Virus

Status
Not open for further replies.
W

wolkster27

New member
Ok I read the virus scan stuff before posting and did all that. By the way, hi all and I'm glad your here.
Attached is my Karpansky scan and hjt file.

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, March 15, 2008 2:47:47 PM
Operating System: Microsoft Windows XP Professional, Service Pack 1 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/03/2008
Kaspersky Anti-Virus database records: 631660
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
G:\

Scan Statistics:
Total number of scanned objects: 128348
Number of viruses found: 14
Number of infected objects: 103
Number of suspicious objects: 8
Duration of the scan process: 01:25:21

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\Administrator\Desktop\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\10693fc17333284bbbe5af437c565ccd_40734c29-153f-4343-a744-d2a513ce9872 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\1b8df03006e647858a59bd2bc3053a85_40734c29-153f-4343-a744-d2a513ce9872 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\32552108887cb842bdc5e761f30c2bfc_40734c29-153f-4343-a744-d2a513ce9872 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\4ab40a0919d612766b8102fe86ab6555_40734c29-153f-4343-a744-d2a513ce9872 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\900d6ab8cd4183252b91189de0d691f5_40734c29-153f-4343-a744-d2a513ce9872 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys\aa302ea1dafe8d4789fd58241e382bea_40734c29-153f-4343-a744-d2a513ce9872 Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Dr Watson\user.dmp Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\sbkzudmn.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip/stcloader.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SecondThoughtSTCLoader1.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip/updatetc.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SmitfraudC11.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant3.zip/saap.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant3.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant7.zip/saap.exe Suspicious: Password-protected-EXE skipped
C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy\Recovery\SolutionsSearchAssistant7.zip ZIP: suspicious - 1 skipped
C:\Documents and Settings\janice @ home\Local Settings\Temporary Internet Files\Content.IE5\EPSNQ9Y9\iddqd[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\janice @ home\Local Settings\Temporary Internet Files\Content.IE5\ST8W260G\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\janice @ home\Local Settings\Temporary Internet Files\Content.IE5\T8PP32NO\CA1WU557 Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Kristina\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Kristina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Kristina\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Kristina\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kristina\Local Settings\History\History.IE5\MSHist012008031520080316\index.dat Object is locked skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\45URWP27\iddqd[2] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\45URWP27\Installer2[1].exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\45URWP27\in[1].htm Infected: Trojan-Downloader.JS.Zapchast.f skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\CDM34P2V\in[1].htm Infected: Trojan-Downloader.JS.Zapchast.f skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\CDM34P2V\ptch[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\K30T252B\hctp[1] Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\K30T252B\in[1] Infected: Trojan.Win32.Obfuscated.gx skipped
C:\Documents and Settings\Kristina\Local Settings\Temporary Internet Files\Content.IE5\OHQ7SHUJ\install[1].exe Infected: not-virus:Hoax.Win32.Renos.bcz skipped
C:\Documents and Settings\Kristina\ntuser.dat Object is locked skipped
C:\Documents and Settings\Kristina\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1404\A0112293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1405\A0112324.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1405\A0112325.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1409\A0112377.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1410\A0112389.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1411\A0113265.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1411\A0113293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1412\A0114293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1413\A0116293.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1416\A0117408.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1416\A0117426.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1416\A0117427.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1416\A0117433.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1416\A0117433.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1416\A0117434.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1416\A0118408.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118491.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118493.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118495.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118519.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118520.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118521.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118634.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.jxa skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118647.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1418\A0118676.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1419\A0125125.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1419\A0125154.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1419\A0125155.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1419\A0125158.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1419\A0125158.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1419\A0125159.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127598.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127649.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127650.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127656.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127656.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127657.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127889.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127891.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127908.exe/data0001 Infected: not-a-virus:AdWare.Win32.PurityScan.gp skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127908.exe NSIS: infected - 1 skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0127909.exe Infected: Trojan.Win32.Scapur.k skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0130520.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0130521.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0130523.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0130562.exe Infected: not-virus:Hoax.Win32.Renos.bcz skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1420\A0130579.exe Infected: not-virus:Hoax.Win32.Renos.bcs skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1421\A0131968.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1421\A0131969.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{4C5CE0F5-92D1-4DA1-9FC2-9ADBA5DE5947}\RP1423\change.log Object is locked skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037686.exe Infected: Trojan-Downloader.Win32.Small.ayl skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037687.exe Infected: Trojan-Downloader.Win32.Small.ayl skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037688.dll Infected: not-a-virus:AdWare.Win32.AccessMedia.a skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037689.exe Infected: Trojan-Downloader.Win32.Small.ayl skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037690.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037691.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037692.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037693.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037694.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037695.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037696.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037697.exe Infected: not-a-virus:FraudTool.Win32.Reanimator.a skipped
C:\System Volume Information\_restore{DAD694DE-40A4-4C14-9FD8-83C57F9D5227}\RP909\A0037698.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
 
more code

C:\WINDOWS\$NtUninstallKB824141$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB824141$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\accwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\crypt32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\cryptsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hh.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhctrl.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\hhsetup.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\html32.cnv Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\itss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\locator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\magnify.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\migwiz.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\mrxsmb.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\msconv97.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\narrator.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\newdev.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntdll.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntkrnlpa.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ntoskrnl.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\ole32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\osk.exe Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\pchshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\raspptp.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcrt4.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\rpcss.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shell32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\shmedia.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srrstr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\srv.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\sysmain.sdb Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\user32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\win32k.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\winsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826939$\zipfldr.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\dhcpcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndis.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\ndisuio.sys Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\netshell.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcdlg.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsapi.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB826942$\wzcsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\msgsvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB828035$\wkssvc.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\dao360.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\expsrv.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msexch40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msexcl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjet40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjetoledb40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjint40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjter40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msjtes40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msltus40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\mspbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msrd2x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msrd3x40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msrepl40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\mstext40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\mswdat10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\mswstr10.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\msxbde40.dll Object is locked skipped
C:\WINDOWS\$NtUninstallKB829558$\vbajet32.dll Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\msdxm.ocx Object is locked skipped
C:\WINDOWS\$NtUninstallQ828026$\wmpcore.dll Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\dojwxoti.exe Infected: Trojan.Win32.Obfuscated.gx skipped
C:\WINDOWS\nyfovcnu.exe Infected: not-virus:Hoax.Win32.Renos.bcs skipped
C:\WINDOWS\ozavexud.dll Infected: Trojan.Win32.Obfuscated.gx skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{3D7EE21D-53B9-47B2-9DAF-280ACBAF6605}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\adhnplpa.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\braviax.exe Infected: not-virus:Hoax.Win32.Renos.bcz skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\system Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\cpgytvlb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\dpcqnbdd.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gebcb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gebyx.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\gkbpnsnt.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\iqjjfmmj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\jypsxbcu.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\kqqfwlnk.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\lxiktynj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\makwhhtl.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\mwmvifno.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\nvcmbphs.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\pdujrrkv.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\pmkjj.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\qesfskae.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\rdijtste.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\urqqqpo.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\users32.dat Infected: not-a-virus:AdWare.Win32.Agent.zo skipped
C:\WINDOWS\system32\vlegwgps.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wlmfycnb.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\system32\xupiihpp.dll Infected: not-a-virus:AdWare.Win32.Virtumonde.gen skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
C:\WINDOWS\yjwnclsp.dll Infected: Trojan.Win32.Obfuscated.gx skipped
G:\SmitfraudFix\Reboot.exe Infected: not-a-virus:RiskTool.Win32.Reboot.f skipped

Scan process completed.
 
Welcome to Safer Networking, I wish to be sure you have viewed and understand this information.
"BEFORE you POST" (READ this Procedure before Requesting Assistance)
http://forums.spybot.info/showthread.php?t=288
All advice given is taken at your own risk.
Please make sure you have read this information so we are on the same page.

You are infected, I suggest you keep this computer offline except when troubleshooting, the junk may download more. If you have any tool I use, delete it and download it new from the link I provide. Read and follow the directions carefully, the tools will not work unless you do. This is a tough infection to remove so do not expect fast or easy.

You have posted the second 1/2 of of the Kaspersky Online Scan twice and no HJT log. Post a HJT log using these directions if you have not done so:
Download Trend Micro Hijack This™
http://download.bleepingcomputer.com/hijackthis/HJTInstall.exe
Doubleclick the HJTInstall.exe to start it.
By default it will install HijackThis in the Program Files\Trendmicro folder and create a desktop shortcut.
HijackThis will open after install. Press the Scan button below.
This will start the scan and open a log.
Copy and paste the contents of the log in your next reply.

I will delete the extra KOS information once you post the HJT log and post the first instructions as soon as I have had time to review the log.

Thanks
 
oops

sorry about that. I am runnning the s & d in safe mode right now on the infected computer.
I will post the hjt file as soon as it is done.
Thank you in advance for your help.
Dave
 
hjt file

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2:10:36 PM, on 3/16/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\WINDOWS\System32\regsvr32.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\System32\Rundll32.exe
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Winsock32driver] svchhost.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [sbkzudmn] regsvr32 /u "C:\Documents and Settings\All Users\Application Data\sbkzudmn.dll"
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKLM\..\Run: [WinPerformance] C:\Program Files\WinPerformance\WinPerformance.lnk
O4 - HKLM\..\Run: [64793b9d] rundll32.exe "C:\WINDOWS\System32\ermvtqsq.dll",b
O4 - HKLM\..\Run: [BM674a0801] Rundll32.exe "C:\WINDOWS\System32\gvqkedbi.dll",s
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://sc.scenecaster.com/release_3_10_41/View22RTEv4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{503CCF47-C5B3-4B59-BDDE-83B7AC154900}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{503CCF47-C5B3-4B59-BDDE-83B7AC154900}: NameServer = 4.2.2.2,4.2.2.1
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6524 bytes
 
Thanks for returning your information, you have some nasty trojans onboard, like this one:
O4 - HKLM\..\Run: [Winsock32driver] svchhost.exe
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=BKDR_HACKARMY.I&VSect=P

Because this trojan has had access to your computer, you may want to read this information:
http://www.dslreports.com/faq/10451

This new HJT log tells me you have a very infected computer, if you wish to clean it we will start now.

1) We need first to disable TeaTimer that it doesn't interfere with fixes. You can re-enable it when you're clean again:
* Run Spybot-S&D in Advanced Mode.
* If it is not already set to do this Go to the Mode menu select "Advanced Mode"
* On the left hand side, Click on Tools
* Then click on the Resident Icon in the List
* Uncheck "Resident TeaTimer" and OK any prompts.
* Restart your computer.
(leave TT disabled until we finish)

2) Thanks to Atribune and any others who helped with this fix.

http://vundofix.atribune.org/ <<< tutorial

"Download VundoFix" to your Desktop

http://www.atribune.org/ccount/click.php?id=4

Double-click VundoFix.exe to run it.
When VundoFix opens, click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will attempt run on reboot, simply follow the above instructions starting from "Click
the Scan for Vundo button." when VundoFix appears at reboot. Vundofix.txt will be on the C:\

(wait until you finish to post reports and logs)

3) Tutorial if needed:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Thanks to sUBs and anyone else who helped with this fix.

It is important that it is saved directly to your Desktop

Download ComboFix from Here to your Desktop
  • Double click combofix.exe and follow the prompts.
  • When finished, it shall produce a log for you. Post that log and a HiJackthis log in your next reply
Note: Do not mouseclick combofix's window while its running. That may cause it to stall

Post the Vundofix.txt, combofix log and a new HJT log.

Thanks

*** System Restore is infected, we will clean that towards the end of the cleanup, DO NOT use System Restore.
 
scans

thank you for the reply.
here is the vundoscan:


VundoFix V7.0.3

Scan started at 5:30:31 PM 3/17/2008

Listing files found while scanning....

C:\WINDOWS\System32\urqqqpo.dll

Beginning removal...

Attempting to delete C:\WINDOWS\System32\urqqqpo.dll
C:\WINDOWS\System32\urqqqpo.dll Has been deleted!

Performing Repairs to the registry.
Done!

VundoFix V7.0.3

Scan started at 5:51:12 PM 3/17/2008

Listing files found while scanning....

No infected files were found.
 
and the combofix scan

ComboFix 08-03-14.4 - janice @ home 2008-03-17 17:58:23.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.732 [GMT -5:00]
Running from: C:\Documents and Settings\janice @ home\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Application Data.\sbkzudmn.dll
C:\Documents and Settings\Kristina\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Kristina\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Kristina\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\WINDOWS\180ax.exe
C:\WINDOWS\bjam.dll
C:\WINDOWS\BM674a0801.xml
C:\WINDOWS\bokja.exe
C:\WINDOWS\cdsm32.dll
C:\WINDOWS\mspphe.dll
C:\WINDOWS\mssvr.exe
C:\WINDOWS\ozavexud.dll
C:\WINDOWS\PerfInfo
C:\WINDOWS\PerfInfo\SRmZrktZzHwp.exe
C:\WINDOWS\pskt.ini
C:\WINDOWS\saiemod.dll
C:\WINDOWS\swin32.dll
C:\WINDOWS\system32\aagsrgaf.ini
C:\WINDOWS\system32\adhnplpa.dll
C:\WINDOWS\system32\aonbyghc.dll
C:\WINDOWS\system32\aplpnhda.ini
C:\WINDOWS\system32\braviax.exe
C:\WINDOWS\system32\cpgytvlb.dll
C:\WINDOWS\system32\dpcqnbdd.dll
C:\WINDOWS\system32\gebcb.dll
C:\WINDOWS\system32\gebyx.dll
C:\WINDOWS\system32\gkbpnsnt.dll
C:\WINDOWS\system32\gvqkedbi.dll
C:\WINDOWS\system32\iqjjfmmj.dll
C:\WINDOWS\system32\jjkmp.ini
C:\WINDOWS\system32\jjkmp.ini2
C:\WINDOWS\system32\jypsxbcu.dll
C:\WINDOWS\system32\kqqfwlnk.dll
C:\WINDOWS\system32\lxiktynj.dll
C:\WINDOWS\system32\makwhhtl.dll
C:\WINDOWS\system32\mwmvifno.dll
C:\WINDOWS\system32\nvcmbphs.dll
C:\WINDOWS\system32\onfivmwm.ini
C:\WINDOWS\system32\pdujrrkv.dll
C:\WINDOWS\System32\pmkjj.dll
C:\WINDOWS\system32\qesfskae.dll
C:\WINDOWS\system32\qpaettpx.dll
C:\WINDOWS\system32\ucbxspyj.ini
C:\WINDOWS\system32\users32.dat
C:\WINDOWS\system32\wer8274.dll
C:\WINDOWS\system32\winivstr.exe
C:\WINDOWS\system32\wlmfycnb.dll
C:\WINDOWS\system32\xptteapq.ini
C:\WINDOWS\system32\xupiihpp.dll
C:\WINDOWS\voiceip.dll

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2008-02-17 to 2008-03-17 )))))))))))))))))))))))))))))))
.

2008-03-17 17:30 . 2008-03-17 17:51 <DIR> d----c--- C:\VundoFix Backups
2008-03-15 16:42 . 2008-03-15 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 10:21 . 2008-03-15 16:26 474 ---hs---- C:\WINDOWS\system32\spgwgelv.ini
2008-03-15 09:18 . 2008-03-15 09:18 294 ---hs---- C:\WINDOWS\system32\etstjidr.ini
2008-03-15 08:43 . 2008-03-15 08:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-15 08:43 . 2008-03-15 08:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-15 07:25 . 2008-03-15 07:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PCToolsSpamMonitorPlus
2008-03-15 07:25 . 2008-03-15 07:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PCToolsFirewallPlus
2008-03-14 16:56 . 2008-03-14 16:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PCToolsSpamMonitorPlus
2008-03-14 16:56 . 2008-03-14 16:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PCToolsFirewallPlus
2008-03-14 16:53 . 2008-03-15 08:31 <DIR> d-------- C:\Program Files\PC Tools Internet Security
2008-03-14 16:53 . 2008-03-14 16:53 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-03-14 16:53 . 2008-03-14 16:53 <DIR> d-------- C:\Documents and Settings\janice @ home\Application Data\PC Tools
2008-03-14 16:53 . 2008-03-17 18:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 16:53 . 2008-03-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-14 16:53 . 2007-11-30 17:17 218,536 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-03-14 16:53 . 2007-11-30 07:28 123,904 --a------ C:\WINDOWS\system32\drivers\pctfw.sys
2008-03-14 16:53 . 2007-12-05 14:32 81,320 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-14 16:53 . 2007-12-05 14:32 66,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-14 16:53 . 2008-02-01 12:58 42,408 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-14 16:53 . 2007-11-30 17:17 40,872 --a------ C:\WINDOWS\system32\drivers\pctmp.sys
2008-03-14 16:53 . 2007-11-30 17:17 29,608 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-14 16:53 . 2007-11-30 17:17 18,344 --a------ C:\WINDOWS\system32\drivers\pctssipc.sys
2008-03-14 16:52 . 2008-03-14 16:52 33,506,072 --a------ C:\Program Files\issetup.exe
2008-03-12 18:51 . 2008-03-15 07:16 3,420 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-12 18:47 . 2004-05-15 07:24 0 --ah----- C:\Documents and Settings\Administrator\hpothb07.dat
2008-03-11 20:14 . 2008-03-11 20:14 <DIR> d-------- C:\Program Files\stc
2008-03-11 20:14 . 2008-03-11 20:14 <DIR> d-------- C:\Program Files\180search assistant
2008-03-11 20:13 . 2008-03-11 20:13 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-11 20:02 . 2008-03-11 20:02 3,805,830 --a------ C:\WINDOWS\SRmZrktZzH.exe
2008-03-11 20:02 . 2008-03-11 20:02 90,550 --a------ C:\WINDOWS\nyfovcnu.exe
2008-03-11 20:02 . 2008-03-11 20:02 37,888 --a------ C:\WINDOWS\dojwxoti.exe
2008-03-11 20:01 . 2008-03-11 20:02 <DIR> d-------- C:\WINDOWS\wmoawwqv
2008-03-11 20:01 . 2008-03-11 20:01 188,928 --a------ C:\WINDOWS\yjwnclsp.dll
2008-03-11 19:31 . 2008-03-11 19:31 95 --a------ C:\WINDOWS\wininit.ini
2008-03-11 18:59 . 2008-03-11 18:58 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-11 18:59 . 2008-03-11 18:59 2,550 --a------ C:\WINDOWS\unins000.dat
2008-03-10 18:34 . 2008-03-10 18:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-10 17:20 . 2008-03-10 20:35 1,303,498 ---hs---- C:\WINDOWS\system32\qsqtvmre.ini2
2008-03-04 18:10 . 2008-03-11 19:31 2,618,336 ---hs---- C:\WINDOWS\system32\qsqtvmre.ini
2008-03-02 17:07 . 2008-03-04 18:09 1,303,378 ---hs---- C:\WINDOWS\system32\lwmbixok.ini
2008-03-01 12:51 . 2008-03-17 12:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-25 03:01 . 2008-02-25 03:01 118 --a------ C:\WINDOWS\system32\MRT.INI
2008-02-17 18:08 . 2008-02-17 18:08 168 --a------ C:\WINDOWS\system32\pmnnk.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 00:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 23:24 --------- d-----w C:\Program Files\Common Files\aolshare
2008-03-11 23:24 --------- d-----w C:\Program Files\Broderbund
2008-03-11 02:09 --------- d-----w C:\Program Files\Winamp
2008-03-10 23:32 --------- d-----w C:\Program Files\Google
2008-03-10 23:31 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-10 22:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 22:07 --------- d-----w C:\Program Files\Ahead
2008-03-08 00:43 --------- d-----w C:\Documents and Settings\janice @ home\Application Data\Lavasoft
2008-03-02 21:48 --------- d-----w C:\Documents and Settings\janice @ home\Application Data\Canon
2008-02-23 22:13 --------- d-----w C:\Documents and Settings\janice @ home\Application Data\IMVU
2008-02-11 19:51 --------- d-----w C:\Program Files\Kap.ACTr
2008-02-10 22:56 --------- d-----w C:\Program Files\ItsDeductible7
2008-02-10 22:55 --------- d-----w C:\Program Files\ACAD2000
2008-01-24 20:53 --------- d-----w C:\Program Files\EA GAMES
2005-12-18 15:51 87,376 ----a-w C:\Documents and Settings\janice @ home\Application Data\GDIPFONTCACHEV1.DAT
2004-05-15 12:24 0 ---ha-w C:\Documents and Settings\janice @ home\hpothb07.dat
2004-05-15 12:24 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2008-03-01 12:52 68856]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2003-09-02 17:25 73728 C:\WINDOWS\system32\sstray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 11:49 188416]
"Winsock32driver"="svchhost.exe" []
"hpfsched"="C:\WINDOWS\hpfsched.exe" [2002-11-22 11:49 36864]
"HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [2002-11-22 11:48 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"braviax"="C:\WINDOWS\System32\braviax.exe" [ ]
"64793b9d"="C:\WINDOWS\System32\ermvtqsq.dll" [ ]
"ISTray"="C:\Program Files\PC Tools Internet Security\pctsTray.exe" [2008-02-01 12:59 1103272]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-01 12:51:59 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2003-10-15 02:58:38 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqqpo]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2007-11-30 17:17]
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\WINDOWS\System32\drivers\pctmp.sys [2007-11-30 17:17]
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\WINDOWS\System32\drivers\pctssipc.sys [2007-11-30 17:17]
R2 SocketLock;Raw Socket Lock Driver;C:\WINDOWS\System32\socketlock.sys [2005-06-17 19:37]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 10:00]
S4 mrtRate;mrtRate;C:\WINDOWS\System32\drivers\mrtRate.sys [1999-08-10 13:51]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-17 18:05:19
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\wdfmgr.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\iPod\bin\iPodService.exe
.
**************************************************************************
.
Completion time: 2008-03-17 18:11:20 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-17 23:11:17
.
2008-03-15 13:18:24 --- E O F ---
 
and the hjt log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:18:59 PM, on 3/17/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Winsock32driver] svchhost.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKLM\..\Run: [64793b9d] rundll32.exe "C:\WINDOWS\System32\ermvtqsq.dll",b
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://sc.scenecaster.com/release_3_10_41/View22RTEv4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{503CCF47-C5B3-4B59-BDDE-83B7AC154900}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{503CCF47-C5B3-4B59-BDDE-83B7AC154900}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: urqqqpo - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6256 bytes


thank you for your help
Dave
 
Please read and follow the directions carefully.

Open notepad and copy/paste the text in the codebox below into it:

Code: 
File::
C:\WINDOWS\dojwxoti.exe
C:\WINDOWS\yjwnclsp.dll
C:\Windows\System32\svchhost.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\System32\ermvtqsq.dll
C:\WINDOWS\system32\qsqtvmre.ini2
C:\WINDOWS\system32\qsqtvmre.ini
C:\WINDOWS\system32\lwmbixok.ini
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\spgwgelv.ini
C:\WINDOWS\system32\etstjidr.ini

Folder::
C:\VundoFix Backups  
G:\SmitfraudFix

Save this as CFScript

CFScript.gif


Refering to the picture above, drag CFScript into ComboFix.exe.

This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Thanks
 
OK........her is the combofix

ComboFix 08-03-14.4 - janice @ home 2008-03-18 17:02:11.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.1.1252.1.1033.18.748 [GMT -5:00]
Running from: C:\Documents and Settings\janice @ home\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\janice @ home\Desktop\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE ::
C:\WINDOWS\dojwxoti.exe
C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\System32\ermvtqsq.dll
C:\WINDOWS\system32\etstjidr.ini
C:\WINDOWS\system32\lwmbixok.ini
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\qsqtvmre.ini
C:\WINDOWS\system32\qsqtvmre.ini2
C:\WINDOWS\system32\spgwgelv.ini
C:\Windows\System32\svchhost.exe
C:\WINDOWS\yjwnclsp.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\urqqqpo.dll.bad
C:\WINDOWS\dojwxoti.exe
C:\WINDOWS\system32\etstjidr.ini
C:\WINDOWS\system32\lwmbixok.ini
C:\WINDOWS\system32\pmnnk.dll
C:\WINDOWS\system32\qsqtvmre.ini
C:\WINDOWS\system32\qsqtvmre.ini2
C:\WINDOWS\system32\spgwgelv.ini
C:\WINDOWS\yjwnclsp.dll
G:\SmitfraudFix
G:\SmitfraudFix\dumphive.exe
G:\SmitfraudFix\exit.exe
G:\SmitfraudFix\GenericRenosFix.exe
G:\SmitfraudFix\HostsChk.exe
G:\SmitfraudFix\IEDFix.exe
G:\SmitfraudFix\Process.exe
G:\SmitfraudFix\Reboot.exe
G:\SmitfraudFix\restart.exe
G:\SmitfraudFix\SmitfraudFix.cmd
G:\SmitfraudFix\SmiUpdate.exe
G:\SmitfraudFix\SrchSTS.exe
G:\SmitfraudFix\swreg.exe
G:\SmitfraudFix\swsc.exe
G:\SmitfraudFix\swxcacls.exe
G:\SmitfraudFix\UIFix.exe
G:\SmitfraudFix\unzip.exe
G:\SmitfraudFix\VACFix.exe
G:\SmitfraudFix\VCCLSID.exe
G:\SmitfraudFix\WS2Fix.exe

.
((((((((((((((((((((((((( Files Created from 2008-02-18 to 2008-03-18 )))))))))))))))))))))))))))))))
.

2008-03-15 16:42 . 2008-03-15 16:42 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-15 08:43 . 2008-03-15 08:43 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-03-15 08:43 . 2008-03-15 08:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-03-15 07:25 . 2008-03-15 07:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PCToolsSpamMonitorPlus
2008-03-15 07:25 . 2008-03-15 07:25 <DIR> d-------- C:\Documents and Settings\Administrator\Application Data\PCToolsFirewallPlus
2008-03-14 16:56 . 2008-03-14 16:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PCToolsSpamMonitorPlus
2008-03-14 16:56 . 2008-03-14 16:56 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\PCToolsFirewallPlus
2008-03-14 16:53 . 2008-03-15 08:31 <DIR> d-------- C:\Program Files\PC Tools Internet Security
2008-03-14 16:53 . 2008-03-14 16:53 <DIR> d-------- C:\Program Files\Common Files\PC Tools
2008-03-14 16:53 . 2008-03-14 16:53 <DIR> d-------- C:\Documents and Settings\janice @ home\Application Data\PC Tools
2008-03-14 16:53 . 2008-03-17 18:05 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-14 16:53 . 2008-03-14 16:53 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\PC Tools
2008-03-14 16:53 . 2007-11-30 17:17 218,536 --a------ C:\WINDOWS\system32\drivers\pctfw2.sys
2008-03-14 16:53 . 2007-11-30 07:28 123,904 --a------ C:\WINDOWS\system32\drivers\pctfw.sys
2008-03-14 16:53 . 2007-12-05 14:32 81,320 --a------ C:\WINDOWS\system32\drivers\iksyssec.sys
2008-03-14 16:53 . 2007-12-05 14:32 66,984 --a------ C:\WINDOWS\system32\drivers\iksysflt.sys
2008-03-14 16:53 . 2008-02-01 12:58 42,408 --a------ C:\WINDOWS\system32\drivers\ikfilesec.sys
2008-03-14 16:53 . 2007-11-30 17:17 40,872 --a------ C:\WINDOWS\system32\drivers\pctmp.sys
2008-03-14 16:53 . 2007-11-30 17:17 29,608 --a------ C:\WINDOWS\system32\drivers\kcom.sys
2008-03-14 16:53 . 2007-11-30 17:17 18,344 --a------ C:\WINDOWS\system32\drivers\pctssipc.sys
2008-03-14 16:52 . 2008-03-14 16:52 33,506,072 --a------ C:\Program Files\issetup.exe
2008-03-12 18:51 . 2008-03-15 07:16 3,420 --a------ C:\WINDOWS\system32\tmp.reg
2008-03-12 18:47 . 2004-05-15 07:24 0 --ah----- C:\Documents and Settings\Administrator\hpothb07.dat
2008-03-11 20:14 . 2008-03-11 20:14 <DIR> d-------- C:\Program Files\stc
2008-03-11 20:14 . 2008-03-11 20:14 <DIR> d-------- C:\Program Files\180search assistant
2008-03-11 20:13 . 2008-03-11 20:13 <DIR> d-------- C:\Program Files\Sysmnt
2008-03-11 20:02 . 2008-03-11 20:02 3,805,830 --a------ C:\WINDOWS\SRmZrktZzH.exe
2008-03-11 20:02 . 2008-03-11 20:02 90,550 --a------ C:\WINDOWS\nyfovcnu.exe
2008-03-11 20:01 . 2008-03-11 20:02 <DIR> d-------- C:\WINDOWS\wmoawwqv
2008-03-11 19:31 . 2008-03-11 19:31 95 --a------ C:\WINDOWS\wininit.ini
2008-03-11 18:59 . 2008-03-11 18:58 691,545 --a------ C:\WINDOWS\unins000.exe
2008-03-11 18:59 . 2008-03-11 18:59 2,550 --a------ C:\WINDOWS\unins000.dat
2008-03-10 18:34 . 2008-03-10 18:34 <DIR> d-------- C:\Program Files\Lavasoft
2008-03-01 12:51 . 2008-03-18 13:14 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-02-25 03:01 . 2008-02-25 03:01 118 --a------ C:\WINDOWS\system32\MRT.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-12 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-12 00:01 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-03-11 23:52 54,532 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_48_05_small.dmp.zip
2008-03-11 23:47 65,927 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_46_54_small.dmp.zip
2008-03-11 23:47 63,304 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_41_49_small.dmp.zip
2008-03-11 23:47 61,320 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_43_21_small.dmp.zip
2008-03-11 23:41 62,953 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_37_04_small.dmp.zip
2008-03-11 23:36 5,988 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_32_27_small.dmp.zip
2008-03-11 23:36 5,676 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_33_04_small.dmp.zip
2008-03-11 23:36 46,755 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_32_15_small.dmp.zip
2008-03-11 23:36 45,654 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_32_58_small.dmp.zip
2008-03-11 23:29 13,496,461 ----a-w C:\WINDOWS\Internet Logs\vsmon_2nd_2008_03_11_18_19_17_full.dmp.zip
2008-03-11 23:24 --------- d-----w C:\Program Files\Common Files\aolshare
2008-03-11 23:24 --------- d-----w C:\Program Files\Broderbund
2008-03-11 02:09 --------- d-----w C:\Program Files\Winamp
2008-03-10 23:32 --------- d-----w C:\Program Files\Google
2008-03-10 23:31 --------- d-----w C:\Program Files\Common Files\Intuit
2008-03-10 22:07 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-10 22:07 --------- d-----w C:\Program Files\Ahead
2008-03-08 00:43 --------- d-----w C:\Documents and Settings\janice @ home\Application Data\Lavasoft
2008-03-02 21:48 --------- d-----w C:\Documents and Settings\janice @ home\Application Data\Canon
2008-02-23 22:13 --------- d-----w C:\Documents and Settings\janice @ home\Application Data\IMVU
2008-02-11 19:51 --------- d-----w C:\Program Files\Kap.ACTr
2008-02-10 22:56 --------- d-----w C:\Program Files\ItsDeductible7
2008-02-10 22:55 --------- d-----w C:\Program Files\ACAD2000
2008-01-24 20:53 --------- d-----w C:\Program Files\EA GAMES
2005-12-18 15:51 87,376 ----a-w C:\Documents and Settings\janice @ home\Application Data\GDIPFONTCACHEV1.DAT
2004-05-15 12:24 0 ---ha-w C:\Documents and Settings\janice @ home\hpothb07.dat
2004-05-15 12:24 0 ---ha-w C:\Documents and Settings\Default User\hpothb07.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2007-09-17 00:07 8491008]
"nwiz"="nwiz.exe" [2007-09-17 00:07 1626112 C:\WINDOWS\system32\nwiz.exe]
"nForce Tray Options"="sstray.exe" [2003-09-02 17:25 73728 C:\WINDOWS\system32\sstray.exe]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 10:50 155648]
"HPDJ Taskbar Utility"="C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe" [2002-11-22 11:49 188416]
"Winsock32driver"="svchhost.exe" []
"hpfsched"="C:\WINDOWS\hpfsched.exe" [2002-11-22 11:49 36864]
"HPHmon04"="C:\WINDOWS\System32\hphmon04.exe" [2002-11-22 11:48 348160]
"HPHUPD04"="C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe" [ ]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-06-29 05:24 286720]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-09-07 15:55 267064]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2007-09-17 00:07 81920]
"braviax"="C:\WINDOWS\System32\braviax.exe" [ ]
"64793b9d"="C:\WINDOWS\System32\ermvtqsq.dll" [ ]
"ISTray"="C:\Program Files\PC Tools Internet Security\pctsTray.exe" [2008-02-01 12:59 1103272]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Adobe Reader Speed Launch.lnk - C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 22:05:26 29696]
Google Updater.lnk - C:\Program Files\Google\Google Updater\GoogleUpdater.exe [2008-03-01 12:51:59 125624]
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [2003-10-15 02:58:38 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqqqpo]

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

R1 pctfw2;pctfw2;C:\WINDOWS\system32\drivers\pctfw2.sys [2007-11-30 17:17]
R1 pctmp;PC Tools Firewall Memory Protection Driver;C:\WINDOWS\System32\drivers\pctmp.sys [2007-11-30 17:17]
R1 pctssipc;PC Tools Security Suite IPC Driver;C:\WINDOWS\System32\drivers\pctssipc.sys [2007-11-30 17:17]
R2 SocketLock;Raw Socket Lock Driver;C:\WINDOWS\System32\socketlock.sys [2005-06-17 19:37]
S3 Ip6FwHlp;IPv6 Internet Connection Firewall;C:\WINDOWS\System32\svchost.exe [2001-08-23 10:00]
S4 mrtRate;mrtRate;C:\WINDOWS\System32\drivers\mrtRate.sys [1999-08-10 13:51]

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-18 17:03:30
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-03-18 17:04:48
ComboFix-quarantined-files.txt 2008-03-18 22:04:16
ComboFix2.txt 2008-03-17 23:11:21
.
2008-03-15 13:18:24 --- E O F ---
 
and the new hjt file-again thanks

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:12:22 PM, on 3/18/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\sstray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [Winsock32driver] svchhost.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKLM\..\Run: [64793b9d] rundll32.exe "C:\WINDOWS\System32\ermvtqsq.dll",b
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://sc.scenecaster.com/release_3_10_41/View22RTEv4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{503CCF47-C5B3-4B59-BDDE-83B7AC154900}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{503CCF47-C5B3-4B59-BDDE-83B7AC154900}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: urqqqpo - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6313 bytes
 
additional information

on reboot, i also get an error message stating:
error loading
c:/windows/system32/ermvtqsq.dll
file could not be found

Is this a problem that was caused bt the virus or did I delete something that shouldnt have been?

Again thank you for your support.
Dave
 
Hi Dave, thanks for returning your information and the feedback. Please remember what I said about this infection in the beginning. You have junk I have never dealt with and the Vundo infection constantly changes making it HARD to kill.

Let's see what HJT can do for us.

1) TeaTimer must be disabled as instructed.

2) Download ResetTeaTimer.bat.
http://downloads.subratam.org/ResetTeaTimer.bat
Double click ResetTeaTimer.bat
to remove all entries set by TeaTimer (and preventing TeaTimer to restore them upon reactivation).

3) How to make files and folders visible:
Click Start > Open My Computer.
Select the Tools menu and click Folder Options.
Select the View Tab. Under the Hidden files and folders heading, select Show hidden files and folders.
Uncheck: Hide file extensions for known file types
Uncheck the Hide protected operating system files (recommended) option.
Click Yes to confirm. Click OK.
You may reverse this for safety when we are finished.

4) Please download ATF Cleaner by Atribune
http://www.atribune.org/public-beta/ATF-Cleaner.exe
Save it to your Desktop. We will use this later.

5) Open HijackThis and choose "Do a system scan only" then check the box in front of these line items:

O4 - HKLM\..\Run: [Winsock32driver] svchhost.exe
O4 - HKLM\..\Run: [braviax] C:\WINDOWS\System32\braviax.exe
O4 - HKLM\..\Run: [64793b9d] rundll32.exe "C:\WINDOWS\System32\ermvtqsq.dll",b
O20 - Winlogon Notify: urqqqpo - C:\WINDOWS\

Close all programs but HJT and all browser windows, then click on "Fix Checked"

6) Right click Start > Explore and navigate to these files/folders and delete them if there.

(we have unhidden files and folders so we can see these. I believe svchhost.exe would be in the System32 folder if it still exists, check carefully to be sure these files do not exist, if they do delete them)

C:\WINDOWS\System32\braviax.exe
C:\WINDOWS\System32\ermvtqsq.dll
C:\WINDOWS\System32\svchhost.exe

7) Run ATF Cleaner
Double-click ATF-Cleaner.exe to run the program.
Click Select All found at the bottom of the list.
Click the Empty Selected button.
Click Exit on the Main menu to close the program.

Restart and post a new HJT log and tell me how the computer is running.

Thanks
 
Last edited:
got it done earlier

PSKELLY,Found some time this morning and got it done.
The machine is running better but I am still disconnected from the internet.
The "file not found" message went away.
I found the :windows/system32/scvhost.exe" file but could not delete it. It said it was in use. Also, it was time stamped in 2001.
Ran the ATF cleaner and is freed up a big portion of the HD space.
Let me know what to do from here and if you think this is way to infected, I will do a clean install.
Thanks again,
Dave

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:12:53 AM, on 3/19/2008
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\hphmon04.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\PC Tools Internet Security\pctsTray.exe
C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Google\Google Updater\GoogleUpdater.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = http://proxy/:8080
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [nForce Tray Options] sstray.exe /r
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb07.exe
O4 - HKLM\..\Run: [hpfsched] C:\WINDOWS\hpfsched.exe
O4 - HKLM\..\Run: [HPHmon04] C:\WINDOWS\System32\hphmon04.exe
O4 - HKLM\..\Run: [HPHUPD04] "C:\Program Files\HP Photosmart 11\hphinstall\UniPatch\hphupd04.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [ISTray] "C:\Program Files\PC Tools Internet Security\pctsTray.exe"
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Google Updater.lnk = C:\Program Files\Google\Google Updater\GoogleUpdater.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {25365FF3-2746-4230-9DA7-163CCA318309} (Automatic Driver Installation Control) - http://inst.c-wss.com/n035p/EN/install/gtdownlr.cab
O16 - DPF: {2F003D51-39FD-4D18-9016-95CF70B92ABE} - http://download.movienetworks.com/install/US/altpmtscab.cab
O16 - DPF: {48DD0448-9209-4F81-9F6D-D83562940134} (MySpace Uploader Control) - http://lads.myspace.com/upload/MySpaceUploader1005.cab
O16 - DPF: {5C6698D9-7BE4-4122-8EC5-291D84DBD4A0} (Facebook Photo Uploader 4 Control) - http://upload.facebook.com/controls/FacebookPhotoUploader3.cab
O16 - DPF: {B49C4597-8721-4789-9250-315DFBD9F525} (IWinAmpActiveX Class) - http://cdn.digitalcity.com/radio/ampx/ampx2.6.1.11_en_dl.cab
O16 - DPF: {BCBC9371-9827-11DA-A72B-0800200C9A66} (View22RTEv4 Class) - http://sc.scenecaster.com/release_3_10_41/View22RTEv4.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - https://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{503CCF47-C5B3-4B59-BDDE-83B7AC154900}: NameServer = 4.2.2.2,4.2.2.1
O17 - HKLM\System\CS1\Services\Tcpip\..\{503CCF47-C5B3-4B59-BDDE-83B7AC154900}: NameServer = 4.2.2.2,4.2.2.1
O20 - Winlogon Notify: urqqqpo - C:\WINDOWS\
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\acsd.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Pml Driver HPH11 - HP - C:\WINDOWS\System32\HPHipm11.exe
O23 - Service: PC Tools Auxiliary Service (sdAuxService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsAuxs.exe
O23 - Service: PC Tools Security Service (sdCoreService) - PC Tools - C:\Program Files\PC Tools Internet Security\pctsSvc.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 6033 bytes
 
SCVhost

I just realized that you wanted me to delete the SCVHHost(2 h's)
I think HJT did this for us.
Just an update.
Thanks
 
Understand the hackers use a lot of tricks to hide their files and they are hidden among valid files, like this is a VALID file:
C:\WINDOWS\system32\svchost.exe <<< note the spelling, that your computer will not run without.

The file in question looks like this: C:\Windows\System32\svchhost.exe <<< look closely at the spelling because you typed this:
I found the :windows/system32/scvhost.exe" file but could not delete it. It said it was in use. Also, it was time stamped in 2001.
Click to expand...
You must be very careful, it looks still to me like you mixed the c & v and you were probably trying to remove the file responsible for hosting all of your NT services and Windows probably stopped you.
The machine is running better but I am still disconnected from the internet.
The "file not found" message went away.
Click to expand...
This may or may not have anything to do with malware and you may have to ask your Internet Service Provider for help with the connection issues, we will see. Looking at the HJT log now.

The only thing I see in the HJT log is this: O20 - Winlogon Notify: urqqqpo - C:\WINDOWS
and it is a dead item, did you miss it?

We need to run a last KOS but before we do that, please read this:

I am sure you saw this:
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
http://www.bleepingcomputer.com/combofix/how-to-use-combofix
Review that information to understand Recovery Console. Installation is optional but if you do not have the CD's needed, as is explained, it can be installed before we remove combofix.
If you do not wish to install RC, let me know so I can continue with the cleanup.

Thanks
 
got it

Yeah I typed it wrong. I believe I deleted the correct one and will check again.
Also I missed the 020 line on the HJT fix.
I will fix this and install the RC tonight Is system restore the
same thing or different?
Anyway, I will do as instructed and post another HJT log tonight.
Thanks again,
Dave
 
Status
Not open for further replies.
Back
Top