problems with Smitfraud-C and Virtumonde

A

anaphylaxis

New member
I updated and ran Spybot. I asked it to auto-run on boot. I ran it in safe mode (with the browsers closed). I rebooted (rebat) and ran Ad-Aware and Avast Antivirus.

Firefox won't let me use Kapersky, (not even with the MSIE emulator). Internet Explorer crashed both times I tried Kapersky's site, each after over an hour.

My Spybot is v1.4 and the latest detection update was 11-07-2007.

I run XP pro.

Here is a log from HJT v2.0.2. Thanks!

-------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:15:04 AM, on 11/13/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\csrss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\system32\svchost.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\WIN\System32\svchost.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WIN\system32\spoolsv.exe
C:\WIN\Explorer.EXE
C:\WIN\System32\svchost.exe
C:\WIN\system32\wdfmgr.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WIN\System32\alg.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\uTorrent\utorrent.exe
C:\WIN\system32\rundll32.exe
C:\WIN\Explorer.EXE
\?\C:\WIN\system32\WBEM\WMIADAP.EXE
C:\WIN\system32\wuauclt.exe
C:\WIN\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WIN\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HijackThis\HijackThis.exe
C:\WIN\System32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WIN\system32\vciqynlk.dll
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: Run IMVU - {d9288080-1baa-4bc4-9cf8-a92d743db949} - C:\Documents and Settings\mjk\Start Menu\Programs\IMVU\Run IMVU.lnk (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.walgreens.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O20 - AppInit_DLLs: c:\win\system32\ldcore.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - Unknown owner - C:\WIN\system32\icunffvw.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIN\system32\nvsvc32.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WIN\system32\oodag.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O24 - Desktop Component 0: (no name) - C:\Documents and Settings\mjk\My Documents\My Pictures\lol17.gif
O24 - Desktop Component 1: (no name) - C:\Documents and Settings\mjk\Desktop\manatee2.jpg

--
End of file - 5955 bytes
 
Hi anaphylaxis

"My Spybot is v1.4 and the latest detection update was 11-07-2007."

Latest version is 1.5, please install that.

After that, rename HijackThis.exe to anaphylaxis.exe and post back a fresh HijackThis log, please :)
 
Oh god, thank you. This has been driving me nuts. It opens a new MSIE window every ten seconds or so. :(

-------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:53:08 AM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WIN\system32\spoolsv.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WIN\Explorer.EXE
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\HijackThis\anaphylaxis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WIN\system32\wvuuvss.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {6D6B70D3-E65A-47ED-AE9D-06539CFD957F} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WIN\system32\vciqynlk.dll
O2 - BHO: (no name) - {A9D24B42-E5A5-4E68-B02B-4CD6DCCF3881} - C:\WIN\system32\ddayw.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WIN\system32\vciqynlk.dll
O4 - HKLM\..\Run: [d4715b2f] rundll32.exe "C:\WIN\system32\ymohcywc.dll",b
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotDeletingA6301] command /c del "C:\WIN\system32\ldcore.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1646] cmd /c del "C:\WIN\system32\ldcore.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA8967] command /c del "C:\WIN\system32\ldcore.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC5319] cmd /c del "C:\WIN\system32\ldcore.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4112] command /c del "C:\WIN\system32\vciqynlk.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2018] cmd /c del "C:\WIN\system32\vciqynlk.dllbox"
O4 - HKLM\..\RunOnce: [SpybotDeletingA4664] command /c del "C:\WIN\system32\vciqynlk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingC1658] cmd /c del "C:\WIN\system32\vciqynlk.dll_old"
O4 - HKLM\..\RunOnce: [SpybotDeletingA1962] command /c del "C:\WIN\system32\vciqynlk.dll"
O4 - HKLM\..\RunOnce: [SpybotDeletingC2930] cmd /c del "C:\WIN\system32\vciqynlk.dll"
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\RunOnce: [SpybotDeletingB4656] command /c del "C:\WIN\system32\ldcore.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2037] cmd /c del "C:\WIN\system32\ldcore.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB3566] command /c del "C:\WIN\system32\ldcore.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD2157] cmd /c del "C:\WIN\system32\ldcore.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingB2849] command /c del "C:\WIN\system32\vciqynlk.dllbox"
O4 - HKCU\..\RunOnce: [SpybotDeletingD4504] cmd /c del "C:\WIN\system32\vciqynlk.dllbox"
O4 - HKCU\..\RunOnce: [SpybotDeletingB5590] command /c del "C:\WIN\system32\vciqynlk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingD7534] cmd /c del "C:\WIN\system32\vciqynlk.dll_old"
O4 - HKCU\..\RunOnce: [SpybotDeletingB6332] command /c del "C:\WIN\system32\vciqynlk.dll"
O4 - HKCU\..\RunOnce: [SpybotDeletingD734] cmd /c del "C:\WIN\system32\vciqynlk.dll"
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.walgreens.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O20 - AppInit_DLLs: c:\win\system32\ldcore.dll
O20 - Winlogon Notify: vciqynlk - C:\WIN\SYSTEM32\vciqynlk.dll
O20 - Winlogon Notify: wvuuvss - C:\WIN\SYSTEM32\wvuuvss.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - Unknown owner - C:\WIN\system32\icunffvw.exe (file missing)
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIN\system32\nvsvc32.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WIN\system32\oodag.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 9058 bytes
 
Hi

1. Download combofix from one of these links and save it to Desktop:
Link1
Link2
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Post:

- a fresh HijackThis log
- combofix report
 
Here's my combofix log. It's pretty long, but I'm not sure how to include it as an attachment without having my own hosting. Hope that's okay.
----------------------


ComboFix 07-11-08.1 - mjk 2007-11-15 11:29:25.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.695 [GMT -6:00]
Running from: C:\Documents and Settings\mjk\Desktop\ComboFix.exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users.WIN\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users.WIN\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\mjk\Application Data\inst.exe
C:\Documents and Settings\mjk\Desktop\Live Safety Center.lnk
C:\Documents and Settings\mjk\Desktop\Online Security Guide.lnk
C:\Documents and Settings\mjk\Favorites\Online Security Guide.lnk
C:\WIN\b122.exe
C:\WIN\cookies.ini
C:\WIN\system32\ddayw.dll
C:\WIN\system32\h12
C:\WIN\system32\ldcore.dll
C:\WIN\system32\ldinfo.ldr
C:\WIN\system32\neyibbkp.ini
C:\WIN\system32\neyibbkp.ini2
C:\WIN\system32\pac.txt
C:\WIN\system32\s21
C:\WIN\system32\s21\revdrive33b.exe
C:\WIN\system32\vciqynlk.dllbox
C:\WIN\system32\wyadd.bak2
C:\WIN\system32\wyadd.ini
C:\WIN\system32\x24
C:\WIN\system32\x24\jumper83122.exe
C:\WIN\winshow.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 11:26 51,200 --a------ C:\WIN\NirCmd.exe
2007-11-14 13:13 <DIR> d-------- C:\Program Files\WinPatrol
2007-11-14 13:13 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\WinPatrol
2007-11-14 10:57 85,056 --a------ C:\WIN\system32\ymohcywc.dll
2007-11-14 10:57 79,424 --a------ C:\WIN\system32\jnvsifew.dll
2007-11-14 10:57 71,232 --a------ C:\WIN\system32\qaobnojv.exe
2007-11-13 22:41 1,270 --a------ C:\WIN\system32\tmp.reg
2007-11-13 22:40 289,144 --a------ C:\WIN\system32\VCCLSID.exe
2007-11-13 22:40 288,417 --a------ C:\WIN\system32\SrchSTS.exe
2007-11-13 22:40 53,248 --a------ C:\WIN\system32\Process.exe
2007-11-13 22:40 51,200 --a------ C:\WIN\system32\dumphive.exe
2007-11-13 22:40 25,600 --a------ C:\WIN\system32\WS2Fix.exe
2007-11-13 22:25 71,232 --a------ C:\WIN\system32\wqdiinst.exe
2007-11-13 22:17 71,232 --a------ C:\WIN\system32\sjfurcxx.exe
2007-11-12 17:37 <DIR> d--hs---- C:\WIN\ftpcache
2007-11-12 17:24 <DIR> d-------- C:\Program Files\UltraISO
2007-11-12 17:23 <DIR> d-------- C:\Program Files\UltraCopy 9 Professional
2007-11-12 17:23 1,129,232 --a------ C:\WIN\system32\FM20.DLL
2007-11-12 17:23 53,760 --a------ C:\WIN\system32\zlib.dll
2007-11-12 17:23 40,960 --a------ C:\WIN\system32\SSubTmr6.dll
2007-11-12 14:14 89,664 --a------ C:\WIN\system32\pkbbiyen.dll
2007-11-12 14:14 81,472 --a------ C:\WIN\system32\jrcdwaft.dll
2007-11-12 14:11 71,232 --a------ C:\WIN\system32\nkxjwsbs.exe
2007-11-11 14:08 79,936 --a------ C:\WIN\system32\eygqqnfj.dll
2007-11-11 14:08 71,232 --a------ C:\WIN\system32\pqygbarr.exe
2007-11-11 12:17 79,936 --a------ C:\WIN\system32\axqicbid.dll
2007-11-11 12:08 71,232 --a------ C:\WIN\system32\xnndwjpy.exe
2007-11-10 12:41 <DIR> d-------- C:\WIN\system32\Kaspersky Lab
2007-11-10 12:41 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\Kaspersky Lab
2007-11-09 16:19 77,888 --a------ C:\WIN\system32\fgafialb.dll
2007-11-09 16:18 88,128 --a------ C:\WIN\system32\hcbmmhjj.dll
2007-11-09 16:13 145,984 --a------ C:\WIN\system32\lkccefnw.dll
2007-11-09 16:06 36,352 --a------ C:\WIN\system32\wvuuvss.dll
2007-11-09 16:06 35,840 --a------ C:\WIN\mrofinu77.exe
2007-11-09 16:05 <DIR> d-------- C:\WIN\system32\rMa02yy
2007-11-08 14:20 <DIR> d--h----- C:\WIN\PIF
2007-11-08 13:39 <DIR> d-------- C:\WIN\SxsCaPendDel
2007-11-06 18:47 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\Command & Conquer 3 Tiberium Wars
2007-11-06 18:27 3,426,072 --a------ C:\WIN\system32\d3dx9_32.dll
2007-10-29 16:39 <DIR> d-------- C:\Program Files\River Past
2007-10-29 16:39 <DIR> d-------- C:\Program Files\Common Files\River Past
2007-10-29 16:39 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\River Past G5
2007-10-29 16:39 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\River Past G5
2007-10-29 16:39 165,039 --a------ C:\WIN\Video Cleaner Uninstaller.exe
2007-10-29 12:14 <DIR> d-------- C:\Program Files\ffdshow
2007-10-29 12:13 <DIR> d-------- C:\WIN\system32\windows media
2007-10-29 12:13 <DIR> d--h----- C:\WIN\msdownld.tmp
2007-10-29 12:13 <DIR> d-------- C:\Program Files\Windows Media Components
2007-10-29 12:12 <DIR> d-------- C:\Program Files\MMConvert
2007-10-29 12:12 440,320 --a------ C:\WIN\system32\x264vfw.dll
2007-10-29 12:12 180,224 --a------ C:\WIN\system32\xvidvfw.dll
2007-10-26 16:48 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\Vso
2007-10-26 16:48 47,360 --a------ C:\Documents and Settings\mjk\Application Data\pcouffin.sys
2007-10-26 16:47 <DIR> d-------- C:\Program Files\VSO
2007-10-26 16:47 217,127 --a------ C:\WIN\system32\drv43260.dll
2007-10-26 16:47 208,935 --a------ C:\WIN\system32\drv33260.dll
2007-10-26 16:47 176,165 --a------ C:\WIN\system32\drv23260.dll
2007-10-26 15:43 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\Move Networks
2007-10-20 13:57 584,192 -----c--- C:\WIN\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 17:37 --------- d-----w C:\Documents and Settings\mjk\Application Data\uTorrent
2007-11-15 07:52 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\Spybot - Search & Destroy
2007-11-13 09:08 --------- d-----w C:\Documents and Settings\mjk\Application Data\wsInspector
2007-11-13 09:05 --------- d-----w C:\Program Files\Ahead
2007-11-10 14:23 --------- d-----w C:\Program Files\MagicISO
2007-11-09 22:15 --------- d--h--r C:\Documents and Settings\mjk\Application Data\yahoo!
2007-11-09 22:15 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\Yahoo! Companion
2007-11-04 02:09 --------- d-----w C:\Program Files\AIM6
2007-11-04 02:05 --------- d-----w C:\Program Files\Viewpoint
2007-11-04 02:05 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\Viewpoint
2007-10-26 22:48 47,360 ----a-w C:\WIN\system32\drivers\pcouffin.sys
2007-10-20 19:59 --------- d-----w C:\Program Files\Worms Armageddon
2007-10-11 23:22 --------- d-----w C:\Program Files\ISO Commander
2007-10-11 22:49 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-10-11 07:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-11 07:36 --------- d-----w C:\Program Files\DVD Shrink
2007-10-11 07:36 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\DVD Shrink
2007-10-11 07:33 --------- d-----w C:\Program Files\Avi2Dvd
2007-10-11 07:32 --------- d-----w C:\Program Files\AviSynth 2.5
2007-10-07 01:31 --------- d-----w C:\Program Files\Trillian
2007-10-07 01:29 --------- d-----w C:\Program Files\EA GAMES
2007-10-06 17:23 --------- d-----w C:\Program Files\OGM to AVI
2007-10-03 01:00 --------- d-----w C:\Program Files\MySpace
2007-10-03 01:00 --------- d-----w C:\Documents and Settings\mjk\Application Data\MySpace
2007-09-27 02:34 --------- d-----w C:\Program Files\WinAce
2007-09-27 02:34 --------- d-----w C:\Program Files\Power Japanese
2007-09-27 02:34 --------- d-----w C:\Program Files\Palm
2007-09-27 02:34 --------- d-----w C:\Program Files\NJStar Japanese WP
2007-09-27 02:34 --------- d-----w C:\Program Files\mIRC
2007-09-27 02:34 --------- d-----w C:\Program Files\AIM
2007-09-27 00:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-27 00:38 --------- d-----w C:\Program Files\Red Chair Software
2007-09-27 00:38 --------- d-----w C:\Documents and Settings\mjk\Application Data\Red Chair Software
2007-09-26 22:58 --------- d-----w C:\Program Files\UOAM
2007-09-26 22:58 --------- d-----w C:\Program Files\Kaneva
2007-09-26 22:56 --------- d-----w C:\Program Files\Furcadia
2007-09-26 22:56 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\Dragon's Eye Productions
2005-09-30 22:25 2,723,840 ----a-w C:\Program Files\Foxit Reader.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]
2007-11-09 16:06 36352 --a------ C:\WIN\system32\wvuuvss.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D6B70D3-E65A-47ED-AE9D-06539CFD957F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d4715b2f"="C:\WIN\system32\ymohcywc.dll" [2007-11-14 10:57]
"WinPatrol"="C:\Program Files\WinPatrol\winpatrol.exe" [2007-10-26 10:06]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingB4656"=command /c del "C:\WIN\system32\ldcore.dll_old"
"SpybotDeletingD2037"=cmd /c del "C:\WIN\system32\ldcore.dll_old"
"SpybotDeletingB3566"=command /c del "C:\WIN\system32\ldcore.dll"
"SpybotDeletingD2157"=cmd /c del "C:\WIN\system32\ldcore.dll"
"SpybotDeletingB2849"=command /c del "C:\WIN\system32\vciqynlk.dllbox"
"SpybotDeletingD4504"=cmd /c del "C:\WIN\system32\vciqynlk.dllbox"
"SpybotDeletingB5590"=command /c del "C:\WIN\system32\vciqynlk.dll_old"
"SpybotDeletingD7534"=cmd /c del "C:\WIN\system32\vciqynlk.dll_old"
"SpybotDeletingB6332"=command /c del "C:\WIN\system32\vciqynlk.dll"
"SpybotDeletingD734"=cmd /c del "C:\WIN\system32\vciqynlk.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
"SpybotDeletingA6301"=command /c del "C:\WIN\system32\ldcore.dll_old"
"SpybotDeletingC1646"=cmd /c del "C:\WIN\system32\ldcore.dll_old"
"SpybotDeletingA8967"=command /c del "C:\WIN\system32\ldcore.dll"
"SpybotDeletingC5319"=cmd /c del "C:\WIN\system32\ldcore.dll"
"SpybotDeletingA4112"=command /c del "C:\WIN\system32\vciqynlk.dllbox"
"SpybotDeletingC2018"=cmd /c del "C:\WIN\system32\vciqynlk.dllbox"
"SpybotDeletingA4664"=command /c del "C:\WIN\system32\vciqynlk.dll_old"
"SpybotDeletingC1658"=cmd /c del "C:\WIN\system32\vciqynlk.dll_old"
"SpybotDeletingA1962"=command /c del "C:\WIN\system32\vciqynlk.dll"
"SpybotDeletingC2930"=cmd /c del "C:\WIN\system32\vciqynlk.dll"
"SpybotSnD"="C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users.WIN\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 21:24:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"= C:\WIN\system32\wvuuvss.dll [2007-11-09 16:06 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vciqynlk]
vciqynlk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuvss]
wvuuvss.dll 2007-11-09 16:06 36352 C:\WIN\system32\wvuuvss.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WIN\system32\ddayw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^mjk^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\mjk\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
backup=C:\WIN\pss\Adobe Gamma Loader.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"MPService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"SDhelper"=2 (0x2)

R2 Ndismeetro;Meetro NDIS Protocol Driver;C:\WIN\system32\DRIVERS\ndismeetro.sys
R2 nxsIO32;NextSensor Kernel I/O Driver;\??\C:\WIN\System32\DRIVERS\nxsIO32.sys
S2 OODefrag;O&O Defrag;C:\WIN\system32\oodag.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 02:30:00 C:\WIN\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 11:43:46
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

**************************************************************************
.
Completion time: 2007-11-15 11:47:33 - machine was rebooted
.
--- E O F ---
 
Aaaand here's my new HJT log. Thank you so much. =P
----------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:52 AM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WIN\system32\spoolsv.exe
C:\WIN\Explorer.EXE
C:\WIN\system32\oodag.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Google\Web Accelerator\googlewebaccclient.exe
C:\Program Files\HijackThis\anaphylaxis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,AutoConfigURL = http://localhost:9100/proxy.pac
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {4CB8F4B4-5F66-4D9E-BC3B-184596A58824} - C:\WIN\system32\wvuuvss.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: (no name) - {6D6B70D3-E65A-47ED-AE9D-06539CFD957F} - (no file)
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O2 - BHO: (no name) - {CF59020C-8C34-4A33-9A8A-470624E2B9FF} - C:\WIN\system32\ursqr.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [d4715b2f] rundll32.exe "C:\WIN\system32\ymohcywc.dll",b
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.walgreens.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O20 - Winlogon Notify: vciqynlk - vciqynlk.dll (file missing)
O20 - Winlogon Notify: wvuuvss - C:\WIN\SYSTEM32\wvuuvss.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIN\system32\nvsvc32.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WIN\system32\oodag.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6658 bytes
 
Hi

Open notepad and copy/paste the text in the quotebox below into it:

Code: 
File::
C:\WIN\system32\ymohcywc.dll
C:\WIN\system32\jnvsifew.dll
C:\WIN\system32\qaobnojv.exe
C:\WIN\system32\wqdiinst.exe
C:\WIN\system32\sjfurcxx.exe
C:\WIN\system32\pkbbiyen.dll
C:\WIN\system32\jrcdwaft.dll
C:\WIN\system32\nkxjwsbs.exe
C:\WIN\system32\eygqqnfj.dll
C:\WIN\system32\pqygbarr.exe
C:\WIN\system32\axqicbid.dll
C:\WIN\system32\xnndwjpy.exe
C:\WIN\system32\fgafialb.dll
C:\WIN\system32\hcbmmhjj.dll
C:\WIN\system32\lkccefnw.dll
C:\WIN\system32\wvuuvss.dll
C:\WIN\mrofinu77.exe

Folder::
C:\WIN\system32\rMa02yy

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}]

[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D6B70D3-E65A-47ED-AE9D-06539CFD957F}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"d4715b2f"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{4CB8F4B4-5F66-4D9E-BC3B-184596A58824}"=- 

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vciqynlk]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvuuvss]

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

CFScript.gif


This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
 
Hi again. I don't know what did it, but the MSIE windows have stopped popping up. That in itself is freaking great. Can you tell me if this smitfraud/virtumonde thing is related to Firefox running like crap? Thanks again.

Combofix log:
--------------

ComboFix 07-11-08.1 - mjk 2007-11-15 16:30:51.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.874 [GMT -6:00]
Running from: C:\Documents and Settings\mjk\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\mjk\Desktop\CFscript
* Created a new restore point

FILE
C:\WIN\mrofinu77.exe
C:\WIN\system32\axqicbid.dll
C:\WIN\system32\eygqqnfj.dll
C:\WIN\system32\fgafialb.dll
C:\WIN\system32\hcbmmhjj.dll
C:\WIN\system32\jnvsifew.dll
C:\WIN\system32\jrcdwaft.dll
C:\WIN\system32\lkccefnw.dll
C:\WIN\system32\nkxjwsbs.exe
C:\WIN\system32\pkbbiyen.dll
C:\WIN\system32\pqygbarr.exe
C:\WIN\system32\qaobnojv.exe
C:\WIN\system32\sjfurcxx.exe
C:\WIN\system32\wqdiinst.exe
C:\WIN\system32\wvuuvss.dll
C:\WIN\system32\xnndwjpy.exe
C:\WIN\system32\ymohcywc.dll
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WIN\mrofinu77.exe
C:\WIN\system32\axqicbid.dll
C:\WIN\system32\eygqqnfj.dll
C:\WIN\system32\fgafialb.dll
C:\WIN\system32\hcbmmhjj.dll
C:\WIN\system32\jnvsifew.dll
C:\WIN\system32\jrcdwaft.dll
C:\WIN\system32\lkccefnw.dll
C:\WIN\system32\nkxjwsbs.exe
C:\WIN\system32\pkbbiyen.dll
C:\WIN\system32\pqygbarr.exe
C:\WIN\system32\qaobnojv.exe
C:\WIN\system32\rMa02yy
C:\WIN\system32\rMa02yy\rMa02yy1099.exe
C:\WIN\system32\rqsru.ini
C:\WIN\system32\rqsru.ini2
C:\WIN\system32\sjfurcxx.exe
C:\WIN\system32\ursqr.dll
C:\WIN\system32\wqdiinst.exe
C:\WIN\system32\wvuuvss.dll
C:\WIN\system32\xnndwjpy.exe
C:\WIN\system32\ymohcywc.dll

.
((((((((((((((((((((((((( Files Created from 2007-10-15 to 2007-11-15 )))))))))))))))))))))))))))))))
.

2007-11-15 11:26 51,200 --a------ C:\WIN\NirCmd.exe
2007-11-14 13:13 <DIR> d-------- C:\Program Files\WinPatrol
2007-11-14 13:13 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\WinPatrol
2007-11-13 22:41 1,270 --a------ C:\WIN\system32\tmp.reg
2007-11-13 22:40 289,144 --a------ C:\WIN\system32\VCCLSID.exe
2007-11-13 22:40 288,417 --a------ C:\WIN\system32\SrchSTS.exe
2007-11-13 22:40 53,248 --a------ C:\WIN\system32\Process.exe
2007-11-13 22:40 51,200 --a------ C:\WIN\system32\dumphive.exe
2007-11-13 22:40 25,600 --a------ C:\WIN\system32\WS2Fix.exe
2007-11-12 17:37 <DIR> d--hs---- C:\WIN\ftpcache
2007-11-12 17:24 <DIR> d-------- C:\Program Files\UltraISO
2007-11-12 17:23 <DIR> d-------- C:\Program Files\UltraCopy 9 Professional
2007-11-12 17:23 1,129,232 --a------ C:\WIN\system32\FM20.DLL
2007-11-12 17:23 53,760 --a------ C:\WIN\system32\zlib.dll
2007-11-12 17:23 40,960 --a------ C:\WIN\system32\SSubTmr6.dll
2007-11-10 12:41 <DIR> d-------- C:\WIN\system32\Kaspersky Lab
2007-11-10 12:41 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\Kaspersky Lab
2007-11-08 14:20 <DIR> d--h----- C:\WIN\PIF
2007-11-08 13:39 <DIR> d-------- C:\WIN\SxsCaPendDel
2007-11-06 18:47 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\Command & Conquer 3 Tiberium Wars
2007-11-06 18:27 3,426,072 --a------ C:\WIN\system32\d3dx9_32.dll
2007-10-29 16:39 <DIR> d-------- C:\Program Files\River Past
2007-10-29 16:39 <DIR> d-------- C:\Program Files\Common Files\River Past
2007-10-29 16:39 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\River Past G5
2007-10-29 16:39 <DIR> d-------- C:\Documents and Settings\All Users.WIN\Application Data\River Past G5
2007-10-29 16:39 165,039 --a------ C:\WIN\Video Cleaner Uninstaller.exe
2007-10-29 12:14 <DIR> d-------- C:\Program Files\ffdshow
2007-10-29 12:13 <DIR> d-------- C:\WIN\system32\windows media
2007-10-29 12:13 <DIR> d--h----- C:\WIN\msdownld.tmp
2007-10-29 12:13 <DIR> d-------- C:\Program Files\Windows Media Components
2007-10-29 12:12 <DIR> d-------- C:\Program Files\MMConvert
2007-10-29 12:12 440,320 --a------ C:\WIN\system32\x264vfw.dll
2007-10-29 12:12 180,224 --a------ C:\WIN\system32\xvidvfw.dll
2007-10-26 16:48 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\Vso
2007-10-26 16:48 47,360 --a------ C:\Documents and Settings\mjk\Application Data\pcouffin.sys
2007-10-26 16:47 <DIR> d-------- C:\Program Files\VSO
2007-10-26 16:47 217,127 --a------ C:\WIN\system32\drv43260.dll
2007-10-26 16:47 208,935 --a------ C:\WIN\system32\drv33260.dll
2007-10-26 16:47 176,165 --a------ C:\WIN\system32\drv23260.dll
2007-10-26 15:43 <DIR> d-------- C:\Documents and Settings\mjk\Application Data\Move Networks
2007-10-20 13:57 584,192 -----c--- C:\WIN\system32\dllcache\rpcrt4.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-15 22:37 --------- d-----w C:\Documents and Settings\mjk\Application Data\uTorrent
2007-11-15 07:52 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\Spybot - Search & Destroy
2007-11-13 09:08 --------- d-----w C:\Documents and Settings\mjk\Application Data\wsInspector
2007-11-13 09:05 --------- d-----w C:\Program Files\Ahead
2007-11-10 14:23 --------- d-----w C:\Program Files\MagicISO
2007-11-09 22:15 --------- d--h--r C:\Documents and Settings\mjk\Application Data\yahoo!
2007-11-09 22:15 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\Yahoo! Companion
2007-11-04 02:09 --------- d-----w C:\Program Files\AIM6
2007-11-04 02:05 --------- d-----w C:\Program Files\Viewpoint
2007-11-04 02:05 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\Viewpoint
2007-10-26 22:48 47,360 ----a-w C:\WIN\system32\drivers\pcouffin.sys
2007-10-20 19:59 --------- d-----w C:\Program Files\Worms Armageddon
2007-10-11 23:22 --------- d-----w C:\Program Files\ISO Commander
2007-10-11 22:49 --------- d-----w C:\Program Files\Common Files\AVSMedia
2007-10-11 07:50 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-11 07:36 --------- d-----w C:\Program Files\DVD Shrink
2007-10-11 07:36 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\DVD Shrink
2007-10-11 07:33 --------- d-----w C:\Program Files\Avi2Dvd
2007-10-11 07:32 --------- d-----w C:\Program Files\AviSynth 2.5
2007-10-07 01:31 --------- d-----w C:\Program Files\Trillian
2007-10-07 01:29 --------- d-----w C:\Program Files\EA GAMES
2007-10-06 17:23 --------- d-----w C:\Program Files\OGM to AVI
2007-10-03 01:00 --------- d-----w C:\Program Files\MySpace
2007-10-03 01:00 --------- d-----w C:\Documents and Settings\mjk\Application Data\MySpace
2007-09-27 02:34 --------- d-----w C:\Program Files\WinAce
2007-09-27 02:34 --------- d-----w C:\Program Files\Power Japanese
2007-09-27 02:34 --------- d-----w C:\Program Files\Palm
2007-09-27 02:34 --------- d-----w C:\Program Files\NJStar Japanese WP
2007-09-27 02:34 --------- d-----w C:\Program Files\mIRC
2007-09-27 02:34 --------- d-----w C:\Program Files\AIM
2007-09-27 00:40 --------- d-----w C:\Program Files\Common Files\Adobe
2007-09-27 00:38 --------- d-----w C:\Program Files\Red Chair Software
2007-09-27 00:38 --------- d-----w C:\Documents and Settings\mjk\Application Data\Red Chair Software
2007-09-26 22:58 --------- d-----w C:\Program Files\UOAM
2007-09-26 22:58 --------- d-----w C:\Program Files\Kaneva
2007-09-26 22:56 --------- d-----w C:\Program Files\Furcadia
2007-09-26 22:56 --------- d-----w C:\Documents and Settings\All Users.WIN\Application Data\Dragon's Eye Productions
2005-09-30 22:25 2,723,840 ----a-w C:\Program Files\Foxit Reader.exe
.

((((((((((((((((((((((((((((( snapshot@2007-11-15_11.44.44.09 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-15 22:40:51 16,384 ----atw C:\WIN\Temp\Perflib_Perfdata_514.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinPatrol"="C:\Program Files\WinPatrol\winpatrol.exe" [2007-10-26 10:06]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"Spyware Doctor"=
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

C:\Documents and Settings\All Users.WIN\Start Menu\Programs\Startup\
Run Google Web Accelerator.lnk - C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe [2007-07-09 21:24:38]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoSMMyDocs"=1 (0x1)
"NoRecentDocsMenu"=1 (0x1)
"NoSMMyPictures"=1 (0x1)
"NoStartMenuMyMusic"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^mjk^Start Menu^Programs^Startup^Adobe Gamma Loader.exe]
path=C:\Documents and Settings\mjk\Start Menu\Programs\Startup\Adobe Gamma Loader.exe
backup=C:\WIN\pss\Adobe Gamma Loader.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\avast!]
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"avast! Antivirus"=2 (0x2)
"aswUpdSv"=2 (0x2)
"MPService"=2 (0x2)
"avast! Web Scanner"=3 (0x3)
"avast! Mail Scanner"=3 (0x3)
"SDhelper"=2 (0x2)

R2 Ndismeetro;Meetro NDIS Protocol Driver;C:\WIN\system32\DRIVERS\ndismeetro.sys
R2 nxsIO32;NextSensor Kernel I/O Driver;\??\C:\WIN\System32\DRIVERS\nxsIO32.sys
R2 OODefrag;O&O Defrag;C:\WIN\system32\oodag.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-11-09 02:30:00 C:\WIN\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-15 16:42:01
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-15 16:42:59 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-15 11:47
.
--- E O F ---
 
HijackThis log (thank you thank you thank you):
------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:43:49 PM, on 11/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Unable to get Internet Explorer version!
Boot mode: Normal

Running processes:
C:\WIN\System32\smss.exe
C:\WIN\system32\winlogon.exe
C:\WIN\system32\services.exe
C:\WIN\system32\lsass.exe
C:\WIN\system32\svchost.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WIN\system32\spoolsv.exe
C:\WIN\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WIN\system32\wuauclt.exe
C:\WIN\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WIN\system32\wuauclt.exe
C:\Program Files\HijackThis\anaphylaxis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = C:\windows\system32\blank.htm
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: Google Web Accelerator Helper - {69A87B7D-DE56-4136-9655-716BA50C19C7} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn0\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\WinPatrol\winpatrol.exe
O4 - HKUS\S-1-5-18\..\Run: [Spyware Doctor] (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Spyware Doctor] (User 'Default user')
O4 - Global Startup: Run Google Web Accelerator.lnk = C:\Program Files\Google\Web Accelerator\GoogleWebAccWarden.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN\system32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WIN\system32\msjava.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Share in Hello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra 'Tools' menuitem: Share in H&ello - {B13B4423-2647-4cfc-A4B3-C7D56CB83487} - C:\Program Files\Hello\PicasaCapture.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://www.walgreens.com
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {31B7EB4E-8B4B-11D1-A789-00A0CC6651A8} (Cult3D ActiveX Player) - http://www.cult3d.com/download/cult.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service - Unknown owner - C:\Program Files\iPod\bin\iPodService.exe (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WIN\system32\nvsvc32.exe
O23 - Service: O&O Defrag (OODefrag) - O&O Software GmbH - C:\WIN\system32\oodag.exe
O23 - Service: SiSoftware Database Agent Service (SandraDataSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\Win32\RpcDataSrv.exe
O23 - Service: SiSoftware Sandra Agent Service (SandraTheSrv) - SiSoftware - C:\Program Files\SiSoftware\SiSoftware Sandra Lite XIb\RpcSandraSrv.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe

--
End of file - 6042 bytes
 
Hi

"Can you tell me if this smitfraud/virtumonde thing is related to Firefox running like crap?"

It can be but I don't think so.

Please print these instructions out, or write them down, as you can't read them during the fix.

Please download MWav:
  • Unzip it to its predetermined directory (C:\Kaspersky)
  • Locate kavupd.exe in the new folder and double-click to Update.
  • If your firewall gives any messages about this program accessing to internet, allow it.
  • If it says the signatures are more than 30 days old, keep trying, until you get the actual definition updates.
  • When you see Updates Downloaded Successfully, hit Enter to continue.
  • Restart onto Safe Mode and locate the Kaspersky folder.
  • Locate mwavscan.com and double-click on it to launch the MWAV Scanner.
Now lets do the settings:
  • Leave the Default Settings checked.
  • Add a check to Drives
  • This will light up All Drives
  • Add a check to Scan all Files
  • Click Scan Clean to begin.
This scan might take around 3+ hours to finish when set to scan everything.
  • Please be sure it has finished before proceeding.
  • Once the Scan has finished, all entries identified as Infected, will be displayed in the lower panel.
  • Highlight everything that is inside the lower panel and hit Ctrl+C at the same time to copy.
  • Open an empty notepad file and paste the results (Ctrl+V) to it. Save the notepad to your desktop, name it as you want (e.g; MWav Results).
Reboot into normal Windows and post the results here along with a fresh HijackThis log.
 
I downloaded Mwav from the link you gave me. It unzipped fine. (It did give me that message about being over 30 days old.) I ran kavupd.exe, and it said everything was fine and installed. I rebooted into safe mode, ran mwavscan.com, and still got the 30 days old message.

I deleted the Kapersky folder, and downloaded Mwav again. I did everything again, making sure it said the update had gone right. I still got the 30 days old message, which said to download the update from mwti.net.

I got the new Mwav, and did everything again. I changed the settings to match the instructions, and it ran fine. It found LOTS of stuff. I came back after a couple of hours and the program closed right in front of me. I had no other programs running, and hadn't pressed anything. There was no error message, and it wasn't running in the processes or anything.

I did it all again with the new copy of Mwav, and came back in a couple of hours to find it had closed while I was gone.

I'm sorry that took so long for me to explain. Now what do I do?
 
anaphylaxis said:
I ran kavupd.exe, and it said everything was fine and installed. I rebooted into safe mode, ran mwavscan.com, and still got the 30 days old message.
Click to expand...

I neglected to mention that the program would show the error message and then close. I did try to run the program without updating as well. Thanks again.
 
I'm back. I just (updated and) ran Spybot, and it didn't find a thing this time. Firefox's stupidity seems to have been caused by a cookie manager add-on I installed.

Did things somehow get fixed? That Mwav program sure was finding a lot of stuff, so I don't know if Spybot is just being crazy, or what.
 
Hi

Please try if Kaspersky online scan works now.

If not, we'll use another scanner.
 
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

Everyone else please begin a New Topic.
 
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it had been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.
 
You must log in or register to reply here.
Back
Top