
Vundo and Virtumonde won't go away



Justmemyownself
2008-01-29, 19:58
Vundo and Virtumonde will not go away. I even went so far as to wipe the hard drive and start over. This is my laptop that I use for work. It is very frustrating. Trend keeps popping up with the following: TROJ_VUNDO.AAH and PAK_Generic.001. S&D always finds Virtumonde.
It doesn't matter how many times I remove it or what I use to remove it, it won't go away!

here are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:12:42 PM, on 1/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Safe mode with network support

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://fww.tc.fluke.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://fww.tc.fluke.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
O4 - HKLM\..\Run: [OfficeScanNT Monitor] "C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" -HideWindow
O4 - HKLM\..\Run: [igfxtray] C:\WINNT\system32\igfxtray.exe
O4 - HKLM\..\Run: [igfxhkcmd] C:\WINNT\system32\hkcmd.exe
O4 - HKLM\..\Run: [igfxpers] C:\WINNT\system32\igfxpers.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Cisco Systems VPN Client.lnk = C:\Program Files\Cisco Systems\vpngui.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://fww.tc.fluke.com
O15 - Trusted Zone: http://*.intranet.danahertm.com
O15 - Trusted Zone: http://fnetcrm.danahertm.com
O15 - Trusted Zone: http://itsupport.danahertm.com
O15 - Trusted Zone: http://trackit.danahertm.com
O15 - Trusted Zone: http://fww.tc.fluke.com
O15 - Trusted Zone: http://it.tc.fluke.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1191867429786
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1191867410446
O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = danahertm.com
O17 - HKLM\Software\..\Telephony: DomainName = danahertm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = danahertm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = danahertm.com
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Cisco Systems, Inc. VPN Service (CVPND) - Cisco Systems, Inc. - C:\Program Files\Cisco Systems\cvpnd.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: OfficeScanNT RealTime Scan (ntrtscan) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\WINNT\system32\PSIService.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: SolidWorks Licensing Service - SolidWorks - C:\Program Files\Common Files\SolidWorks Shared\Service\SolidWorksLicensing.exe
O23 - Service: OfficeScan NT Listener (tmlisten) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
O23 - Service: OfficeScan NT Proxy Service (TmProxy) - Trend Micro Inc. - C:\Program Files\Trend Micro\OfficeScan Client\TmProxy.exe
O23 - Service: VNC Server (WinVNC) - AT&T Research Labs Cambridge - C:\Program Files\ORL\VNC\WinVNC.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe

--
End of file - 6373 bytes


-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Monday, January 28, 2008 9:11:54 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 29/01/2008
Kaspersky Anti-Virus database records: 535196
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
C:\
D:\
E:\

Scan Statistics:
Total number of scanned objects: 34591
Number of viruses found: 10
Number of infected objects: 26
Number of suspicious objects: 2
Duration of the scan process: 00:43:13

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip/v1.8.6/wbuninst.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\sgroenig\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\sgroenig\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\sgroenig\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\sgroenig\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sgroenig\Local Settings\Temp\snapsnet.exe/data0006 Infected: Trojan-Downloader.Win32.VB.ccs skipped
C:\Documents and Settings\sgroenig\Local Settings\Temp\snapsnet.exe NSIS: infected - 1 skipped
C:\Documents and Settings\sgroenig\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\sgroenig\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\sgroenig\ntuser.dat.LOG Object is locked skipped
C:\Program Files\ORL\VNC\VNCHooks.dll Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Program Files\ORL\VNC\vncviewer.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\Program Files\ORL\VNC\WinVNC.exe Infected: not-a-virus:RemoteAdmin.Win32.WinVNC.333 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{D83313CE-32DA-4846-959C-ABEE2B614266}\RP83\A0020833.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ebw skipped
C:\System Volume Information\_restore{D83313CE-32DA-4846-959C-ABEE2B614266}\RP83\change.log Object is locked skipped
C:\WINNT\Debug\Netlogon.log Object is locked skipped
C:\WINNT\Debug\PASSWD.LOG Object is locked skipped
C:\WINNT\fwloc.log Object is locked skipped
C:\WINNT\system32\afpwbtto.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\bdhatvif.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\CatRoot2\edb.log Object is locked skipped
C:\WINNT\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINNT\system32\config\AppEvent.Evt Object is locked skipped
C:\WINNT\system32\config\default Object is locked skipped
C:\WINNT\system32\config\default.LOG Object is locked skipped
C:\WINNT\system32\config\SAM Object is locked skipped
C:\WINNT\system32\config\SAM.LOG Object is locked skipped
C:\WINNT\system32\config\SecEvent.Evt Object is locked skipped
C:\WINNT\system32\config\SECURITY Object is locked skipped
C:\WINNT\system32\config\SECURITY.LOG Object is locked skipped
C:\WINNT\system32\config\software Object is locked skipped
C:\WINNT\system32\config\software.LOG Object is locked skipped
C:\WINNT\system32\config\SysEvent.Evt Object is locked skipped
C:\WINNT\system32\config\system Object is locked skipped
C:\WINNT\system32\config\system.LOG Object is locked skipped
C:\WINNT\system32\cttioksj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINNT\system32\daSgo01\daSgo011065.exe Infected: Trojan-Downloader.Win32.VB.cho skipped
C:\WINNT\system32\dremjdef.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\gaiqoqda.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINNT\system32\gamfntny.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINNT\system32\gqsthaiu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.eby skipped
C:\WINNT\system32\jtmujsqj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.dnp skipped
C:\WINNT\system32\kjgphdhk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\lcofqran.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\lcserhge.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\llppqaoi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINNT\system32\lopcutpa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINNT\system32\mewcxraq.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\selpovct.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.ao skipped
C:\WINNT\system32\souxtydb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\tmuwbtat.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bjc skipped
C:\WINNT\system32\vgocpdyl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINNT\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINNT\system32\xktnxlwr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.din skipped
D:\csc\00000001 Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
D:\System Volume Information\_restore{D83313CE-32DA-4846-959C-ABEE2B614266}\RP83\change.log Object is locked skipped

Scan process completed.


Thanks in advance for any help you can give me.

katana
2008-01-30, 15:26
Hello and welcome to the forums

My name is Katana and I will be helping you to remove any infection(s) that you may have.

Please observe these rules while we work:
1. If you don't know, stop and ask! Don't keep going on.
2. Please reply to this thread. Do not start a new topic.
3. Please continue to respond until I give you the "All Clear"
(Just because you can't see a problem doesn't mean it isn't there)

If you can do those three things, everything should go smoothly.


Please note that all instructions given are customised for this computer only; the tools used may cause damage if used on a computer with different infections.

If you think you have similar problems, please post a log in the HJT forum and wait for help.

Unless I am informed in advance, failure to post replies within 5 days will result in this thread being closed.

Is this machine used to connect to a company network?
Do you know what these relate to?
O14 - IERESET.INF: START_PAGE_URL=http://fww.tc.fluke.com
O15 - Trusted Zone: http://*.intranet.danahertm.com
O15 - Trusted Zone: http://fnetcrm.danahertm.com
O15 - Trusted Zone: http://itsupport.danahertm.com
O15 - Trusted Zone: http://trackit.danahertm.com
O15 - Trusted Zone: http://fww.tc.fluke.com
O15 - Trusted Zone: http://it.tc.fluke.com

O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = danahertm.com
O17 - HKLM\Software\..\Telephony: DomainName = danahertm.com
O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = danahertm.com
O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = danahertm.com


Fix With HJT
Close all other windows and then start HiJack This
Click Do A System Scan Only
When it has finished scanning put a check next to the following lines IF still present

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
Close ALL open windows (especially Internet Explorer!)
Now click Fix checked
Click yes to any prompts
Close HijackThis

VundoFix
Please download VundoFix.exe (http://www.atribune.org/ccount/click.php?id=4) to your desktop.
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Download and Run ComboFix (by sUBs)
Please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Post the log from ComboFix


Logs/Information to Post in Reply
Please post the following logs/Information in your reply

Company machine ?
Info on HJT lines ?
Vundo Fix log
ComboFix Log
How are things running now ?

Justmemyownself
2008-02-01, 18:51
Vundofix log:


VundoFix V6.7.7

Checking Java version...

Scan started at 8:44:53 AM 2/1/2008

Listing files found while scanning....

C:\WINNT\system32\aaufdvvi.dll
C:\WINNT\system32\aeqilopo.dll
C:\WINNT\system32\aigmnryk.dll
C:\WINNT\system32\bbixffgh.dll
C:\WINNT\system32\ivvdfuaa.ini

Beginning removal...

Attempting to delete C:\WINNT\system32\aaufdvvi.dll
C:\WINNT\system32\aaufdvvi.dll Has been deleted!

Attempting to delete C:\WINNT\system32\aeqilopo.dll
C:\WINNT\system32\aeqilopo.dll Has been deleted!

Attempting to delete C:\WINNT\system32\aigmnryk.dll
C:\WINNT\system32\aigmnryk.dll Has been deleted!

Attempting to delete C:\WINNT\system32\bbixffgh.dll
C:\WINNT\system32\bbixffgh.dll Has been deleted!

Attempting to delete C:\WINNT\system32\ivvdfuaa.ini
C:\WINNT\system32\ivvdfuaa.ini Has been deleted!

Performing Repairs to the registry.
Done!


Combofix log:

ComboFix 08-02.01.6 - sgroenig 2008-02-01 9:32:55.1 - NTFSx86 NETWORK
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.340 [GMT -8:00]
Running from: C:\Documents and Settings\sgroenig\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\WINNT\system32\adqoqiag.ini
C:\WINNT\system32\aptucpol.ini
C:\WINNT\system32\bbc5
C:\WINNT\system32\bdytxuos.ini
C:\WINNT\system32\blquhtqg.dll
C:\WINNT\system32\cttioksj.dll
C:\WINNT\system32\doc4
C:\WINNT\system32\dremjdef.dll
C:\WINNT\system32\eghrescl.ini
C:\WINNT\system32\enfqjkxo.dll
C:\WINNT\system32\envhcpus.ini
C:\WINNT\system32\eondlndt.dll
C:\WINNT\system32\evukqwed.dll
C:\WINNT\system32\eywidfhu.dll
C:\WINNT\system32\faxkblkh.dll
C:\WINNT\system32\fedjmerd.ini
C:\WINNT\system32\fficdfhf.dll
C:\WINNT\system32\frtmytki.dll
C:\WINNT\system32\fvjpfbbx.dll
C:\WINNT\system32\gaiqoqda.dll
C:\WINNT\system32\gamfntny.dll
C:\WINNT\system32\gbkisfmw.dll
C:\WINNT\system32\gdbbjaho.dll
C:\WINNT\system32\gqsthaiu.dll
C:\WINNT\system32\gqthuqlb.ini
C:\WINNT\system32\grqfpdcn.dll
C:\WINNT\system32\hcysmpjp.dll
C:\WINNT\system32\hkdavscj.dll
C:\WINNT\system32\hxbjrdgu.dll
C:\WINNT\system32\ioaqppll.ini
C:\WINNT\system32\jdeihbmm.dll
C:\WINNT\system32\jkwkccug.dll
C:\WINNT\system32\joisibxb.dll
C:\WINNT\system32\jskoittc.ini
C:\WINNT\system32\jsqfbesc.dll
C:\WINNT\system32\jtmujsqj.dll
C:\WINNT\system32\kdmsgykb.dll
C:\WINNT\system32\khdhpgjk.ini
C:\WINNT\system32\kjgphdhk.dll
C:\WINNT\system32\kqowfxpx.dll
C:\WINNT\system32\kywyxwwi.dll
C:\WINNT\system32\lcofqran.dll
C:\WINNT\system32\lcserhge.dll
C:\WINNT\system32\llppqaoi.dll
C:\WINNT\system32\lopcutpa.dll
C:\WINNT\system32\lydpcogv.ini
C:\WINNT\system32\maicapqw.dll
C:\WINNT\system32\mewcxraq.dll
C:\WINNT\system32\mmbhiedj.ini
C:\WINNT\system32\mpnrejfr.dll
C:\WINNT\system32\narqfocl.ini
C:\WINNT\system32\nirpmfyo.dll
C:\WINNT\system32\nkswamtm.dll
C:\WINNT\system32\oyfmprin.ini
C:\WINNT\system32\pac.txt
C:\WINNT\system32\prutv.ini
C:\WINNT\system32\prutv.ini2
C:\WINNT\system32\ptybkrbw.dll
C:\WINNT\system32\qldwoipl.dll
C:\WINNT\system32\rex2
C:\WINNT\system32\rwlxntkx.ini
C:\WINNT\system32\selpovct.dll
C:\WINNT\system32\souxtydb.dll
C:\WINNT\system32\supchvne.dll
C:\WINNT\system32\tatbwumt.ini
C:\WINNT\system32\tmuwbtat.dll
C:\WINNT\system32\tpaxorrx.dll
C:\WINNT\system32\ugdrjbxh.ini
C:\WINNT\system32\uhfdiwye.ini
C:\WINNT\system32\uiahtsqg.ini
C:\WINNT\system32\uywndvsv.dll
C:\WINNT\system32\vgocpdyl.dll
C:\WINNT\system32\vilyjdso.dll
C:\WINNT\system32\vsvdnwyu.ini
C:\WINNT\system32\vturp.dll
C:\WINNT\system32\wlxtrsit.dll
C:\WINNT\system32\wmfsikbg.ini
C:\WINNT\system32\wqpaciam.ini
C:\WINNT\system32\xajebkbd.dll
C:\WINNT\system32\xenkvuir.dll
C:\WINNT\system32\xktnxlwr.dll
C:\WINNT\system32\xlahhpwr.dll
C:\WINNT\system32\xpxfwoqk.tmp
C:\WINNT\system32\ybmgdubw.dll
C:\WINNT\system32\yeyfwqae.dll
C:\WINNT\system32\yyymgaux.dll
C:\WINNT\wbun.exe

----- BITS: Possible infected sites -----

hxxp://dtmevtsvsm02.danahertm.com:80
.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2008-01-01 to 2008-02-01 )))))))))))))))))))))))))))))))
.

2008-02-01 08:44 . 2008-02-01 08:44 <DIR> d-------- C:\VundoFix Backups
2008-01-30 13:33 . 2008-01-30 13:33 <DIR> d-------- C:\Documents and Settings\sgroenig\Application Data\Apple Computer
2008-01-28 19:12 . 2008-01-28 19:12 <DIR> d-------- C:\WINNT\system32\Kaspersky Lab
2008-01-28 19:12 . 2008-01-28 19:12 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-01-25 14:53 . 2007-09-10 13:50 204,848 --a------ C:\WINNT\system32\gswin32c.exe
2008-01-25 14:53 . 2007-09-10 13:50 51,604 --a------ C:\WINNT\system32\Adist5k.ppd
2008-01-25 14:39 . 2008-01-25 14:39 <DIR> d-------- C:\Program Files\Investintech.com Inc
2008-01-22 08:00 . 2008-01-25 11:05 44,656 --a------ C:\WINNT\system32\GDIPFONTCACHEV1.DAT
2008-01-22 07:57 . 2008-01-22 07:57 294 ---hs---- C:\WINNT\system32\htlaxnoj.ini
2008-01-21 13:28 . 2008-01-21 13:28 <DIR> d-------- C:\Documents and Settings\sgroenig\Application Data\AdobeUM
2008-01-16 09:28 . 2001-08-17 13:56 7,552 --a------ C:\WINNT\system32\drivers\SONYPVU1.SYS
2008-01-14 11:30 . 2008-01-29 13:25 4,194,308 --a------ C:\WINNT\fw.log.old
2008-01-11 08:39 . 2008-02-01 08:40 13,422 --a------ C:\WINNT\BM5f99ba9b.xml
2008-01-11 08:39 . 2008-01-11 08:39 294 --ahs---- C:\WINNT\system32\ottbwpfa.ini
2008-01-11 08:38 . 2008-02-01 08:26 22 --a------ C:\WINNT\pskt.ini
2008-01-10 11:54 . 2008-01-10 11:54 <DIR> d-------- C:\WINNT\Sun
2008-01-10 11:52 . 2007-09-24 23:31 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-01-10 11:50 . 2008-01-10 11:50 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-08 08:36 . 2008-01-08 08:36 294 --ahs---- C:\WINNT\system32\fivtahdb.ini
2008-01-07 08:18 . 2008-01-21 07:23 10,752 --a------ C:\WINNT\DCEBoot.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-29 02:57 --------- d-----w C:\Program Files\Cisco Systems
2008-01-29 02:56 --------- d-----w C:\Program Files\Trend Micro
2008-01-22 16:30 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-21 21:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Autodesk
2008-01-14 18:15 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-01-10 19:52 --------- d-----w C:\Program Files\Java
2008-01-10 19:42 --------- d-----w C:\Program Files\Corel
2008-01-10 19:42 --------- d-----w C:\Documents and Settings\sgroenig\Application Data\Corel
2008-01-03 20:08 74,088 ----a-w C:\Documents and Settings\sgroenig\Application Data\GDIPFONTCACHEV1.DAT
2007-12-18 00:14 --------- d-----w C:\Program Files\QuickTime
2007-12-18 00:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-18 00:07 --------- d-----w C:\Program Files\Apple Software Update
2007-12-18 00:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2007-12-13 18:25 --------- d-----w C:\Documents and Settings\sgroenig\Application Data\AdwareAlert
2007-12-13 17:01 --------- d-----w C:\Program Files\CCleaner
2007-12-04 23:44 --------- d-----w C:\Program Files\Windows Imaging
2007-10-11 00:10 92,064 ----a-w C:\Documents and Settings\sgroenig\mqdmmdm.sys
2007-10-11 00:10 9,232 ----a-w C:\Documents and Settings\sgroenig\mqdmmdfl.sys
2007-10-11 00:10 79,328 ----a-w C:\Documents and Settings\sgroenig\mqdmserd.sys
2007-10-11 00:10 66,656 ----a-w C:\Documents and Settings\sgroenig\mqdmbus.sys
2007-10-11 00:10 6,208 ----a-w C:\Documents and Settings\sgroenig\mqdmcmnt.sys
2007-10-11 00:10 5,936 ----a-w C:\Documents and Settings\sgroenig\mqdmwhnt.sys
2007-10-11 00:10 4,048 ----a-w C:\Documents and Settings\sgroenig\mqdmcr.sys
2007-10-11 00:10 25,600 ----a-w C:\Documents and Settings\sgroenig\usbsermptxp.sys
2007-10-11 00:10 22,768 ----a-w C:\Documents and Settings\sgroenig\usbsermpt.sys
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000B2BAA-FFFF-49F0-970E-DCF1915E04D6}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0694A26F-B7E6-4D6C-8F52-7F7CA433ABEC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0c7388a2-4f01-4a83-af5a-bf592d63a857}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11B082E0-1A39-4FFB-AFC4-861568141857}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1756ebad-cda7-4b1d-831f-e7f9cb8341b3}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B292397-B4F9-4E42-8DB1-A05C8902E735}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B77BE6D-EB90-4B07-9CDE-C198824EDBB4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34F4F42F-5949-4494-AA30-38AC6C04FB7A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CDFC962-44B9-4A6F-8F9B-D64E7E8C28B0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7976CA7C-044C-4B49-994E-8D84F6BB893A}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D4397F1-4FFF-4C2B-BB72-073DCD286CC1}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DBAA8AD-60F2-4DF3-B872-B191E4B4F255}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2853831-5A29-47C9-9C3C-75B1C36BFE23}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7CD1CC9-1FDC-4426-AF28-7258CB5B0001}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B735F19D-1346-482E-A957-9387F9F25D7F}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC5FB770-8BD8-4A39-AE88-B15B1174592D}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E680F53D-06B8-4089-8EEF-CE1FD23C6694}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F150D2F5-937F-48E9-ACC5-0BDA02BBC9D0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F36A7D78-2B94-43A2-9880-41F2B3577225}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINNT\system32\ctfmon.exe" [2004-08-04 00:56 15360]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2007-08-31 15:46 1460560]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OfficeScanNT Monitor"="C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe" [2007-09-06 19:45 710000]
"igfxtray"="C:\WINNT\system32\igfxtray.exe" [2006-09-15 16:53 94208]
"igfxhkcmd"="C:\WINNT\system32\hkcmd.exe" [2006-09-15 16:50 77824]
"igfxpers"="C:\WINNT\system32\igfxpers.exe" [2006-09-15 16:54 118784]
"Apoint"="C:\Program Files\Apoint\Apoint.exe" [2005-10-07 14:13 176128]
"IntelZeroConfig"="C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe" [2006-08-01 23:38 802816]
"IntelWireless"="C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe" [2006-08-01 23:32 696320]
"ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 15:50 221184]
"ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 15:50 81920]
"PDVDDXSrv"="C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2006-10-20 16:23 118784]
"HP Component Manager"="C:\Program Files\HP\hpcoretech\hpcmpmgr.exe" [2003-12-22 07:38 241664]
"HPDJ Taskbar Utility"="C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe" [2006-01-13 16:38 172032]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-10-10 18:51 39792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"Btn_Back"= 0 (0x0)
"Btn_Forward"= 0 (0x0)
"Btn_Stop"= 0 (0x0)
"Btn_Refresh"= 0 (0x0)
"Btn_Home"= 0 (0x0)
"Btn_Search"= 0 (0x0)
"Btn_History"= 0 (0x0)
"Btn_Favorites"= 0 (0x0)
"Btn_Media"= 0 (0x0)
"Btn_Folders"= 0 (0x0)
"Btn_Fullscreen"= 0 (0x0)
"Btn_Tools"= 0 (0x0)
"Btn_MailNews"= 0 (0x0)
"Btn_Size"= 0 (0x0)
"Btn_Print"= 0 (0x0)
"Btn_Edit"= 0 (0x0)
"Btn_Discussions"= 0 (0x0)
"Btn_Cut"= 0 (0x0)
"Btn_Copy"= 0 (0x0)
"Btn_Paste"= 0 (0x0)
"Btn_Encoding"= 0 (0x0)
"Btn_PrintPreview"= 0 (0x0)
"NoFavoritesMenu"= 0 (0x0)
"NoLogoff"= 0 (0x0)
"NoSetFolders"= 0 (0x0)
"NoTrayContextMenu"= 0 (0x0)
"EnforceShellExtensionSecurity"= 0 (0x0)
"NoDeletePrinter"= 0 (0x0)
"NoAddPrinter"= 0 (0x0)
"NoPrinterTabs"= 0 (0x0)

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{56F9679E-7826-4C84-81F3-532071A8BCC5}"= C:\Program Files\Windows Desktop Search\MSNLNamespaceMgr.dll [2006-03-13 13:11 233472]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklllm]
jkklllm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqonno]
urqonno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\0\0]
"Script"=renameEmergency.vbs

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\Machine\Scripts\Startup\1\0]
"Script"=AddEvtAdmin.cmd

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Windows Desktop Search.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Windows Desktop Search.lnk
backup=C:\WINNT\pss\Windows Desktop Search.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^WinZip Quick Pick.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk
backup=C:\WINNT\pss\WinZip Quick Pick.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Corel Photo Downloader]
C:\Program Files\Common Files\Corel\Corel PhotoDownloader\Corel Photo Downloader.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DLA]
--a------ 2005-09-08 04:20 122940 C:\WINNT\System32\DLA\DLACTRLW.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
--a------ 2006-01-13 16:38 49152 C:\Program Files\Hewlett-Packard\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2007-12-11 10:56 286720 C:\Program Files\QuickTime\QTTask.exe

R2 CcmExec;SMS Agent Host;C:\WINNT\system32\CCM\CcmExec.exe [2007-08-16 04:00]
R3 GTIPCI21;GTIPCI21;C:\WINNT\system32\DRIVERS\gtipci21.sys [2005-05-31 11:46]
R3 prepdrvr;SMS Process Event Driver;C:\WINNT\system32\CCM\prepdrv.sys [2007-08-16 04:00]
R3 smsmdd;smsmdd;C:\WINNT\system32\DRIVERS\smsmdm.sys [2007-06-26 04:00]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINNT\system32\DRIVERS\motmodem.sys [2007-02-27 13:31]
S3 smstsmgr;SMS Task Sequence Agent;C:\WINNT\system32\CCM\TSManager.exe [2007-08-16 04:00]

.
Contents of the 'Scheduled Tasks' folder
"2008-01-09 11:00:00 C:\WINNT\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
"2007-12-18 00:08:12 C:\WINNT\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-01 09:38:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINNT\System32\SCardSvr.exe
C:\Program Files\Cisco Systems\cvpnd.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Trend Micro\OfficeScan Client\ntrtscan.exe
C:\WINNT\system32\PSIService.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\Program Files\Trend Micro\OfficeScan Client\tmlisten.exe
C:\WINNT\system32\CCM\CcmExec.exe
C:\WINNT\system32\msiexec.exe
C:\Program Files\Trend Micro\OfficeScan Client\CNTAoSMgr.exe
C:\WINNT\TEMP\TN4845.EXE
C:\Program Files\Trend Micro\OfficeScan Client\Pccntmon.exe
C:\WINNT\system32\hkcmd.exe
C:\WINNT\system32\igfxpers.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINNT\system32\spool\drivers\w32x86\3\hpztsb10.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Apoint\HidFind.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\HP\hpcoretech\comp\hptskmgr.exe
.
**************************************************************************
.
Completion time: 2008-02-01 9:43:59 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-01 17:43:33

Answers:

Yes... this is my company laptop. I have administrative rights because I do the same things on my machine that IT would do... so they just let me do it.

Anything referring to Danaher or Fluke is company related; those are company settings for my internal server access.

So far, so good... the computer is running much faster now and TeaTimer is not going haywire.:eek::heart:

katana
2008-02-01, 22:07
The following program(s) are regarded as either "Rogue", being bundled with "Adware", or having dubious reputations:

AdwareAlert (http://www.spywarewarrior.com/rogue_anti-spyware.htm) << Used to be listed as Rogue

I recommend that you remove it via Add/Remove Programs.


Disable Teatimer
First step: Right-click the Spybot Icon in the System Tray (looks like a blue/white calendar with a padlock symbol)
If you have the new version 1.5, click once on Resident Protection, then right-click the Spybot icon again and make sure Resident Protection is now unchecked. The Spybot icon in the System Tray should now be colorless.
If you have Version 1.4, click on Exit Spybot S&D Resident.
Second step, for either version: Open Spybot S&D
Click Mode, choose Advanced Mode
Go to the bottom of the vertical panel on the left, click Tools
then, also in the left panel, click Resident (shows a red/white shield).
If your firewall raises a question, say OK
In the Resident protection status frame, Uncheck the box labeled Resident "Tea-Timer"(Protection of over-all system settings) active
OK any prompts.
Use File, Exit to terminate Spybot
Reboot your machine for the changes to take effect.


Installed Programs
Please could you give me a list of the programs that are installed.
Start HijackThis
Click on the Config button
Click on the Misc Tools button
Click on the Open Uninstall Manager button.

You will see a list of the programs installed on your computer.
Click on the Save list button and specify where you would like to save this file.
When you press the Save button, Notepad will open with the contents of that file.
Simply copy and paste the contents of that Notepad window into your next post.

Custom CFScript

Please open Notepad (Start -> Run -> type notepad in the Open field -> OK) and copy and paste the text present inside the code box below:



File::
C:\WINNT\system32\htlaxnoj.ini
C:\WINNT\system32\ottbwpfa.ini
C:\WINNT\pskt.ini
C:\WINNT\system32\fivtahdb.ini
C:\WINNT\system32\dremjdef.dll
C:\WINNT\system32\gaiqoqda.dll
C:\WINNT\system32\gamfntny.dll
C:\WINNT\system32\gqsthaiu.dll
C:\WINNT\system32\jtmujsqj.dll
C:\WINNT\system32\kjgphdhk.dll
C:\WINNT\system32\lcofqran.dll
C:\WINNT\system32\lcserhge.dll
C:\WINNT\system32\llppqaoi.dll
C:\WINNT\system32\lopcutpa.dll
C:\WINNT\system32\mewcxraq.dll
C:\WINNT\system32\selpovct.dll
C:\WINNT\system32\souxtydb.dll
C:\WINNT\system32\tmuwbtat.dll
C:\WINNT\system32\vgocpdyl.dll
C:\WINNT\system32\xktnxlwr.dll
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\WebBuyingAssistant.zip
C:\Documents and Settings\sgroenig\Local Settings\Temp\snapsnet.exe
C:\WINNT\system32\afpwbtto.dll
C:\WINNT\system32\bdhatvif.dll
C:\WINNT\system32\cttioksj.dll
Folder::
C:\WINNT\system32\daSgo01

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{000B2BAA-FFFF-49F0-970E-DCF1915E04D6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0694A26F-B7E6-4D6C-8F52-7F7CA433ABEC}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0c7388a2-4f01-4a83-af5a-bf592d63a857}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{11B082E0-1A39-4FFB-AFC4-861568141857}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1756ebad-cda7-4b1d-831f-e7f9cb8341b3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1B292397-B4F9-4E42-8DB1-A05C8902E735}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2B77BE6D-EB90-4B07-9CDE-C198824EDBB4}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{34F4F42F-5949-4494-AA30-38AC6C04FB7A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6CDFC962-44B9-4A6F-8F9B-D64E7E8C28B0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7976CA7C-044C-4B49-994E-8D84F6BB893A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D4397F1-4FFF-4C2B-BB72-073DCD286CC1}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{8DBAA8AD-60F2-4DF3-B872-B191E4B4F255}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2853831-5A29-47C9-9C3C-75B1C36BFE23}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A74F3FC3-CC9A-4D4C-AFB5-B56F0CAA445D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A7CD1CC9-1FDC-4426-AF28-7258CB5B0001}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AEBF6926-DBA6-4100-A838-1CED0169AB78}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B735F19D-1346-482E-A957-9387F9F25D7F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BC5FB770-8BD8-4A39-AE88-B15B1174592D}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E680F53D-06B8-4089-8EEF-CE1FD23C6694}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F150D2F5-937F-48E9-ACC5-0BDA02BBC9D0}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F36A7D78-2B94-43A2-9880-41F2B3577225}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklllm]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqonno]
ADS::
Save this as CFScript.txt and place it on your desktop.


http://i51.photobucket.com/albums/f387/Katana_1970/CFScript.gif


Referring to the screenshot above, drag CFScript.txt into ComboFix.exe.
ComboFix will now run a scan on your system. It may reboot your system when it finishes. This is normal.
When finished, it will produce a log for you. Copy and paste the contents of the log in your next reply.


CAUTION: Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

Please post a fresh HJT log along with the other logs
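As an added example (not from this thread, and not ComboFix's own code), here is a small Python script that pulls the Winlogon\Notify entries out of a ComboFix log in the format shown above, flags the ones that are not on an allowlist of entries normally present on Windows XP SP2, and writes the matching File:: and Registry:: lines in the CFScript format used in this reply. The sample log lines, the allowlist and the system32 path are constructed assumptions for the example.

```python
import re

# Key prefix exactly as ComboFix prints it in the log above.
NOTIFY_KEY = r"HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify"
_KEY_RE = re.compile(r"^\[" + re.escape(NOTIFY_KEY) + r"\\([^\]\\]+)\]$", re.IGNORECASE)

# Assumption: a constructed allowlist of Winlogon\Notify subkeys that are normal on
# an XP SP2 box (plus Intel's igfxcui). Vundo adds subkeys with random 7-letter names.
KNOWN_GOOD = {"crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
              "sclgntfy", "senslogn", "termsrv", "wlballoon", "igfxcui"}

# Constructed sample in the layout ComboFix uses: key on one line, DLL on the next.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\jkklllm]
jkklllm.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqonno]
urqonno.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\igfxcui]
igfxdev.dll
"""

def parse_notify_entries(log_text):
    """Return (subkey, dll) pairs for every Winlogon\\Notify key in the log."""
    entries = []
    lines = log_text.splitlines()
    for i, line in enumerate(lines):
        m = _KEY_RE.match(line.strip())
        if not m:
            continue
        dll = lines[i + 1].strip() if i + 1 < len(lines) else ""
        entries.append((m.group(1), dll))
    return entries

def suspicious_entries(entries, known_good=KNOWN_GOOD):
    """Keep only the subkeys that are not on the allowlist."""
    return [(k, d) for k, d in entries if k.lower() not in known_good]

def build_cfscript(entries, system32=r"C:\WINNT\system32"):
    """Emit File:: and Registry:: sections in the CFScript format used in this thread."""
    out = ["File::"] + [f"{system32}\\{d}" for _, d in entries if d]
    out += ["", "Registry::"] + [f"[-{NOTIFY_KEY}\\{k}]" for k, _ in entries]
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    print(build_cfscript(suspicious_entries(parse_notify_entries(SAMPLE_LOG))))
```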