Virus/Spyware infected

Forum: Spyware, Adware, Viruses and HijackThis Logs

#1 - 29-08-2007, 07:14 PM
benjamin_harris (Junior Member, New Recruit; Join Date: Apr 2006; Posts: 28)
Virus/Spyware infected

Hi,

I think I have 2 viruses. The first is causing random popups in both FF and IE; they usually go to winantiviruspro.com on FF, and I can't recall the IE ones, but when you exit the IE ones another one pops up. The only way to stop it seems to be to end iexplore.exe in Task Manager.

Norton Internet Security 2007 keeps finding and deleting Trojan.Vundo, but then it comes back.

The second appeared today, and has an icon at the bottom (yellow triangle with an exclamation mark); when you hover on it, it says 'Security Center Balloon'.

Clicking it pops up 'Personal Security Center'. There are 4 kind of tab things when you open it; these are:
Ultimate Fixer (says Install now)
Ultimate Defender (says Install now)
Ultimate Cleaner (says Install now)
Security Monitor (which says On; I think this is that sys tray icon)

The icon periodically pops up balloons saying stuff like 'integrity threats detected' and then a few lines of text. (Ahh, one just popped up. The few lines are:

Some system files or hard drive structure may be corrupted. It may lead to crashed, reboots, slowdowns and freezes of operating system.

Click here to...)

HijackThis Log

Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 19:11:16, on 29/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Benjamin New\Desktop\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B} - C:\WINDOWS\system32\qomkihi.dll
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\Program Files\Dnonezsy\rlzoyrvd.dll
O2 - BHO: (no name) - {66CAB10F-77BA-48F8-98BC-09B9F717E840} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7BAC7AC8-F276-4202-A83B-BD841314D4CF} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91B4DDA9-F6CC-4000-90BC-68CD9E5BF6A5} - C:\WINDOWS\system32\vtutu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {C6039E6C-BDE9-4de5-BB40-768CAA584FDC} - C:\WINDOWS\system32\gqcimibq.dll
O2 - BHO: (no name) - {FD2A7D3A-3DA1-4CA5-AD39-B4C3A72B567F} - C:\WINDOWS\system32\vtutqpm.dll (file missing)
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [j2211830] rundll32 C:\WINDOWS\system32\j2211830.dll sook
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [srglqnqt] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzas.dll,startup
O4 - HKLM\..\Run: [SystemOptimizer] rundll32.exe "C:\WINDOWS\system32\ukwuayns.dll",forkonce
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZoiPPE] "C:\Program Files\ZoiPPE\ZoiPPE.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/ActiveX/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: qomkihi - C:\WINDOWS\SYSTEM32\qomkihi.dll
O20 - Winlogon Notify: vtutu - C:\WINDOWS\system32\vtutu.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 11706 bytes

Just ended scprot4.exe (that seems to be the sys tray one, but I don't know how to remove it).

One more catch is that my Norton Internet Security 2007 subscription runs out in 3 days.

Kind Regards and thanks in advance

Ben
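As an added example (not code from the thread, the forum or HijackThis itself), a Python triage pass that applies the checks a helper makes by eye to the log above: unnamed or orphaned BHOs, logon entries that load a DLL through rundll32/regsvr32, Winlogon Notify hooks, a broken LSP chain, static DNS servers and services with no vendor string. The sample lines are copied from the posted log; the heuristics, the reason strings and the cross-section check (one DLL turning up under several sections, as qomkihi.dll does in O2 and O20) are assumptions of this example, not anything HijackThis reports.

```python
"""HijackThis log triage (added example; not the thread's or HijackThis's
own code).  Codifies the checks a forum helper applies by eye to a posted
log.  The sample lines come from the log above; the heuristics, reason
strings and the cross-section check are this example's own assumptions."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: a subset of the posted log plus clean lines (Acrobat,
# ccApp, iPod Service) that the filter must leave alone.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B} - C:\WINDOWS\system32\qomkihi.dll
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [j2211830] rundll32 C:\WINDOWS\system32\j2211830.dll sook
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: qomkihi - C:\WINDOWS\SYSTEM32\qomkihi.dll
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe
"""

ENTRY_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.*)$")   # "O4 - HKLM\..\Run: ..."
LOADER_RE = re.compile(r"\b(?:rundll32|regsvr32)(?:\.exe)?\b", re.IGNORECASE)
NAMESERVER_RE = re.compile(r"NameServer = (?P<ips>[\d.,]+)")
FILE_RE = re.compile(r"([\w~.-]+\.(?:dll|exe|ocx))\b", re.IGNORECASE)  # last path component


@dataclass(frozen=True)
class Finding:
    section: str   # HijackThis section tag, e.g. "O2"
    reason: str    # why a helper would look twice at this line
    line: str      # the original log line


def triage_line(line: str) -> list[Finding]:
    """Return zero or more findings for one HijackThis log line."""
    m = ENTRY_RE.match(line.strip())
    if not m:                      # header, process list, blank line
        return []
    sec, body = m.group("sec"), m.group("body")
    out: list[Finding] = []

    def hit(reason: str) -> None:
        out.append(Finding(sec, reason, line.strip()))

    if "(file missing)" in body or "(no file)" in body:
        hit("orphaned entry: registered component has no file on disk")
    if sec == "O2" and body.startswith("BHO: (no name)"):
        hit("BHO with no name: check the DLL's publisher before trusting it")
    if sec == "O4" and LOADER_RE.search(body):
        hit("logon entry loads a DLL through rundll32/regsvr32")
    if sec == "O10":
        hit("Winsock LSP chain references a missing provider")
    if sec == "O17":
        ns = NAMESERVER_RE.search(body)
        hit(f"static DNS servers ({ns.group('ips') if ns else 'unknown'}): confirm they are your ISP's")
    if sec == "O20":
        hit("Winlogon Notify DLL is loaded by winlogon.exe before the desktop appears")
    if sec == "O23" and " - Unknown owner - " in body:
        hit("service with no vendor string")
    return out


def triage(log_text: str) -> list[Finding]:
    return [f for ln in log_text.splitlines() for f in triage_line(ln)]


def files_by_section(findings: list[Finding]) -> dict[str, set[str]]:
    """Map each flagged file name (lower-cased) to the sections it appears in."""
    seen: dict[str, set[str]] = {}
    for f in findings:
        for name in FILE_RE.findall(f.line):
            seen.setdefault(name.lower(), set()).add(f.section)
    return seen


def multi_hook_files(findings: list[Finding]) -> dict[str, set[str]]:
    """Files hooked in more than one section: the strongest signal in the list."""
    return {n: s for n, s in files_by_section(findings).items() if len(s) > 1}


if __name__ == "__main__":
    results = triage(SAMPLE_LOG)
    for f in results:
        print(f"[{f.section}] {f.reason}\n    {f.line}")
    for name, secs in multi_hook_files(results).items():
        print(f"\n{name} is registered under {', '.join(sorted(secs))}: treat as one infection")
```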
#2 - 30-08-2007, 07:10 AM
VopThis (Senior Member, Canada; Join Date: Nov 2005; Posts: 3,439)
Re: Virus/Spyware infected

You are not running HijackThis (HJT) from a desired location. You really need to set up a dedicated folder for HJT items to avoid horrible clutter and/or potential lost backup issues.

It's best that the HijackThis tool NOT be located in its current location (particularly on your Desktop or in a TEMP folder). This way you can more easily undo any changes if something goes wrong.
  • Create a new folder in your C: Drive.
  • Name the FOLDER HijackThis (or HJT) such as C:\Program Files\HijackThis or C:\HJT and
  • Move the HijackThis.exe file into the newly created FOLDER.
  • Run HJT from there (and revise your shortcut accordingly).
Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.
Download ComboFix from Here or Here to your Desktop.
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouseclick ComboFix's window while it's running. That may cause it to stall.
__________________
Vincent P

MALWARE: READ FIRST Procedures: SpyBot V1.5 | HijackThis LOG V2.0.2

ASAP: promoting a high standard and quality of security support no matter where you seek help.

SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)

Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME).
#3 - 30-08-2007, 11:39 AM
benjamin_harris (Junior Member, New Recruit; Join Date: Apr 2006; Posts: 28)
Re: Virus/Spyware infected

HijackThis Log
Code:
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 11:36:06, on 30/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\SecCenter\scprot4.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: (no name) - {2004652A-4CCE-4EA5-A49E-FEEBF2A2BA8B} - C:\WINDOWS\system32\qomkihi.dll
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\Program Files\Dnonezsy\rlzoyrvd.dll
O2 - BHO: (no name) - {66CAB10F-77BA-48F8-98BC-09B9F717E840} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7BAC7AC8-F276-4202-A83B-BD841314D4CF} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {91B4DDA9-F6CC-4000-90BC-68CD9E5BF6A5} - C:\WINDOWS\system32\vtutu.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [j2211830] rundll32 C:\WINDOWS\system32\j2211830.dll sook
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [srglqnqt] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [CTDrive] rundll32.exe C:\WINDOWS\system32\drvzas.dll,startup
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O4 - HKLM\..\Run: [SC2] C:\Program Files\SecCenter\scprot4.exe
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [RamBooster] C:\Program Files\RamBooster 2.0\Rambooster.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [ZoiPPE] "C:\Program Files\ZoiPPE\ZoiPPE.exe"
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: []  (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: []  (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O10 - Broken Internet access because of LSP provider 'c:\program files\newdotnet\newdotnet3_88.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/a-UNO1/GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/Windows/Initial/VideoEggPublisher.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/dl/installs/suite/autocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/ActiveX/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)
O20 - Winlogon Notify: qomkihi - C:\WINDOWS\SYSTEM32\qomkihi.dll
O20 - Winlogon Notify: winexy32 - C:\WINDOWS\SYSTEM32\winexy32.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 11336 bytes

VundoFix.txt Log
Code:
VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 11:07:38 30/08/2007

Listing files found while scanning....

C:\windows\system32\aoptavkv.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.tmp
C:\windows\system32\eiwnwija.dll
C:\WINDOWS\system32\eogskjff.dll
C:\WINDOWS\system32\gqcimibq.dll
C:\windows\system32\hffsvfmd.dll
C:\WINDOWS\system32\hrhdobtd.dll
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjh.dll
C:\windows\system32\jqalbwcl.dll
C:\windows\system32\qcctiotu.dll
C:\windows\system32\snyauwku.ini
C:\WINDOWS\system32\ukwuayns.dll
C:\WINDOWS\system32\vtutqpm.dll
C:\WINDOWS\system32\vtutu.dll

Beginning removal...

 Attempting to delete C:\windows\system32\aoptavkv.dll
C:\windows\system32\aoptavkv.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.bak2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.ini2 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.tmp Has been deleted!

 Attempting to delete C:\windows\system32\eiwnwija.dll
C:\windows\system32\eiwnwija.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\gqcimibq.dll
C:\WINDOWS\system32\gqcimibq.dll Has been deleted!

 Attempting to delete C:\windows\system32\hffsvfmd.dll
C:\windows\system32\hffsvfmd.dll Has been deleted!

 Attempting to delete C:\windows\system32\jqalbwcl.dll
C:\windows\system32\jqalbwcl.dll Has been deleted!

 Attempting to delete C:\windows\system32\qcctiotu.dll
C:\windows\system32\qcctiotu.dll Has been deleted!

 Attempting to delete C:\windows\system32\snyauwku.ini
C:\windows\system32\snyauwku.ini Has been deleted!

 Attempting to delete C:\WINDOWS\system32\ukwuayns.dll
C:\WINDOWS\system32\ukwuayns.dll Has been deleted!

 Attempting to delete C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\vtutu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 11:19:05 30/08/2007

Listing files found while scanning....

C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjh.dll

Beginning removal...

 Attempting to delete C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak1 Has been deleted!

 Attempting to delete C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

Also a little more info...
After restarting after the VundoFix thing, Norton popped up and said it had the virus MisLeadApp [edit: another one just popped up, MagicAntiSpy].

Also when the computer starts up a Windows pop-up comes up saying:

RUNDLL (<-- that's the title)
Error loading C:\WINDOWS\system32\j2211830.dll

The specified module could not be found

Just going to run that ComboFix thingy now, will post when it is done.

Thanks for your support

Ben



EDIT: ComboFix Logs
Code:
ComboFix 07-08-30.3 - "Benjamin" 2007-08-30 11:43:33.1 - NTFSx86 
Microsoft Windows XP Professional  5.1.2600.2.1252.1.1033.18.486 [GMT 1:00]


(((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))


C:\Program Files\newdotnet
C:\Program Files\newdotnet\readme.txt
C:\Program Files\SecCenter
C:\Program Files\SecCenter\scprot4.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bbeeg.bak1
C:\WINDOWS\system32\bbeeg.bak2
C:\WINDOWS\system32\bbeeg.ini
C:\WINDOWS\system32\bbeeg.ini2
C:\WINDOWS\system32\bbeeg.tmp
C:\WINDOWS\system32\byxuspq.dll
C:\WINDOWS\system32\Cfx32.lic
C:\WINDOWS\system32\cfx32.ocx
C:\WINDOWS\system32\drivers\npf.sys
C:\WINDOWS\system32\khfgecb.dll
C:\WINDOWS\system32\packet.dll
C:\WINDOWS\system32\pthreadVC.dll
C:\WINDOWS\system32\qomkihi.dll
C:\WINDOWS\system32\stvwa.bak1
C:\WINDOWS\system32\stvwa.ini
C:\WINDOWS\system32\stvwa.ini2
C:\WINDOWS\system32\stvwa.tmp
C:\WINDOWS\system32\ututv.bak1
C:\WINDOWS\system32\ututv.bak2
C:\WINDOWS\system32\ututv.ini
C:\WINDOWS\system32\vtusnrvb.dll
C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\winexy32.dll
C:\WINDOWS\system32\wpcap.dll
C:\WINDOWS\system32\ybadd.bak1
C:\WINDOWS\system32\ybadd.bak2
C:\WINDOWS\system32\ybadd.ini
C:\WINDOWS\system32\ybadd.ini2
C:\WINDOWS\system32\ybadd.tmp
I:\Autorun.inf
J:\Autorun.inf
K:\Autorun.inf


(((((((((((((((((((((((((((((((((((((((   Drivers/Services   )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NPF
-------\nm
-------\NPF


(((((((((((((((((((((((((   Files Created from 2007-07-28 to 2007-08-30  )))))))))))))))))))))))))))))))


2007-08-30 11:42	51,200	--a------	C:\WINDOWS\nircmd.exe
2007-08-30 11:07	<DIR>	d--------	C:\VundoFix Backups
2007-08-30 11:01	<DIR>	d--------	C:\HiJackThis
2007-08-29 16:45	122,880	--a------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\ahahslar.dll
2007-08-29 16:45	<DIR>	d--------	C:\WINDOWS\system32\ogvhbfee
2007-08-29 16:45	<DIR>	d--------	C:\Program Files\Dnonezsy
2007-08-25 16:17	<DIR>	d--------	C:\Program Files\MSXML 6.0
2007-08-25 16:11	93,184	--a------	C:\WINDOWS\system32\drvzas.dll
2007-08-10 13:29	<DIR>	d--------	C:\Program Files\nmxcvgta
2007-08-06 13:27	<DIR>	d--------	C:\Program Files\Driving Test Success 2007-2008
2007-08-06 13:27	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Driving Test Success
2007-08-03 21:28	<DIR>	d--------	C:\TempDVD
2007-08-03 21:27	<DIR>	d--------	C:\Program Files\dvdSanta
2007-08-03 11:13	<DIR>	d--------	C:\Program Files\GetRight
2007-07-31 17:28	<DIR>	d--------	C:\DOCUME~1\BENJAM~1\.zone1511
2007-07-31 17:20	<DIR>	d--------	C:\Program Files\ZoiPPE
2007-07-31 00:33	22,112	-ra------	C:\WINDOWS\system32\drivers\COH_Mon.sys
2007-07-30 22:33	<DIR>	d--------	C:\Program Files\Enigma Software Group
2007-07-22 10:27	<DIR>	d--------	C:\Program Files\Siber Systems
2007-07-13 10:11	<DIR>	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\GlobalSCAPE
2007-07-08 21:01	<DIR>	d--------	C:\Program Files\IMVU
2007-07-08 16:19	<DIR>	d--------	C:\Program Files\DIFX
2007-07-08 16:19	<DIR>	d--------	C:\Program Files\Common Files\ComponentOne
2007-07-08 16:10	<DIR>	d--------	C:\Program Files\Fomine NetSend
2007-07-05 20:55	<DIR>	d--------	C:\DOCUME~1\BENJAM~1\APPLIC~1\CoreFTP
2007-07-03 21:18	<DIR>	d--------	C:\Program Files\Vextractor Demo 3.80


((((((((((((((((((((((((((((((((((((((((   Find3M Report   ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-08-30 11:52	---------	d--------	C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec
2007-08-29 20:51	---------	d--------	C:\Program Files\Common Files\Symantec Shared
2007-08-27 23:42	---------	d--------	C:\DOCUME~1\BENJAM~1\APPLIC~1\uTorrent
2007-08-04 10:39	---------	d--------	C:\Program Files\Cheat Engine
2007-08-03 11:13	---------	d--------	C:\DOCUME~1\BENJAM~1\APPLIC~1\GetRightToGo
2007-07-31 19:53	---------	d--------	C:\DOCUME~1\BENJAM~1\APPLIC~1\LimeWire
2007-07-30 19:19	92504	--a------	C:\WINDOWS\system32\cdm.dll
2007-07-30 19:19	549720	--a------	C:\WINDOWS\system32\wuapi.dll
2007-07-30 19:19	53080	--a------	C:\WINDOWS\system32\wuauclt.exe
2007-07-30 19:19	43352	--a------	C:\WINDOWS\system32\wups2.dll
2007-07-30 19:19	325976	--a------	C:\WINDOWS\system32\wucltui.dll
2007-07-30 19:19	271224	--a------	C:\WINDOWS\system32\mucltui.dll
2007-07-30 19:19	207736	--a------	C:\WINDOWS\system32\muweb.dll
2007-07-30 19:19	203096	--a------	C:\WINDOWS\system32\wuweb.dll
2007-07-30 19:19	1712984	--a------	C:\WINDOWS\system32\wuaueng.dll
2007-07-30 19:18	33624	--a------	C:\WINDOWS\system32\wups.dll
2007-07-13 10:38	---------	d--h-----	C:\Program Files\InstallShield Installation Information
2007-07-13 10:38	---------	d--------	C:\Program Files\GlobalSCAPE
2007-06-29 22:52	---------	d--------	C:\DOCUME~1\BENJAM~1\APPLIC~1\SmartFTP
2007-06-29 19:51	---------	d--------	C:\Program Files\Scriptocean
2007-06-26 07:08	1104896	--a------	C:\WINDOWS\system32\msxml3.dll
2007-06-19 14:31	282112	--a------	C:\WINDOWS\system32\gdi32.dll
2007-06-13 11:23	1033216	--a------	C:\WINDOWS\explorer.exe
2007-06-03 14:08	48776	--a------	C:\WINDOWS\system32\S32EVNT1.DLL
2004-08-04 12:00:00	94,784	-csh--w	C:\WINDOWS\twain.dll
2004-08-04 12:00:00	50,688	--sh--w	C:\WINDOWS\twain_32.dll
2004-08-04 12:00:00	1,028,096	--sh--w	C:\WINDOWS\system32\mfc42.dll
2004-08-04 12:00:00	54,784	--sh--w	C:\WINDOWS\system32\msvcirt.dll
2004-08-04 12:00:00	11,776	--sh--w	C:\WINDOWS\system32\regsvr32.exe


(((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))))
 
 
*Note* empty entries & legit default entries are not shown 

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2DA8327F-277A-4112-8615-05CBB1C51C9C}]
			C:\WINDOWS\system32\jkkjh.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{55EDB93B-6FCC-2A25-DA97-095A187E5D18}]
2007-08-29 16:45	122880	--a------	C:\Program Files\Dnonezsy\rlzoyrvd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{66CAB10F-77BA-48F8-98BC-09B9F717E840}]
			C:\WINDOWS\system32\awvts.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7BAC7AC8-F276-4202-A83B-BD841314D4CF}]
			C:\WINDOWS\system32\jkhfd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2007-01-10 05:59]
"osCheck"="C:\Program Files\Norton Internet Security\osCheck.exe" [2007-02-07 23:39]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-04-27 09:41]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-05-26 12:45]
"srglqnqt"="C:\Program Files\nmxcvgta\pybunslm.dll" [2007-08-10 13:29]
"ahahslar"="regsvr32 /u C:\Documents and Settings\All Users\Application Data\ahahslar.dll" []

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"msnmsgr"="C:\Program Files\MSN Messenger\msnmsgr.exe" [2007-01-19 13:54]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2004-09-24 17:22]
"RamBooster"="C:\Program Files\RamBooster 2.0\Rambooster.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-03 11:29]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00]
"ZoiPPE"="C:\Program Files\ZoiPPE\ZoiPPE.exe" []
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 21:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ATICCC"="C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkhfd] 
C:\WINDOWS\system32\jkhfd.dll 

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkkjh] 
C:\WINDOWS\system32\jkkjh.dll 

R0 isdnlink;isdnlink;C:\WINDOWS\system32\DRIVERS\linkisdn.sys
R0 SLyxFltr;TI StorageLynx Device Alignment Filter;C:\WINDOWS\system32\DRIVERS\SLyxFltr.sys
R1 vobiw;vobiw;C:\WINDOWS\system32\drivers\vobiw.sys
R3 cdrdrv;Cdrdrv;C:\WINDOWS\system32\Drivers\Cdrdrv.sys
R3 Point32;Microsoft IntelliPoint Filter Driver;C:\WINDOWS\system32\DRIVERS\point32.sys
R3 PRISM_USB;D-Link Air Wireless USB Adapter Driver;C:\WINDOWS\system32\DRIVERS\PRISMUSB.sys
R3 tbhsd;Tunebite High-Speed Dubbing;C:\WINDOWS\system32\drivers\tbhsd.sys
S3 CEDRIVER52;CEDRIVER52;\??\C:\Program Files\Cheat Engine\dbk32.sys
S3 ctlsb16;Creative SB16/AWE32/AWE64 Driver (WDM);C:\WINDOWS\system32\drivers\ctlsb16.sys
S3 FTLUND;Lundinova Filter Driver;C:\WINDOWS\system32\drivers\ftlund.sys
S3 InterServer;InterBase InterClient Server;C:\Program Files\Borland\InterBase\InterClient\bin\interserver.exe
S3 kqemu;KQEMU virtualisation module for QEMU;C:\WINDOWS\system32\DRIVERS\kqemu.sys
S3 PAC207;CamMaestro 3.01 DU PC Camera;C:\WINDOWS\system32\DRIVERS\pfc027.sys
S3 wampmysqld;wampmysqld;"C:\Program Files\wamp\mysql\bin\mysqld-nt.exe" "--defaults-file=C:\Program Files\wamp\mysql\my.ini" wampmysqld
S3 wanlink;wanlink;C:\WINDOWS\system32\DRIVERS\wanlink.sys

*Newly Created Service* - COMHOST

Contents of the 'Scheduled Tasks' folder
2007-08-27 22:42:51 C:\WINDOWS\Tasks\Norton Internet Security - Run Full System Scan - Benjamin.job - C:\Program Files\Norton Internet Security\Norton AntiVirus\Navw32.exe

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-08-30 12:04:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************

Completion time: 2007-08-30 12:08:10 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-08-30 12:07

	--- E O F ---

ComboFix-quarantined-files.txt
Code:
1995-12-22 19:16      432    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\CFX32.LIC.vir
1996-06-10 23:24      307200    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\CFX32.OCX.vir
2002-03-02 05:10      53299    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pthreadVC.dll.vir
2003-04-04 15:54      208896    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wpcap.dll.vir
2003-04-04 16:03      57344    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\packet.dll.vir
2003-04-04 16:07      30336    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\drivers\npf.sys.vir
2006-11-16 11:33      3522    --a--c---    C:\Qoobox\Quarantine\C\Program Files\NewDotNet\readme.txt.vir
2007-02-09 22:25      27    --a------    C:\Qoobox\Quarantine\J\autorun.inf.vir
2007-02-09 23:25      27    --a------    C:\Qoobox\Quarantine\K\autorun.inf.vir
2007-02-19 21:21      30    --a------    C:\Qoobox\Quarantine\I\autorun.inf.vir
2007-06-02 09:28      1093836    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\stvwa.bak1.vir
2007-06-03 00:13      1095054    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\stvwa.tmp.vir
2007-06-03 10:33      1095250    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\stvwa.ini.vir
2007-06-03 11:01      1095526    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\stvwa.ini2.vir
2007-07-08 21:23      15399    --a------    C:\Qoobox\Quarantine\C\ComboFix\FProps.vbs.vir
2007-07-13 10:22      20992    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winexy32.dll.vir
2007-07-13 10:27      6369    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.bak1.vir
2007-07-13 20:58      48947    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.tmp.vir
2007-07-13 22:11      52938    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.ini.vir
2007-07-14 19:01      1363574    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.bak2.vir
2007-07-14 19:27      1364355    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\bbeeg.ini2.vir
2007-07-15 19:27      1364800    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.tmp.vir
2007-07-15 23:13      1364800    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.ini.vir
2007-07-30 15:49      69184    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vtusnrvb.dll.vir
2007-08-01 17:12      1076520    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.bak2.vir
2007-08-01 17:12      1076537    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.bak1.vir
2007-08-01 20:56      1130404    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ybadd.ini2.vir
2007-08-25 16:11      43542    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\qomkihi.dll.vir
2007-08-25 16:16      298080    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\vtutu.dll.vir
2007-08-28 11:56      1006650    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.bak2.vir
2007-08-29 11:56      1004923    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.bak1.vir
2007-08-29 12:00      156    --a------    C:\Qoobox\Quarantine\C\WINDOWS\cookies.ini.vir
2007-08-29 15:24      43542    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\byxuspq.dll.vir
2007-08-29 16:45      262144    --a------    C:\Qoobox\Quarantine\C\Program Files\SecCenter\scprot4.exe.vir
2007-08-30 11:12      1057468    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ututv.ini.vir
2007-08-30 11:44      43542    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\khfgecb.dll.vir
2007-08-30 11:58      1326    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NPF.reg.cf
2007-08-30 11:58      2354    --a------    C:\Qoobox\Quarantine\Registry_backups\services_NPF.reg.cf
2007-08-30 11:58      352    --a------    C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf
2007-08-30 11:59      157    --a------    C:\Qoobox\Quarantine\catchme.log
2007-08-30 11:59      23512    --a------    C:\Qoobox\Quarantine\catchme2007-08-30_120432.54.zip
2007-08-30 12:07      816162    --a------    C:\Qoobox\snapshot_2007-08-30_120713.46.cf


Folder PATH listing
Volume serial number is 7CA0-C620
C:\QOOBOX
|   snapshot_2007-08-30_120713.46.cf
|   
\---Quarantine
    |   catchme.log
    |   catchme2007-08-30_120432.54.zip
    |   
    +---C
    |   +---ComboFix
    |   |       FProps.vbs.vir
    |   |       
    |   +---Program Files
    |   |   +---NewDotNet
    |   |   |       readme.txt.vir
    |   |   |       
    |   |   \---SecCenter
    |   |           scprot4.exe.vir
    |   |           
    |   \---WINDOWS
    |       |   cookies.ini.vir
    |       |   
    |       \---system32
    |           |   bbeeg.bak1.vir
    |           |   bbeeg.bak2.vir
    |           |   bbeeg.ini.vir
    |           |   bbeeg.ini2.vir
    |           |   bbeeg.tmp.vir
    |           |   byxuspq.dll.vir
    |           |   CFX32.LIC.vir
    |           |   CFX32.OCX.vir
    |           |   khfgecb.dll.vir
    |           |   packet.dll.vir
    |           |   pthreadVC.dll.vir
    |           |   qomkihi.dll.vir
    |           |   stvwa.bak1.vir
    |           |   stvwa.ini.vir
    |           |   stvwa.ini2.vir
    |           |   stvwa.tmp.vir
    |           |   ututv.bak1.vir
    |           |   ututv.bak2.vir
    |           |   ututv.ini.vir
    |           |   vtusnrvb.dll.vir
    |           |   vtutu.dll.vir
    |           |   winexy32.dll.vir
    |           |   wpcap.dll.vir
    |           |   ybadd.bak1.vir
    |           |   ybadd.bak2.vir
    |           |   ybadd.ini.vir
    |           |   ybadd.ini2.vir
    |           |   ybadd.tmp.vir
    |           |   
    |           \---drivers
    |                   npf.sys.vir
    |                   
    +---I
    |       autorun.inf.vir
    |       
    +---J
    |       autorun.inf.vir
    |       
    +---K
    |       autorun.inf.vir
    |       
    \---Registry_backups
            LEGACY_NPF.reg.cf
            services_nm.reg.cf
            services_NPF.reg.cf

Last edited by benjamin_harris; 30-08-2007 at 12:14 PM. Reason: added more info
  #4
Old 30-08-2007, 12:56 PM
VopThis
Senior Member (Canada)
 
Join Date: Nov 2005
Posts: 3,439
VopThis is a D-A-L Rockstar!
Re: Virus/Spyware infected

Please do not use 'Code Boxes' - it makes it very hard to review and directly address the content listing.



Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

DO NOT RUN ANY OTHER OPTIONS UNTIL REQUESTED TO. This is very important to get an optimal and comprehensive fix. Warning: running option #2 on a non-infected computer will remove your Desktop background.



Note: process.exe is detected by some antivirus programs (AntiVir, Dr.Web, Kaspersky) as a "RiskTool"; it is not a virus, but a program used to stop system processes. Antivirus programs cannot distinguish between "good" and "malicious" use of such programs, therefore they may alert the user.
http://www.beyondlogic.org/consulting/proc...processutil.htm





SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\WINDOWS\system32\jkkjh.dll (file missing)
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\Program Files\Dnonezsy\rlzoyrvd.dll
O2 - BHO: (no name) - {66CAB10F-77BA-48F8-98BC-09B9F717E840} - C:\WINDOWS\system32\awvts.dll (file missing)
O2 - BHO: (no name) - {7BAC7AC8-F276-4202-A83B-BD841314D4CF} - C:\WINDOWS\system32\jkhfd.dll (file missing)

O4 - HKLM\..\Run: [J2211830] rundll32 C:\WINDOWS\system32\j2211830.dll sook

O20 - Winlogon Notify: jkhfd - C:\WINDOWS\system32\jkhfd.dll (file missing)
O20 - Winlogon Notify: jkkjh - C:\WINDOWS\system32\jkkjh.dll (file missing)

Make sure that all browser windows and internet links are closed, even this one!
CLICK ’FIX CHECKED’ with HijackThis.





Run Vundo again using slightly different instructions:
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files
  • Copy&Paste the 2 entries below into the top 2 boxes

    Quote:
    • C:\WINDOWS\system32\qomkihi.dll
    • C:\WINDOWS\system32\vtutu.dll
  • Click Add Files and Click Close Window
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shutdown your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt and a new HiJackThis log.
__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|


__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Quote:
SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)
Quote:
Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME ).
  #5
Old 30-08-2007, 01:11 PM
benjamin_harris
Junior Member
New Recruit
 
Join Date: Apr 2006
Posts: 28
benjamin_harris Is a beginner here at D-A-L
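The fix list in the post above picks out HijackThis entries by a few structural cues: a BHO registered with no display name, an entry whose file is already missing (an orphaned loading point), a Run key that loads a DLL through rundll32 or regsvr32 rather than starting a program, and a Winlogon Notify package that is not one of the stock Windows ones. The script below is an added example for this thread; it is not part of HijackThis, VundoFix or anything the participants posted. It applies exactly those cues to the O2/O4/O20 line formats seen in the logs here. The sample lines are copied from this thread, and the allowlist of stock Notify packages is my own partial list, so every hit is a prompt to review an entry, not a verdict on it.

```python
"""Triage HijackThis O2 / O4 / O20 log lines with the cues used in this thread.

Added example, not a tool from the thread. Sample lines below are copied from
the HijackThis logs posted above; the allowlist is an assumption (partial).
"""
import re
from dataclasses import dataclass, field

# Stock Windows XP Winlogon Notify packages (partial, analyst-maintained).
# Anything outside it is worth a look; it is not automatically malicious.
KNOWN_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

# Constructed sample: four entries VopThis asked to be fixed plus two
# benign lines from the same log, so the filter has something to pass.
SAMPLE_LOG = """\
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\\Program Files\\Adobe\\Acrobat 7.0\\ActiveX\\AcroIEHelper.dll
O2 - BHO: (no name) - {2DA8327F-277A-4112-8615-05CBB1C51C9C} - C:\\WINDOWS\\system32\\jkkjh.dll (file missing)
O2 - BHO: (no name) - {55EDB93B-6FCC-2A25-DA97-095A187E5D18} - C:\\Program Files\\Dnonezsy\\rlzoyrvd.dll
O4 - HKLM\\..\\Run: [ccApp] "C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
O4 - HKLM\\..\\Run: [J2211830] rundll32 C:\\WINDOWS\\system32\\j2211830.dll sook
O20 - Winlogon Notify: jkhfd - C:\\WINDOWS\\system32\\jkhfd.dll (file missing)
"""

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.*)$")
O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\Run: \[(?P<key>[^\]]+)\] (?P<cmd>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<target>.*)$")
MISSING_RE = re.compile(r"\((file missing|no file)\)\s*$")


@dataclass
class Finding:
    line: str
    kind: str                     # "O2", "O4" or "O20"
    reasons: list = field(default_factory=list)


def split_state(target):
    """Separate 'C:\\path\\x.dll (file missing)' into (path, 'file missing')."""
    m = MISSING_RE.search(target)
    if m:
        return target[:m.start()].strip(), m.group(1)
    return target.strip(), None


def triage_line(line):
    """Return a Finding for a recognised line (reasons may be empty), else None."""
    line = line.rstrip()
    if m := O2_RE.match(line):
        path, state = split_state(m["target"])
        f = Finding(line, "O2")
        if m["name"] == "(no name)":
            f.reasons.append("BHO registered without a display name")
        if state:
            f.reasons.append(f"registered file is absent ({state}); orphaned loading point")
        return f
    if m := O4_RE.match(line):
        f = Finding(line, "O4")
        cmd = m["cmd"].lower()
        host = cmd.split()[0].strip('"') if cmd else ""
        # A Run value that starts a DLL host instead of a program: the code
        # that actually runs is the DLL, which the key name does not show.
        if host.endswith(("rundll32", "rundll32.exe", "regsvr32", "regsvr32.exe")):
            f.reasons.append(f"autorun loads a DLL through {host}")
        if "regsvr32 /u" in cmd:
            f.reasons.append("unregisters a DLL on every logon, an unusual persistence trick")
        return f
    if m := O20_RE.match(line):
        path, state = split_state(m["target"])
        f = Finding(line, "O20")
        if m["key"].lower() not in KNOWN_NOTIFY:
            f.reasons.append("Winlogon Notify package not in the stock allowlist")
        if state:
            f.reasons.append(f"registered file is absent ({state}); orphaned loading point")
        return f
    return None


def triage(log_text):
    """Return only the findings that carry at least one reason to review."""
    out = []
    for line in log_text.splitlines():
        f = triage_line(line)
        if f and f.reasons:
            out.append(f)
    return out


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.line}")
        for r in f.reasons:
            print(f"       - {r}")
```

Running it on the sample prints the four entries the helper listed and skips the Adobe BHO and the Symantec Run key. The O20 check deliberately fires on the key name rather than the DLL name, because the random five-letter names in this thread are the part that changes from one Vundo sample to the next.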
Re: Virus/Spyware infected

This is the Report log (sorry about the previous code boxes)

SmitFraudFix v2.217

Scan done at 13:08:38.04, 30/08/2007
Run from C:\Documents and Settings\Benjamin New\Desktop\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
The filesystem type is NTFS
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» Process

C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\cmd.exe

»»»»»»»»»»»»»»»»»»»»»»»» hosts


»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Benjamin New


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Benjamin New\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\BENJAM~1\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Desktop\Components\0]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"


»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]


»»»»»»»»»»»»»»»»»»»»»»»» Winlogon.System
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"System"=""


»»»»»»»»»»»»»»»»»»»»»»»» Rustock



»»»»»»»»»»»»»»»»»»»»»»»» DNS

Description: NVIDIA nForce Networking Controller - Packet Scheduler Miniport
DNS Server Search Order: 62.241.162.200
DNS Server Search Order: 62.241.163.200

Description: D-Link Air DWL-122 Wireless USB Adapter - Packet Scheduler Miniport
DNS Server Search Order: 62.241.162.200
DNS Server Search Order: 62.241.163.200

HKLM\SYSTEM\CCS\Services\Tcpip\..\{08C6C888-7D23-4835-892E-7EC4CC3C2E7E}: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer=62.241.162.200,62.241.163.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{08C6C888-7D23-4835-892E-7EC4CC3C2E7E}: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CS1\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer=62.241.162.200,62.241.163.200
HKLM\SYSTEM\CS3\Services\Tcpip\..\{08C6C888-7D23-4835-892E-7EC4CC3C2E7E}: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CS3\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer=62.241.162.200,62.241.163.200
HKLM\SYSTEM\CCS\Services\Tcpip\Parameters: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CS1\Services\Tcpip\Parameters: DhcpNameServer=62.241.162.200 62.241.163.200
HKLM\SYSTEM\CS3\Services\Tcpip\Parameters: DhcpNameServer=62.241.162.200 62.241.163.200


»»»»»»»»»»»»»»»»»»»»»»»» Scanning for wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End
  #6
Old 30-08-2007, 01:29 PM
benjamin_harris
Junior Member
New Recruit
 
Join Date: Apr 2006
Posts: 28
benjamin_harris Is a beginner here at D-A-L
Re: Virus/Spyware infected

VundoFix Log
VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 11:07:38 30/08/2007

Listing files found while scanning....

C:\windows\system32\aoptavkv.dll
C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.tmp
C:\windows\system32\eiwnwija.dll
C:\WINDOWS\system32\eogskjff.dll
C:\WINDOWS\system32\gqcimibq.dll
C:\windows\system32\hffsvfmd.dll
C:\WINDOWS\system32\hrhdobtd.dll
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjh.dll
C:\windows\system32\jqalbwcl.dll
C:\windows\system32\qcctiotu.dll
C:\windows\system32\snyauwku.ini
C:\WINDOWS\system32\ukwuayns.dll
C:\WINDOWS\system32\vtutqpm.dll
C:\WINDOWS\system32\vtutu.dll

Beginning removal...

Attempting to delete C:\windows\system32\aoptavkv.dll
C:\windows\system32\aoptavkv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.bak1
C:\WINDOWS\system32\dfhkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.bak2
C:\WINDOWS\system32\dfhkj.bak2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.tmp
C:\WINDOWS\system32\dfhkj.tmp Has been deleted!

Attempting to delete C:\windows\system32\eiwnwija.dll
C:\windows\system32\eiwnwija.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gqcimibq.dll
C:\WINDOWS\system32\gqcimibq.dll Has been deleted!

Attempting to delete C:\windows\system32\hffsvfmd.dll
C:\windows\system32\hffsvfmd.dll Has been deleted!

Attempting to delete C:\windows\system32\jqalbwcl.dll
C:\windows\system32\jqalbwcl.dll Has been deleted!

Attempting to delete C:\windows\system32\qcctiotu.dll
C:\windows\system32\qcctiotu.dll Has been deleted!

Attempting to delete C:\windows\system32\snyauwku.ini
C:\windows\system32\snyauwku.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\ukwuayns.dll
C:\WINDOWS\system32\ukwuayns.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vtutu.dll
C:\WINDOWS\system32\vtutu.dll Could not be deleted.

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 11:19:05 30/08/2007

Listing files found while scanning....

C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkkjh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\hjkkj.bak1
C:\WINDOWS\system32\hjkkj.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\hjkkj.ini
C:\WINDOWS\system32\hjkkj.ini Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.5.7

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.

Scan started at 13:16:25 30/08/2007

Listing files found while scanning....

No infected files were found.


Beginning removal...

Performing Repairs to the registry.
Done!


New HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 13:29:25, on 30/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\regsvr32.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKLM\..\Run: [srglqnqt] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\ahahslar.dll"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/ActiveX/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserve r.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 9184 bytes

Thanks very much. No more errors at startup and I have not had a popup yet (I have had Vundo like 3 times; I remove it, then it somehow comes back).

Kind Regards

Ben

Last edited by benjamin_harris; 30-08-2007 at 01:32 PM. Reason: added thanks :D
#7
Old 30-08-2007, 02:25 PM
VopThis
Senior Member (Canada)
Re: Virus/Spyware infected

HIDDEN FILES: To make sure you can see any and all hidden files, please follow the directions here

Submit the following file(s) to VirusTotal for their immediate evaluation and feedback. Use any of the following methods, as appropriate:
  • Locate FULL FILE PATH if not apparent. Use Start (BUTTON)>Search, [WINDOWS+F] keys, or F3 key (from desktop).
  • Copy & Paste the FULL FILE PATH into the input BOX
    -- OR --
  • Navigate to the file in question.

Post those results in your next reply (if malware findings were indicated) for:

C:\Program Files\nmxcvgta\pybunslm.dll
C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll

Let us see/review what is loaded on your PC:
  • Run HijackThis and Click Open the Misc Tools section button.
  • Then click the Open Uninstall Manager… button.
  • Click the Save list… button. Save uninstall_list to your desktop.

  • Open the Uninstall list file and post in your next reply, please.

Quote:
Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.8
Old versions of java are exploitable and should be removed.
Your system has an outdated version(s) of Sun Java that could create serious security exposure issues for your PC.

Update your Java.

Older JAVA versions have vulnerabilities that malware can use, and is using, to infect systems.

Please follow these steps to remove older version Java components.
  • Close any programs you may have running, ESPECIALLY your web browser
  • Click Start > Control Panel.
  • Click Add/Remove Programs.
  • Check any item with Java Runtime Environment (JRE) in the name.
  • Click the Remove or Change/Remove button.
  • Repeat as many times as necessary to remove all versions of Java.
  • Reboot your computer once all Java components are removed.

Download the latest version of Java Runtime Environment (JRE) 6.0 Update 2 or higher, and install it to your computer.

New Version should show as (HijackThis log):

C:\Program Files\Java\jre1.6.0_02\… or higher
__________________
Vincent P

MALWARE: READ FIRST Procedures:
|_ SpyBot V1.5 _|_ HijackThis LOG __V2.0.2 _|


__
ASAP: promoting a high standard and quality of security support no matter where you seek help.

Quote:
SAFER SURFING TOOLS (IE/FF **FREE** browser addons):
Linkscanner + WOT (Web of Trust) + SiteAdvisor (suggest at least two but not necessarily all)
Quote:
Tell me and I forget; show me and I remember; involve me and I understand.
There are no foolish questions, the only thing foolish is not asking if you're unsure of something.
Never ASSUME any detail because it can make an ASS out of U and ME... (ASS/U/ME ).
#8
Old 30-08-2007, 03:20 PM
benjamin_harris
Junior Member
Re: Virus/Spyware infected

C:\Program Files\nmxcvgta\pybunslm.dll
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Result: 2/32 (6.25%)

C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Result: 2/32 (6.25%)

Installed stuff
$MY_NAME
Acoustica MP3 Audio Mixer
Adobe Bridge 1.0
Adobe Common File Installer
Adobe Flash Player 9 ActiveX
Adobe Help Center 1.0
Adobe Photoshop CS2
Adobe Reader 7.0
Adobe Shockwave Player
Adobe Stock Photos 1.0
Adobe Stock Photos 1.0
Advanced Site Submitter 1.0
Age of Empires III
AppCore
Apple Software Update
ArcSoft WebCam Companion
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
AutoHotkey 1.0.46.05
AutoIt v2.64
AutoIt v3.2.2.0
AV
Borland Delphi 7
CamMaestro 3.01 DU PC Camera
ccCommon
Cheat Engine 5.3
CNXT V92 Data Fax Voice
CuteFTP 6 Professional
CuteFTP 8 Professional
DivX
DivX Web Player
Drag Racer v3
Driving Test Success 2007/8
DVD7
dvdSanta 4.00
Empire Earth
Fish Tycoon
Fomine NetSend (remove only)
Free Natural text to speech reader
FreeUndelete
GetRight
GetRight Pro
Google Earth
Google SketchUp 6
Google SketchUp 6
Google Toolbar for Internet Explorer
Google Web Accelerator
Guild Wars
Guild Wars Manager
Hex Workshop v4.23
High Definition Audio Driver Package - KB835221
HijackThis 2.0.0
Hits Generator
Hotfix for Windows Media Format 11 SDK (KB929399)
Hotfix for Windows Media Player 11 (KB939683)
Hotfix for Windows XP (KB914440)
Hotfix for Windows XP (KB915865)
Hotfix for Windows XP (KB926239)
hp psc 900 series
Hutchinson Educational Encyclopedia 2000
InterVideo WinDVD 4
iPod for Windows 2005-01-11
iPod for Windows 2005-06-26
iPod for Windows 2006-01-10
iTunes
Java(TM) SE Development Kit 6
KQEMU virtualisation module for QEMU
LimeWire PRO 4.12.6
LiveUpdate 3.2 (Symantec Corporation)
Lizardtech DjVu Control (autoinstall)
Macromedia Dreamweaver 8
Macromedia Extension Manager
Macromedia Fireworks 8
Macromedia Flash 8
Macromedia Flash 8 Video Encoder
Macromedia Flash Player 8
Macromedia Flash Player 8 Plugin
Macromedia FlashPaper 2
Match-Up!
Media Library Management Wizard
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Age of Empires II
Microsoft Age of Empires II: The Conquerors Expansion
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Halo
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office Professional Edition 2003
Microsoft Reader Text-to-Speech for English
Microsoft User-Mode Driver Framework Feature Pack 1.0
Microsoft Windows Journal Viewer
mobile PhoneTools
Movie Maker Background Music Files
Movie Maker Sound Effects
Movie Maker Title Images
Mozilla Firefox (2.0.0.6)
MSRedist
MSXML 4.0 SP2 (KB925672)
MSXML 4.0 SP2 (KB927978)
MSXML 4.0 SP2 (KB936181)
MSXML 4.0 SP2 Parser and SDK
MSXML 6.0 Parser (KB933579)
Nero 6 Ultra Edition
Norton AntiVirus
Norton Confidential Browser Component
Norton Confidential Web Protection Component
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security (Symantec Corporation)
Norton Protection Center
NVIDIA Drivers
Perfect Macro Recorder 1.50
Personal License Update Wizard for Windows Media Player
Pinnacle Hollywood FX for Studio
Pinnacle InstantCD/DVD Suite
Pizza Connection 2
QuickTime
Rally Championship Xtreme
RealPlayer
Realtek AC'97 Audio
Rome - Total War(TM)
SBP2 Filter
Screen Movie Studio
Security Update for CAPICOM (KB931906)
Security Update for CAPICOM (KB931906)
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Internet Explorer 7 (KB928090)
Security Update for Windows Internet Explorer 7 (KB929969)
Security Update for Windows Internet Explorer 7 (KB931768)
Security Update for Windows Internet Explorer 7 (KB933566)
Security Update for Windows Internet Explorer 7 (KB937143)
Security Update for Windows Internet Explorer 7 (KB938127)
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB917734)
Security Update for Windows Media Player 11 (KB936782)
Security Update for Windows Media Player 6.4 (KB925398)
Security Update for Windows Media Player 9 (KB911565)
Security Update for Windows Media Player 9 (KB917734)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB890046)
Security Update for Windows XP (KB893756)
Security Update for Windows XP (KB896358)
Security Update for Windows XP (KB896422)
Security Update for Windows XP (KB896423)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896428)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB899587)
Security Update for Windows XP (KB899588)
Security Update for Windows XP (KB899589)
Security Update for Windows XP (KB899591)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911280)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
Security Update for Windows XP (KB914388)
Security Update for Windows XP (KB914389)
Security Update for Windows XP (KB916281)
Security Update for Windows XP (KB917159)
Security Update for Windows XP (KB917344)
Security Update for Windows XP (KB917422)
Security Update for Windows XP (KB917953)
Security Update for Windows XP (KB918118)
Security Update for Windows XP (KB918439)
Security Update for Windows XP (KB919007)
Security Update for Windows XP (KB920213)
Security Update for Windows XP (KB920214)
Security Update for Windows XP (KB920670)
Security Update for Windows XP (KB920683)
Security Update for Windows XP (KB920685)
Security Update for Windows XP (KB921398)
Security Update for Windows XP (KB921503)
Security Update for Windows XP (KB921883)
Security Update for Windows XP (KB922616)
Security Update for Windows XP (KB922819)
Security Update for Windows XP (KB923191)
Security Update for Windows XP (KB923414)
Security Update for Windows XP (KB923689)
Security Update for Windows XP (KB923694)
Security Update for Windows XP (KB923980)
Security Update for Windows XP (KB924191)
Security Update for Windows XP (KB924270)
Security Update for Windows XP (KB924496)
Security Update for Windows XP (KB924667)
Security Update for Windows XP (KB925486)
Security Update for Windows XP (KB925902)
Security Update for Windows XP (KB926255)
Security Update for Windows XP (KB926436)
Security Update for Windows XP (KB927779)
Security Update for Windows XP (KB927802)
Security Update for Windows XP (KB928255)
Security Update for Windows XP (KB928843)
Security Update for Windows XP (KB929123)
Security Update for Windows XP (KB930178)
Security Update for Windows XP (KB931261)
Security Update for Windows XP (KB931784)
Security Update for Windows XP (KB932168)
Security Update for Windows XP (KB935839)
Security Update for Windows XP (KB935840)
Security Update for Windows XP (KB936021)
Security Update for Windows XP (KB938829)
SEGA RALLY 2
SEMC DSS SyncStation Driver
Shockwave
SimCity 3000
Ski Park Manager
Skype 2.5
SPBBC 32bit
SpeechRedist
SpeedFan (remove only)
Studio 9
SymNet
System Requirements Lab
TeamSpeak 2 RC2
tunebite 2.2.0.3
Unreal Tournament 2004
Unreal Tournament G.O.T.Y. Edition
Update for Windows XP (KB894391)
Update for Windows XP (KB896727)
Update for Windows XP (KB898461)
Update for Windows XP (KB900485)
Update for Windows XP (KB904942)
Update for Windows XP (KB910437)
Update for Windows XP (KB916595)
Update for Windows XP (KB920872)
Update for Windows XP (KB922582)
Update for Windows XP (KB927891)
Update for Windows XP (KB929338)
Update for Windows XP (KB930916)
Update for Windows XP (KB931836)
Update for Windows XP (KB933360)
Update for Windows XP (KB938828)
USB Dual-mode Camera v200 Installation Files
Video Converter 3
VideoEgg Publisher
V-Rally version 1.0 Installer
Windows Installer 3.1 (KB893803)
Windows Installer 3.1 (KB893803)
Windows Internet Explorer 7
Windows Live Messenger
Windows Live Sign-in Assistant
Windows Media Bonus Pack for Windows XP
Windows Media Connect
Windows Media Format 11 runtime
Windows Media Format 11 runtime
Windows Media Player 11
Windows Media Player 11
Windows Media Player Playlist Import to Excel Wizard
Windows Media Player Skin Importer
Windows Media Player Tray Control
Windows XP Hotfix - KB834707
Windows XP Hotfix - KB867282
Windows XP Hotfix - KB873333
Windows XP Hotfix - KB873339
Windows XP Hotfix - KB885250
Windows XP Hotfix - KB885835
Windows XP Hotfix - KB885836
Windows XP Hotfix - KB885884
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Hotfix - KB888113
Windows XP Hotfix - KB888302
Windows XP Hotfix - KB890047
Windows XP Hotfix - KB890175
Windows XP Hotfix - KB890859
Windows XP Hotfix - KB890923
Windows XP Hotfix - KB891781
Windows XP Hotfix - KB893066
Windows XP Hotfix - KB893086
WinPcap 3.0
WinRAR archiver
Xfire (remove only)
XviD 1.1 final uninstall


I removed most Java, but I got an error when trying to uninstall Java(TM) SE Development Kit 6.

Also I'm not sure which new Java to get.

Thanks Very Much

Ben
#9
Old 30-08-2007, 03:36 PM
VopThis
Senior Member (Canada)
Re: Virus/Spyware infected

Quote:
Also I'm not sure which new Java to get.
Download the latest version of Java Runtime Environment (JRE) 6.0 Update 2 or higher, and install it to your computer.

Quote:
C:\Program Files\nmxcvgta\pybunslm.dll
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Result: 2/32 (6.25%)

C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll
AntiVir 7.4.1.66 2007.08.30 HEUR/Crypted
Webwasher-Gateway 6.0.1 2007.08.30 Heuristic.Crypted
Result: 2/32 (6.25%)
There is probably no likely useful purpose that you require from those apps. Suggest you fix:

Read over the following directions. Ask if anything appears unclear to you.

Clean out TEMPORARY FILES procedures:
To clean your temp folder, recycle bin, etc..please download this free tool:

CCleaner http://www.ccleaner.com/downloadbuilds.asp

Install Options:
  • Don't install any Toolbars, or other programs, should it ask you!
  • Just uncheck the option of installing the Yahoo toolbar.

It will put a shortcut on your Desktop.

Do not run CCleaner until requested later.

We will be restarting into Safe Mode later on in the fix and you might not be able to access the Internet. Accordingly, it is probably a good idea to print out the following directions or copy them to a text file on your desktop using NOTEPAD. Read these instructions carefully and feel free to ask if you're unsure about anything.

SELECT HijackThis FIX ITEMS: Scan with HijackThis and place a check next to these items:

O4 - HKLM\..\Run: [SRGLQNQT] rundll32.exe "C:\Program Files\nmxcvgta\pybunslm.dll",Init
O4 - HKLM\..\Run: [ahahslar] regsvr32 /u "C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll"

Make sure that all browser windows and internet links are closed, even this one!
CLICK 'FIX CHECKED' with HijackThis.

HIDDEN FILES: To make sure you can see all hidden files, please follow the directions here

SAFEMODE: Boot into safe mode by tapping the F8 key at restart and choosing 'safe mode' menu option (explained here if needed).

Delete TEMPORARY FILES: Now, use CCleaner to hunt down the most common temporary file locations and the temporary file clutter contained therein (and of possible malware hiding places):

Run CCleaner.

FIRST-TIME USE:
Select the "Options" BUTTON option (top LEFT), "Advanced" BUTTON, and then UNCHECK the "Only delete files in Windows Temp Folders older than 48 hours". Set back to default afterwards.

Select the "Cleaner" BUTTON option (top LEFT), if not already selected. Use the "Windows" TAB up front by default.
  • Uncheck "Cookies" option (advisable)
  • Optionally, Uncheck "Recently Typed URLs" option (potentially still useful)
  • Click the "Analyse" button.
  • Thereafter, click "Run Cleaner" after you have reviewed what it proposes to clean.

***** Clean out the Recycle Bin for items removed below, ONLY once you have regained the full functional use of your PC.

Navigate to these files or folders using Windows Explorer (OR Start -> Search) and delete (if present):

DELETE FILES:

C:\Documents and Settings\All Users\APPLICATION DATA\ahahslar.dll

DELETE FOLDERS:

C:\Program Files\nmxcvgta

POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
#10
Old 30-08-2007, 04:45 PM
benjamin_harris
Junior Member
Re: Virus/Spyware infected

Quote:
Originally Posted by VopThis
POST A REVISED HIJACKTHIS LOG for review:
Reboot and post a new HijackThis log with any feedback as appropriate - how things are now behaving: any new or remaining apparent issues.
Revised HiJackThis Log
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 16:39:55, on 30/08/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe

C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\HiJackThis\HiJackThis_v2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.co.uk/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1E8A6170-7264-4D0F-BEAE-D42A53123C75} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\NppBho.dll
O2 - BHO: GetRight IE Download Helper - {31FF080D-12A3-439A-A2EF-4BA95A3148E8} - C:\Program Files\GetRight\xx2gr.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar3.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\sw g.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar3.dll
O3 - Toolbar: Show Norton Toolbar - {90222687-F593-4738-B738-FBEE9C7B26DF} - C:\Program Files\Common Files\Symantec Shared\coShared\Browser\1.5\UIBHO.dll
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [osCheck] "C:\Program Files\Norton Internet Security\osCheck.exe"
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ATICCC] "C:\Program Files\ATI Technologies\ATI.ACE\cli.exe" runtime (User 'Default user')
O8 - Extra context menu item: Download with GetRight - C:\Program Files\GetRight\GRdownload.htm
O8 - Extra context menu item: Open with GetRight Browser - C:\Program Files\GetRight\GRbrowse.htm
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://www.evesham.com/
O16 - DPF: {2250C29C-C5E9-4F55-BE4E-01E45A40FCF1} (CMediaMix Object) - http://musicmix.messenger.msn.com/Medialogic.CAB
O16 - DPF: {5D6F45B3-9043-443D-A792-115447494D24} (UnoCtrl Class) - http://messenger.zone.msn.com/EN-US/.../GAME_UNO1.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary...t.cab31267.cab
O16 - DPF: {AF2E62B6-F9E1-4D4F-A10A-9DC8E6DCBCC0} (VideoEgg ActiveX Loader) - http://update.videoegg.com/Install/W...gPublisher.exe
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yaho...tocomplete.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/ge...sh/swflash.cab
O16 - DPF: {FB90BA05-66E6-4C56-BCD3-D65B0F7EBA39} (Foto.com SpeedUploader 1.0 Control) - http://express.foto.com/ActiveX/SpeedUploader.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{7FA7A03C-EDAA-4F17-91E1-832F108AF4FA}: NameServer = 62.241.162.200,62.241.163.200
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: Symantec Lic NetConnect service (CLTNetCnService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSvcHst.exe
O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\VAScanner\comHost.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: InterBase InterClient Server (InterServer) - InterBase - C:\Program Files\Borland\InterBase\InterClient\bin\interserve r.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec IS Password Validation (ISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\isPwdSvc.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: Macromedia Licensing Service - Macromedia - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - C:\Program Files\WinPcap\rpcapd.exe
O23 - Service: STI Simulator - Unknown owner - C:\WINDOWS\System32\PAStiSvc.exe (file missing)
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Symantec AppCore Service (SymAppCore) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe
O23 - Service: wampmysqld - Unknown owner - C:\Program Files\wamp\mysql\bin\mysqld-nt.exe

--
End of file - 8476 bytes

Feedback / Issues
All seems fine, no pop ups recently, and no unwanted rubbish in system tray. There was a problem (which I have had for a while now) which means when you start up, it runs the BIOS, then goes to a black screen for about 3 mins, then starts up normally. I'm not sure if it is still doing this after all this work. I will test and report back.

My C:\ drive is full of lots of files and folders, and I don't think I need them all. Can I send you a list of them and you tell me which ones I can delete? (image list at following link, sorry about the large file, 260kb)
http://xe1.biz/FILES/C_Drive_file_list.jpg

Many thanks

Ben

Last edited by benjamin_harris; 30-08-2007 at 04:53 PM.