
Thread: Dropper.Agent.dgo and other viruses

  #1  SLRHCristy (Member, Riverton; joined Jan 2008; 50 posts)

    Dropper.Agent.dgo and other viruses

    Hello,

    I was on myspace (first mistake I suppose) using Mozilla and IE windows began popping up, and now my computer is infected with all sorts of viruses/spyware. I downloaded and ran AVG anti-virus and spyware, but each time I restart, the infections are back. I have followed all instructions in the "before you post" section. Had to work hard to get the Kaspersky log; viruses seemed to infect it and it could not run. Same with AVG anti-virus. I have previously used Norton and AdAware, though I probably have not updated as I should. Please help! I will be heading to bed soon as it took all night last night to get Kaspersky to work, but will log in tomorrow morning (around 7am MST).

    HJT Log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:18:09 PM, on 1/30/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\mHotkey.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Aegon\Updater\Updater.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Launcher] F:\setup.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA2999] command /c del "C:\WINDOWS\system32\jkkjk.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC1060] cmd /c del "C:\WINDOWS\system32\jkkjk.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingA3803] command /c del "C:\WINDOWS\system32\jkkjk.dll"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC6672] cmd /c del "C:\WINDOWS\system32\jkkjk.dll"
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [PiXPO] "C:\Program Files\ProPix Share\1.5\Pixpo.exe" /startup
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe (User 'Anastasia')
    O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9 (User 'Anastasia')
    O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv (User 'Anastasia')
    O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe" (User 'Anastasia')
    O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe (User 'Anastasia')
    O4 - HKUS\S-1-5-21-448539723-1801674531-682003330-1005\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe (User 'Anastasia')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\npjpi160_03.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 8748 bytes

    Kaspersky Log:

    Scan My Computer
    ----------------
    Scanned: 258856
    Detected: 48
    Untreated: 48
    Start time: 1/29/2008 10:01:37 PM
    Duration: 08:03:13
    Finish time: 1/30/2008 6:04:50 AM
    Signatures published: 1/29/2008 6:40:34 PM


    Detected
    --------
    Status Object
    ------ ------
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: c:\windows\system32\jkkjk.exe
    detected: adware not-a-virus:AdWare.Win32.PurityScan.gv File: c:\windows\system32\tup.dll//PE_Patch.PECompact//PecBundle//PECompact
    detected: adware not-a-virus:AdWare.Win32.PurityScan.gt File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0082729.dll//PE_Patch.PECompact//PecBundle//PECompact
    detected: adware not-a-virus:AdWare.Win32.ZenoSearch.ad File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0083872.dll
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084885.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084886.exe
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fn File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084890.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084894.exe
    detected: Trojan program Trojan-Downloader.Win32.Agent.gwe File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084902.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084913.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0084920.exe
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085907.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fn File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085910.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085914.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085929.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP731\A0085932.exe
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP732\A0085947.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP732\A0085952.exe
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP732\A0085954.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP733\A0086015.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP733\A0086018.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086133.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086135.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086136.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086159.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086162.exe
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086164.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086167.exe
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086179.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP734\A0086183.exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP735\A0086208.exe
    detected: adware not-a-virus:AdWare.Win32.PurityScan.gv File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP735\A0086212.dll//PE_Patch.PECompact//PecBundle//PECompact
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP736\A0086307.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086320.exe
    detected: adware not-a-virus:AdWare.Win32.PurityScan.gv File: C:\System Volume Information\_restore{818EB6AD-84C3-45E2-882E-A48453649B62}\RP737\A0086321.dll//PE_Patch.PECompact//PecBundle//PECompact
    detected: Trojan program Trojan.Win32.Scapur.k File: C:\Program Files\Common Files\Yazzle1552OinAdmin.exe//PE_Patch.PECompact//PecBundle//PECompact
    detected: adware not-a-virus:AdWare.Win32.PurityScan.gp File: C:\Program Files\Common Files\Yazzle1552OinUninstaller.exe//data0001
    detected: Trojan program Trojan-Downloader.Win32.Adload.pr File: C:\Program Files\Dot1XCfg\Dot1XCfg .exe
    detected: Trojan program Trojan.Java.ClassLoader.Dummy.a File: C:\Program Files\Norton AntiVirus\Quarantine\122C23D7.class//CryptFF
    detected: Trojan program Trojan.Java.ClassLoader.c File: C:\Program Files\Norton AntiVirus\Quarantine\12304DD4.class//CryptFF
    detected: malware Exploit.Java.ByteVerify File: C:\Program Files\Norton AntiVirus\Quarantine\59E31CF4.class//CryptFF
    detected: Trojan program Trojan-Downloader.Java.OpenConnection.v File: C:\Program Files\Norton AntiVirus\Quarantine\7177607C.class//CryptFF
    detected: adware not-a-virus:AdWare.Win32.ZenoSearch.ad File: C:\Program Files\Outerinfo\FF\components\FF.dll
    detected: Trojan program Trojan.Win32.Agent.edq File: C:\Program Files\Temporary\kernInst.exe
    detected: Trojan program Trojan-Downloader.Win32.PurityScan.fk File: C:\Program Files\?ystem\userinit .exe//PE_Patch.UPX//UPX
    detected: Trojan program Trojan-Downloader.Win32.Agent.hvj File: C:\WINDOWS\b122.exe
    detected: Trojan program Trojan-Dropper.Win32.Agent.dgo File: C:\WINDOWS\system32\ctfmon.exe.tmp
    detected: Trojan program Trojan.Win32.Scapur.k File: C:\WINDOWS\system32\LDBC0.tmp//data0002//PE_Patch.PECompact//PecBundle//PECompact


    Events
    ------
    Time Name Status Reason
    ---- ---- ------ ------
    1/29/2008 10:01:37 PM Running module: smss.exe\smss.exe ok scanned


    Statistics
    ----------
    Object Scanned Detected Untreated Deleted Moved to Quarantine Archives Packed files Password protected Corrupted
    ------ ------- -------- --------- ------- ------------------- -------- ------------ ------------------ ---------


    Settings
    --------
    Parameter Value
    --------- -----
    Security Level Recommended
    Action Prompt for action when the scan is complete
    Run mode Manually
    File types Scan all files
    Scan only new and changed files No
    Scan archives All
    Scan embedded OLE objects All
    Skip if object is larger than No
    Skip if scan takes longer than No
    Parse email formats No
    Scan password-protected archives No
    Enable iChecker technology Yes
    Enable iSwift technology Yes
    Record information about dangerous objects to program statistics Yes

  #2  Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)

    Hi SLRHCristy

    Rename HijackThis.exe to SLRHCristy.exe and post back a fresh HijackThis log, please
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  #3  SLRHCristy (Member, Riverton; joined Jan 2008; 50 posts)

    New HJT log

    Shaba,

    Thanks in advance for all your help. Virtumonde is really nasty. Here is my new HJT log.

    Thanks!

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:00:28 PM, on 2/2/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Aegon\Updater\Updater.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\PROGRA~1\YSTEM~1\userinit.exe
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Launcher] F:\setup.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA802] command /c del "C:\WINDOWS\system32\jkkjk.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC372] cmd /c del "C:\WINDOWS\system32\jkkjk.dll_old"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"
    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 7956 bytes
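    The two HijackThis logs above are read by eye for a small set of tells: characters outside the system code page print as `?` (`?icrosoft\?ti2evxx.exe`, `?ystem`), several executables carry a space before the extension (`userinit .exe`, `Dot1XCfg .exe`), a Run value with a hex-only name starts `rundll32.exe` on a system32 DLL with a one-letter export (`[aca01c91] ... ytdtdwrt.dll",b`), a `win.ini load=` entry (`F3`) survives every reboot, and a system binary name (`userinit.exe`) runs from `C:\PROGRA~1\YSTEM~1` instead of system32. The script below is an added example, not code from the thread or from Trend Micro's HijackThis: it applies those checks, plus the R1 proxy and unnamed BHO/toolbar checks, to HJT lines and the process list. The embedded sample is an excerpt of lines from the logs above. One caveat a practitioner needs: the space-before-extension check also fires on the poster's AVG and Kaspersky entries, so every hit has to be confirmed against the file on disk; in this thread the Kaspersky report independently lists `Dot1XCfg .exe` and `userinit .exe` as detections, which is the kind of confirmation to look for.

```python
"""Triage heuristics for HijackThis (HJT) 2.0.x log lines.

Added example, not part of the thread.  It encodes checks a helper
applies by eye to the logs posted above.  A hit is a file to inspect on
disk, not proof that it is malicious: legitimate entries can trip the
same patterns.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

RE_SECTION = re.compile(r"^(?P<sec>[RFO]\d+) - (?P<body>.*)$")
RE_PROCESS = re.compile(r"^[A-Za-z]:\\")           # 'Running processes:' lines
# Non-greedy so a trailing ' (file missing)' or '/3000' resource id is dropped.
RE_PATH = re.compile(r"(?P<path>[A-Za-z]:\\.+?\.(?:exe|dll|scr|cpl))", re.IGNORECASE)
RE_RUN_NAME = re.compile(r"\\Run(?:Once)?: \[(?P<name>[^\]]*)\]")
RE_RUNDLL = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+\.dll)"?,(?P<export>\S+)',
                       re.IGNORECASE)
RE_SPACE_BEFORE_EXT = re.compile(r"\S \.(?:exe|dll)$", re.IGNORECASE)
RE_HEX_NAME = re.compile(r"^[0-9a-f]{6,}$", re.IGNORECASE)
# Names that belong in %SystemRoot%\system32; the same name elsewhere is suspect.
SYSTEM_BINARIES = {"userinit.exe", "winlogon.exe", "svchost.exe", "lsass.exe",
                   "csrss.exe", "services.exe", "smss.exe", "ctfmon.exe"}


@dataclass(frozen=True)
class Finding:
    section: str   # HJT section ('O4', 'F3', ...) or 'Process'
    reason: str
    line: str


def triage(log_text: str) -> list[Finding]:
    """Return one Finding per (line, reason); a line can hit several checks."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = RE_SECTION.match(line)
        if m:
            sec, body = m.group("sec"), m.group("body")
        elif RE_PROCESS.match(line):
            sec, body = "Process", line
        else:
            continue
        pm = RE_PATH.search(body)
        path = pm.group("path") if pm else ""
        base = path.rsplit("\\", 1)[-1].lower()
        reasons = []
        if sec.startswith("F"):
            reasons.append("legacy win.ini load=/run= autostart")
        if sec == "R1" and "ProxyServer" in body:
            reasons.append("proxy server configured")
        if sec in ("O2", "O3") and "(no name)" in body:
            reasons.append("BHO/toolbar with no name")
        if "?" in path:
            reasons.append("non-ASCII character in path (shown as '?')")
        if RE_SPACE_BEFORE_EXT.search(path):
            reasons.append("space before file extension")
        if sec in ("O4", "Process") and "\\documents and settings\\" in path.lower():
            reasons.append("autostart/process from a user profile folder")
        if base in SYSTEM_BINARIES and "\\system32\\" not in path.lower():
            reasons.append("system binary name outside system32")
        rn = RE_RUN_NAME.search(body)
        if rn and RE_HEX_NAME.match(rn.group("name")):
            reasons.append("hex-only Run value name")
        dm = RE_RUNDLL.search(body)
        if dm and len(dm.group("export")) == 1:
            reasons.append("rundll32 loading a DLL by one-letter export")
        findings.extend(Finding(sec, r, line) for r in reasons)
    return findings


# Excerpt of lines from the HijackThis logs posted above.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: (no name) - {3BF08679-7C59-40FE-B23D-05EF777A5177} - C:\WINDOWS\system32\jkkjk.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv
O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.section}] {f.reason}: {f.line}")
```

    Feed it a whole saved log and work through the output line by line; the entries that hit two or more checks (here the `?ti2evxx.exe` and `aca01c91` lines) are the ones to deal with first.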

  #4  Security Expert: Emeritus (Finland; joined Oct 2006; 29,374 posts)

    Hi

    That didn't go right.

    Rename HijackThis.exe to SLRHCristy.exe by doing the following:

    • Navigate here using Windows Explorer (windows button + E) or My Computer -> Local Disk C: -> C:\Program Files\Trend Micro\HijackThis
    • Right-click on the HijackThis.exe
    • Choose "Rename" from the pull-down menu
    • And now Rename HijackThis.exe to SLRHCristy.exe
    • When you've renamed HijackThis, open HijackThis again.
    • Take a fresh HijackThis log (click Do a system scan and save a log file)
    • Post the fresh HijackThis log here.

  #5  SLRHCristy (Member, Riverton; joined Jan 2008; 50 posts)

    New HJT Log

    Sorry about that, let's try that again. Here's the new log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:44:26 AM, on 2/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\Aegon\Updater\Updater.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {3BF08679-7C59-40FE-B23D-05EF777A5177} - C:\WINDOWS\system32\jkkjk.dll
    O2 - BHO: (no name) - {426BD246-4EDA-3653-FCB8-69A3E6FCF8BA} - C:\WINDOWS\system32\agn.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6643BAB7-7672-0CA6-5117-5300CCCE8BBE} - C:\WINDOWS\system32\tup.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: {affb4f65-2e02-ad09-f764-ecb7680fa8fe} - {ef8af086-7bce-467f-90da-20e256f4bffa} - C:\WINDOWS\system32\imcflkci.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Launcher] F:\setup.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
    O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKLM\..\RunOnce: [SpybotDeletingA802] command /c del "C:\WINDOWS\system32\jkkjk.dll_old"
    O4 - HKLM\..\RunOnce: [SpybotDeletingC372] cmd /c del "C:\WINDOWS\system32\jkkjk.dll_old"
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"
    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 8840 bytes

  6. #6
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Are all AVG, Norton and Kaspersky up-to-date?

    We first need to disable TeaTimer so that it doesn't interfere with the fixes. You can re-enable it when you're clean again:

    1. Run Spybot-S&D in Advanced Mode.
    2. If it is not already set to do this, go to the Mode menu and select "Advanced Mode"
    3. On the left hand side, Click on Tools
    4. Then click on the Resident Icon in the List
    5. Uncheck "Resident TeaTimer" and OK any prompts.
    6. Restart your computer.

    1. Download combofix from any of these links and save it to Desktop:
    Link 1
    Link 2
    Link 3

    **Note: It is important that it is saved directly to your desktop**

    2. Double click combofix.exe & follow the prompts.
    3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

    Note:
    Do not mouseclick combofix's window whilst it's running. That may cause it to stall

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also what process you had to end.

    If you have problems with Combofix usage, see here

    Post:

    - a fresh HijackThis log
    - combofix report
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  7. #7
    Member SLRHCristy's Avatar
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    Default New Combofix log and HJT Log

    I believe AVG and Kaspersky are up-to-date as I just downloaded them when reading your "before you post" thread, though I am unable to open any of them to run them; it took hours to get Kaspersky to work the first time. Also, Norton is not up to date, and seems to have been infected as well (or is not working properly because of the infection; not sure, I don't know much about software or computers). Should I remove all of these and re-download?

    Also, upon startup, three win32 command windows keep popping up, along with an error message stating that WINDOWS/system32/ytdtdwrt.dll cannot be found... Is this related to the virus?

    Here are my new logs. Thanks so much for your help, Shaba!!

    ComboFix 08-02.03.1 - Anastasia 2008-02-03 12:58:20.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.208 [GMT -7:00]
    Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\Anastasia N\Application Data\YSTEM~1
    C:\Documents and Settings\Anastasia N\My Documents\ICROSO~1
    C:\Documents and Settings\Anastasia N\My Documents\ICROSO~1\?ti2evxx.exe
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe
    C:\Program Files\outerinfo
    C:\Program Files\QdrDrive
    C:\Program Files\Temporary
    C:\Program Files\Temporary\kernInst.exe
    C:\Program Files\ystem~1
    C:\Program Files\ystem~1\s?stem\
    C:\Program Files\ystem~1\userinit .exe
    C:\Program Files\ystem~1\userinit.exe
    C:\WINDOWS\b122.exe
    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\diacooxh.ini
    C:\WINDOWS\system32\jkkjk.exe
    C:\WINDOWS\system32\kjkkj.ini
    C:\WINDOWS\system32\kjkkj.ini2
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\system
    C:\WINDOWS\system32\system\msxml4.dll
    C:\WINDOWS\system32\system\msxml4r.dll
    C:\WINDOWS\system32\trwdtdty.ini
    C:\WINDOWS\system32\tup.dll

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\nm


    ((((((((((((((((((((((((( Files Created from 2008-01-03 to 2008-02-03 )))))))))))))))))))))))))))))))
    .

    2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-01-29 21:55 . 2008-01-30 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-29 21:00 . 2008-01-30 21:53 2,155,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-29 21:00 . 2008-01-30 21:53 62,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-29 21:00 . 2008-01-30 21:53 30,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-29 21:00 . 2008-01-30 21:53 7,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
    2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-28 21:51 . 2008-01-28 21:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-28 21:51 . 2008-01-29 18:47 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\AVG7
    2008-01-28 21:50 . 2008-01-28 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-28 19:11 . 2008-01-29 21:05 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
    2008-01-28 17:43 . 2008-01-28 17:43 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\Grisoft
    2008-01-28 17:43 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-01-28 17:42 . 2008-01-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray .exe
    2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd .exe
    2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2008-01-27 18:41 . 2008-01-28 18:14 <DIR> d-------- C:\Program Files\Dot1XCfg
    2008-01-27 18:36 . 2008-01-27 18:36 270,698 --a------ C:\WINDOWS\system32\LE91E.tmp
    2008-01-27 18:36 . 2008-01-30 21:10 181,965 --a------ C:\WINDOWS\system32\LDBC0.tmp
    2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-30 01:18 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
    2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
    2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
    2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
    2008-01-29 01:58 --------- d-----w C:\Program Files\SymNetDrv
    2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
    2008-01-29 00:10 --------- d-----w C:\Program Files\iTunes
    2008-01-29 00:09 --------- d-----w C:\Program Files\Lexmark X1100 Series
    2007-12-16 19:59 --------- d-----w C:\Program Files\Java
    2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
    2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
    2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
    2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
    2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
    2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
    2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
    2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
    2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
    2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
    .
    Code:
    ----a-w           313,472 2008-01-29 00:10:28  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
    ----a-w            71,280 2008-01-29 00:09:55  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    ----a-w            61,440 2008-01-31 04:10:36  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
    ----a-w           579,072 2008-01-29 13:43:24  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w           278,528 2008-01-29 00:10:11  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           132,496 2008-01-29 00:10:03  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    ----a-w           572,416 2008-01-31 04:08:05  C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    ----a-w            57,344 2008-01-29 00:09:59  C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
    ----a-w            53,248 2008-01-29 00:10:06  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
    ----a-w            74,920 2008-01-29 00:10:06  C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK .EXE
    ----a-w           100,056 2008-01-29 00:10:04  C:\Program Files\SymNetDrv\SNDMon .exe
    ----a-w         1,126,400 2008-01-29 00:10:30  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
    ----a-w            15,360 2008-01-30 04:05:19  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           114,688 2008-01-29 00:09:52  C:\WINDOWS\system32\hkcmd .exe
    ----a-w           155,648 2008-01-29 00:09:51  C:\WINDOWS\system32\igfxtray .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12561D4D-7C56-4B41-9A08-E3F52F346476}]
    C:\WINDOWS\system32\jkkjk.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426BD246-4EDA-3653-FCB8-69A3E6FCF8BA}]
    C:\WINDOWS\system32\agn.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ef8af086-7bce-467f-90da-20e256f4bffa}]
    C:\WINDOWS\system32\imcflkci.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
    "STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [ ]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [ ]
    "Ooba"="C:\PROGRA~1\YSTEM~1\userinit.exe" [ ]
    "Mxdbxgsi"="C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe" [ ]
    "Dot1XCfg"="C:\Program Files\Dot1XCfg\Dot1XCfg.exe" [ ]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
    "CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
    "Launcher"="F:\setup.exe" [ ]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]
    "aca01c91"="C:\WINDOWS\system32\ytdtdwrt.dll" [ ]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [ ]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe" [2008-01-30 21:08 572416]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-30 21:10 633344]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
    Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

    S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
    S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-03 19:44:38 C:\WINDOWS\Tasks\Ad-aware.job"
    - C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    "2008-02-02 16:35:00 C:\WINDOWS\Tasks\Checkup Scheduled.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    "2008-02-03 08:17:49 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
    - C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
    "2008-02-03 17:25:01 C:\WINDOWS\Tasks\Norton System Doctor.job"
    - C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
    "2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
    - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
    "2008-02-03 07:00:03 C:\WINDOWS\Tasks\Symantec Drmc.job"
    - C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
    "2008-02-03 12:20:01 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-03 13:06:27
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-02-03 13:13:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-03 20:13:16
    .
    2008-01-30 10:01:48 --- E O F ---

  8. #8
    Member SLRHCristy's Avatar
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    Default New HJT

    And here is the new HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 1:17:17 PM, on 2/3/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {12561D4D-7C56-4B41-9A08-E3F52F346476} - C:\WINDOWS\system32\jkkjk.dll (file missing)
    O2 - BHO: (no name) - {426BD246-4EDA-3653-FCB8-69A3E6FCF8BA} - C:\WINDOWS\system32\agn.dll (file missing)
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: {affb4f65-2e02-ad09-f764-ecb7680fa8fe} - {ef8af086-7bce-467f-90da-20e256f4bffa} - C:\WINDOWS\system32\imcflkci.dll (file missing)
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Launcher] F:\setup.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [aca01c91] rundll32.exe "C:\WINDOWS\system32\ytdtdwrt.dll",b
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKCU\..\Run: [Ooba] "C:\PROGRA~1\YSTEM~1\userinit.exe" -vt ndrv
    O4 - HKCU\..\Run: [Mxdbxgsi] "C:\Documents and Settings\Anastasia N\My Documents\?icrosoft\?ti2evxx.exe"
    O4 - HKCU\..\Run: [Dot1XCfg] C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 8117 bytes

  9. #9
    Security Expert: Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    29,374

    Default

    Hi

    Yes, you should, but not now as you are infected.

    Open notepad and copy/paste the text in the quotebox below into it:

    Code:
    RenV::
    ----a-w           313,472 2008-01-29 00:10:28  C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
    ----a-w            71,280 2008-01-29 00:09:55  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
    ----a-w            61,440 2008-01-31 04:10:36  C:\Program Files\Dot1XCfg\Dot1XCfg .exe
    ----a-w           579,072 2008-01-29 13:43:24  C:\Program Files\Grisoft\AVG7\avgcc .exe
    ----a-w           278,528 2008-01-29 00:10:11  C:\Program Files\iTunes\iTunesHelper .exe
    ----a-w           132,496 2008-01-29 00:10:03  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
    ----a-w           572,416 2008-01-31 04:08:05  C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    ----a-w            57,344 2008-01-29 00:09:59  C:\Program Files\Lexmark X1100 Series\lxbkbmgr .exe
    ----a-w            53,248 2008-01-29 00:10:06  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask .exe
    ----a-w            74,920 2008-01-29 00:10:06  C:\Program Files\Norton AntiVirus\AdvTools\ADVCHK .EXE
    ----a-w           100,056 2008-01-29 00:10:04  C:\Program Files\SymNetDrv\SNDMon .exe
    ----a-w         1,126,400 2008-01-29 00:10:30  C:\Program Files\TGTSoft\StyleXP\StyleXP .exe
    ----a-w            15,360 2008-01-30 04:05:19  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           114,688 2008-01-29 00:09:52  C:\WINDOWS\system32\hkcmd .exe
    ----a-w           155,648 2008-01-29 00:09:51  C:\WINDOWS\system32\igfxtray .exe
    
    File::
    C:\WINDOWS\system32\LE91E.tmp
    C:\WINDOWS\system32\LDBC0.tmp
    
    Folder::
    C:\Program Files\Dot1XCfg
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{12561D4D-7C56-4B41-9A08-E3F52F346476}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{426BD246-4EDA-3653-FCB8-69A3E6FCF8BA}]
    
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ef8af086-7bce-467f-90da-20e256f4bffa}]
    
    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Ooba"=-
    "Mxdbxgsi"=-
    "Dot1XCfg"=-
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "aca01c91"=-
    Save this as "CFScript"

    Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

    [img]http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif[/img]

    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    Combofix should never take more than 20 minutes including the reboot if malware is detected.
    If it does, open Task Manager, then the Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg; then combofix should continue.
    If that happened we want to know, and also what process you had to end.
    Microsoft MVP Consumer Security 2008-2011

    Member of ASAP and UNITE since 2006

  10. #10
    Member SLRHCristy's Avatar
    Join Date
    Jan 2008
    Location
    Riverton
    Posts
    50

    Default New Combofix log

    Here's the new combofix:

    ComboFix 08-02.03.1 - Anastasia 2008-02-04 18:29:28.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.214 [GMT -7:00]
    Running from: C:\Documents and Settings\Anastasia N\Desktop\ComboFix.exe
    Command switches used :: C:\Documents and Settings\Anastasia N\Desktop\CFScript.txt
    * Created a new restore point

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

    FILE
    C:\WINDOWS\system32\LDBC0.tmp
    C:\WINDOWS\system32\LE91E.tmp
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Program Files\Dot1XCfg
    C:\Program Files\Dot1XCfg\Dot1XCfg.exe
    C:\WINDOWS\system32\LDBC0.tmp
    C:\WINDOWS\system32\LE91E.tmp

    .
    ((((((((((((((((((((((((( Files Created from 2008-01-05 to 2008-02-05 )))))))))))))))))))))))))))))))
    .

    2008-01-30 21:17 . 2008-01-30 21:17 <DIR> d-------- C:\Program Files\Trend Micro
    2008-01-29 21:55 . 2008-01-29 21:55 <DIR> d-------- C:\Program Files\Kaspersky Lab
    2008-01-29 21:55 . 2008-01-30 21:08 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2008-01-29 21:00 . 2008-01-30 21:53 2,155,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
    2008-01-29 21:00 . 2008-01-30 21:53 62,496 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
    2008-01-29 21:00 . 2008-01-30 21:53 30,992 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
    2008-01-29 21:00 . 2008-01-30 21:53 7,952 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
    2008-01-29 20:49 . 2008-01-29 20:49 <DIR> d-------- C:\KAV
    2008-01-29 20:17 . 2008-02-02 10:56 <DIR> d-------- C:\Program Files\Spybot - Search & Destroy
    2008-01-29 20:17 . 2008-01-29 20:38 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-01-28 21:51 . 2008-01-28 21:51 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\AVG7
    2008-01-28 21:51 . 2008-02-04 18:37 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\AVG7
    2008-01-28 21:50 . 2008-01-28 21:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\avg7
    2008-01-28 17:43 . 2008-01-28 17:43 <DIR> d-------- C:\Documents and Settings\Anastasia N\Application Data\Grisoft
    2008-01-28 17:43 . 2007-05-30 05:10 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
    2008-01-28 17:42 . 2008-01-28 21:50 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
    2008-01-28 17:09 . 2008-01-28 17:09 155,648 --a------ C:\WINDOWS\system32\igfxtray.exe
    2008-01-28 17:09 . 2008-01-28 17:09 114,688 --a------ C:\WINDOWS\system32\hkcmd.exe
    2008-01-27 19:10 . 2008-01-27 19:10 230 --a------ C:\WINDOWS\system32\spupdsvc.inf
    2008-01-19 18:48 . 2008-01-27 18:36 54,156 --ah----- C:\WINDOWS\QTFont.qfn
    2008-01-19 18:48 . 2008-01-19 18:48 1,409 --a------ C:\WINDOWS\QTFont.for

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-02-05 01:37 347,648 ----a-w C:\WINDOWS\system32\ctfmon.exe
    2008-02-05 01:37 330,752 ----a-w C:\WINDOWS\system32\jkkjk.exe
    2008-02-05 01:36 327,168 ----a-w C:\WINDOWS\system32\jkkjk.dll
    2008-02-05 01:29 --------- d-----w C:\Program Files\SymNetDrv
    2008-02-05 01:29 --------- d-----w C:\Program Files\Lexmark X1100 Series
    2008-02-05 01:29 --------- d-----w C:\Program Files\iTunes
    2008-02-05 01:29 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-30 01:17 --------- d-----w C:\Program Files\Norton AntiVirus
    2008-01-29 23:57 --------- d-----w C:\Program Files\Lavasoft
    2008-01-29 14:15 --------- d-----w C:\Program Files\Norton SystemWorks
    2008-01-29 13:46 --------- d-----w C:\Program Files\QuickTime
    2008-01-29 01:58 --------- d-----w C:\Program Files\PopUp Killer
    2007-12-16 19:59 --------- d-----w C:\Program Files\Java
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2005-01-27 18:17 513 ----a-w C:\Program Files\INSTALL.LOG
    2004-08-22 13:19 168 ----a-w C:\Program Files\setupfax.log
    2004-08-19 08:28 1,599 ----a-w C:\Program Files\Remote Assistance.lnk
    2004-08-18 20:10 2,002 ----a-w C:\Program Files\Open Office Document.lnk
    2004-08-18 11:07 738 ----a-w C:\Program Files\Outlook Express.lnk
    2004-08-18 09:58 398 ----a-w C:\Program Files\Windows Catalog.lnk
    2004-08-18 09:58 1,507 ----a-w C:\Program Files\Windows Update.lnk
    2004-08-18 09:55 786 ----a-w C:\Program Files\Windows Movie Maker.lnk
    2004-08-18 09:52 1,986 ----a-w C:\Program Files\MSN.lnk
    2001-09-29 00:00 164,864 ----a-w C:\Program Files\UNWISE.EXE
    .
    Code:
    <pre>
    ----a-w           219,136 2008-02-05 01:36:27  C:\Program Files\Grisoft\AVG7\avgw .exe
    ----a-w           572,416 2008-01-31 04:08:05  C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe
    </pre>

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{FC2DD60D-6E06-4D4B-8AC6-0D43527A30FB}]
    2008-02-04 18:36 327168 --a------ C:\WINDOWS\system32\jkkjk.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 17:56 15360]
    "STYLEXP"="C:\Program Files\TGTSoft\StyleXP\StyleXP.exe" [2008-02-04 18:37 1488384]
    "QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [ ]
    "updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" [2008-02-04 18:37 737280]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SoundMan"="SOUNDMAN.EXE" [2002-06-28 23:05 46592 C:\WINDOWS\SOUNDMAN.EXE]
    "CHotkey"="mHotkey.exe" [2002-07-23 10:09 477184 C:\WINDOWS\mHotkey.exe]
    "Launcher"="F:\setup.exe" [ ]
    "Logitech Hardware Abstraction Layer"="KHALMNPR.EXE" [2006-01-20 17:46 28160 C:\WINDOWS\KHALMNPR.Exe]
    "AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2008-02-04 18:42 579072]
    "AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe" [2008-01-30 21:08 572416]
    "!AVG Anti-Spyware"="C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" [ ]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
    "AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2008-01-30 21:10 633344]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
    Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2006-10-31 16:58:50 532480]
    Toolbox Updater.lnk - C:\Program Files\Aegon\Updater\Updater.exe [2003-01-31 17:08:36 258048]

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=C:\WINDOWS\system32\jkkjk.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjk

    S3 NPDriver;Norton Unerase Protection Driver;C:\WINDOWS\system32\Drivers\NPDRIVER.SYS [2003-09-10 04:12]
    S3 SDdriver;SDdriver;C:\WINDOWS\system32\Drivers\sddriver.sys [2003-09-10 03:58]

    .
    Contents of the 'Scheduled Tasks' folder
    "2008-02-05 01:43:00 C:\WINDOWS\Tasks\Ad-aware.job"
    - C:\Program Files\Lavasoft\Ad-aware 6\Ad-aware.exe
    "2008-02-02 16:35:00 C:\WINDOWS\Tasks\Checkup Scheduled.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2007-12-06 15:09:26 C:\WINDOWS\Tasks\Disk Cleanup.job"
    - C:\WINDOWS\system32\cleanmgr.exe
    "2008-02-03 08:17:49 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Anastasia.job"
    - C:\PROGRA~1\NORTON~1\NAVW32.EXEh/task:
    "2008-02-03 17:25:01 C:\WINDOWS\Tasks\Norton System Doctor.job"
    - C:\PROGRA~1\NORTON~2\NORTON~1\sysdoc32.exe
    "2007-12-06 15:09:24 C:\WINDOWS\Tasks\Norton SystemWorks One Button Checkup.job"
    - C:\Program Files\Norton SystemWorks\OBC.exe
    "2008-01-24 14:00:23 C:\WINDOWS\Tasks\Speed Disk.job"
    - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\sdntc.exe
    "2008-02-03 07:00:03 C:\WINDOWS\Tasks\Symantec Drmc.job"
    - C:\Program Files\Common Files\Symantec Shared\SymDrmc.exe
    "2008-02-04 04:20:20 C:\WINDOWS\Tasks\Symantec NetDetect.job"
    - C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-02-04 18:36:22
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\system32\jkkjk.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    .
    **************************************************************************
    .
    Completion time: 2008-02-04 18:45:45 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-02-05 01:45:34
    ComboFix2.txt 2008-02-03 20:13:26
    .
    2008-01-30 10:01:48 --- E O F ---

    And HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:50:34 PM, on 2/4/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
    C:\Program Files\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\Explorer.EXE
    C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
    C:\WINDOWS\SOUNDMAN.EXE
    C:\WINDOWS\mHotkey.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\TGTSoft\StyleXP\StyleXP.exe
    C:\Program Files\Logitech\SetPoint\SetPoint.exe
    C:\Program Files\Aegon\Updater\Updater.exe
    C:\Program Files\Common Files\Logitech\KHAL\KHALMNPR.EXE
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    C:\Program Files\Grisoft\AVG7\avgcc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Trend Micro\HijackThis\SLRHCristy.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myspace.com/
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
    F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O2 - BHO: (no name) - {FC2DD60D-6E06-4D4B-8AC6-0D43527A30FB} - C:\WINDOWS\system32\jkkjk.dll
    O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
    O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
    O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
    O4 - HKLM\..\Run: [CHotkey] mHotkey.exe
    O4 - HKLM\..\Run: [Launcher] F:\setup.exe
    O4 - HKLM\..\Run: [Logitech Hardware Abstraction Layer] KHALMNPR.EXE
    O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp .exe"
    O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas .exe" /minimized
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [STYLEXP] C:\Program Files\TGTSoft\StyleXP\StyleXP.exe -Hide
    O4 - HKCU\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe AcRdB7_0_9
    O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'Default user')
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
    O4 - Global Startup: Toolbox Updater.lnk = C:\Program Files\Aegon\Updater\Updater.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe (file missing)
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://download.macromedia.com/pub/...sh/swflash.cab
    O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
    O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
    O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
    O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
    O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Unerase Protection (NProtectService) - Symantec Corporation - C:\PROGRA~1\NORTON~1\AdvTools\NPROTECT.EXE
    O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Speed Disk service - Symantec Corporation - C:\PROGRA~1\NORTON~2\NORTON~1\SPEEDD~1\NOPDB.EXE
    O23 - Service: StyleXPService - Unknown owner - C:\Program Files\TGTSoft\StyleXP\StyleXPService.exe
    O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

    --
    End of file - 7715 bytes
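
As an added example (not code from this thread, nor from HijackThis or ComboFix), the Python script below runs a few defensive triage rules over lines copied from the two logs in the post above: an unnamed BHO and toolbar, the win.ini load= entry, an autorun on a non-system drive, a service whose binary is missing, and the extra LSA authentication package. The system-drive letter and the stock Windows XP package list are assumptions marked in the comments.

```python
import re
from collections import defaultdict

# Constructed sample input: HijackThis lines copied from the log in the post above.
SAMPLE_HJT = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy.utah.edu:8080
F3 - REG:win.ini: load=C:\WINDOWS\system32\jkkjk.exe
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {FC2DD60D-6E06-4D4B-8AC6-0D43527A30FB} - C:\WINDOWS\system32\jkkjk.dll
O3 - Toolbar: (no name) - {F5735C15-1FB2-41FE-BA12-242757E69DDE} - (no file)
O4 - HKLM\..\Run: [Launcher] F:\setup.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O23 - Service: Kaspersky Anti-Virus 6.0 (AVP) - Unknown owner - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 6.0 SOS\avp.exe (file missing)
"""

# The LSA line from the ComboFix "Reg Loading Points" section of the same post.
SAMPLE_LSA = r"Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\jkkjk"

SYSTEM_DRIVE = "C:"                  # assumption: Windows is installed on C:
DEFAULT_AUTH_PACKAGES = {"msv1_0"}   # assumption: the only LSA package on a stock Windows XP

# Lazily match a drive-letter path up to the first .exe/.dll/.sys so paths with spaces survive.
PATH_RE = re.compile(r"[A-Za-z]:\\.*?\.(?:exe|dll|sys)\b", re.IGNORECASE)


def triage_hjt(log_text):
    """Apply simple persistence heuristics to HijackThis lines; return (section, reason) pairs."""
    findings = []
    refs = defaultdict(set)    # file stem -> HJT sections that reference it
    for line in log_text.strip().splitlines():
        section = line.split(" - ", 1)[0]
        if section == "F3" and re.search(r"load=\S", line):
            # win.ini 'load=' is empty on a clean system; anything here runs at every logon
            findings.append((section, "win.ini load= entry is normally empty: " + line.split("load=", 1)[1]))
        if section in ("O2", "O3") and "(no name)" in line:
            findings.append((section, "unnamed BHO/toolbar: " + line))
        if section == "O23" and "(file missing)" in line:
            findings.append((section, "service binary missing, verify the service: " + line))
        for path in PATH_RE.findall(line):
            if section == "O4" and not path.upper().startswith(SYSTEM_DRIVE):
                findings.append((section, "autorun points off the system drive: " + path))
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()
            refs[stem].add(section)
    # The same name in several autostart sections (here jkkjk.exe and jkkjk.dll)
    # is a stronger signal than any single entry.
    for stem, sections in sorted(refs.items()):
        if len(sections) >= 2:
            findings.append(("XREF", f"{stem} referenced from sections {sorted(sections)}"))
    return findings


def check_lsa_packages(line):
    """Return LSA authentication packages beyond the default; extras load into lsass.exe at boot."""
    # ComboFix prints the REG_MULTI_SZ values space-separated (a path containing spaces would split).
    _, _, values = line.partition("REG_MULTI_SZ")
    return [v for v in values.split() if v.lower() not in DEFAULT_AUTH_PACKAGES]


if __name__ == "__main__":
    for section, reason in triage_hjt(SAMPLE_HJT):
        print(f"[{section}] {reason}")
    for pkg in check_lsa_packages(SAMPLE_LSA):
        print(f"[LSA] non-default authentication package: {pkg}")
```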
