PDA

View Full Version : i think i have been affected by virtumonde



joakim900
2008-02-24, 16:21
I have followed the steps in the "before you post" thread, and the spybot S&D scan showed that i was infected by virtumonde.

Here are the reports to provide:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Sunday, February 24, 2008 12:35:53 AM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 23/02/2008
Kaspersky Anti-Virus database records: 577049
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 43865
Number of viruses found: 5
Number of infected objects: 37
Number of suspicious objects: 2
Duration of the scan process: 00:33:58

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy\Recovery\Virtumondeddc2.zip/ukwoqies.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy\Recovery\Virtumondeddc2.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\Joakim H. Johansen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Logg\History.IE5\MSHist012008022320080224\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Programdata\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Temp\~DF8D2E.tmp Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Temp\~DFD88.tmp Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\ntuser.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\UserData\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temp\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP1\A0000009.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP1\A0000022.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP1\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{5FD28F56-2A85-4F18-80A4-FABC0F41AD7D}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\amdpbiwj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\ckcxjmja.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\dcmgsdvk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\dntgkwoh.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\dxlldqlc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\eagqjggl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\edsrsyoc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\fahbcfqp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\fiipvjch.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gaushxyi.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ggemdgve.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gkmegtyk.dll Infected: Trojan.Win32.Pakes.bwd skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\joxeknld.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\khsqpuam.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\llaunkml.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\lnnhvtby.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\muvqddtb.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\WINDOWS\system32\niifberr.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\WINDOWS\system32\niirjdmy.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\omgrcgny.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ppaomgfd.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\WINDOWS\system32\qcmakfsu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\qosbnbme.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\rtjbwjwl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\srsqersx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\tehudvcn.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\tgftoykb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\ujrjcumf.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\uotvtuuu.dll Infected: not-a-virus:AdWare.Win32.SuperJuan.is skipped
C:\WINDOWS\system32\vreefoxm.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\system32\wopctfdj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wxfdypgr.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\xlrkqhkv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\xqlxbjvo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\xrvuyusl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP1\change.log Object is locked skipped
G:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
G:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP1\change.log Object is locked skipped

Scan process completed.




Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 15:08, on 24.02.08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
E:\Giant antispy\gcasServ.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
E:\Giant antispy\gcasDtServ.exe
C:\Programfiler\Browser Mouse\moffice.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
E:\Spybot - Search & Destroy\TeaTimer.exe
C:\Programfiler\Office Keyboard Driver\PS2USBKbdDrv.exe
C:\Programfiler\Browser Mouse\MOUSE32A.EXE
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://wow.allakhazam.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A69FE53-2B35-43A7-BF08-03B3849B40DF} - (no file)
O2 - BHO: (no name) - {4D20D365-D9E0-41E4-9BDD-12080E786759} - (no file)
O2 - BHO: (no name) - {4E6A322E-532A-4488-92E7-AC1257DEAED1} - (no file)
O2 - BHO: (no name) - {531ED65A-6873-4FCB-8A0A-8D1C53FC9D54} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7575957D-83F9-4868-9A8E-1D5A8524C3D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {81CC4ECE-306B-4ED3-AD8E-D15A88363CDF} - (no file)
O2 - BHO: (no name) - {86DDEDC0-C785-4FCE-A22D-8522B0958833} - (no file)
O2 - BHO: (no name) - {8F2D8267-F42C-4181-9B67-4BE15C231FE7} - (no file)
O2 - BHO: (no name) - {94E8765A-096C-4E38-8801-74F7F128B1A1} - (no file)
O2 - BHO: (no name) - {A87CAFD0-AC7B-4F7D-A595-211D7F27AFED} - (no file)
O2 - BHO: (no name) - {AA2441E1-C226-4DC4-B111-E5A3A4A57A00} - (no file)
O2 - BHO: (no name) - {ABB68206-5154-47D3-ABC5-611C1658ABA0} - (no file)
O2 - BHO: (no name) - {AFCB72CA-ABB0-43FF-8872-810B5986F1F7} - (no file)
O2 - BHO: (no name) - {B50F955F-59D2-45A6-A769-FD4F1F13D2F8} - (no file)
O2 - BHO: (no name) - {B7CE528B-7EA6-4491-B29A-873DE0C11337} - (no file)
O2 - BHO: (no name) - {BACB9817-1907-42A6-85C8-1EB1F7DF2A3F} - (no file)
O2 - BHO: (no name) - {BD330411-8998-45CD-A4E5-0818D646643C} - (no file)
O2 - BHO: (no name) - {DC5FDA44-0419-427C-A001-1F4CA204A424} - (no file)
O2 - BHO: (no name) - {E3D818EC-EBA8-4002-B605-7BFB41703CA1} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {F99B5340-D4ED-46FE-8A6E-8451217F88E6} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [gcasServ] "E:\Giant antispy\gcasServ.exe"
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programfiler\Office Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [MEDIAMOUSE] C:\Programfiler\Browser Mouse\moffice.exe
O4 - HKLM\..\Run: [bcc21b4a] rundll32.exe "C:\WINDOWS\system32\atremghi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] E:\Spybot - Search & Destroy\TeaTimer.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: iifdaax - iifdaax.dll (file missing)
O20 - Winlogon Notify: winzzd32 - winzzd32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6918 bytes

pskelley
2008-02-24, 23:18
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do.

Looks like you have been fighting this infection for a bit, please read and follow the directions I am posting.

1) E:\Giant antispy\ <<< uninstall this program, it has been obsolete for a good while.

2) Follow these instructions, install in the default location:
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

3) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

3) C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy\Recovery\ <<< delete the contents of the folder in red
http://ict.cas.psu.edu/training/howto/util/removespybot.htm#1

4) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

5) Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop

Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply

Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks
Thanks

joakim900
2008-02-25, 23:48
I think i have followed the steps pretty carefull.

and here are the logs:



ComboFix 08-02-25.3 - Joakim H. Johansen 2008-02-25 22:31:31.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1044.18.686 [GMT 1:00]
Running from: C:\Documents and Settings\Joakim H. Johansen\Skrivebord\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\ijllm.ini
C:\WINDOWS\system32\ijllm.ini2
C:\WINDOWS\system32\qcmakfsu.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\nm


((((((((((((((((((((((((( Files Created from 2008-01-25 to 2008-02-25 )))))))))))))))))))))))))))))))
.

2008-02-25 21:59 . 2008-02-25 21:59 <DIR> d-------- C:\VundoFix Backups
2008-02-24 15:36 . 2008-02-24 15:36 <DIR> d-------- C:\Programfiler\Fellesfiler\Blizzard Entertainment
2008-02-24 14:39 . 2003-01-04 14:19 <DIR> dr------- C:\Documents and Settings\Administrator\Start-meny
2008-02-24 14:39 . 2003-01-04 14:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Skrivere
2008-02-24 14:39 . 2003-01-04 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Skrivebord
2008-02-24 14:39 . 2003-01-04 14:19 <DIR> d--h----- C:\Documents and Settings\Administrator\Siste
2008-02-24 14:39 . 2003-01-04 14:19 <DIR> dr-h----- C:\Documents and Settings\Administrator\Programdata
2008-02-24 14:39 . 2003-01-04 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Mine dokumenter
2008-02-24 14:39 . 2007-07-02 16:29 <DIR> d--h----- C:\Documents and Settings\Administrator\Maler
2008-02-24 14:39 . 2008-01-05 13:24 <DIR> d--h----- C:\Documents and Settings\Administrator\Lokale innstillinger
2008-02-24 14:39 . 2003-01-04 14:19 <DIR> d-------- C:\Documents and Settings\Administrator\Favoritter
2008-02-24 14:39 . 2003-01-04 14:19 <DIR> d--h----- C:\Documents and Settings\Administrator\AndrMask
2008-02-23 23:35 . 2008-02-23 23:35 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-23 23:35 . 2008-02-23 23:35 <DIR> d-------- C:\Documents and Settings\All Users\Programdata\Kaspersky Lab
2008-02-23 23:17 . 2008-02-23 23:17 294 ---hs---- C:\WINDOWS\system32\ywrnaudq.ini
2008-02-23 23:03 . 2008-02-23 23:02 691,545 --a------ C:\WINDOWS\unins000.exe
2008-02-19 01:21 . 2008-02-23 23:03 5,566 --a------ C:\WINDOWS\unins000.dat
2008-02-18 17:54 . 2008-02-23 22:54 <DIR> d-------- C:\WINDOWS\NV40524056.TMP
2008-02-18 17:52 . 2008-02-18 17:52 <DIR> d-------- C:\NVIDIA

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-25 21:15 --------- d-----w C:\Documents and Settings\All Users\Programdata\Spybot - Search & Destroy
2008-02-23 21:53 --------- d-----w C:\Documents and Settings\Joakim H. Johansen\Programdata\dvdcss
2008-01-06 23:02 --------- d-----w C:\Programfiler\MSXML 6.0
2008-01-05 12:08 --------- d-----w C:\Programfiler\MSBuild
2008-01-05 12:02 --------- d-----w C:\Programfiler\Reference Assemblies
2007-12-29 20:55 --------- d-----w C:\Documents and Settings\Joakim H. Johansen\Programdata\Hamachi
2007-12-12 17:23 180,224 ----a-w C:\WINDOWS\UninstallWSST.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3D818EC-EBA8-4002-B605-7BFB41703CA1}]
C:\WINDOWS\system32\mllji.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"SoundMan"="SOUNDMAN.EXE" [2005-10-24 07:45 90112 C:\WINDOWS\soundman.exe]
"SunJavaUpdateSched"="C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11 132496]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-03-27 08:26 8425472]
"WireLessKeyboard"="C:\Programfiler\Office Keyboard Driver\StartAutorun.exe" [2005-11-30 11:48 94208]
"MEDIAMOUSE"="C:\Programfiler\Browser Mouse\moffice.exe" [2007-07-02 17:07 806912]
"bcc21b4a"="C:\WINDOWS\system32\atremghi.dll" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\iifdaax]
iifdaax.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winzzd32]
winzzd32.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Programfiler\\MSN Messenger\\msnmsgr.exe"=
"C:\\Programfiler\\MSN Messenger\\livecall.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"E:\\Bit Lord\\BitLord.exe"=
"E:\\World of Warcraft\\BackgroundDownloader.exe"=
"E:\\Counter-Strike 1.6\\hl.exe"=
"E:\\Hamachi\\hamachi.exe"=
"E:\\Diablo 2\\Loader 1.11b.exe"=
"E:\\Counter-Strike 1.6\\hlds.exe"=
"E:\\Heroes of Might and Magic III Complete\\Heroes3.exe"=
"C:\\WINDOWS\\system32\\dplaysvr.exe"=

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
"8584:TCP"= 8584:TCP:BitComet 8584 TCP
"8584:UDP"= 8584:UDP:BitComet 8584 UDP
"3724:TCP"= 3724:TCP:Blizzard Downloader: 3724
"17771:UDP"= 17771:UDP:Hamachi
"6112:TCP"= 6112:TCP:Blizzard Downloader
"6881:TCP"= 6881:TCP:Blizzard Downloader
"6999:TCP"= 6999:TCP:Blizzard downloader

R3 KEYBOARDWDFilter;KEYBOARDWDFilter;C:\WINDOWS\System32\Drivers\KEYBOARDWD.SYS [2006-08-08 19:57]
R3 moufiltr;Mouse Filter Driver;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2007-07-02 17:07]

.
Contents of the 'Scheduled Tasks' folder
"2007-12-12 20:13:45 C:\WINDOWS\Tasks\RegSweep Scheduled Scan.job"
- C:\Programfiler\RegSweep\RegSweep.ex
- C:\Programfiler\RegSweep
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-25 22:34:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
E:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Programfiler\Office Keyboard Driver\PS2USBKbdDrv.exe
C:\Programfiler\Browser Mouse\MOUSE32A.EXE
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
.
**************************************************************************
.
Completion time: 2008-02-25 22:34:50 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-25 21:34:47
.
2008-02-23 22:14:23 --- E O F ---






VundoFix V6.7.9

Checking Java version...

Sun Java not detected
Scan started at 21:59:56 25.02.08

Listing files found while scanning....

C:\WINDOWS\system32\ajmjxckc.ini
C:\WINDOWS\system32\amdpbiwj.dll
C:\WINDOWS\system32\ckcxjmja.dll
C:\WINDOWS\system32\dcmgsdvk.dll
C:\WINDOWS\system32\dntgkwoh.dll
C:\WINDOWS\system32\dxlldqlc.dll
C:\WINDOWS\system32\eagqjggl.dll
C:\WINDOWS\system32\edsrsyoc.dll
C:\WINDOWS\system32\fahbcfqp.dll
C:\WINDOWS\system32\fiipvjch.dll
C:\WINDOWS\system32\gaushxyi.dll
C:\WINDOWS\system32\ggemdgve.dll
C:\WINDOWS\system32\gkmegtyk.dll
C:\WINDOWS\system32\joxeknld.dll
C:\WINDOWS\system32\khsqpuam.dll
C:\WINDOWS\system32\llaunkml.dll
C:\WINDOWS\system32\lnnhvtby.dll
C:\WINDOWS\system32\muvqddtb.dll
C:\WINDOWS\system32\niifberr.dll
C:\WINDOWS\system32\niirjdmy.dll
C:\WINDOWS\system32\omgrcgny.dll
C:\WINDOWS\system32\ppaomgfd.dll
C:\WINDOWS\system32\qduanrwy.dll
C:\WINDOWS\system32\qosbnbme.dll
C:\WINDOWS\system32\rtjbwjwl.dll
C:\WINDOWS\system32\srsqersx.dll
C:\WINDOWS\system32\tehudvcn.dll
C:\WINDOWS\system32\tgftoykb.dll
C:\WINDOWS\system32\ujrjcumf.dll
C:\WINDOWS\system32\uotvtuuu.dll
C:\WINDOWS\system32\vqlyrxnp.dll
C:\WINDOWS\system32\vreefoxm.dll
C:\WINDOWS\system32\wopctfdj.dll
C:\WINDOWS\system32\wxfdypgr.dll
C:\WINDOWS\system32\xlrkqhkv.dll
C:\WINDOWS\system32\xqlxbjvo.dll
C:\WINDOWS\system32\xrvuyusl.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\ajmjxckc.ini
C:\WINDOWS\system32\ajmjxckc.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\amdpbiwj.dll
C:\WINDOWS\system32\amdpbiwj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ckcxjmja.dll
C:\WINDOWS\system32\ckcxjmja.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dcmgsdvk.dll
C:\WINDOWS\system32\dcmgsdvk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dntgkwoh.dll
C:\WINDOWS\system32\dntgkwoh.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dxlldqlc.dll
C:\WINDOWS\system32\dxlldqlc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\eagqjggl.dll
C:\WINDOWS\system32\eagqjggl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\edsrsyoc.dll
C:\WINDOWS\system32\edsrsyoc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fahbcfqp.dll
C:\WINDOWS\system32\fahbcfqp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fiipvjch.dll
C:\WINDOWS\system32\fiipvjch.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gaushxyi.dll
C:\WINDOWS\system32\gaushxyi.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ggemdgve.dll
C:\WINDOWS\system32\ggemdgve.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gkmegtyk.dll
C:\WINDOWS\system32\gkmegtyk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\joxeknld.dll
C:\WINDOWS\system32\joxeknld.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khsqpuam.dll
C:\WINDOWS\system32\khsqpuam.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\llaunkml.dll
C:\WINDOWS\system32\llaunkml.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\lnnhvtby.dll
C:\WINDOWS\system32\lnnhvtby.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\muvqddtb.dll
C:\WINDOWS\system32\muvqddtb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\niifberr.dll
C:\WINDOWS\system32\niifberr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\niirjdmy.dll
C:\WINDOWS\system32\niirjdmy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\omgrcgny.dll
C:\WINDOWS\system32\omgrcgny.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ppaomgfd.dll
C:\WINDOWS\system32\ppaomgfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qduanrwy.dll
C:\WINDOWS\system32\qduanrwy.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qosbnbme.dll
C:\WINDOWS\system32\qosbnbme.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtjbwjwl.dll
C:\WINDOWS\system32\rtjbwjwl.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\srsqersx.dll
C:\WINDOWS\system32\srsqersx.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tehudvcn.dll
C:\WINDOWS\system32\tehudvcn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tgftoykb.dll
C:\WINDOWS\system32\tgftoykb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ujrjcumf.dll
C:\WINDOWS\system32\ujrjcumf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\uotvtuuu.dll
C:\WINDOWS\system32\uotvtuuu.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vqlyrxnp.dll
C:\WINDOWS\system32\vqlyrxnp.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vreefoxm.dll
C:\WINDOWS\system32\vreefoxm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wopctfdj.dll
C:\WINDOWS\system32\wopctfdj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wxfdypgr.dll
C:\WINDOWS\system32\wxfdypgr.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xlrkqhkv.dll
C:\WINDOWS\system32\xlrkqhkv.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xqlxbjvo.dll
C:\WINDOWS\system32\xqlxbjvo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xrvuyusl.dll
C:\WINDOWS\system32\xrvuyusl.dll Has been deleted!

Performing Repairs to the registry.
Done!





Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:57, on 25.02.08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Browser Mouse\moffice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Office Keyboard Driver\PS2USBKbdDrv.exe
C:\Programfiler\Browser Mouse\MOUSE32A.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\System32\svchost.exe
C:\Programfiler\Internet Explorer\iexplore.exe
E:\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
E:\Hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://wow.allakhazam.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {2A69FE53-2B35-43A7-BF08-03B3849B40DF} - (no file)
O2 - BHO: (no name) - {4D20D365-D9E0-41E4-9BDD-12080E786759} - (no file)
O2 - BHO: (no name) - {4E6A322E-532A-4488-92E7-AC1257DEAED1} - (no file)
O2 - BHO: (no name) - {531ED65A-6873-4FCB-8A0A-8D1C53FC9D54} - (no file)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {7575957D-83F9-4868-9A8E-1D5A8524C3D1} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {81CC4ECE-306B-4ED3-AD8E-D15A88363CDF} - (no file)
O2 - BHO: (no name) - {86DDEDC0-C785-4FCE-A22D-8522B0958833} - (no file)
O2 - BHO: (no name) - {8F2D8267-F42C-4181-9B67-4BE15C231FE7} - (no file)
O2 - BHO: (no name) - {94E8765A-096C-4E38-8801-74F7F128B1A1} - (no file)
O2 - BHO: (no name) - {A87CAFD0-AC7B-4F7D-A595-211D7F27AFED} - (no file)
O2 - BHO: (no name) - {AA2441E1-C226-4DC4-B111-E5A3A4A57A00} - (no file)
O2 - BHO: (no name) - {ABB68206-5154-47D3-ABC5-611C1658ABA0} - (no file)
O2 - BHO: (no name) - {AFCB72CA-ABB0-43FF-8872-810B5986F1F7} - (no file)
O2 - BHO: (no name) - {B50F955F-59D2-45A6-A769-FD4F1F13D2F8} - (no file)
O2 - BHO: (no name) - {B7CE528B-7EA6-4491-B29A-873DE0C11337} - (no file)
O2 - BHO: (no name) - {BACB9817-1907-42A6-85C8-1EB1F7DF2A3F} - (no file)
O2 - BHO: (no name) - {BD330411-8998-45CD-A4E5-0818D646643C} - (no file)
O2 - BHO: (no name) - {DC5FDA44-0419-427C-A001-1F4CA204A424} - (no file)
O2 - BHO: (no name) - {E3D818EC-EBA8-4002-B605-7BFB41703CA1} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {F99B5340-D4ED-46FE-8A6E-8451217F88E6} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programfiler\Office Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [MEDIAMOUSE] C:\Programfiler\Browser Mouse\moffice.exe
O4 - HKLM\..\Run: [bcc21b4a] rundll32.exe "C:\WINDOWS\system32\atremghi.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O20 - Winlogon Notify: iifdaax - iifdaax.dll (file missing)
O20 - Winlogon Notify: winzzd32 - winzzd32.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 6745 bytes


thanks for the help so far.
im also in wonder of a warning that pops up on startup saying error in loading C:\WINDOWS\system32\atremghi.dll. Should i just ignore that?

from joakim

pskelley
2008-02-26, 00:51
Thanks for returning your information, from the looks of the log it looks like TeaTimer is keeping junk in the log, so we will run a bat file to clean the TT memory, proceed like this:

Before we start, the directions to download HJT to the default location have not been followed? I want you to read those directions in my post #2 and follow them.
This is where HJT will be placed:


By default it will install HijackThis in the C:\Program Files\Trendmicro folder and create a desktop shortcut.
You are still running HJT from here: E:\Hijackthis\HijackThis.exe
Place follow those directions to fix this first.


1) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

2) Please download ATF Cleaner by Atribune
http://www.atribune.org/content/view/25/2/
Save it to your Desktop. We will use this later.

3) Make sure TeaTimer is still disabled and do this:
In some cases it's sometimes quite usefull to reset TeaTimer, once you've had it disabled to remove HijackThis entries :
Download ResetTeaTimer.bat.

http://downloads.subratam.org/ResetTeaTimer.bat

Double click ResetTeaTimer.bat to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

4) Open Vundofix by Doubleclicking on it, then point your mouse to the white box above
the buttons and right click, then click on Add More Files. When the next window opens,
copy and paste the files into the boxes and click on Add File(s), then click on Close Window.
Then click Remove Vundo.

(files to add)

C:\WINDOWS\system32\ywrnaudq.ini
C:\WINDOWS\system32\atremghi.dll


5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:
O2 - BHO: (no name) - {2A69FE53-2B35-43A7-BF08-03B3849B40DF} - (no file)
O2 - BHO: (no name) - {4D20D365-D9E0-41E4-9BDD-12080E786759} - (no file)
O2 - BHO: (no name) - {4E6A322E-532A-4488-92E7-AC1257DEAED1} - (no file)
O2 - BHO: (no name) - {531ED65A-6873-4FCB-8A0A-8D1C53FC9D54} - (no file)
O2 - BHO: (no name) - {7575957D-83F9-4868-9A8E-1D5A8524C3D1} - (no file)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {81CC4ECE-306B-4ED3-AD8E-D15A88363CDF} - (no file)
O2 - BHO: (no name) - {86DDEDC0-C785-4FCE-A22D-8522B0958833} - (no file)
O2 - BHO: (no name) - {8F2D8267-F42C-4181-9B67-4BE15C231FE7} - (no file)
O2 - BHO: (no name) - {94E8765A-096C-4E38-8801-74F7F128B1A1} - (no file)
O2 - BHO: (no name) - {A87CAFD0-AC7B-4F7D-A595-211D7F27AFED} - (no file)
O2 - BHO: (no name) - {AA2441E1-C226-4DC4-B111-E5A3A4A57A00} - (no file)
O2 - BHO: (no name) - {ABB68206-5154-47D3-ABC5-611C1658ABA0} - (no file)
O2 - BHO: (no name) - {AFCB72CA-ABB0-43FF-8872-810B5986F1F7} - (no file)
O2 - BHO: (no name) - {B50F955F-59D2-45A6-A769-FD4F1F13D2F8} - (no file)
O2 - BHO: (no name) - {B7CE528B-7EA6-4491-B29A-873DE0C11337} - (no file)
O2 - BHO: (no name) - {BACB9817-1907-42A6-85C8-1EB1F7DF2A3F} - (no file)
O2 - BHO: (no name) - {BD330411-8998-45CD-A4E5-0818D646643C} - (no file)
O2 - BHO: (no name) - {DC5FDA44-0419-427C-A001-1F4CA204A424} - (no file)
O2 - BHO: (no name) - {E3D818EC-EBA8-4002-B605-7BFB41703CA1} - C:\WINDOWS\system32\mllji.dll (file missing)
O2 - BHO: (no name) - {F99B5340-D4ED-46FE-8A6E-8451217F88E6} - (no file)
O4 - HKLM\..\Run: [bcc21b4a] rundll32.exe "C:\WINDOWS\system32\atremghi.dll",b
O20 - Winlogon Notify: iifdaax - iifdaax.dll (file missing)
O20 - Winlogon Notify: winzzd32 - winzzd32.dll (file missing)

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

C:\WINDOWS\system32\atremghi.dll <<< make sure that file is gone

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post the Vundofix report, a new HJT log and some feedback, how is the computer running.

Thanks

joakim900
2008-02-26, 22:16
hey again.

I did not get any new log report from a new Vundofix scan, there was no files to be deleted.




here is the fresh HJT log:


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 21:08, on 26.02.08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
E:\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
C:\Programfiler\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe
C:\Programfiler\Browser Mouse\moffice.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Programfiler\Office Keyboard Driver\PS2USBKbdDrv.exe
C:\Programfiler\Browser Mouse\MOUSE32A.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
C:\Programfiler\Internet Explorer\iexplore.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trendmicro\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.no/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://wow.allakhazam.com/
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Koblinger
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Programfiler\Fellesfiler\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - E:\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Programfiler\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [WireLessKeyboard] C:\Programfiler\Office Keyboard Driver\StartAutorun.exe PS2USBKbdDrv.exe
O4 - HKLM\..\Run: [MEDIAMOUSE] C:\Programfiler\Browser Mouse\moffice.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: E&ksporter til Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Programfiler\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Oppslag - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - E:\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Programfiler\Messenger\msmsgs.exe
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {5ED80217-570B-4DA9-BF44-BE107C0EC166} (Windows Live Safety Center Base Module) - http://cdn.scan.onecare.live.com/resource/download/scanner/wlscbase4009.cab
O16 - DPF: {67DABFBF-D0AB-41FA-9C46-CC0F21721616} (DivXBrowserPlugin Object) - http://download.divx.com/player/DivXBrowserPlugin.cab
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - E:\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Programfiler\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe

--
End of file - 4889 bytes




The computer seem to be running a lot more smoother and faster, and the warning at startup is also gone now.
And some of the BHO: (no name) items seemed to be gone, before i removed anything from HJT program.

I also thanks for the help.

pskelley
2008-02-26, 22:27
Thanks for returning your information, and the feedback. The Vundofix always creates a report at C:\Vundofix.txt but I can do without seeing it this time. Your HJT log appears clean of malware:bigthumb:

Please remove (delete) Vundofix, C:\Vundofix Backups\, combofix and the C:\qoobox\quarantine\ folder from your computer and then run a last Kaspersky online scan using these setting:

* The program will launch and then begin downloading the latest definition files:
* Once the files have been downloaded click on NEXT
* Now click on Scan Settings
* In the scan settings make that the following are selected:
* Scan using the following Anti-Virus database:
* Standard
* Scan Options:
* Scan Archives
* Scan Mail Bases
* Click OK
* Now under select a target to scan:
* Select My Computer
* This will program will start and scan your system.
* The scan will take a while so be patient and let it run.
* Once the scan is complete it will display if your system has been infected.
* Now click on the Save as Text button:
* Save the file to your desktop.

Then post it here.

Gracias

joakim900
2008-02-26, 23:23
here is the Kasperspy online scanner report:




-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Tuesday, February 26, 2008 10:21:28 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 26/02/2008
Kaspersky Anti-Virus database records: 536375
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: standard
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\

Scan Statistics:
Total number of scanned objects: 42107
Number of viruses found: 2
Number of infected objects: 5
Number of suspicious objects: 0
Duration of the scan process: 00:36:49

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Joakim H. Johansen\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Logg\History.IE5\MSHist012008022620080227\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Programdata\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\ntuser.dat Object is locked skipped
C:\Documents and Settings\Joakim H. Johansen\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Logg\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Programdata\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Lokale innstillinger\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\aswResp.dat Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\Avast4.db Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\integ\avast.int Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\log\AshWebSv.ws Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\log\aswMaiSv.log Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\log\nshield.log Object is locked skipped
C:\Programfiler\Alwil Software\Avast4\DATA\report\Resident protection.txt Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP2\A0000182.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP2\A0000192.dll Infected: Trojan.Win32.Pakes.bwd skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP2\A0000197.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP2\A0000198.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP2\A0000201.dll Infected: Backdoor.Win32.Agent.dlj skipped
C:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP3\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{55DF3EEE-C320-49E2-9536-2C0CC9DADE85}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\system32\config\Antivirus.Evt Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\Internet.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\Perflib_Perfdata_608.dat Object is locked skipped
C:\WINDOWS\Temp\_avast4_\Webshlock.txt Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
E:\System Volume Information\_restore{8E8168BC-A6D7-4493-AF87-718C033549DD}\RP3\change.log Object is locked skipped

Scan process completed.

pskelley
2008-02-26, 23:34
Thanks for returning your scan report, those are all infected System Restore files, follow these directions:

Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

Reboot

Turn ON System Restore,
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

Some good information for you:
http://users.telenet.be/bluepatchy/miekiemoes/slowcomputer.html
http://www.microsoft.com/windowsxp/using/helpandsupport/learnmore/tips/mcgill1.mspx

Here is some great information from experts in this field that will help you stay clean and safe online.
http://users.telenet.be/bluepatchy/miekiemoes/prevention.html
http://forums.spybot.info/showthread.php?t=279
http://russelltexas.com/malware/allclear.htm
http://forum.malwareremoval.com/viewtopic.php?t=14
http://www.bleepingcomputer.com/forums/topict2520.html
http://cybercoyote.org/security/not-admin.shtml

http://www.malwarecomplaints.info/

Thanks...pskelley
Safer Networking Forums
http://www.spybot.info/en/donate/index.html
If you are reading this information...thank a teacher,
If you are reading it in English...thank a soldier.

joakim900
2008-02-27, 00:00
thanks yet again for the awsome help.:D:
The links u provided seems to be a lot of help against further attacks.
let's hope i wont need to ask for more asistance from here, but in another situation i will look forward to posting on this forums again .