
C:\Documents and Settings\User\Cookies\user@usenext[2].txt
C:\Documents and Settings\User\Cookies\user@banner.cdpoker[2].txt
C:\Documents and Settings\User\Cookies\user@trafficdashboard[2].txt
C:\Documents and Settings\User\Cookies\user@ehg-bestbuy.hitbox[2].txt
C:\Documents and Settings\User\Cookies\user@media[1].txt
C:\Documents and Settings\User\Cookies\user@stats[2].txt
C:\Documents and Settings\User\Cookies\user@onlinerewardcenter[1].txt
C:\Documents and Settings\User\Cookies\user@13045352[1].txt
C:\Documents and Settings\User\Cookies\user@www.viruslocker[1].txt
C:\Documents and Settings\User\Cookies\user@stats2.reliablestats[1].txt
C:\Documents and Settings\User\Cookies\user@apmebf[3].txt
C:\Documents and Settings\User\Cookies\user@ads.ak.facebook[2].txt
C:\Documents and Settings\User\Cookies\user@78132904[1].txt
C:\Documents and Settings\User\Cookies\user@komtrack[2].txt
C:\Documents and Settings\User\Cookies\user@entrepreneur.122.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@media6degrees[1].txt
C:\Documents and Settings\User\Cookies\user@azjmp[3].txt
C:\Documents and Settings\User\Cookies\user@click.cashengines[1].txt
C:\Documents and Settings\User\Cookies\user@23326[2].txt
C:\Documents and Settings\User\Cookies\user@4stats[2].txt
C:\Documents and Settings\User\Cookies\user@rdr.hitmngr[2].txt
C:\Documents and Settings\User\Cookies\user@www.redorbit[1].txt
C:\Documents and Settings\User\Cookies\user@ads.cnn[2].txt
C:\Documents and Settings\User\Cookies\user@winspycontrol[1].txt
C:\Documents and Settings\User\Cookies\user@ads4.blastro[1].txt
C:\Documents and Settings\User\Cookies\user@ads.tarrobads[1].txt
C:\Documents and Settings\User\Cookies\user@ads.usercash[2].txt
C:\Documents and Settings\User\Cookies\user@eas.apm.emediate[1].txt
C:\Documents and Settings\User\Cookies\user@my-calorie-counter[1].txt
C:\Documents and Settings\User\Cookies\user@ad.xplusone[2].txt
C:\Documents and Settings\User\Cookies\user@st[13].txt
C:\Documents and Settings\User\Cookies\user@1[1].txt
C:\Documents and Settings\User\Cookies\user@2.marketbanker[2].txt
C:\Documents and Settings\User\Cookies\user@ads.as4x.tmcs[1].txt
C:\Documents and Settings\User\Cookies\user@edge.ru4[2].txt
C:\Documents and Settings\User\Cookies\user@winsecureav[2].txt
C:\Documents and Settings\User\Cookies\user@a[3].txt
C:\Documents and Settings\User\Cookies\user@classifiedventures1.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@tracker.mediatracker.co[2].txt
C:\Documents and Settings\User\Cookies\user@euros4click[2].txt
C:\Documents and Settings\User\Cookies\user@freecodesource.advertserve[2].txt
C:\Documents and Settings\User\Cookies\user@www.tns-counter[1].txt
C:\Documents and Settings\User\Cookies\user@reunioncom.112.2o7[1].txt
C:\Documents and Settings\User\Cookies\user@watch[1].txt
C:\Documents and Settings\User\Cookies\user@secureorder.directtrack[2].txt
C:\Documents and Settings\User\Cookies\user@clickaider[1].txt
C:\Documents and Settings\User\Cookies\user@adsrevenue[2].txt
C:\Documents and Settings\User\Cookies\user@gostats[1].txt
C:\Documents and Settings\User\Cookies\user@directtrack[2].txt
C:\Documents and Settings\User\Cookies\user@interclick[1].txt
C:\Documents and Settings\User\Cookies\user@ads.crakmedia[1].txt
C:\Documents and Settings\User\Cookies\user@t6[2].txt
C:\Documents and Settings\User\Cookies\user@incentreward.directtrack[2].txt
C:\Documents and Settings\User\Cookies\user@ehg-aarp.hitbox[2].txt
C:\Documents and Settings\User\Cookies\user@www.avsystemcare[1].txt
C:\Documents and Settings\User\Cookies\user@atlas.entrepreneur[2].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[10].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[11].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[12].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[13].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[14].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[15].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[16].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[17].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[18].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[19].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[1].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[20].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[21].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[22].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[23].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[24].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[25].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[26].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[27].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[28].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[29].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[2].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[30].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[31].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[32].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[33].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[34].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[35].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[36].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[37].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[38].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[39].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[3].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[40].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[41].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[42].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[43].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[44].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[45].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[46].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[47].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[48].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[49].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[4].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[50].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[51].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[52].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[53].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[54].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[55].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[56].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[57].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[58].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[59].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[5].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[60].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[61].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[62].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[63].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[64].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[65].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[66].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[67].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[68].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[69].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[6].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[70].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[71].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[72].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[73].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[74].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[75].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[76].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[77].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[78].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[79].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[7].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[80].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[81].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[82].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[83].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[84].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[85].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[86].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[87].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[88].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[89].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[8].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[90].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[91].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[92].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[93].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[94].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[95].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[96].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[97].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[98].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[99].txt
C:\Documents and Settings\User\Cookies\user@ad.yieldmanager[9].txt
C:\Documents and Settings\User\Cookies\user@adopt.specificclick[1].txt
C:\Documents and Settings\User\Cookies\user@adopt.specificclick[2].txt
C:\Documents and Settings\User\Cookies\user@adrevolver[1].txt
C:\Documents and Settings\User\Cookies\user@adrevolver[3].txt
C:\Documents and Settings\User\Cookies\user@adrevolver[5].txt
C:\Documents and Settings\User\Cookies\user@adrevolver[6].txt
C:\Documents and Settings\User\Cookies\user@apmebf[1].txt
C:\Documents and Settings\User\Cookies\user@apmebf[2].txt
C:\Documents and Settings\User\Cookies\user@azjmp[1].txt
C:\Documents and Settings\User\Cookies\user@azjmp[2].txt
C:\Documents and Settings\User\Cookies\user@counter[1].txt
C:\Documents and Settings\User\Cookies\user@estats[1].txt
C:\Documents and Settings\User\Cookies\user@questionmarket[2].txt
C:\Documents and Settings\User\Cookies\user@realmedia[1].txt
C:\Documents and Settings\User\Cookies\user@realmedia[2].txt
C:\Documents and Settings\User\Cookies\user@specificclick[1].txt
C:\Documents and Settings\User\Cookies\user@specificclick[2].txt
C:\Documents and Settings\User\Cookies\user@trafficmp[1].txt
C:\Documents and Settings\User\Cookies\user@trafficmp[2].txt
C:\Documents and Settings\User\Cookies\user@traffic[1].txt
C:\Documents and Settings\User\Cookies\user@tribalfusion[1].txt
C:\Documents and Settings\User\Cookies\user@www.burstbeacon[1].txt
C:\Documents and Settings\User\Cookies\user@www.burstbeacon[2].txt
C:\Documents and Settings\User\Cookies\user@www.burstbeacon[3].txt
C:\Documents and Settings\User\Cookies\user@www.burstbeacon[5].txt
C:\Documents and Settings\User\Cookies\user@zedo[2].txt

Trojan.Security Toolbar
C:\Documents and Settings\User\Favorites\Antivirus Test Online.url

Trojan.Media-Codec/V4
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#ProductionEnvironment
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayName
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#Publisher
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#UninstallString
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayIcon
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Audio-Video Enhance#DisplayVersion
HKCR\multimediaControls.chl
HKCR\multimediaControls.chl\CLSID

Malware.VirusProtect
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\boBe
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\iiaurQ
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\InprocServer32
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\InprocServer32#ThreadingModel
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\rDqs
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\rzmNnf
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\StNqozWcdaK
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\vmXoliSscqdEt
HKCR\CLSID\{B7C9058D-0F9C-32C0-83B6-740DFD8A6726}\xBud
HKCR\TypeLib\{3B8E549E-0C73-4AAB-8939-5EA2ED102CC6}
HKCR\TypeLib\{3B8E549E-0C73-4AAB-8939-5EA2ED102CC6}\1.0
HKCR\TypeLib\{3B8E549E-0C73-4AAB-8939-5EA2ED102CC6}\1.0\0
HKCR\TypeLib\{3B8E549E-0C73-4AAB-8939-5EA2ED102CC6}\1.0\0\win32
HKCR\TypeLib\{3B8E549E-0C73-4AAB-8939-5EA2ED102CC6}\1.0\FLAGS
HKCR\TypeLib\{3B8E549E-0C73-4AAB-8939-5EA2ED102CC6}\1.0\HELPDIR
HKCR\Interface\{21688E5D-A895-4B60-B127-B76607420334}
HKCR\Interface\{21688E5D-A895-4B60-B127-B76607420334}\ProxyStubClsid
HKCR\Interface\{21688E5D-A895-4B60-B127-B76607420334}\ProxyStubClsid32
HKCR\Interface\{21688E5D-A895-4B60-B127-B76607420334}\TypeLib
HKCR\Interface\{21688E5D-A895-4B60-B127-B76607420334}\TypeLib#Version
HKCR\Interface\{40E563B2-61B2-4215-819A-A7E24CF8AA3E}
HKCR\Interface\{40E563B2-61B2-4215-819A-A7E24CF8AA3E}\ProxyStubClsid
HKCR\Interface\{40E563B2-61B2-4215-819A-A7E24CF8AA3E}\ProxyStubClsid32
HKCR\Interface\{40E563B2-61B2-4215-819A-A7E24CF8AA3E}\TypeLib
HKCR\Interface\{40E563B2-61B2-4215-819A-A7E24CF8AA3E}\TypeLib#Version
HKCR\Interface\{45FBEFBF-E8B6-44A5-B0A1-A143E1A74816}
HKCR\Interface\{45FBEFBF-E8B6-44A5-B0A1-A143E1A74816}\ProxyStubClsid
HKCR\Interface\{45FBEFBF-E8B6-44A5-B0A1-A143E1A74816}\ProxyStubClsid32
HKCR\Interface\{45FBEFBF-E8B6-44A5-B0A1-A143E1A74816}\TypeLib
HKCR\Interface\{45FBEFBF-E8B6-44A5-B0A1-A143E1A74816}\TypeLib#Version
HKCR\Interface\{5146B43E-B36D-4A2A-B617-CC05CC500150}
HKCR\Interface\{5146B43E-B36D-4A2A-B617-CC05CC500150}\ProxyStubClsid
HKCR\Interface\{5146B43E-B36D-4A2A-B617-CC05CC500150}\ProxyStubClsid32
HKCR\Interface\{5146B43E-B36D-4A2A-B617-CC05CC500150}\TypeLib
HKCR\Interface\{5146B43E-B36D-4A2A-B617-CC05CC500150}\TypeLib#Version
HKCR\Interface\{5B8BED0F-5F18-4051-9908-C5C569A1AAE9}
HKCR\Interface\{5B8BED0F-5F18-4051-9908-C5C569A1AAE9}\ProxyStubClsid
HKCR\Interface\{5B8BED0F-5F18-4051-9908-C5C569A1AAE9}\ProxyStubClsid32
HKCR\Interface\{5B8BED0F-5F18-4051-9908-C5C569A1AAE9}\TypeLib
HKCR\Interface\{5B8BED0F-5F18-4051-9908-C5C569A1AAE9}\TypeLib#Version
HKCR\Interface\{63667718-EBF2-4CAB-B1E8-994D41589C24}
HKCR\Interface\{63667718-EBF2-4CAB-B1E8-994D41589C24}\ProxyStubClsid
HKCR\Interface\{63667718-EBF2-4CAB-B1E8-994D41589C24}\ProxyStubClsid32
HKCR\Interface\{63667718-EBF2-4CAB-B1E8-994D41589C24}\TypeLib
HKCR\Interface\{63667718-EBF2-4CAB-B1E8-994D41589C24}\TypeLib#Version
HKCR\Interface\{972F0BE3-976F-40B8-8EB4-88A25987416E}
HKCR\Interface\{972F0BE3-976F-40B8-8EB4-88A25987416E}\ProxyStubClsid
HKCR\Interface\{972F0BE3-976F-40B8-8EB4-88A25987416E}\ProxyStubClsid32
HKCR\Interface\{972F0BE3-976F-40B8-8EB4-88A25987416E}\TypeLib
HKCR\Interface\{972F0BE3-976F-40B8-8EB4-88A25987416E}\TypeLib#Version
HKCR\Interface\{9F80EA2D-53CF-4AA5-A154-F4FBF1EF6A5A}
HKCR\Interface\{9F80EA2D-53CF-4AA5-A154-F4FBF1EF6A5A}\ProxyStubClsid
HKCR\Interface\{9F80EA2D-53CF-4AA5-A154-F4FBF1EF6A5A}\ProxyStubClsid32
HKCR\Interface\{9F80EA2D-53CF-4AA5-A154-F4FBF1EF6A5A}\TypeLib
HKCR\Interface\{9F80EA2D-53CF-4AA5-A154-F4FBF1EF6A5A}\TypeLib#Version
HKCR\Interface\{A35F8FAC-755D-4F90-A5D3-F7E18D9EB100}
HKCR\Interface\{A35F8FAC-755D-4F90-A5D3-F7E18D9EB100}\ProxyStubClsid
HKCR\Interface\{A35F8FAC-755D-4F90-A5D3-F7E18D9EB100}\ProxyStubClsid32
HKCR\Interface\{A35F8FAC-755D-4F90-A5D3-F7E18D9EB100}\TypeLib
HKCR\Interface\{A35F8FAC-755D-4F90-A5D3-F7E18D9EB100}\TypeLib#Version
HKCR\Interface\{C269F4C1-7558-4DFC-9FB6-4C149B482586}
HKCR\Interface\{C269F4C1-7558-4DFC-9FB6-4C149B482586}\ProxyStubClsid
HKCR\Interface\{C269F4C1-7558-4DFC-9FB6-4C149B482586}\ProxyStubClsid32
HKCR\Interface\{C269F4C1-7558-4DFC-9FB6-4C149B482586}\TypeLib
HKCR\Interface\{C269F4C1-7558-4DFC-9FB6-4C149B482586}\TypeLib#Version
HKCR\Interface\{CE92A296-3142-493C-B64E-6ED73EAFB9AE}
HKCR\Interface\{CE92A296-3142-493C-B64E-6ED73EAFB9AE}\ProxyStubClsid
HKCR\Interface\{CE92A296-3142-493C-B64E-6ED73EAFB9AE}\ProxyStubClsid32
HKCR\Interface\{CE92A296-3142-493C-B64E-6ED73EAFB9AE}\TypeLib
HKCR\Interface\{CE92A296-3142-493C-B64E-6ED73EAFB9AE}\TypeLib#Version
HKCR\Interface\{D7C0DF6C-91FF-48BD-AD98-E35769394138}
HKCR\Interface\{D7C0DF6C-91FF-48BD-AD98-E35769394138}\ProxyStubClsid
HKCR\Interface\{D7C0DF6C-91FF-48BD-AD98-E35769394138}\ProxyStubClsid32
HKCR\Interface\{D7C0DF6C-91FF-48BD-AD98-E35769394138}\TypeLib
HKCR\Interface\{D7C0DF6C-91FF-48BD-AD98-E35769394138}\TypeLib#Version
HKCR\Interface\{D8EC2704-B249-4495-A7A4-A90857BDDF4D}
HKCR\Interface\{D8EC2704-B249-4495-A7A4-A90857BDDF4D}\ProxyStubClsid
HKCR\Interface\{D8EC2704-B249-4495-A7A4-A90857BDDF4D}\ProxyStubClsid32
HKCR\Interface\{D8EC2704-B249-4495-A7A4-A90857BDDF4D}\TypeLib
HKCR\Interface\{D8EC2704-B249-4495-A7A4-A90857BDDF4D}\TypeLib#Version
HKCR\Interface\{D91E9F36-9E44-44AB-803C-0D941FDA7988}
HKCR\Interface\{D91E9F36-9E44-44AB-803C-0D941FDA7988}\ProxyStubClsid
HKCR\Interface\{D91E9F36-9E44-44AB-803C-0D941FDA7988}\ProxyStubClsid32
HKCR\Interface\{D91E9F36-9E44-44AB-803C-0D941FDA7988}\TypeLib
HKCR\Interface\{D91E9F36-9E44-44AB-803C-0D941FDA7988}\TypeLib#Version
HKCR\Interface\{E0757BDD-69BE-4C3F-AFC6-50D6524FA9B6}
HKCR\Interface\{E0757BDD-69BE-4C3F-AFC6-50D6524FA9B6}\ProxyStubClsid
HKCR\Interface\{E0757BDD-69BE-4C3F-AFC6-50D6524FA9B6}\ProxyStubClsid32
HKCR\Interface\{E0757BDD-69BE-4C3F-AFC6-50D6524FA9B6}\TypeLib
HKCR\Interface\{E0757BDD-69BE-4C3F-AFC6-50D6524FA9B6}\TypeLib#Version
HKCR\Interface\{F2F8C877-B06C-4B5E-95E7-AACFC9E8219D}
HKCR\Interface\{F2F8C877-B06C-4B5E-95E7-AACFC9E8219D}\ProxyStubClsid
HKCR\Interface\{F2F8C877-B06C-4B5E-95E7-AACFC9E8219D}\ProxyStubClsid32
HKCR\Interface\{F2F8C877-B06C-4B5E-95E7-AACFC9E8219D}\TypeLib
HKCR\Interface\{F2F8C877-B06C-4B5E-95E7-AACFC9E8219D}\TypeLib#Version

Trojan.Unknown Origin
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO10.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO11.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO12.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO1A.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO1B.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO1C.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO1D.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO1E.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO1F.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO20.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO21.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO22.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICO23.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICOE.TMP
C:\DOCUMENTS AND SETTINGS\USER\LOCAL SETTINGS\TEMP\ICOF.TMP

Trojan.Downloader-Gen/Inst2
C:\FE4.TMP

Adware.Vundo/Traff-2
C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\RPTFWTTW.EXE.VIR

Trojan.Downloader-Gen/DDC
C:\WINDOWS\SYSTEM32\INDEWLDJ.EXE
C:\WINDOWS\SYSTEM32\OEQNWPAP.EXE
C:\WINDOWS\Prefetch\OEQNWPAP.EXE-2A02AA5F.pf

Edited by Denny k, 26 November 2007 - 05:54 AM.


#4 Denny k

Posted 26 November 2007 - 05:59 AM

New reply for the final two logs:

the last ComboFix log and a fresh HJT log

ComboFix 07-11-19.4 - User 2007-11-26 6:38:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.488 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix(2).exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\User\Desktop\Live Safety Center.lnk
C:\Documents and Settings\User\Desktop\Online Security Guide.lnk
C:\Documents and Settings\User\Favorites\Online Security Guide.lnk
C:\WINDOWS\system32\smgypojj.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-26 to 2007-11-26 )))))))))))))))))))))))))))))))
.

2007-11-25 23:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 23:15 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2007-11-25 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-25 23:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 23:06 9,227 --ahs---- C:\WINDOWS\system32\xxbeg.ini2
2007-11-25 23:06 9,227 --ahs---- C:\WINDOWS\system32\xxbeg.ini
2007-11-25 22:24 <DIR> d-------- C:\RVAXO
2007-11-25 22:22 468,442 --a------ C:\WINDOWS\system32\RVAXO.bat
2007-11-25 22:22 69,632 --a------ C:\WINDOWS\system32\remove.exe
2007-11-25 20:31 776,505 ---hs---- C:\WINDOWS\system32\dijwalxl.ini
2007-11-25 14:44 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-25 14:44 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-25 14:44 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-25 14:44 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-25 14:44 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-25 14:44 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-25 14:44 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-25 14:44 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-25 14:44 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-25 10:33 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-25 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-25 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-25 09:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-24 20:35 775,988 --ahs---- C:\WINDOWS\system32\ugdrjpsd.ini
2007-11-15 18:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-11 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier
2007-10-26 14:28 <DIR> d-------- C:\Program Files\Guitar Pro 5

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-25 15:30 --------- d-----w C:\Program Files\Google
2007-11-24 20:33 --------- d-----w C:\Documents and Settings\User\Application Data\MediaScout
2007-11-23 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaScout
2007-11-18 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-17 10:14 --------- d-----w C:\Program Files\mypoints
2007-11-14 23:53 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2007-10-05 06:35 --------- d-----w C:\Program Files\Guitar Pro 4
2007-06-05 03:56 39 ----a-w C:\Documents and Settings\User\go.bat
2007-03-12 19:26 30,880 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-06-24 21:04 3,126,084 ----a-w C:\Program Files\Name Munger.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_23.03.35.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-11-26 04:15:34 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-26 04:15:34 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-26 04:15:34 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-08-13 23:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-11-26 04:00:13 230,122 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-26 11:43:05 230,124 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-26 11:43:06 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_1a4.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0E68FBF-8EF3-4DEA-A10E-5A1C191D2412}]
C:\WINDOWS\system32\gebxx.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-10-26 06:24]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-07 22:09]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-03-07 09:50]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-07-20 21:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-11 10:21]
"785fbd9c"="C:\WINDOWS\system32\lxlawjid.dll" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\WINDOWS\system32\mstask.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2006-08-08 23:52:31]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-25 10:30:35]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"YOP"=C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 p2driver;Hauppauge WinTV-PVR PCI II (Encoder);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 09:17:44 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-26 11:44:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 06:43:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 6:45:49 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-25 23:05
.
--- E O F ---


Logfile of HijackThis v1.99.1
Scan saved at 6:49:41 AM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\WinTV\Ir.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\User\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {E0E68FBF-8EF3-4DEA-A10E-5A1C191D2412} - C:\WINDOWS\system32\gebxx.dll (file missing)
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [785fbd9c] rundll32.exe "C:\WINDOWS\system32\lxlawjid.dll",b
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TVShortcutCAB - http://att.mobitv.com/TVShortcut.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147878916786
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



Appears to be clean now.

I can't thank you enough.
I will surf a little more carefully now and monitor who uses my computer.

There is one item that comes up on reboot right after the desktop loads.
It is a Windows box with RUNDLL in the top blue header of the box.
The text in the box reads: Error loading C:\windows\system32\lxlawjid.dll
The specified module could not be found.
With an OK button. Once the button is clicked, everything continues to load.

Is this file needed by Windows? If it is not needed, is there a way to stop Windows from looking for it and putting up the message, which stops the loading?

Denny

Edited by Denny k, 26 November 2007 - 06:21 AM.


#5 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 26 November 2007 - 05:40 PM

OK...Looks Good...we just have a little more to do.

-----------------------------

Please open Notepad (Start > Run > in the Open field type: notepad)
Click: OK

Copy/ paste the blue text below to Notepad:

Files::
C:\WINDOWS\system32\xxbeg.ini2
C:\WINDOWS\system32\xxbeg.ini
C:\WINDOWS\system32\dijwalxl.ini
C:\WINDOWS\system32\ugdrjpsd.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0E68FBF-8EF3-4DEA-A10E-5A1C191D2412}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"785fbd9c"=-


Save as CFScript.txt
Change the "Save as type" to "All Files"
Save it to the Desktop.
Then drag the CFScript.txt into ComboFix.exe as depicted in the animation below. This will start ComboFix again.

[animation: dragging CFScript.txt onto ComboFix.exe]


CAUTION: Do not mouse-click ComboFix while it is running. It may cause it to stall.

After the reboot (in case it asks to reboot)...
Please provide the contents of the ComboFix log and a fresh HJT log in your next reply, MrC
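An added example, not part of this thread and not code from ComboFix or HijackThis: a small Python audit that reads HijackThis O4 lines, works out which file each autostart value actually loads (including the `rundll32.exe "dll",entry` form), and reports values whose target no longer exists on disk. That orphaned-autostart condition is what produces a RUNDLL "module could not be found" box at logon after the DLL has been removed, and the script then prints the ComboFix `Registry::` stanza, in the same format as the script above, that deletes the flagged values. The O4 sample lines, the `PRESENT_FILES` set standing in for the file system, the eight-hex-digit name heuristic and all function names are constructed for this example; on a real machine `PRESENT_FILES` would be replaced by `os.path.exists()` on each resolved path.

```python
import re
from dataclasses import dataclass, field

# Constructed sample HijackThis O4 lines, modelled on the format seen in this thread's logs.
SAMPLE_O4_LINES = [
    r'O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe',
    r'O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup',
    r'O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime',
    r'O4 - HKLM\..\Run: [785fbd9c] rundll32.exe "C:\WINDOWS\system32\lxlawjid.dll",b',
    r'O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe',
]

# Constructed stand-in for the file system: lower-cased paths that exist on the box.
# On a real machine replace membership tests with os.path.exists() on the resolved path.
PRESENT_FILES = {
    r'c:\progra~1\norton~1\navapw32.exe',
    r'c:\windows\system32\nvcpl.dll',
    r'c:\program files\quicktime\qttask.exe',
    r'c:\windows\system32\ctfmon.exe',
}

O4_RE = re.compile(r'^O4 - (?P<hive>HK[A-Z]+)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.+)$')
HIVES = {'HKLM': 'HKEY_LOCAL_MACHINE', 'HKCU': 'HKEY_CURRENT_USER'}


@dataclass
class Finding:
    hive: str
    key: str
    name: str
    path: str
    kind: str                  # 'dll' when loaded through rundll32, else 'exe'
    reasons: list = field(default_factory=list)


def extract_target(cmd: str):
    """Return (path, kind) for the file an autostart command actually loads."""
    kind = 'exe'
    m = re.match(r'\s*rundll32(?:\.exe)?\s+(.*)$', cmd, re.IGNORECASE)
    if m:                      # rundll32 <dll>,<entry>: the DLL is what gets loaded
        cmd, kind = m.group(1), 'dll'
    q = re.match(r'\s*"([^"]+)"', cmd)
    if q:                      # quoted path, with or without arguments after it
        return q.group(1), kind
    a = re.match(r'\s*([A-Za-z]:\\.*?\.(?:exe|dll|bat|cmd|com|scr))', cmd, re.IGNORECASE)
    if a:                      # unquoted absolute path, possibly containing spaces
        return a.group(1), kind
    bare = cmd.split()[0]      # bare name resolved via PATH (e.g. nwiz.exe); not checked here
    return (bare.split(',')[0] if kind == 'dll' else bare), kind


def audit_o4(lines, present=PRESENT_FILES):
    """Parse O4 lines and attach a reason to each value that deserves attention."""
    findings = []
    for line in lines:
        m = O4_RE.match(line.strip())
        if not m:
            continue
        path, kind = extract_target(m['cmd'])
        f = Finding(m['hive'], m['key'], m['name'], path, kind)
        if '\\' in path and path.lower() not in present:
            f.reasons.append('target missing on disk: orphaned autostart, the source of a RUNDLL '
                             '"module could not be found" box when the target is a DLL')
        if re.fullmatch(r'[0-9a-f]{8}', f.name):
            f.reasons.append('value name is eight random-looking hex digits rather than a product name')
        findings.append(f)
    return findings


def cfscript_registry_section(findings):
    """Emit the ComboFix Registry:: stanza that deletes every flagged value."""
    grouped = {}
    for f in findings:
        if f.reasons:
            grouped.setdefault((f.hive, f.key), []).append(f.name)
    out = ['Registry::']
    for (hive, key), names in grouped.items():
        out.append(f'[{HIVES.get(hive, hive)}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\{key}]')
        out.extend(f'"{n}"=-' for n in names)
    return out


if __name__ == '__main__':
    results = audit_o4(SAMPLE_O4_LINES)
    for f in results:
        print(f'{f.hive}\\{f.key} [{f.name}] -> {f.path} ({f.kind}): {"; ".join(f.reasons) or "ok"}')
    print('\n'.join(cfscript_registry_section(results)))
```

Run against the sample, only the `785fbd9c` value is flagged, for both reasons, and the generated stanza is the same `"785fbd9c"=-` deletion under the HKLM Run key that the script above contains. Values with a bare file name (such as `nwiz.exe /install`) are parsed but not checked, since resolving them needs the machine's PATH.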


#6 Denny k

Denny k

    New Member

  • New Member
  • 7 posts

Posted 26 November 2007 - 06:53 PM

Here is the ComboFix log and a fresh HJT log.

I rebooted after running ComboFix (it did not ask me to, but I wanted to see if the RUNDLL error was still coming up).

The error still comes up after a reboot.

After running HJT and looking at the log I see the registry entry that loads the file it cannot find. Can this be deleted?
I made the text blue on the entry that calls for the file it cannot find.

Denny



ComboFix 07-11-19.4 - User 2007-11-26 19:16:44.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.413 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point
.

((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-25 23:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 23:15 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2007-11-25 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-25 23:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 23:06 9,227 --ahs---- C:\WINDOWS\system32\xxbeg.ini2
2007-11-25 23:06 9,227 --ahs---- C:\WINDOWS\system32\xxbeg.ini
2007-11-25 22:24 <DIR> d-------- C:\RVAXO
2007-11-25 22:22 468,442 --a------ C:\WINDOWS\system32\RVAXO.bat
2007-11-25 22:22 69,632 --a------ C:\WINDOWS\system32\remove.exe
2007-11-25 20:31 776,505 ---hs---- C:\WINDOWS\system32\dijwalxl.ini
2007-11-25 14:44 6,058,496 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-11-25 14:44 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2007-11-25 14:44 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2007-11-25 14:44 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-11-25 14:44 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-11-25 14:44 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-11-25 14:44 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2007-11-25 14:44 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-11-25 14:44 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-11-25 10:33 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-25 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-25 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-25 09:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-24 20:35 775,988 --ahs---- C:\WINDOWS\system32\ugdrjpsd.ini
2007-11-15 18:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-11 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-25 15:30 --------- d-----w C:\Program Files\Google
2007-11-24 20:33 --------- d-----w C:\Documents and Settings\User\Application Data\MediaScout
2007-11-23 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaScout
2007-11-18 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-17 10:14 --------- d-----w C:\Program Files\mypoints
2007-11-14 23:53 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2007-10-26 19:28 --------- d-----w C:\Program Files\Guitar Pro 5
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-05 06:35 --------- d-----w C:\Program Files\Guitar Pro 4
2007-06-05 03:56 39 ----a-w C:\Documents and Settings\User\go.bat
2007-03-12 19:26 30,880 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-06-24 21:04 3,126,084 ----a-w C:\Program Files\Name Munger.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_23.03.35.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-11-26 04:15:34 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-26 04:15:34 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-26 04:15:34 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-08-13 23:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-11-26 04:00:13 230,122 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-26 12:05:10 230,124 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-26 12:01:20 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_558.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-10-26 06:24]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-07 22:09]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-03-07 09:50]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-07-20 21:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-11 10:21]
"785fbd9c"="C:\WINDOWS\system32\lxlawjid.dll" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\WINDOWS\system32\mstask.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2006-08-08 23:52:31]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-25 10:30:35]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"YOP"=C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 p2driver;Hauppauge WinTV-PVR PCI II (Encoder);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 09:17:44 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exe
"2007-11-27 00:06:03 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 19:19:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-26 19:21:05
C:\ComboFix2.txt ... 2007-11-26 06:45
C:\ComboFix3.txt ... 2007-11-25 23:05
.
--- E O F ---
Logfile of HijackThis v1.99.1
Scan saved at 7:34:30 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\User\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [785fbd9c] rundll32.exe "C:\WINDOWS\system32\lxlawjid.dll",b
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TVShortcutCAB - http://att.mobitv.com/TVShortcut.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147878916786
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#7 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 26 November 2007 - 07:35 PM

OK, I made a mistake in the script; that should have been deleted and those files deleted.

---------------

Please do this......

Please disable TeaTimer and SDHelper by opening Spybot SD: click Mode > Advanced, and on the left menu choose Tools and then Resident. In the right-hand pane you will see a check box for TeaTimer and one for SDHelper. Please uncheck both boxes and then close Spybot. You can reinstate it later, but we don't want it interfering with what we need to do. Reboot when done.

-----------------------

Use this script in ComboFix as before:


File::
C:\WINDOWS\system32\xxbeg.ini2
C:\WINDOWS\system32\xxbeg.ini
C:\WINDOWS\system32\dijwalxl.ini
C:\WINDOWS\system32\ugdrjpsd.ini

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E0E68FBF-8EF3-4DEA-A10E-5A1C191D2412}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"785fbd9c"=-


Post a fresh HJT log and the log from ComboFix, MrC


#8 Denny k

Denny k

    New Member

  • New Member
  • 7 posts

Posted 26 November 2007 - 08:24 PM

I ran ComboFix with that script.

Here is the log and a fresh HJT log.

I rebooted after running ComboFix, and the RUNDLL error is still there.


Denny

ComboFix 07-11-19.4 - User 2007-11-26 21:07:59.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.423 [GMT -5:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix(2).exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\dijwalxl.ini
C:\WINDOWS\system32\ugdrjpsd.ini
C:\WINDOWS\system32\xxbeg.ini
C:\WINDOWS\system32\xxbeg.ini2
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\dijwalxl.ini
C:\WINDOWS\system32\ugdrjpsd.ini
C:\WINDOWS\system32\xxbeg.ini
C:\WINDOWS\system32\xxbeg.ini2

.
((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-25 23:15 <DIR> d-------- C:\Program Files\SUPERAntiSpyware
2007-11-25 23:15 <DIR> d-------- C:\Documents and Settings\User\Application Data\SUPERAntiSpyware.com
2007-11-25 23:15 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-11-25 23:14 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-25 22:24 <DIR> d-------- C:\RVAXO
2007-11-25 22:22 468,442 --a------ C:\WINDOWS\system32\RVAXO.bat
2007-11-25 22:22 69,632 --a------ C:\WINDOWS\system32\remove.exe
2007-11-25 10:33 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-11-25 10:30 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2007-11-25 09:42 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Yahoo!
2007-11-25 09:28 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\Lavasoft
2007-11-15 18:16 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-11 11:23 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\MailFrontier

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-25 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-25 15:30 --------- d-----w C:\Program Files\Google
2007-11-24 20:33 --------- d-----w C:\Documents and Settings\User\Application Data\MediaScout
2007-11-23 01:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\MediaScout
2007-11-18 18:53 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2007-11-17 10:14 --------- d-----w C:\Program Files\mypoints
2007-11-14 23:53 --------- d-----w C:\Documents and Settings\User\Application Data\LimeWire
2007-10-26 19:28 --------- d-----w C:\Program Files\Guitar Pro 5
2007-10-17 17:23 10,752 ----a-w C:\WINDOWS\system32\WhoisCL.exe
2007-10-05 06:35 --------- d-----w C:\Program Files\Guitar Pro 4
2007-06-05 03:56 39 ----a-w C:\Documents and Settings\User\go.bat
2007-03-12 19:26 30,880 ----a-w C:\Documents and Settings\User\Application Data\GDIPFONTCACHEV1.DAT
2006-06-24 21:04 3,126,084 ----a-w C:\Program Files\Name Munger.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-25_23.03.35.55 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-07-12 23:28:55 765,952 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\SP2QFE\vgx.dll
+ 2007-03-06 01:22:36 14,048 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spmsg.dll
+ 2007-03-06 01:22:41 213,216 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\spuninst.exe
+ 2007-03-06 01:22:34 22,752 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\spcustom.dll
+ 2007-03-06 01:22:59 716,000 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\update.exe
+ 2007-03-06 01:23:51 371,424 ----a-w C:\WINDOWS\$hf_mig$\KB938127-IE7\update\updspapi.dll
+ 2007-03-06 01:22:41 213,216 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\spuninst.exe
+ 2007-03-06 01:23:51 371,424 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\spuninst\updspapi.dll
+ 2007-08-13 23:54:10 765,952 -c----w C:\WINDOWS\ie7updates\KB938127-IE7\vgx.dll
+ 2007-11-26 04:15:34 29,696 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF11.exe
+ 2007-11-26 04:15:34 18,944 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF13.exe
+ 2007-11-26 04:15:34 65,024 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF15.exe
- 2007-08-13 23:54:10 765,952 -c--a-w C:\WINDOWS\system32\dllcache\VGX.dll
+ 2007-07-12 23:31:54 765,952 -c--a-w C:\WINDOWS\system32\dllcache\vgx.dll
- 2007-11-26 04:00:13 230,122 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-27 01:59:02 230,122 ----a-w C:\WINDOWS\system32\inetsrv\MetaBase.bin
+ 2007-11-27 01:58:56 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 00:56]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2007-06-21 14:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MsmqIntCert"="regsvr32 /s mqrt.dll" []
"NAV Agent"="C:\PROGRA~1\NORTON~1\navapw32.exe" [2001-10-26 06:24]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2006-06-07 22:09]
"EM_EXEC"="C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE" [2002-03-07 09:50]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2005-07-20 21:07 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="RunDLL32.exe" [2004-08-04 00:56 C:\WINDOWS\system32\rundll32.exe]
"NWEReboot"="" []
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2006-06-11 10:21]
"785fbd9c"="C:\WINDOWS\system32\lxlawjid.dll" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices]
"SchedulingAgent"="C:\WINDOWS\system32\mstask.exe" []

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
AutoStart IR.lnk - C:\Program Files\WinTV\Ir.exe [2006-08-08 23:52:31]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2007-11-25 10:30:35]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.EXE [2001-02-13 01:01:04]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"Yahoo! Pager"="C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" -atboottime
"RemoteControl"="C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
"SunJavaUpdateSched"=C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe
"YBrowser"=C:\PROGRA~1\Yahoo!\browser\ybrwicon.exe
"YOP"=C:\PROGRA~1\Yahoo!\YOP\yop.exe /autostart

R2 SMTPSVC;Simple Mail Transfer Protocol (SMTP);C:\WINDOWS\system32\inetsrv\inetinfo.exe
R3 AN983;ADMtek AN983/AN985/ADM951X 10/100Mbps Fast Ethernet Adapter;C:\WINDOWS\system32\DRIVERS\AN983.sys
R3 p2driver;Hauppauge WinTV-PVR PCI II (Encoder);C:\WINDOWS\system32\DRIVERS\hcwPVRP2.sys
S3 p2pgasvc;Peer Networking Group Authentication;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2pimsvc;Peer Networking Identity Manager;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 p2psvc;Peer Networking;C:\WINDOWS\system32\svchost.exe -k p2psvc
S3 PNRPSvc;Peer Name Resolution Protocol;C:\WINDOWS\system32\svchost.exe -k p2psvc

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
p2psvc p2psvc p2pimsvc p2pgasvc PNRPSvc

.
Contents of the 'Scheduled Tasks' folder
"2007-11-23 09:17:44 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2007-11-27 01:59:32 C:\WINDOWS\Tasks\Symantec NetDetect.job"
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-26 21:11:38
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-26 21:12:42
C:\ComboFix2.txt ... 2007-11-26 19:21
C:\ComboFix3.txt ... 2007-11-26 06:45
.
--- E O F ---

Logfile of HijackThis v1.99.1
Scan saved at 9:20:21 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
F:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\User\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [785fbd9c] rundll32.exe "C:\WINDOWS\system32\lxlawjid.dll",b
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TVShortcutCAB - http://att.mobitv.com/TVShortcut.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147878916786
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

Edited by Denny k, 26 November 2007 - 08:26 PM.


#9 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 26 November 2007 - 08:31 PM

OK, it worked OK this time except it didn't get that one entry...we'll use HJT to delete it.

--------------------------


Close ALL programs down, leaving ONLY HijackThis running - Click Scan and.....
Place a check against the following items if found:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapp...//www.yahoo.com
O4 - HKLM\..\Run: [785fbd9c] rundll32.exe "C:\WINDOWS\system32\lxlawjid.dll",b

Click on Fix Checked and exit HijackThis.

Reboot and post a fresh HijackThis log and we'll take another look. MrC
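The triage MrCharlie did by eye (spotting one bad O4 autostart among a dozen legitimate ones) can be scripted. The following is an added Python example, not part of the original thread and not HijackThis's or ComboFix's own code: it parses the registry-backed O4 lines of a HijackThis log, pulls the DLL path and export name out of rundll32 command lines, and flags an entry when its value name is a bare hex string, when the export name is one or two characters, or, if a file listing is supplied, when the target DLL is no longer on disk. That last case is the orphaned entry that produced the RUNDLL error after the ComboFix run: the DLL was gone but the Run value still pointed at it. The sample log lines are copied from the logs posted above; the on-disk file set is a constructed stand-in.

```python
import re
from typing import Dict, List, Optional, Set

# Constructed sample input: O4 autostart lines in the format HijackThis v1.99.1
# prints, copied from the logs posted in this thread. One line is the entry
# that had to be fixed by hand; the rest belong to ordinary software.
SAMPLE_HJT_LOG = r"""
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [785fbd9c] rundll32.exe "C:\WINDOWS\system32\lxlawjid.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
"""

# Constructed stand-in for a directory listing of the machine (lower-cased
# full paths). In real use, build this from os.walk() over %SystemRoot%.
SAMPLE_FILES_ON_DISK: Set[str] = {
    r"c:\windows\system32\nvcpl.dll",
    r"c:\windows\system32\ctfmon.exe",
}

# "O4 - HKLM\..\Run: [Name] command" (registry-backed autostarts only;
# "O4 - Global Startup:" shortcut lines are deliberately not matched).
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU|HKUS\\S-[\d-]+)\\\.\.\\(?P<key>\w+): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.*)$"
)
# rundll32[.exe] <dll>,<export>  with an optionally quoted DLL path.
RUNDLL_RE = re.compile(
    r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<export>\S*)',
    re.IGNORECASE,
)
HEX_NAME_RE = re.compile(r"[0-9a-f]{8,}")
ABS_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_o4(line: str) -> Optional[Dict[str, str]]:
    """Split one HJT O4 line into hive, key, value name and command."""
    m = O4_RE.match(line)
    return m.groupdict() if m else None


def parse_rundll32(cmd: str) -> Optional[Dict[str, str]]:
    """Return {'dll', 'export'} when the command is a rundll32 invocation."""
    m = RUNDLL_RE.match(cmd.strip())
    return m.groupdict() if m else None


def suspicious_reasons(entry: Dict[str, str],
                       files_on_disk: Optional[Set[str]] = None) -> List[str]:
    """Heuristics that single out an autostart entry for a closer look."""
    reasons: List[str] = []
    if HEX_NAME_RE.fullmatch(entry["name"].lower()):
        reasons.append("value name is a bare hex string, not a product name")
    rd = parse_rundll32(entry["cmd"])
    if rd is None:
        return reasons
    if len(rd["export"]) <= 2:
        reasons.append(f"rundll32 export name {rd['export']!r} is only "
                       f"{len(rd['export'])} character(s) long")
    if (files_on_disk is not None and ABS_PATH_RE.match(rd["dll"])
            and rd["dll"].lower() not in files_on_disk):
        reasons.append("target DLL is absent from disk: the entry is orphaned "
                       "and produces a RUNDLL error at logon")
    return reasons


def audit_hjt_log(text: str,
                  files_on_disk: Optional[Set[str]] = None) -> List[Dict[str, object]]:
    """Parse every O4 line and return the entries that trip a heuristic."""
    findings: List[Dict[str, object]] = []
    for line in text.splitlines():
        entry = parse_o4(line.strip())
        if entry is None:
            continue
        reasons = suspicious_reasons(entry, files_on_disk)
        if reasons:
            findings.append({**entry, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_hjt_log(SAMPLE_HJT_LOG, SAMPLE_FILES_ON_DISK):
        print(f"{f['hive']}\\..\\{f['key']} [{f['name']}] {f['cmd']}")
        for r in f["reasons"]:
            print("   -", r)
```

Run against the sample, only the `785fbd9c` entry is reported, with all three reasons. The heuristics are pointers for a human reviewer, not verdicts: a legitimate vendor can ship a terse export name, and a relative DLL name (like `NvMCTray.dll`) is skipped by the on-disk check because it is resolved through the search path rather than a fixed location.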


#10 Denny k

Denny k

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 26 November 2007 - 09:45 PM

Ran HJT with those fixes.

The RUNDLL error did not come up after reboot.

Here is the fresh log.

Denny

Logfile of HijackThis v1.99.1
Scan saved at 10:40:50 PM, on 11/26/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
F:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\inetsrv\inetinfo.exe
C:\Program Files\Common Files\LightScribe\LSSrvc.exe
C:\PROGRA~1\NORTON~1\navapw32.exe
C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\WinAce\WinAce.exe
C:\DOCUME~1\User\LOCALS~1\Temp\~AceTemp\hijackthis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft....k/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft....k/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft....k/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft....k/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: SidebarAutoLaunch Class - {F2AA9440-6328-4933-B7C9-A6CCDF9CBF6D} - C:\Program Files\Yahoo!\browser\YSidebarIEBHO.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
O4 - HKLM\..\Run: [MsmqIntCert] regsvr32 /s mqrt.dll
O4 - HKLM\..\Run: [NAV Agent] C:\PROGRA~1\NORTON~1\navapw32.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [EM_EXEC] C:\PROGRA~1\Logitech\MOUSEW~1\SYSTEM\EM_EXEC.EXE
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\RunServices: [SchedulingAgent] C:\WINDOWS\system32\mstask.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: AutoStart IR.lnk = C:\Program Files\WinTV\Ir.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_11\bin\ssv.dll
O9 - Extra button: AT&T Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\PROGRA~1\Yahoo!\common\yiesrvc.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: TVShortcutCAB - http://att.mobitv.com/TVShortcut.CAB
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (PCPitstop Utility) - http://support.gatew...r/PCPitStop.CAB
O16 - DPF: {2E12FB00-546B-4EE3-9CC2-057BF02E1C17} (Webshots Multiple Media Uploader - Container) - http://community.web...wsaxcontrol.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper2007261.dll
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1147878916786
O16 - DPF: {FFFFFFFF-CACE-BABE-BABE-00AA0055595A} - http://www.trueswitc...eInstallSBC.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - F:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LightScribeService Direct Disc Labeling Service (LightScribeService) - Hewlett-Packard Company - C:\Program Files\Common Files\LightScribe\LSSrvc.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe

#11 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 27 November 2007 - 06:46 PM

Looks Good......How's it running, MrC

#12 Denny k

Denny k

    New Member

  • New Member
  • Pip
  • 7 posts

Posted 27 November 2007 - 09:18 PM

It is running good. As good or better than before I had all the malware. Thanks so much. I sent a donation via Paypal. Thanks again, I could not have done this on my own.

Edited by Denny k, 27 November 2007 - 09:25 PM.


#13 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 28 November 2007 - 07:30 PM

OK..That's Great!

Click START then RUN
Now type Combofix /u in the runbox and click OK.
Note the space between the X and the U, it needs to be there.


When shown the disclaimer, Select "2"

This is what will happen:

These will be deleted:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OtMoveIt folder, if present

Then these tasks will be performed:
Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.

--------------------------------------------------------------------


If you have any questions - please post back

I'll leave you with........

Some Preventive Maintenance:

Some of the programs you may have run create backups of what was deleted - you can safely delete them now: (delete folders in blue) You can also delete/uninstall the programs themselves.

C:\!KillBox (KillBox)
C:\VundoFix Backups (VundoFix)
C:\QooBox (ComboFix)
C:\SDFix\backups\backups.zip (SDFix)
C:\avenger\backup.zip (Avenger)
C:\_OTMOVEIT folder (OTMoveIt)

RVAXO:
You can use Uninstall.cmd to remove everything from RVAXO, it will be found in the RVAXO-folder on your desktop.

If you used AVG Anti-Spyware and/or SuperAntiSpyware...........

Open up SuperAntiSpyware > Preferences > General and Start-up > Start-up Options > Uncheck > Start SAS when Windows Starts.
"SAS free" provides no real time protection so there's no need for it to be running, I suggest you keep the program and update regularly - you can use it to scan for malware. It's an excellent program. When you want to start it - just double click on the SAS icon.

AVG Anti-Spyware will provide 30 days of real time protection and then after that you can use it to scan for malware - you'll have to manually update it first.


------------------Must have or do:-----------------

Now that you're clean: <----Important Step!!!!
Delete your system restore files and create a new restore point (XP only):

Note: This will remove all previous Restore Points!

1. Turn off System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
Restart your computer.

2. Turn on System Restore:

On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UnCheck Turn off System Restore.
Click Apply, and then click OK.

Visit Windows Update and install all the latest critical updates.

Install these two free programs; they sit in the background and protect your system from spyware and adware being installed, and from your browser being hijacked.

SpywareBlaster Check for updates weekly.

SpywareGuard

IE-SPYAD
Puts over 5000 sites in your restricted zone, so you'll be protected when you visit innocent-looking sites that aren't actually innocent at all.
or try the new ZonedOut

Blocking Unwanted Parasites with a Hosts File
Direct Download - MVPS HOSTS <==> MVPS HOSTS Tutorial

Need a free anti virus?
AVG Free
Avast Free
AntiVir® PersonalEdition Classic
-->Check for updates - daily<---

How about a firewall? The front door to your computer.
Windows firewall is not sufficient...install a better one.
Comodo Free Firewall
ZoneAlarm Free
Other free firewalls

Keep those temp files off your system use
ATF Cleaner - hit "select all" then just uncheck "cookies" (uncheck cookies is optional - leave it checked if you want to delete all cookies) then "empty selected"
or
CCleaner
Uncheck "Cookies" under "Internet Explorer".
That will clear out all the temp files on the system.

IMPORTANT!!
Keep your Sun Java up-to-date JRE Version 6 Update 3<--newest version
Delete ALL old versions from add/remove programs if listed first!
Check HERE

Keep the registry backed up - use ERUNT
Print this out and save it
ERUNT Tutorial

Starter Manage your startup programs and services.

----------Free malware removal programs:----------

AVG Anti-Spyware<---VERY GOOD! (XP and 2K only)
SUPERAntiSpyware (free edition)<---Excellent!
AVG Anti-Rootkit Free Edition Run it!!
SpyBot
AD-Aware
CW-Shredder

Please consider using FireFox instead of Internet Explorer. A more secure browser! Easy to make the change!
FireFox Tutorial


Pop-up stoppers:
GoogleToolBar
Pop-upStopperFree

Disable "Windows Messenger Service" XP - 2K (stops pop-up ads -etc):
Shoot The Messenger

Anti-Rootkit Software - Detection, Removal & Protection

Reduce Online Fraud

Slow Computer - Check Here

Don't open e-mail attachments without first scanning them with an up-to-date anti virus program, even after doing that I would be very careful. Don't click on any executables in e-mails or any other links that you're not sure of.
Don't believe e-mails from your bank, financial institution, etc. asking for personal information - they're most likely fraudulent no matter how authentic they look.
Watch your surfing habits, don't click on or download anything you're not sure of. Don't install a program that hasn't been recommended by a reputable organization.

Good luck and thanks for using the forum - MrC


#14 MrCharlie

MrCharlie

    SuperMember

  • Malware Team
  • 2,949 posts

Posted 04 December 2007 - 08:50 PM

Since this issue appears to be resolved ... this Topic has been closed. Glad we could be of assistance. If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread. Everyone else please begin a New Topic.
