popups in ie and have tried everything :(

Hi,

Please answer my earlier question regarding AVG Antivirus.

*Reboot to safe mode.

*Open notepad.
Copy and paste the text inside the Code box below into Notepad.
Choose File > Save As and under "Save as type", choose "All Files".
Type gmer.bat in the File name box and save it to your desktop.

Code:
gmer.exe -del file "C:\WINDOWS\system32\ppqss.bak1"
gmer.exe -del file "C:\WINDOWS\system32\ssqpp.dll.vir"
gmer.exe -del file "C:\WINDOWS\system32\VTTC.exe"
gmer.exe -del file "C:\WINDOWS\system32\yycdd.bak1"
gmer.exe -del file "C:\WINDOWS\system32\npqss.bak1"
gmer.exe -del file "C:\WINDOWS\system32\jmllm.bak1"
gmer.exe -del file "C:\WINDOWS\system32\mllmj.dll"
gmer.exe -del file "C:\WINDOWS\system32\drivers\core.sys"

Locate gmer.bat on your Desktop and double-click on it.

*Using Windows Explorer, find and delete this folder:

C:\WINDOWS\system32\micro1

Empty your recycle bin.

Reboot to normal mode.
_______________________

*Please do an online scan with Kaspersky WebScanner

Click on Kaspersky Online Scanner

You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • The program will launch and then begin downloading the latest definition files.
  • Once the files have been downloaded, click on NEXT.
  • Now click on Scan Settings.
  • In the scan settings, make sure that the following are selected:
    • Scan using the following Anti-Virus database: Extended (if available, otherwise Standard)
    • Scan Options: Scan Archives, Scan Mail Bases
  • Click OK.
  • Now under Select a target to scan:
    • Select My Computer.
  • The program will start and scan your system.
  • The scan will take a while, so be patient and let it run.
  • Once the scan is complete, it will display whether your system has been infected.
  • Now click on the Save as Text button.
  • Save the file to your desktop.
  • Copy and paste that information in your next post.


*I would like you to scan a few files for me.

Please go HERE. Click Browse, then navigate to this file:

C:\WINDOWS\system32\win32k.sys

Then click submit.

Do the same for these files:

C:\WINDOWS\system32\user32.dll
C:\WINDOWS\system32\mf3216.dll
C:\WINDOWS\system32\gdi32.dll

Please post the results to your next reply.

If Jotti is too busy, you can go HERE and do the same as above.


*Please run GMER again.

Please post a fresh HijackThis log, Kaspersky scan log, GMER log, Jotti scan results and a description of how your machine is running.
 
Just to keep you up to date. When I tried to go to this site from safe mode, I had no internet connection, so I couldn't paste the files into gmer.bat. I did delete micro1 in safe mode. When I tried to go back to normal mode, the computer would barely run again. Yes, my AVG is up to date. As we speak, Kaspersky is scanning. I tried to run gmer.bat from normal mode, but some files it couldn't delete. Anyway, when Kaspersky is finished, I will report the logs as well as the results from the other instructions. Thanks again, rail
 
kaspersky1

KASPERSKY ONLINE SCANNER REPORT
Wednesday, April 11, 2007 7:42:15 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.83.0
Kaspersky Anti-Virus database last update: 12/04/2007
Kaspersky Anti-Virus database records: 295995


Scan Settings
Scan using the following antivirus database extended
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\
F:\
G:\
H:\

Scan Statistics
Total number of scanned objects 79361
Number of viruses found 18
Number of infected objects 87 / 0
Number of suspicious objects 0
Duration of the scan process 01:43:10

Infected Object Name Virus Name Last Action
C:\Documents and Settings\All Users\Application Data\avg7\Log\emc.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Grisoft\Avg7Data\avg7log.log.lck Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\DSS\MachineKeys\877bc39ef839fa939b705b1a90e97340_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\137cec12b57ae9730c37dee25424bf55_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\13c939f4309675b6db5886a0995f61f7_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1aa3322d97f28c1a1b504d407eb72f14_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\22029e05ff2a4f413fa748cecfac68b6_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\35dc51a19dfa11af88c6acf979cd336f_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\38af7ae4da520eafefc60da89ce144df_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\5abd817771e1941fc0fa59abd1cb59ad_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7e5c2de6b9467d087b7182d19c20e839_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\7fc7eb4b851d98df33a720c6121a4970_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\91cbeb30cb4f7130e69961b45b45def8_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\92358b8d1c853007b7ea8bd15089c0e0_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\9bfa0870d182047a8a9e35687ea981c1_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\bca019238ac009136d1558cd63025de6_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c0ac6e409347d3e1c567b186d017f59e_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c0ebca7c48981a3a816e55cdb9ac9cca_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\c81e78891f42278e044f3fc8201035eb_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\ea6825dba9c9f7760d489e613bacfdee_4f534ae6-7184-4a90-9fcc-b855f153a5b6 Object is locked skipped

C:\Documents and Settings\LocalService\Application Data\Webroot\Spy Sweeper\Data\settings.dat Object is locked skipped

C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat Object is locked skipped

C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped

C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped

C:\Documents and Settings\warren\.housecall\Quarantine\1D9A9CAE-4322-438B-A10A-1121A3.bac_a03060 Infected: not-a-
 
kaspersky2

C:\Documents and Settings\warren\.housecall\Quarantine\1D9A9CAE-4322-438B-A10A-1121A3.bac_a03060 Infected: not-a-virus:AdWare.Win32.WinAD.an skipped

C:\Documents and Settings\warren\.housecall\Quarantine\26E5C330-551F-47A8-8139-A272B6.bac_a03060 Infected: not-a-virus:AdWare.Win32.WebHancer skipped

C:\Documents and Settings\warren\.housecall\Quarantine\935C08B0-87A6-4B0B-91AD-6891BA.bac_a03060 Infected: not-a-virus:AdWare.Win32.WinAD.an skipped

C:\Documents and Settings\warren\.housecall\Quarantine\BC0EA3B0-24F2-41C3-BB8F-7BAE12.bac_a03060 Infected: not-a-virus:AdWare.Win32.WinAD.ao skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\call256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\callmember256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\contactgroup256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\index2.dat Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\profile256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\user1024.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\user16384.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\user256.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\user4096.dbb Object is locked skipped

C:\Documents and Settings\warren\Application Data\Skype\railman81\voicemail256.dbb Object is locked skipped

C:\Documents and Settings\warren\Cookies\index.dat Object is locked skipped

C:\Documents and Settings\warren\Desktop\icons\SmitfraudFix.exe/data.rar/SmitfraudFix/Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\warren\Desktop\icons\SmitfraudFix.exe/data.rar Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\Documents and Settings\warren\Desktop\icons\SmitfraudFix.exe RarSFX: infected - 2 skipped

C:\Documents and Settings\warren\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped

C:\Documents and Settings\warren\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped

C:\Documents and Settings\warren\Local Settings\History\History.IE5\index.dat Object is locked skipped

C:\Documents and Settings\warren\Local Settings\History\History.IE5\MSHist012007041120070412\index.dat Object is locked skipped

C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98\hGFdeYYm64pUIdwQ[1].exe/data0004 Infected: Trojan-Clicker.Win32.Small.jf skipped

C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98\hGFdeYYm64pUIdwQ[1].exe NSIS: infected - 1 skipped

C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped

C:\Documents and Settings\warren\ntuser.dat Object is locked skipped

C:\Documents and Settings\warren\NTUSER.DAT.LOG Object is locked skipped

C:\Program Files\Common Files\quca.dll Infected: Trojan.Win32.BHO.ab skipped

C:\Program Files\hijack this\backups\backup-20070411-173520-411.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\Program Files\hijack this\backups\backup-20070411-173520-852.dll Infected: Trojan.Win32.BHO.ab skipped

C:\Program Files\NewDotNet\newdotnet7_48.dll Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.const Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters\Masters.mst Object is locked skipped

C:\Program Files\Webroot\Spy Sweeper\Masters.base Object is locked skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir CAB: infected - 5 skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir/data0004 Infected: Trojan.Win32.BHO.ab skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\QooBox\Quarantine\WINDOWS\system32\bund1\ClientBundle1.exe.vir NSIS: infected - 4 skipped

C:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047433.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047472.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe/data.rar/wga_vista.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.ac skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe/data.rar/wga_vista.exe Infected: Trojan-Downloader.NSIS.Agent.ac skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe/data.rar/wga_xp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe/data.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP63\A0047485.exe RarSFX: infected - 4 skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP64\A0047590.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048372.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP78\A0048388.exe NSIS: infected - 4 skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0052506.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0052507.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053585.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053645.exe NSIS: infected - 4 skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053646.exe CAB: infected - 5 skipped

C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0056673.sys Infected: Rootkit.Win32.Agent.eq skipped

C:\VundoFix Backups\ijjqcqqh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\jsimhvwe.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\kapsbvbx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\npbfdoxx.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\vamkblcy.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\VundoFix Backups\wptwioed.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped

C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped

C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe Infected: not-a-virus:Downloader.Win32.WinFixer.q skipped

C:\WINDOWS\NDNuninstall6_38.exe Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\WINDOWS\NDNuninstall7_48.exe Infected: not-a-virus:AdWare.Win32.NewDotNet.e skipped

C:\WINDOWS\SchedLgU.Txt Object is locked skipped

C:\WINDOWS\SoftwareDistribution\EventCache\{32A00A99-E441-4C60-96FF-C17B6733B3DD}.bin Object is locked skipped

C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped

C:\WINDOWS\Sti_Trace.log Object is locked skipped

C:\WINDOWS\system32\bkd.exe/InpB/DxcBho.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\WINDOWS\system32\bkd.exe/InpB/DxcCore.dll Infected: not-a-virus:AdWare.Win32.SurfSide.ay skipped

C:\WINDOWS\system32\bkd.exe/InpB/Dxc.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\WINDOWS\system32\bkd.exe/InpB/DxcRepairInstall.exe Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\WINDOWS\system32\bkd.exe/InpB Infected: not-a-virus:AdWare.Win32.SurfSide.bb skipped

C:\WINDOWS\system32\bkd.exe CAB: infected - 5 skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0002 Infected: not-a-virus:AdWare.Win32.NewDotNet skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0004 Infected: Trojan.Win32.BHO.ab skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0005 Infected: not-a-virus:AdWare.Win32.SurfSide.ax skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped

C:\WINDOWS\system32\bund1\ClientBundle1.exe NSIS: infected - 4 skipped

C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped

C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped

C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\default Object is locked skipped

C:\WINDOWS\system32\config\default.LOG Object is locked skipped

C:\WINDOWS\system32\config\SAM Object is locked skipped

C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped

C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\SECURITY Object is locked skipped

C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped

C:\WINDOWS\system32\config\software Object is locked skipped

C:\WINDOWS\system32\config\software.LOG Object is locked skipped

C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped

C:\WINDOWS\system32\config\system Object is locked skipped

C:\WINDOWS\system32\config\system.LOG Object is locked skipped

C:\WINDOWS\system32\h323log.txt Object is locked skipped

C:\WINDOWS\system32\iifdcbc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped

C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped

C:\WINDOWS\system32\WgaTray.exe/data.rar/wga_vista.exe/data0001 Infected: Trojan-Downloader.NSIS.Agent.ac skipped

C:\WINDOWS\system32\WgaTray.exe/data.rar/wga_vista.exe Infected: Trojan-Downloader.NSIS.Agent.ac skipped

C:\WINDOWS\system32\WgaTray.exe/data.rar/wga_xp.exe Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\WINDOWS\system32\WgaTray.exe/data.rar Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\WINDOWS\system32\WgaTray.exe RarSFX: infected - 4 skipped

C:\WINDOWS\system32\__delete_on_reboot__x_x_y_v_w_v_s_._d_l_l_ Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped

C:\WINDOWS\wiadebug.log Object is locked skipped

C:\WINDOWS\wiaservc.log Object is locked skipped

C:\WINDOWS\WindowsUpdate.log Object is locked skipped

D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

E:\shared\Neww\(full version) vanilla mini wheats song 55.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\Neww\mini wheats theme song vanilla 36.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\Neww\mp3\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\Neww\[release] mini wheats commercial 32.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\phone stuff\++++ motorola ringtones 56.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\shared\phone stuff\released motorola ringtones 34.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped

E:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.
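Most of the 87 "infected objects" in the Kaspersky report above are not live infections: they sit in quarantine folders (QooBox, HouseCall, VundoFix Backups, the HijackThis backups folder) or in System Restore points, and the "Object is locked" lines are registry hives, logs and index.dat files that are merely in use. The handful that matter are the ones under C:\Program Files, C:\WINDOWS\system32 and the shared media folder. The script below is an added triage example (not part of the thread and not Kaspersky's own tooling): it parses the report's line format, ignores locked objects and archive-summary lines, separates hits that an earlier tool already contained from live ones, and splits the live hits into malware and not-a-virus adware/riskware. The sample input is a constructed excerpt whose paths and verdicts are copied from the report above.

```python
import re

# Constructed excerpt in the line format of the Kaspersky Online Scanner report
# posted above (paths and verdicts are taken from that report; this is not the
# scanner's own code or output parser).
SAMPLE_REPORT = r"""
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\QooBox\Quarantine\WINDOWS\system32\bkd.exe.vir CAB: infected - 5 skipped
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0056673.sys Infected: Rootkit.Win32.Agent.eq skipped
C:\VundoFix Backups\ijjqcqqh.dll.bad Infected: not-a-virus:AdWare.Win32.Virtumonde.ar skipped
C:\Program Files\Common Files\quca.dll Infected: Trojan.Win32.BHO.ab skipped
C:\WINDOWS\system32\iifdcbc.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.bq skipped
C:\WINDOWS\system32\bund1\ClientBundle1.exe/data0006 Infected: Trojan-Dropper.Win32.Agent.bfr skipped
E:\shared\Neww\mp3\03 Track 3.wma Infected: Trojan-Downloader.WMA.Wimad.d skipped
Scan process completed.
"""

# The three entry shapes that appear in the report.
LOCKED_RE = re.compile(r"^(?P<path>.+?) Object is locked skipped$")
INFECTED_RE = re.compile(r"^(?P<path>.+?) Infected: (?P<verdict>\S+) skipped$")
CONTAINER_RE = re.compile(r"^(?P<path>.+?) (?P<kind>\w+): infected - (?P<count>\d+) skipped$")

# Locations where a hit means "already contained by an earlier tool", not a live
# infection: quarantine folders (QooBox, HouseCall), fix-tool backups, System Restore.
CONTAINED_MARKERS = (
    "\\quarantine\\",
    "\\vundofix backups\\",
    "\\hijack this\\backups\\",
    "\\system volume information\\_restore",
)


def parse_line(line):
    """Classify one report line; returns None for headers, blanks and trailer text."""
    line = line.strip()
    m = LOCKED_RE.match(line)
    if m:
        return {"status": "locked", "path": m["path"], "verdict": None}
    m = INFECTED_RE.match(line)
    if m:
        return {"status": "infected", "path": m["path"], "verdict": m["verdict"]}
    m = CONTAINER_RE.match(line)
    if m:
        # Archive/installer summary ("NSIS: infected - 4"): the members were already
        # listed one by one, so count the container without double-counting verdicts.
        return {"status": "container", "path": m["path"], "verdict": m["kind"]}
    return None


def is_contained(path):
    p = path.lower()
    return any(marker in p for marker in CONTAINED_MARKERS)


def triage(report_text):
    """Split report entries into what needs action and what is only noise."""
    result = {"locked": 0, "containers": 0, "contained": [],
              "live_malware": [], "live_riskware": []}
    for line in report_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        if entry["status"] == "locked":
            result["locked"] += 1  # hives, logs, index.dat: in use, not infected
        elif entry["status"] == "container":
            result["containers"] += 1
        elif is_contained(entry["path"]):
            result["contained"].append((entry["path"], entry["verdict"]))
        elif entry["verdict"].startswith("not-a-virus:"):
            result["live_riskware"].append((entry["path"], entry["verdict"]))
        else:
            result["live_malware"].append((entry["path"], entry["verdict"]))
    return result


def format_summary(result):
    lines = [
        f"locked (skip): {result['locked']}",
        f"container summaries: {result['containers']}",
        f"already contained (quarantine/backup/restore point): {len(result['contained'])}",
        "live malware (act on these first):",
    ]
    lines += [f"  {v:45} {p}" for p, v in result["live_malware"]]
    lines.append("live adware/riskware:")
    lines += [f"  {v:45} {p}" for p, v in result["live_riskware"]]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(triage(SAMPLE_REPORT)))
```

Run against the full report, the live list is what a helper would write a fix for; the contained list is cleared by emptying the quarantine folders and, once the machine is clean, flushing System Restore so the infected restore points cannot bring the files back.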
 
jotti and hijack this

Jotti found nothing wrong with any of those.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:35:41 PM, on 4/11/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AcroRd32.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: (no name) - {970F0C19-E036-42A0-ABC3-AD7E81FF593F} - C:\WINDOWS\system32\mljgf.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8918 bytes
gmr1

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 20:23:11
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84544678 ZwAllocateVirtualMemory
SSDT 845E7E00 ZwCreateKey
SSDT 84544BA0 ZwCreateProcess
SSDT 84544B28 ZwCreateProcessEx
SSDT 84544948 ZwCreateThread
SSDT 845CFC90 ZwDeleteKey
SSDT 84544C18 ZwDeleteValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 845446F0 ZwQueueApcThread
SSDT 84544588 ZwReadVirtualMemory
SSDT 8456E3B8 ZwRenameKey
SSDT 845447E0 ZwSetContextThread
SSDT 84544D08 ZwSetInformationKey
SSDT 84544A38 ZwSetInformationProcess
SSDT 84544858 ZwSetInformationThread
SSDT 84544C90 ZwSetValueKey
SSDT 845449C0 ZwSuspendProcess
SSDT 84544768 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 845448D0 ZwTerminateThread
SSDT 84544600 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1812] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!NlsMbOemCodePageTag + FFF84FE8 7C901000 23 Bytes [ A1, AC, DE, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + 13 7C901018 37 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + 39 7C90103E 74 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + 84 7C901089 3 Bytes [ FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + 8B 7C901090 51 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlEnterCriticalSection + BF 7C9010C4 2 Bytes [ FF, FF ]
.text ...
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlLeaveCriticalSection + 7 7C9010F4 8 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlLeaveCriticalSection + 10 7C9010FD 34 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlLeaveCriticalSection + 33 7C901120 16 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlTryEnterCriticalSection + 9 7C901134 55 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlTryEnterCriticalSection + 41 7C90116C 2 Bytes [ FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlTryEnterCriticalSection + 44 7C90116F 44 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!LdrInitializeThunk + 1E 7C90119C 2 Bytes [ FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!LdrInitializeThunk + 21 7C90119F 2 Bytes [ FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!LdrInitializeThunk + 24 7C9011A2 2 Bytes [ FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!LdrInitializeThunk + 27 7C9011A5 17 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlActivateActivationContextUnsafeFast + 2 7C9011B7 29 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlActivateActivationContextUnsafeFast + 20 7C9011D5 38 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlDeactivateActivationContextUnsafeFast + 2 7C9011FC 55 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!DbgBreakPoint + 4 7C901234 9 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!DbgUserBreakPoint + 5 7C90123E 49 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitString + 14 7C901270 4 Bytes [ FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitString + 19 7C901275 8 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitString + 23 7C90127F 5 Bytes [ FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitString + 2A 7C901286 38 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitAnsiString + 14 7C9012AD 4 Bytes [ FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitAnsiString + 19 7C9012B2 8 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitAnsiString + 23 7C9012BC 5 Bytes [ FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitAnsiString + 2A 7C9012C3 38 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitUnicodeString + 14 7C9012EA 4 Bytes [ FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitUnicodeString + 19 7C9012EF 12 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitUnicodeString + 26 7C9012FC 6 Bytes [ FF, FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!RtlInitUnicodeString + 2D 7C901303 71 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!cos + 20 7C90134B 54 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!cos + 57 7C901382 10 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!cos + 63 7C90138E 63 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!log + 4 7C9013CE 118 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIlog + 73 7C901446 41 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIlog + 9E 7C901471 64 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!pow + 5 7C9014B2 241 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + EE 7C9015A5 30 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + 10E 7C9015C5 71 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + 158 7C90160F 5 Bytes [ FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + 15F 7C901616 10 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_CIpow + 16B 7C901622 7 Bytes [ FF, FF, FF, FF, FF, FF, FF ]
.text ...
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!sin + 53 7C901732 122 Bytes [ F3, F0, 75, AD, CF, 1B, 74, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!sqrt + 1B 7C9017AD 52 Bytes [ AF, 1C, 79, B5, 1D, 82, C0, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!sqrt + 51 7C9017E3 40 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!sqrt + 7A 7C90180C 813 Bytes [ 74, D1, 91, 55, BC, 7E, 46, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_allshr + 14 7C901B3A 262 Bytes [ BC, 78, E0, A0, 60, CA, 8A, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_aulldvrm + 88 7C901C41 276 Bytes [ 54, 27, 93, 5A, 2A, A0, 64, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!_memccpy + 39 7C901D56 35 Bytes [ FF, FF, FF, FF, D0, 86, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!atan + 5 7C901D7A 33 Bytes [ 45, 96, FF, 57, A7, FF, 69, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!atan + 27 7C901D9C 57 Bytes [ 86, 51, 25, 8B, 55, 28, 95, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!atan + 62 7C901DD7 237 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!ceil + A7 7C901EC5 38 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!ceil + CE 7C901EEC 84 Bytes [ 54, F2, 1C, 4E, E4, 63, 7E, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!ceil + 123 7C901F41 99 Bytes [ FF, FF, FF, 7B, 9F, F6, 42, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!floor + 48 7C901FA5 30 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!floor + 67 7C901FC4 204 Bytes [ 45, 94, FF, 4B, 98, FF, 44, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!floor + 134 7C902091 115 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memchr + 60 7C902105 7 Bytes [ FF, FF, FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memchr + 68 7C90210D 193 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcmp + 80 7C9021CF 28 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcmp + 9D 7C9021EC 5 Bytes [ FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcmp + A3 7C9021F2 67 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 36 7C902236 23 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 4E 7C90224E 6 Bytes [ FF, FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 55 7C902255 7 Bytes [ FF, FF, FF, FF, FF, FF, FF ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 5D 7C90225D 53 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text C:\Program Files\WinRAR\WinRAR.exe[3940] ntdll.dll!memcpy + 93 7C902293 37 Bytes [ FF, FF, FF, FF, FF, FF, FF, ... ]
.text ...
 
Hi, you don't need to post the rest of the GMER log anymore; the other entries will probably be the same. The entry that I want to check seems gone anyway.

I tried to do the gmer.bat from normal mode, but some files it couldn't delete.

Can you tell me which of those it wouldn't delete?


Get ready, we'll attack that nasty in one shot.


*Please download OTMoveIt by OldTimer.

Do not use it yet.


*Please download LSP Fix from Here

In the event that you lose connection after removing NewDotNet, just run the tool then click "Finish" and it will restore your internet connection.

Do not mess with this tool or do anything with it besides the instructions above.

Go to Control Panel > Add or Remove Programs > uninstall the items in bold if found.

NewDotNet or New.Net (and all their variants)

If you didn't find NewDotNet in the Add/Remove list, please go Here, proceed to Procedure #4, download the Uninstaller there, then run it.

Reboot


*Starting at this point, I want you to do all of the instructions while disconnected from the internet. It will help a lot if you print these instructions or save them in Notepad for reference.

*VundoFix
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once the scan is complete, Right Click inside the listbox (white box) and click add more files.
  • Copy & paste the 2 entries below into the top 2 boxes.
    • C:\WINDOWS\system32\mljgf.dll
    • C:\WINDOWS\SYSTEM32\fgjlm.*
  • Click Add Files and click Close Window.
  • Click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES.
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will shut down your computer, click OK.
  • Turn your computer back on.
  • Please post the contents of C:\vundofix.txt

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O2 - BHO: (no name) - {970F0C19-E036-42A0-ABC3-AD7E81FF593F} - C:\WINDOWS\system32\mljgf.dll
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll


Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


*Run OTMoveIt
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\Documents and Settings\warren\.housecall
    C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98
    C:\Program Files\Common Files\quca.dll
    C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe
    C:\WINDOWS\NDNuninstall6_38.exe
    C:\WINDOWS\NDNuninstall7_48.exe
    C:\WINDOWS\system32\bund1
    C:\WINDOWS\system32\bkd.exe
    C:\WINDOWS\system32\iifdcbc.dll
    C:\WINDOWS\system32\WgaTray.exe
    C:\WINDOWS\system32\__delete_on_reboot__x_x_y_v_w_v_s_._d_l_l_
    E:\shared\Neww\(full version) vanilla mini wheats song 55.wma
    E:\shared\Neww\mini wheats theme song vanilla 36.wma
    E:\shared\Neww\mp3\03 Track 3.wma
    E:\shared\Neww\[release] mini wheats commercial 32.wma
    E:\shared\phone stuff\++++ motorola ringtones 56.wma
    E:\shared\phone stuff\released motorola ringtones 34.wma
    C:\WINDOWS\system32\drivers\core.sys
    C:\WINDOWS\system32\VTTC.exe

  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


*Reboot to safe mode

*Empty all the contents of this folder: C:\QooBox\Quarantine

Empty your recycle bin.

Then run AVG Anti-Spyware once more and post the scan log.


*Reboot to normal mode, then run ComboFix again.

On your next reply, please include a fresh HijackThis log, ComboFix log, VundoFix log, OTMoveIt log, and AVG Anti-Spyware log.
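As an added example (not code from this thread, from HijackThis or from any of the tools listed above), here is a small triage script that applies the checks the helper is doing by eye to the HijackThis lines posted earlier: it flags the Winlogon Notify and unnamed-BHO entries that point at mljgf.dll, ActiveX downloads from hosts outside an allow-list, and the proxy override. The allow-list, the set of stock Winlogon Notify packages and the sample log are assumptions constructed for the example.

```python
"""Triage HijackThis (v2.0) log lines for entries worth a closer look.

Added example for this thread; it is not code from the thread, from Trend
Micro's HijackThis or from any of the tools mentioned. The sample lines are
copied from the logs posted above. The allow-list of ActiveX (O16 DPF)
hosts and the set of stock Winlogon Notify packages are assumptions made
for the example and should be maintained per environment.
"""
import re
from typing import List, NamedTuple, Optional
from urllib.parse import urlparse


class Finding(NamedTuple):
    line: str
    reason: str


# Hosts from which downloaded ActiveX controls (O16 DPF) are expected.
# Assumption for the example: anything else gets surfaced for review.
TRUSTED_DPF_HOSTS = {
    "update.microsoft.com", "go.microsoft.com", "www.kaspersky.com",
    "housecall65.trendmicro.com", "messenger.zone.msn.com",
    "messenger.msn.com",
}

# Winlogon Notify packages present on a stock Windows XP SP2 install
# (assumption for the example). Vundo's mljgf.dll shows up in this thread
# as an extra package, which is how it gets loaded into winlogon.exe.
STOCK_WINLOGON_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "ScCertProp", "Schedule",
    "sclgntfy", "SensLogn", "termsrv", "wlballoon",
}

IN_SYSTEM32 = re.compile(r"\\WINDOWS\\system32\\", re.IGNORECASE)
TRAILING_URL = re.compile(r"-\s+(https?://\S+)\s*$")


def triage_line(line: str) -> Optional[Finding]:
    """Classify one HijackThis line; None means nothing stood out."""
    line = line.strip()
    if line.startswith("O20 - Winlogon Notify:"):
        # e.g. "O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll"
        package = line.split(":", 1)[1].split(" - ", 1)[0].strip()
        if package not in STOCK_WINLOGON_NOTIFY:
            return Finding(line, "non-stock Winlogon Notify package "
                                 "(DLL is loaded into winlogon.exe)")
    elif line.startswith("O2 - BHO:"):
        # Unnamed BHOs exist legitimately (Spybot's SDHelper.dll has no
        # name); an unnamed BHO whose DLL sits in system32 is the Vundo
        # pattern in this thread and is worth a look.
        if "(no name)" in line and IN_SYSTEM32.search(line):
            return Finding(line, "unnamed BHO loaded from system32")
    elif line.startswith("O16 - DPF:"):
        match = TRAILING_URL.search(line)
        host = urlparse(match.group(1)).hostname if match else None
        if host not in TRUSTED_DPF_HOSTS:
            return Finding(line, "ActiveX control from unlisted host: %s" % host)
    elif line.startswith("R1 - ") and "ProxyOverride" in line:
        return Finding(line, "proxy override configured; confirm it is expected")
    return None


def triage_log(text: str) -> List[Finding]:
    """Run triage_line over every line of a pasted HijackThis log."""
    return [f for f in map(triage_line, text.splitlines()) if f is not None]


# Constructed sample: a handful of lines taken from the logs in this thread.
SAMPLE_LOG = r"""
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {970F0C19-E036-42A0-ABC3-AD7E81FF593F} - C:\WINDOWS\system32\mljgf.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O20 - Winlogon Notify: mljgf - C:\WINDOWS\system32\mljgf.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
"""

if __name__ == "__main__":
    for finding in triage_log(SAMPLE_LOG):
        print("%-60s  <-  %s" % (finding.line[:60], finding.reason))
```

Run on the fresh log posted after the fix, the two mljgf.dll findings should disappear while the review-only items (proxy override, unlisted DPF hosts) remain for a human to confirm.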
Please disregard my previous gmr1, I forgot to kill the internet connection.

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-11 23:22:38
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84544678 ZwAllocateVirtualMemory
SSDT 845E7E00 ZwCreateKey
SSDT 84544BA0 ZwCreateProcess
SSDT 84544B28 ZwCreateProcessEx
SSDT 84544948 ZwCreateThread
SSDT 845CFC90 ZwDeleteKey
SSDT 84544C18 ZwDeleteValueKey
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwOpenProcess
SSDT 845446F0 ZwQueueApcThread
SSDT 84544588 ZwReadVirtualMemory
SSDT 8456E3B8 ZwRenameKey
SSDT 845447E0 ZwSetContextThread
SSDT 84544D08 ZwSetInformationKey
SSDT 84544A38 ZwSetInformationProcess
SSDT 84544858 ZwSetInformationThread
SSDT 84544C90 ZwSetValueKey
SSDT 845449C0 ZwSuspendProcess
SSDT 84544768 ZwSuspendThread
SSDT \??\C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.sys ZwTerminateProcess
SSDT 845448D0 ZwTerminateThread
SSDT 84544600 ZwWriteVirtualMemory

---- User code sections - GMER 1.0.12 ----

.text C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[1760] kernel32.dll!CreateThread + 1A 7C810651 4 Bytes [ AB, FA, C3, 83 ]

---- Devices - GMER 1.0.12 ----

Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\Ip IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\Ip IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\Ip IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\Ip IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\Ip IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\Ip IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\Ip IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\Ip IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\Ip IRP_MJ_PNP 838DAE40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\Tcp IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\Tcp IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\Tcp IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\Tcp IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\Tcp IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\Tcp IRP_MJ_PNP 838DAE40
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\Udp IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\Udp IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\Udp IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\Udp IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\Udp IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\Udp IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\Udp IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\Udp IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\Udp IRP_MJ_PNP 838DAE40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\RawIp IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\RawIp IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\RawIp IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\RawIp IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\RawIp IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\RawIp IRP_MJ_PNP 838DAE40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE 838D5678
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_NAMED_PIPE 838D5600
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE 838D5588
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_READ 838D5510
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_WRITE 838D5B10
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_INFORMATION 838D5A98
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_INFORMATION 838D5A20
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_EA 838D59A8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_EA 838D5FA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FLUSH_BUFFERS 838D5F30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_VOLUME_INFORMATION 838D5EB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_VOLUME_INFORMATION 838D5E40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DIRECTORY_CONTROL 838D8880
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_FILE_SYSTEM_CONTROL 838D8808
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL 838D8790
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [F7B7085A] avgtdi.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SHUTDOWN 838D8D18
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_LOCK_CONTROL 838D8CA0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP 838D8C28
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE_MAILSLOT 838D8BB0
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_SECURITY 838D9FA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_SECURITY 838D9F30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_POWER 838D9EB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SYSTEM_CONTROL 838D9E40
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CHANGE 838DAFA8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_QUERY_QUOTA 838DAF30
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_SET_QUOTA 838DAEB8
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_PNP 838DAE40

---- Processes - GMER 1.0.12 ----

Library C:\WINDOWS\system32\ddcddaw.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [612] 0x01930000

---- EOF - GMER 1.0.12 ----
 
So far so good.

This first:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 10:57:25 AM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\internet explorer\iexplore.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/downloa...487_488d8a51+6D9170741ED94BE1B336BD8DCDEAEC74
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 8982 bytes
 
ComboFix

"warren" - 07-04-12 10:46:58 Service Pack 2
ComboFix 07-04-05 - Running from: "C:\Documents and Settings\warren\Desktop\icons"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\warren\APPLIC~1\Dxcknwrd.dll
C:\DOCUME~1\warren\APPLIC~1\Dxcuknwrd.dll
C:\WINDOWS\system32\dwdsregt.exe


((((((((((((((((((((((((((((((( Files Created from 2007-03-12 to 2007-04-12 ))))))))))))))))))))))))))))))))))


2007-04-11 22:06 774,595 ---hs---- C:\WINDOWS\system32\fgjlm.bak2
2007-04-11 22:05 778,184 ---hs---- C:\WINDOWS\system32\fgjlm.ini2
2007-04-11 17:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-04-11 17:37 774,314 ---hs---- C:\WINDOWS\system32\fgjlm.bak1
2007-04-11 17:36 280,676 --ah----- C:\WINDOWS\system32\mljgf.dll.vir
2007-04-11 17:18 31,844 --------- C:\WINDOWS\system32\geede.exe
2007-04-11 17:13 49,183 --a------ C:\WINDOWS\system32\nsdsrego.exe
2007-04-11 17:07 31,844 ---hs---- C:\WINDOWS\system32\sstqo.exe
2007-04-11 17:07 31,844 ---hs---- C:\WINDOWS\system32\gebcd.exe
2007-04-11 16:59 931 --a------ C:\WINDOWS\system32\winpfz32.sys
2007-04-10 11:08 <DIR> d-------- C:\Temp\tn3
2007-04-10 07:36 105,434 --a------ C:\WINDOWS\VTTC.exe
2007-04-09 21:44 <DIR> d-------- C:\Program Files\hijack this
2007-04-09 11:04 184,320 --a------ C:\WINDOWS\sys012172355371.exe
2007-04-09 11:04 184,320 --a------ C:\WINDOWS\ase.exe
2007-04-06 14:49 53,248 --a------ C:\WINDOWS\111uninst.exe
2007-04-05 13:41 <DIR> d-------- C:\!KillBox
2007-04-05 10:24 <DIR> d-------- C:\SmitfraudFix
2007-04-05 08:36 3,064 --a------ C:\WINDOWS\system32\tmp.reg
2007-04-05 08:34 79,360 --a------ C:\WINDOWS\system32\swxcacls.exe
2007-04-05 08:34 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-04-05 08:34 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-04-05 08:34 40,960 --a------ C:\WINDOWS\system32\swsc.exe
2007-04-05 08:34 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-04-05 08:34 135,168 --a------ C:\WINDOWS\system32\swreg.exe
2007-04-03 14:34 3,968 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-04-03 11:40 <DIR> d-------- C:\DOCUME~1\LOCALS~1\APPLIC~1\Webroot
2007-04-03 11:38 22,080 --a------ C:\WINDOWS\system32\drivers\sshrmd.sys
2007-04-03 11:38 21,056 --a------ C:\WINDOWS\system32\drivers\sskbfd.sys
2007-04-03 11:38 20,544 --a------ C:\WINDOWS\system32\drivers\SSFS0509.sys
2007-04-03 11:38 144,448 --a------ C:\WINDOWS\system32\drivers\ssidrv.sys
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\NETWOR~1\APPLIC~1\Webroot
2007-04-03 11:38 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Webroot
2007-04-03 11:36 <DIR> d-------- C:\DOCUME~1\warren\APPLIC~1\Webroot
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IKAutoUp.exe
2007-04-03 09:22 385,024 --a------ C:\WINDOWS\system32\IkAutoUp.dat
2007-04-02 21:48 <DIR> d-------- C:\Program Files\Enigma Software Group
2007-04-02 19:47 <DIR> d-------- C:\Program Files\STOPzilla!
2007-04-02 19:47 <DIR> d-------- C:\Program Files\Common Files\iS3
2007-04-02 19:47 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\STOPzilla!
2007-04-02 15:45 <DIR> d-------- C:\WINDOWS\pss
2007-03-18 19:54 <DIR> d-------- C:\Program Files\iTunes
2007-03-15 11:23 497,496 --a------ C:\WINDOWS\system32\XceedZip.dll
2007-03-15 11:19 526,184 --a------ C:\WINDOWS\system32\XceedCry.dll
2007-03-15 08:46 57,344 --a------ C:\WINDOWS\uni_eh10.exe
2007-03-14 17:06 <DIR> d-------- C:\My Games
2007-03-14 17:05 <DIR> d-------- C:\My Download Files
2007-03-14 17:04 774,144 --a------ C:\Program Files\RngInterstitial.dll
2007-03-14 17:04 <DIR> d-------- C:\Program Files\Real


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2007-04-12 10:45 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\skype
2007-04-11 17:31 484 --a------ C:\Program Files\Common Files\quca
2007-04-10 11:04 -------- d-------- C:\Program Files\tweak-xp pro 4
2007-04-09 18:25 -------- d-------- C:\Program Files\replay7
2007-04-09 13:32 -------- d-------- C:\Program Files\google
2007-04-09 10:55 -------- d-------- C:\Program Files\java
2007-04-05 13:16 2951 --a------ C:\WINDOWS\mozver.dat
2007-04-05 11:28 -------- d-------- C:\Program Files\super internet tv
2007-04-03 12:30 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\verbatim software
2007-04-03 11:38 -------- d-------- C:\Program Files\webroot
2007-03-28 19:09 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso_hwe
2007-03-18 20:55 -------- d-------- C:\Program Files\dvdfab platinum 3
2007-03-18 20:55 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\vso
2007-03-18 19:54 -------- d-------- C:\Program Files\ipod
2007-03-18 19:52 -------- d-------- C:\Program Files\quicktime
2007-03-17 07:43 292864 --a------ C:\WINDOWS\system32\winsrv.dll
2007-03-14 17:04 -------- d-------- C:\Program Files\Common Files\real
2007-03-08 09:36 577536 --a------ C:\WINDOWS\system32\user32.dll
2007-03-08 09:36 40960 --a------ C:\WINDOWS\system32\mf3216.dll
2007-03-08 09:36 281600 --a------ C:\WINDOWS\system32\gdi32.dll
2007-03-08 07:47 1843584 --a------ C:\WINDOWS\system32\win32k.sys
2007-03-07 09:32 -------- d-------- C:\Program Files\divx
2007-03-05 19:16 -------- d-------- C:\Program Files\yahoo! games
2007-03-05 18:21 -------- d-------- C:\DOCUME~1\warren\APPLIC~1\juniper networks
2007-03-01 08:53 142 --a------ C:\Program Files\Common Files\rtele.html
2007-02-22 22:29 524288 --a------ C:\WINDOWS\system32\divxsm.exe
2007-02-22 22:29 3596288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2007-02-22 22:29 200704 --a------ C:\WINDOWS\system32\ssldivx.dll
2007-02-22 22:29 1044480 --a------ C:\WINDOWS\system32\libdivx.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2007-02-22 22:25 823296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2007-02-22 22:25 802816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2007-02-22 22:25 73728 --a------ C:\WINDOWS\system32\dpl100.dll
2007-02-22 22:25 639066 --a------ C:\WINDOWS\system32\divx.dll
2007-02-22 22:25 593920 --a------ C:\WINDOWS\system32\dpugui11.dll
2007-02-22 22:25 57344 --a------ C:\WINDOWS\system32\dpv11.dll
2007-02-22 22:25 53248 --a------ C:\WINDOWS\system32\dpugui10.dll
2007-02-22 22:25 344064 --a------ C:\WINDOWS\system32\dpus11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu11.dll
2007-02-22 22:25 294912 --a------ C:\WINDOWS\system32\dpu10.dll
2007-02-22 22:25 196608 --a------ C:\WINDOWS\system32\dtu100.dll
2007-02-15 19:40 124472 --a------ C:\WINDOWS\system32\divxcodecupdatechecker.exe
2007-02-11 17:53 0 --a------ C:\WINDOWS\nsreg.dat
2007-02-05 14:17 185344 --a------ C:\WINDOWS\system32\upnphost.dll
2007-01-29 23:03 129784 --------- C:\WINDOWS\system32\pxafs.dll
2007-01-29 23:03 118520 --------- C:\WINDOWS\system32\pxinsi64.exe
2007-01-29 23:03 116472 --------- C:\WINDOWS\system32\pxcpyi64.exe
2007-01-22 19:24 23392 --a--c--- C:\WINDOWS\system32\emptyregdb.dat


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries & legit default entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"Skype"="\"C:\\Program Files\\Skype\\Phone\\Skype.exe\" /nosplash /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"SiSUSBRG"="C:\\WINDOWS\\SiSUSBrg.exe"
"RemoteControl"="\"C:\\Program Files\\CyberLink\\PowerDVD\\PDVDServ.exe\""
"RegistryMechanic"=""
"MessengerPlus3"="\"C:\\Program Files\\MessengerPlus! 3\\MsgPlus.exe\""
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="\"C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe\" /STARTUP"
"WatchDog"="\"C:\\Program Files\\mobile PhoneTools\\WatchDog.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"iTunesHelper"="\"C:\\Program Files\\iTunes\\iTunesHelper.exe\""
"!AVG Anti-Spyware"="\"C:\\Program Files\\Grisoft\\AVG Anti-Spyware 7.5\\avgas.exe\" /minimized"
"SunJavaUpdateSched"="\"C:\\Program Files\\Java\\jre1.6.0_01\\bin\\jusched.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"


[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"
"{D2A0728D-AB2F-4B91-9EEF-590C70EA075D}"=""
"{E44527F6-1296-4A84-B67D-A6CEA6ED4B69}"=""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"AVG7_Run"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgw.exe /RUNONCE"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoWinKeys"=dword:00000001
"NoRecentDocsMenu"=dword:00000001
"NoLowDiskSpaceChecks"=dword:00000001

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdcba

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa
Authentication Packages REG_MULTI_SZ msv1_0\0\0
Security Packages REG_MULTI_SZ kerberos\0msv1_0\0schannel\0wdigest\0\0
Notification Packages REG_MULTI_SZ scecli\0\0

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WebrootSpySweeperService

[HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
NetworkService REG_MULTI_SZ DnsCache\0\0
DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
rpcss REG_MULTI_SZ RpcSs\0\0
imgsvc REG_MULTI_SZ StiSvc\0\0
termsvcs REG_MULTI_SZ TermService\0\0
WudfServiceGroup REG_MULTI_SZ WUDFSvc\0\0



Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\AppleSoftwareUpdate.job


********************************************************************

catchme 0.2 W2K/XP/Vista - userland rootkit detector by Gmer, 17 October 2006
http://www.gmer.net

scanning hidden processes ...

scanning hidden services ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden processes: 0
hidden services: 0
hidden files: 0

********************************************************************

Completion time: 07-04-12 10:51:27
C:\ComboFix-quarantined-files.txt ... 07-04-12 10:51
 
VundoFix

C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\fosdieqt.dll
C:\WINDOWS\system32\gvpitbem.dll
C:\WINDOWS\system32\jkkkhig.dll
C:\WINDOWS\system32\khfdefd.dll
C:\WINDOWS\system32\opnlkji.dll
C:\WINDOWS\system32\opnnnoo.dll
C:\WINDOWS\system32\opnonol.dll
C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.ini
C:\WINDOWS\system32\rovkclwc.dll
C:\WINDOWS\system32\ssqrrpn.dll
C:\WINDOWS\system32\tvgajgrm.dll
C:\WINDOWS\system32\vesdmeed.dll
C:\WINDOWS\system32\wgcipjuh.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\awvtq.dll
C:\WINDOWS\system32\awvtq.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\fosdieqt.dll
C:\WINDOWS\system32\fosdieqt.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\gvpitbem.dll
C:\WINDOWS\system32\gvpitbem.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkkkhig.dll
C:\WINDOWS\system32\jkkkhig.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\khfdefd.dll
C:\WINDOWS\system32\khfdefd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnlkji.dll
C:\WINDOWS\system32\opnlkji.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnnnoo.dll
C:\WINDOWS\system32\opnnnoo.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnonol.dll
C:\WINDOWS\system32\opnonol.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtvwa.bak1
C:\WINDOWS\system32\qtvwa.bak1 Has been deleted!

Attempting to delete C:\WINDOWS\system32\qtvwa.ini
C:\WINDOWS\system32\qtvwa.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\rovkclwc.dll
C:\WINDOWS\system32\rovkclwc.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ssqrrpn.dll
C:\WINDOWS\system32\ssqrrpn.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\tvgajgrm.dll
C:\WINDOWS\system32\tvgajgrm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vesdmeed.dll
C:\WINDOWS\system32\vesdmeed.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wgcipjuh.dll
C:\WINDOWS\system32\wgcipjuh.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V6.3.19

Checking Java version...

Java version is 1.5.0.3
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.11

Scan started at 8:46:42 AM 4/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\wvuvwwx.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\wvuvwwx.dll
C:\WINDOWS\system32\wvuvwwx.dll Has been deleted!

Performing Repairs to the registry.
Done!
 
OTMoveIt (this is the log from a second scan)

File/Folder :\Documents and Settings\warren\.housecall not found.
File/Folder C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\6B3TTV98 not found.
File/Folder C:\Program Files\Common Files\quca.dll not found.
File/Folder C:\WINDOWS\Downloaded Program Files\USDR6_0001_D19M2108NetInstaller.exe not found.
File/Folder C:\WINDOWS\NDNuninstall6_38.exe not found.
File/Folder C:\WINDOWS\NDNuninstall7_48.exe not found.
File/Folder C:\WINDOWS\system32\bund1 not found.
File/Folder C:\WINDOWS\system32\bkd.exe not found.
File/Folder C:\WINDOWS\system32\iifdcbc.dll not found.
File/Folder C:\WINDOWS\system32\WgaTray.exe not found.
File/Folder C:\WINDOWS\system32\__delete_on_reboot__x_x_y_v_w_v_s_._d_l_l_ not found.
File/Folder E:\shared\Neww\(full version) vanilla mini wheats song 55.wma not found.
File/Folder E:\shared\Neww\mini wheats theme song vanilla 36.wma not found.
File/Folder E:\shared\Neww\mp3\03 Track 3.wma not found.
File/Folder E:\shared\Neww\[release] mini wheats commercial 32.wma not found.
File/Folder E:\shared\phone stuff\++++ motorola ringtones 56.wma not found.
File/Folder E:\shared\phone stuff\released motorola ringtones 34.wma not found.
File/Folder C:\WINDOWS\system32\drivers\core.sys not found.
File/Folder C:\WINDOWS\system32\VTTC.exe not found.

Created on 04/12/2007 09:03:08

This was the log after the second time I ran it; for some reason I couldn't copy the first log.
 
AVG

---------------------------------------------------------
AVG Anti-Spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:42:40 AM 4/12/2007

+ Scan result:



HKLM\SOFTWARE\Classes\CLSID\{A8BD6820-6ED7-423E-9558-2D1486B0FEEA} -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKLM\SOFTWARE\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\DeluxeCommunications -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\DeluxeCommunications\Internet Explorer -> Adware.DeluxeCommunications : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temporary Internet Files\Content.IE5\G3YNA7GJ\NNuninstall[1].exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\Program Files\hijack this\backups\backup-20070411-173520-411.dll -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP80\A0059711.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP80\A0059712.exe -> Adware.NewDotNet : Cleaned with backup (quarantined).
HKU\S-1-5-21-606747145-1500820517-725345543-1006\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{4A2AACF3-ADF6-11D5-98A9-00E018981B9E} -> Adware.NewDotNet : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP80\A0059713.dll -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\VundoFix Backups\wvuvwwx.dll.bad -> Adware.Virtumonde : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{04803D7F-3F5F-4521-BDC7-38AA6EA3A213}\RP79\A0053623.exe -> Adware.WebBuying : Cleaned with backup (quarantined).
C:\Program Files\hijack this\backups\backup-20070411-173520-852.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\_OTMoveIt\MovedFiles\Program Files\Common Files\quca.dll -> Adware.ZQuest : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temp\ICD3.tmp\UDC6_0001_D21M0303NetInstaller.exe -> Downloader.Small : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temp\ICD2.tmp\UERT_0001_D19M2109NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.l : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temp\ICD1.tmp\USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
C:\Documents and Settings\warren\Local Settings\Temp\ICD4.tmp\USDR6_0001_D19M2108NetInstaller.exe -> Not-A-Virus.Downloader.Win32.WinFixer.q : Cleaned with backup (quarantined).
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@buzznet.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@msnportal.112.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@partygaming.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@pch.122.2o7[1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@adrevolver[1].txt -> TrackingCookie.Adrevolver : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@advertising[1].txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@searchportal.information[1].txt -> TrackingCookie.Information : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\warren\Cookies\warren@stats1.reliablestats[1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
C:\Documents and Settings\gaynette.USER-52FBA29A54\Cookies\gaynette@ad.yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.


::Report end
 
Can't tell you what files

I can't tell you what files GMER could delete, but now it says "problem moving" for any of those files. I assume they all have been deleted. Since performing these actions the computer is working great, and I haven't seen a popup. I sure hope it doesn't replicate when rebooting, but I will keep you posted. Thanks again for all your help, and for putting up with my computer ignorance... rail
 
latest hijack after reboot

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:02:02 PM, on 4/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\savedump.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\Program Files\mobile PhoneTools\WatchDog.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\hijack this\hjt.exe.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://sympatico.msn.ca/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = dynhost.inetcam.com;register.inetcam.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: CCHelper Class - {0CF0B8EE-6596-11D5-A98E-0003470BB48E} - C:\Program Files\Panicware\Pop-Up Stopper Companion\CCHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O3 - Toolbar: Pop-Up Stopper &Companion - {8F05B1A8-9D77-4B8F-AF54-6B2202066F95} - C:\Program Files\Panicware\Pop-Up Stopper Companion\popupus.dll
O3 - Toolbar: Easy-WebPrint - {327C2873-E90D-4c37-AA9D-10AC9BABA46C} - C:\Program Files\Canon\Easy-WebPrint\Toolband.dll
O4 - HKLM\..\Run: [SiSUSBRG] C:\WINDOWS\SiSUSBrg.exe
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] "C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe" /STARTUP
O4 - HKLM\..\Run: [WatchDog] "C:\Program Files\mobile PhoneTools\WatchDog.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [!AVG Anti-Spyware] "C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe" /minimized
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKCU\..\Run: [Skype] "C:\Program Files\Skype\Phone\Skype.exe" /nosplash /minimized
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVGFRE~1\avgw.exe /RUNONCE (User 'Default user')
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Easy-WebPrint Add To Print List - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_AddToList.html
O8 - Extra context menu item: Easy-WebPrint High Speed Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_HSPrint.html
O8 - Extra context menu item: Easy-WebPrint Preview - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Preview.html
O8 - Extra context menu item: Easy-WebPrint Print - res://C:\Program Files\Canon\Easy-WebPrint\Resource.dll/RC_Print.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab31267.cab
O16 - DPF: {3FE16C08-D6A7-4133-84FC-D5BFB4F7D886} (WebGameLoader Class) - http://www.shockwave.com/content/ricochetlostworlds/ReflexiveWebGameLoader.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.com//PhotoUpload/MsnPUpld.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1129645445375
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1129645431937
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} (Housecall ActiveX 6.5) - http://us-housecall.trendmicro-europe.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsClient.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMessengerSetupDownloader.cab
O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/downloa...487_488d8a51+6D9170741ED94BE1B336BD8DCDEAEC74
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (ZoneIntro Class) - http://messenger.zone.msn.com/binary/ZIntro.cab32846.cab
O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://sra.cn.ca/dana-cached/setup/JuniperSetupSP1.cab
O16 - DPF: {E8F628B5-259A-4734-97EE-BA914D7BE941} (Driver Agent ActiveX Control) - http://www.driveragent.com/files/driveragent.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/SolitaireShowdown.cab31267.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINDOWS\system32\drivers\KodakCCS.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe

--
End of file - 9073 bytes
 
Hi,

The stubborn one is now gone, but a lot of crap has appeared again. Please avoid downloading anything for now. I want you to stay offline with that computer as long as possible until these infections stop regenerating.


*Open Spy Sweeper.
  • Click the Options button on the left hand side.
  • Select the Update Tab.
  • Click Update Spy Sweeper.
  • Once the updates have all been downloaded, exit spysweeper.

*Although Windows XP comes with a firewall, you should not rely on it, because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present on your computer can access the internet with no restrictions. There are several other firewalls that can protect you better by filtering both incoming and outgoing data. Make sure you get only one of these...

» ZoneAlarm
» Kerio


After installing the firewall and the Spy Sweeper updates, reboot first; then you may print these instructions or copy them into Notepad, since you need to do all of these instructions while offline.


*Run a new rootkit scan with GMER.

When you see the following process on the list:

C:\WINDOWS\system32\ddcddaw.dll

Right-click it with your mouse and a menu will open. Choose Kill Process from the list.

Then close GMER.


*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

O16 - DPF: {B64F4A7C-97C9-11DA-8BDE-F66BAD1E3F3A} - http://www.winantivirus.com/download...36BD8DCDEAEC74

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.



*Run OTMoveIt
  • Please double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

    C:\WINDOWS\system32\fgjlm.bak2
    C:\WINDOWS\system32\fgjlm.ini2
    C:\WINDOWS\system32\fgjlm.bak1
    C:\WINDOWS\system32\mljgf.dll.vir
    C:\WINDOWS\system32\geede.exe
    C:\WINDOWS\system32\nsdsrego.exe
    C:\WINDOWS\system32\sstqo.exe
    C:\WINDOWS\system32\gebcd.exe
    C:\WINDOWS\system32\winpfz32.sys
    C:\WINDOWS\VTTC.exe
    C:\WINDOWS\sys012172355371.exe
    C:\WINDOWS\ase.exe
    C:\WINDOWS\uni_eh10.exe
    C:\WINDOWS\111uninst.exe
    C:\Program Files\Common Files\quca
    C:\Program Files\Common Files\rtele.html
    C:\WINDOWS\system32\ddcddaw.dll


  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything in the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it in your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.


*Click Start > Run > copy and paste the following command into the box:

reg delete "HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ddcdcba"


*Now open Spy Sweeper again
  • Select the Sweep Tab.
  • Ensure that the Full Sweep (recommended) option is selected.
  • Click the Start Sweep button.
  • Once the scan has completed, Spy Sweeper will display the results of the scan.
  • If anything has been found, click Quarantine Selected.
    If you are asked to allow a reboot, do so - if not, manually reboot your PC instead.

    Once the PC has rebooted, open Spy Sweeper:
  • Click the Options button on the left.
  • Select the Sweep Tab again.
  • Click the View Session Log link in the bottom left hand corner.
  • Click the Save to File button - by default the log will be saved as Spy Sweeper Sessions Log.txt in My Documents.

*After reboot, please do a rootkit scan with GMER again.

In your next reply, please include a fresh HijackThis log, the OTMoveIt log, the Spy Sweeper scan log, the new GMER log, and a description of how your machine is running.
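The OTMoveIt list above contains two base names that are each other's reverse: fgjlm (the .bak1/.bak2/.ini2 files) and mljgf (the .dll.vir file). A DLL paired with .ini/.bak companions whose name is the DLL name spelled backwards is a trait commonly seen with the Vundo/Virtumonde family, so spotting such pairs in a HijackThis or OTMoveIt list is a quick consistency check before deciding what to move. The helper below is an added example for this thread, not code from the post or from any tool named in it; the sample list is copied from the post, and the function names are this example's own.

```python
"""Find reversed-name file pairs and their companion files in a removal list.

Added example, not part of the thread. Given a list of Windows paths it
reports base names that occur together with their reverse (fgjlm / mljgf)
and, for each base name, which suffixes were seen with it.
"""
import ntpath
from collections import defaultdict

# Constructed sample: paths taken from the OTMoveIt list in the post above.
PATHS = [
    r"C:\WINDOWS\system32\fgjlm.bak2",
    r"C:\WINDOWS\system32\fgjlm.ini2",
    r"C:\WINDOWS\system32\fgjlm.bak1",
    r"C:\WINDOWS\system32\mljgf.dll.vir",
    r"C:\WINDOWS\system32\geede.exe",
    r"C:\WINDOWS\system32\ddcddaw.dll",
    r"C:\WINDOWS\VTTC.exe",
]


def base_stem(path):
    """Lower-case name before the first dot: 'mljgf.dll.vir' -> 'mljgf'."""
    return ntpath.basename(path).split(".", 1)[0].lower()


def companions(paths):
    """Map each stem to the sorted suffixes seen with it ('.bak1', '.dll.vir', ...)."""
    seen = defaultdict(list)
    for path in paths:
        stem, _, rest = ntpath.basename(path).partition(".")
        seen[stem.lower()].append("." + rest if rest else "")
    return {stem: sorted(suffixes) for stem, suffixes in seen.items()}


def reversed_pairs(paths):
    """Return sorted (stem, reversed stem) pairs where both stems are present.

    Palindromic stems are ignored, since a name equal to its own reverse
    says nothing about a companion file.
    """
    stems = {base_stem(p) for p in paths}
    pairs = set()
    for stem in stems:
        mirror = stem[::-1]
        if mirror != stem and mirror in stems:
            pairs.add(tuple(sorted((stem, mirror))))
    return sorted(pairs)


if __name__ == "__main__":
    suffixes = companions(PATHS)
    for left, right in reversed_pairs(PATHS):
        print(f"{left} {suffixes[left]}  <->  {right} {suffixes[right]}")
```

Run against a full HijackThis file list rather than the short excerpt here, the reversed-pair check is cheap enough to apply to every name under system32; names that match only themselves are skipped on purpose.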
 
gmer1

GMER 1.0.12.12086 - http://www.gmer.net
Rootkit scan 2007-04-12 18:51:37
Windows 5.1.2600 Service Pack 2


---- System - GMER 1.0.12 ----

SSDT 84548B70 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateProcess
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateProcessEx
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateSection
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateSymbolicLinkObject
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwMapViewOfSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwOpenProcess
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwOpenSection
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwQuerySystemInformation
SSDT 84548BE8 ZwQueueApcThread
SSDT 84548A80 ZwReadVirtualMemory
SSDT 84549318 ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwResumeThread
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSetContextThread
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSetInformationFile
SSDT 845492A0 ZwSetInformationKey
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSetInformationProcess
SSDT 84548D50 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSetSecurityObject
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSystemInformation
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT 84548EB8 ZwSuspendProcess
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwSuspendThread
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwTerminateProcess
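In the SSDT section above each line names the hooked Zw function and, where GMER can map the hook target to a loaded module, the owning driver (vsdatant.sys and the KLIF.SYS driver under the ZoneLabs directory). Lines whose owner is a bare kernel address such as 84548B70 are hooks GMER could not attribute to a module; those are the entries worth following up, because a hook from a known security product is expected while an unattributed one is not. The script below is an added example for this thread, not GMER's own code: it parses that section and groups the hooks by owner. The list of "known" drivers is an assumption for the example, and the sample text is a subset of the lines from the log above.

```python
"""Triage a GMER 'SSDT' section by hook owner.

Added example, not GMER code. Each line reads 'SSDT <owner> <ZwFunction>',
where <owner> is a driver path or a bare 8-hex-digit kernel address that
GMER could not attribute to a loaded module. Hooks are grouped into
known security drivers, unattributed addresses, and everything else.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the SSDT lines from the log above.
SAMPLE_LOG = r"""
SSDT 84548B70 ZwAllocateVirtualMemory
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwClose
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \??\C:\WINDOWS\system32\ZoneLabs\avsys\KLIF.SYS ZwCreateProcess
SSDT 84548BE8 ZwQueueApcThread
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadDriver
SSDT 84548EB8 ZwSuspendProcess
"""

# Owner is matched non-greedily so driver paths containing spaces still parse.
SSDT_LINE = re.compile(r"^SSDT\s+(.+?)\s+(Zw\w+)\s*$")
BARE_ADDRESS = re.compile(r"^[0-9A-Fa-f]{8}$")

# Drivers this thread attributes the hooks to. Assumption for the example,
# not a complete allowlist of legitimate SSDT hookers.
KNOWN_SECURITY_DRIVERS = {"vsdatant.sys", "klif.sys"}


def parse_ssdt(text):
    """Return (owner, function) tuples for every SSDT line in the text."""
    hooks = []
    for line in text.splitlines():
        match = SSDT_LINE.match(line.strip())
        if match:
            hooks.append((match.group(1), match.group(2)))
    return hooks


def owner_key(owner):
    """Normalise an owner to a lower-case file name, or keep a bare address."""
    if BARE_ADDRESS.match(owner):
        return owner.upper()
    return owner.rsplit("\\", 1)[-1].lower()


def triage(text):
    """Group hooked functions by owner into known / unattributed / other."""
    by_owner = defaultdict(list)
    for owner, func in parse_ssdt(text):
        by_owner[owner_key(owner)].append(func)
    report = {"known": {}, "unattributed": {}, "other": {}}
    for key, funcs in by_owner.items():
        if key in KNOWN_SECURITY_DRIVERS:
            bucket = "known"
        elif BARE_ADDRESS.match(key):
            bucket = "unattributed"
        else:
            bucket = "other"
        report[bucket][key] = sorted(funcs)
    return report


if __name__ == "__main__":
    for bucket, owners in triage(SAMPLE_LOG).items():
        for owner, funcs in sorted(owners.items()):
            print(f"{bucket:13} {owner:14} {', '.join(funcs)}")
```

The "unattributed" bucket is the one to read first: an address with no module behind it may be a legitimate in-memory hook from the same firewall, or it may be a rootkit, and the distinction has to be made by comparing the addresses against the driver and module sections of the full GMER log rather than from the SSDT lines alone.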
 