PC infected with many worms, trojans, spyware, etc.

Tigrita · Mar 20, 2008

Dear Forum members,

First of all I sincerely apologize for using the lame title to my prior posting. It was my first time using this forum, I really didn’t know it was wrong to request help on the title line. It won’t happen again ))

On to my possessed computer: All the websites I go to show an “Error on page” message at the bottom left. Most important, I cannot seem to be able to check for Microsoft updates. I have downloaded and used most spyware programs I can think of. I was able to remove quite a few worms, spyware, Trojans, etc. My antivirus is up to date but I also tried to get an on-line scan by the programs suggested on these forums and none of them work, they simply don’t allow me to get it done.

When I try to run the “Windows Defender” It gives me a message that says “Application failed to initialize: 0x800106ba A problem caused Windows Defender service stop”
I also found over 900 MB of unknown files in my “download”, “shared” and “incomplete” folders. I have done a lot of cleaning but I just can get this PC to work properly.
After reading some of the posts here I have done additional things to my computer.

I downloaded, installed and am currently running Zone Alarm.
I also run CCleaner, but only deleted things I felt confident about, so things such as in the “System” folders I did not touch.
When I try to set a system restore, I get a blank window. It seems that nothing associated with Microsoft updates is working.
Also I should mention that when I restart my computer it sets itself back to March 2007.
When I start the internet Explorer I always get a second page which opens up to random websites.
When I go to IE/ Help/About I get a window that states “An error has occurred in the script on this page", the descriptions (line, char, error, etc) are all blank; in order to close this little message window I must click on the X about 50 times.

Here is my Hijackthis log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:09:00 AM, on 3/20/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\RegistrySmart\RegistrySmart.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\jbshxlis.dll",s
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\ummrbxoj.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
O4 - HKCU\..\Policies\Explorer\Run: [skeysw] skeysw.exe
O4 - Global Startup: AutorunsDisabled
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: http://asia.msi.com.tw
O15 - Trusted Zone: http://global.msi.com.tw
O15 - Trusted Zone: http://www.msi.com.tw
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200211951812
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 8231 bytes

Ltangel · Mar 21, 2008

Hey Tigrita,

IMPORTANT! You have a backdoor trojan on your computer that allows an attacker to access your computer from a remote area! It then sends information such as credit card numbers, passwords, account details and other personal information back to the attacker. I would strongly advise you to alert your bank or any other organizations required IMMEDIATELY and change your private information if you have used the Internet for commercial or business matters, this is urgent, as important information may have already been leaked out!

Please download Deckard's System Scanner (DSS) and save it to your Desktop.

[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Go!

~Ltangel~

Tigrita · Mar 21, 2008

Dear Ltangel,
Thank you for taking your time to help me, I really appreciate it
Please look at the files you requested :

MAIN.TXT

Deckard's System Scanner v20071014.68
Run by Betty on 2008-03-21 11:17:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

-- Last 5 Restore Point(s) --
123: 2008-03-21 10:13:35 UTC - RP123 - Deckard's System Scanner Restore Point
122: 2008-03-21 09:52:50 UTC - RP122 - System Checkpoint
121: 2008-03-20 09:33:57 UTC - RP121 - System Checkpoint
120: 2007-03-19 16:58:51 UTC - RP120 - Installed Windows XP Windows Script.
119: 2008-03-19 13:46:27 UTC - RP119 - Installed Windows Defender

-- First Restore Point --
1: 2008-03-17 22:42:21 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as Betty.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:17:59 AM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Betty\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Betty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: {b5ba26ee-84b5-b7f9-6014-75ceb49c2427} - {7242c94b-ec57-4106-9f7b-5b48ee62ab5b} - C:\WINDOWS\system32\jhoywbcp.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {85A611CA-CA0F-469B-8220-B70221A545BB} - C:\WINDOWS\system32\qomlmjg.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B0489F2A-DC6B-4B2F-B673-883177BB6D27} - C:\WINDOWS\system32\ssttq.dll
O2 - BHO: (no name) - {F7981234-6B88-40E7-BEA5-F6BB90E9BCBA} - C:\WINDOWS\system32\ssttt.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\qjemygns.dll",b
O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\queqwnqa.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200211951812
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: nnnkklj - nnnkklj.dll (file missing)
O20 - Winlogon Notify: qomlmjg - C:\WINDOWS\SYSTEM32\qomlmjg.dll
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 8610 bytes

-- HijackThis Fixed Entries (C:\PROGRA~1\TRENDM~1\HIJACK~1\backups\) -----------

backup-20080320-191448-121 O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\ettglcyy.dll",b
backup-20080320-191448-153 O4 - HKCU\..\Policies\Explorer\Run: [WinUpdating] WinUpdating.exe
backup-20080320-191448-331 O4 - HKCU\..\Policies\Explorer\Run: [Windows Printing Driver] WinSpooler.exe
backup-20080320-191448-420 O4 - HKCU\..\Policies\Explorer\Run: [skeysw] skeysw.exe
backup-20080320-191448-516 O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
backup-20080320-191448-619 O4 - Global Startup: AutorunsDisabled
backup-20080320-191448-873 O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\mloiotut.dll",s
backup-20080320-191448-956 R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = \blank.htm
backup-20080320-191452-306 O15 - Trusted Zone: http://www.msi.com.tw
backup-20080320-191452-551 O15 - Trusted Zone: http://global.msi.com.tw
backup-20080320-191452-558 O15 - Trusted Zone: http://asia.msi.com.tw
backup-20080320-191452-566 O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

-- File Associations -----------------------------------------------------------

All associations okay.

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R2 ElbyCDIO (ElbyCDIO Driver) - c:\windows\system32\drivers\elbycdio.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 AnyDVD - c:\windows\system32\drivers\anydvd.sys <Not Verified; SlySoft, Inc.; AnyDVD>
R3 ElbyDelay - c:\windows\system32\drivers\elbydelay.sys <Not Verified; Elaborate Bytes AG; CDRTools>
R3 pcouffin (VSO Software pcouffin) - c:\windows\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>

S3 NMIndexingService - "c:\program files\common files\ahead\lib\nmindexingservice.exe" <Not Verified; Nero AG; Nero Home>

-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.

-- Scheduled Tasks -------------------------------------------------------------

2007-03-20 03:30:05 426 --a------ C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job

-- Files created between 2008-02-21 and 2008-03-21 -----------------------------

2008-03-20 23:37:59 92736 --a------ C:\WINDOWS\system32\jopmvjyw.dll
2008-03-20 23:31:59 91200 --a------ C:\WINDOWS\system32\srwwmsur.dll
2008-03-20 23:30:06 91200 --a------ C:\WINDOWS\system32\iugxyleu.dll
2008-03-20 23:29:59 92736 --a------ C:\WINDOWS\system32\hsohfiyr.dll
2008-03-20 22:19:59 91200 --a------ C:\WINDOWS\system32\jyxpmjqg.dll
2008-03-20 22:17:06 92736 --a------ C:\WINDOWS\system32\dlatpvwx.dll
2008-03-20 22:17:01 91200 --a------ C:\WINDOWS\system32\rkoecert.dll
2008-03-20 20:09:44 87104 --a------ C:\WINDOWS\system32\qjemygns.dll
2008-03-20 20:07:30 91712 --a------ C:\WINDOWS\system32\jhoywbcp.dll
2008-03-20 20:07:25 89664 --a------ C:\WINDOWS\system32\queqwnqa.dll
2008-03-20 20:06:43 170892 --ahs---- C:\WINDOWS\system32\qttss.ini2
2008-03-20 20:06:42 290816 --a------ C:\WINDOWS\system32\ssttq.dll
2008-03-20 19:41:50 0 d-------- C:\VundoFix Backups
2008-03-20 18:50:42 0 d-------- C:\!KillBox
2008-03-20 16:42:53 0 dr-h----- C:\Documents and Settings\Betty\Recent
2008-03-20 09:44:35 93248 -----n--- C:\WINDOWS\system32\jncixdct.dll
2008-03-19 17:11:52 93248 --a------ C:\WINDOWS\system32\tcrgeidd.dll
2008-03-19 17:11:45 90688 --a------ C:\WINDOWS\system32\ovxyjgoi.dll
2008-03-19 17:11:04 175733 --ahs---- C:\WINDOWS\system32\tttss.ini2
2008-03-19 15:11:02 0 d-------- C:\Program Files\Trend Micro
2008-03-19 15:04:00 0 d-------- C:\WINDOWS\Internet Logs
2008-03-19 14:46:29 0 d-------- C:\Program Files\Windows Defender
2008-03-19 13:37:58 0 d-------- C:\Program Files\NoAdware5.0
2008-03-19 10:22:10 0 d-------- C:\Documents and Settings\Betty\Application Data\RegistrySmart
2008-03-19 10:21:59 0 d-------- C:\Program Files\RegistrySmart
2008-03-19 09:31:05 0 d-------- C:\Documents and Settings\Betty\Application Data\Sammsoft
2008-03-19 09:31:00 0 d-------- C:\Program Files\Advanced Registry Optimizer
2008-03-19 08:58:07 92736 --a------ C:\WINDOWS\system32\gqrfbruy.dll
2008-03-19 08:57:59 91200 --a------ C:\WINDOWS\system32\qfirsehw.dll
2008-03-19 08:06:35 92736 --a------ C:\WINDOWS\system32\dbsxfits.dll
2008-03-19 08:06:29 91200 --a------ C:\WINDOWS\system32\emqmxtgy.dll
2008-03-19 07:29:44 92736 --a------ C:\WINDOWS\system32\apldkejn.dll
2008-03-19 07:26:44 91200 --a------ C:\WINDOWS\system32\kemwjfcb.dll
2008-03-18 23:49:58 91200 --a------ C:\WINDOWS\system32\bmoxpgnu.dll
2008-03-18 16:11:31 92736 --a------ C:\WINDOWS\system32\femeyuxf.dll
2008-03-18 16:06:27 91200 --a------ C:\WINDOWS\system32\kqbdtktw.dll
2008-03-18 12:00:04 92736 --a------ C:\WINDOWS\system32\tiuccqxu.dll
2008-03-18 11:58:07 91200 --a------ C:\WINDOWS\system32\omnmbqkg.dll
2008-03-18 11:45:07 92736 --a------ C:\WINDOWS\system32\xjhywfub.dll
2008-03-18 11:44:56 91200 --a------ C:\WINDOWS\system32\lqwfskhw.dll
2008-03-17 23:42:11 169561 --ahs---- C:\WINDOWS\system32\hjkmp.ini2
2008-03-17 13:29:11 0 d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-17 12:45:56 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-17 12:45:56 0 d-------- C:\Documents and Settings\Betty\Application Data\Vso
2008-03-17 12:45:56 47360 --a------ C:\Documents and Settings\Betty\Application Data\pcouffin.sys <Not Verified; VSO Software; Patin couffin engine>
2008-03-17 12:45:51 626688 --a------ C:\WINDOWS\system32\vp7vfw.dll <Not Verified; On2.com; On2_VP70>
2008-03-17 12:45:51 217127 --a------ C:\WINDOWS\system32\drv43260.dll <Not Verified; RealNetworks, Inc.; RealVideo 9 (32-bit)>
2008-03-17 12:45:51 208935 --a------ C:\WINDOWS\system32\drv33260.dll <Not Verified; RealNetworks, Inc.; RealVideo 8 (32-bit)>
2008-03-17 12:45:51 176165 --a------ C:\WINDOWS\system32\drv23260.dll <Not Verified; RealNetworks, Inc.; RealVideo G2 (32-bit)>
2008-03-17 12:45:51 65602 --a------ C:\WINDOWS\system32\cook3260.dll <Not Verified; RealNetworks, Inc.; RealPlayer 10>
2008-03-17 12:45:49 0 d-------- C:\Program Files\VSO
2008-03-17 12:42:29 37888 --a------ C:\WINDOWS\system32\rar.exe <Not Verified; Microsoft Corporation; Microsoft(R) Windows (R) 2000 Operating System>
2008-03-17 12:42:20 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 09:07:54 0 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-17 08:36:45 0 d-------- C:\Program Files\Elaborate Bytes
2008-03-17 08:36:16 0 d-------- C:\Program Files\SlySoft
2008-03-16 13:16:08 0 d-------- C:\Documents and Settings\Betty\Application Data\BitTorrent
2008-03-16 13:16:01 0 d-------- C:\Program Files\DNA
2008-03-16 13:16:01 0 d-------- C:\Program Files\BitTorrent
2008-03-16 13:16:01 0 d-------- C:\Documents and Settings\Betty\Application Data\DNA
2008-03-13 13:40:48 0 d-------- C:\Documents and Settings\Betty\Application Data\Help
2008-03-13 13:36:47 0 d-------- C:\Program Files\mIRC
2008-03-13 13:32:13 0 d-------- C:\IRCap
2008-03-11 11:42:11 0 d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-03 18:38:20 0 d-------- C:\Documents and Settings\Betty\Application Data\vlc
2008-03-03 18:37:16 0 d-------- C:\Program Files\VideoLAN

-- Find3M Report ---------------------------------------------------------------

2008-03-18 17:51:11 0 d-------- C:\Program Files\Java
2008-03-18 11:48:49 668 --a------ C:\Documents and Settings\Betty\Application Data\vso_ts_preview.xml
2008-03-18 06:45:04 0 d-------- C:\Documents and Settings\Betty\Application Data\LimeWire
2008-03-17 12:46:00 34 --a------ C:\Documents and Settings\Betty\Application Data\pcouffin.log
2008-03-17 12:45:56 1144 --a------ C:\Documents and Settings\Betty\Application Data\pcouffin.inf
2008-03-17 12:45:56 7887 --a------ C:\Documents and Settings\Betty\Application Data\pcouffin.cat
2008-03-17 09:55:28 0 d-------- C:\Documents and Settings\Betty\Application Data\Ahead
2008-02-18 14:29:06 0 d-------- C:\Program Files\Common Files\Logishrd
2008-02-18 14:28:58 0 d-------- C:\Program Files\Common Files\Logitech
2008-02-18 14:28:43 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-02-18 14:28:42 0 d-------- C:\Program Files\Common Files
2008-02-18 14:28:37 0 d-------- C:\Documents and Settings\Betty\Application Data\InstallShield
2008-02-18 14:25:28 0 d-------- C:\Program Files\Online Services
2008-02-18 14:25:19 0 d-------- C:\Program Files\Windows NT
2008-02-14 11:54:13 0 d-------- C:\Documents and Settings\Betty\Application Data\Apple Computer
2008-02-12 13:09:42 0 d-------- C:\Program Files\Easy Duplicate Finder
2008-02-08 15:52:19 0 d-------- C:\Program Files\iTunes
2008-02-08 15:52:12 0 d-------- C:\Program Files\iPod
2008-02-08 15:51:54 0 d-------- C:\Program Files\Bonjour
2008-02-08 15:51:50 0 d-------- C:\Program Files\QuickTime
2008-02-08 15:51:26 0 d-------- C:\Program Files\Apple Software Update
2008-02-08 15:51:12 0 d-------- C:\Program Files\Common Files\Apple
2008-02-06 13:49:00 17920 --a------ C:\WINDOWS\WebFerretUninstall.exe
2008-02-06 13:49:00 8192 --a------ C:\WINDOWS\system32\NetFerret.dll
2008-02-06 13:49:00 0 d-------- C:\Program Files\WebFerret
2008-01-31 12:22:39 0 d-------- C:\Documents and Settings\Betty\Application Data\Canon
2008-01-28 15:35:50 0 d-------- C:\Documents and Settings\Betty\Application Data\Lavasoft
2008-01-28 15:35:38 0 d-------- C:\Program Files\Lavasoft
2008-01-28 13:34:45 0 d-------- C:\Program Files\eMule
2008-01-28 12:00:42 0 d-------- C:\Documents and Settings\Betty\Application Data\Real
2008-01-28 11:37:22 0 d-------- C:\Program Files\Common Files\xing shared
2008-01-28 11:37:21 0 d-------- C:\Program Files\Real
2008-01-28 11:37:16 0 d-------- C:\Program Files\Common Files\Real
2008-01-27 03:00:31 0 d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-27 03:00:28 0 d-------- C:\Program Files\MSXML 4.0
2008-01-26 11:18:20 0 d-------- C:\Documents and Settings\Betty\Application Data\Jasc
2008-01-25 17:09:41 0 d-------- C:\Documents and Settings\Betty\Application Data\ScanSoft
2008-01-25 17:09:37 0 d-------- C:\Program Files\Common Files\ScanSoft Shared
2008-01-25 17:09:36 0 d-------- C:\Program Files\Common Files\InstallShield
2008-01-25 17:09:17 0 d-------- C:\Program Files\ScanSoft
2008-01-25 17:00:36 0 d-------- C:\Program Files\Canon
2008-01-25 16:59:29 0 d-------- C:\Program Files\Common Files\CANON
2008-01-25 16:56:54 0 d--h----- C:\Program Files\CanonBJ
2008-01-25 08:22:22 0 d-------- C:\Documents and Settings\Betty\Application Data\WinRAR
2008-01-23 11:31:27 0 d-------- C:\Documents and Settings\Betty\Application Data\Sun
2008-01-16 19:15:35 27210 --a------ C:\Documents and Settings\Betty\Application Data\Personal Address Book.ADR
2008-01-16 04:21:22 38439 --a------ C:\Documents and Settings\Betty\Application Data\Comma Separated Values (Windows).ADR
2007-12-21 23:53:35 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2007-12-21 22:24:23 21640 --a----c- C:\WINDOWS\system32\emptyregdb.dat
2007-12-21 14:14:42 62 --ahs---- C:\Documents and Settings\Betty\Application Data\desktop.ini

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7242c94b-ec57-4106-9f7b-5b48ee62ab5b}]
03/20/2008 08:07 PM 91712 --a------ C:\WINDOWS\system32\jhoywbcp.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85A611CA-CA0F-469B-8220-B70221A545BB}]
03/19/2007 01:01 PM 39424 --------- C:\WINDOWS\system32\qomlmjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B0489F2A-DC6B-4B2F-B673-883177BB6D27}]
03/20/2008 08:06 PM 290816 --a------ C:\WINDOWS\system32\ssttq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7981234-6B88-40E7-BEA5-F6BB90E9BCBA}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [04/29/2006 04:36 AM]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [12/04/2007 02:00 PM]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [11/07/2007 05:00 AM]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [09/06/2007 04:14 PM]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [01/28/2008 11:37 AM]
"4051595e"="C:\WINDOWS\system32\qjemygns.dll" [03/20/2008 08:09 PM]
"BM43626ac2"="C:\WINDOWS\system32\queqwnqa.dll" [03/20/2008 08:07 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [07/27/2007 01:00 PM]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2/18/2008 2:28:55 PM]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{85A611CA-CA0F-469B-8220-B70221A545BB}"= C:\WINDOWS\system32\qomlmjg.dll [03/19/2007 01:01 PM 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 11/15/2007 10:10 AM 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkklj]
nnnkklj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlmjg]
qomlmjg.dll 03/19/2007 01:01 PM 39424 C:\WINDOWS\system32\qomlmjg.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\ssttq.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WdfLoadGroup]
@=""

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4051595e]
rundll32.exe "C:\WINDOWS\system32\aacgptld.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
"C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
C:\Program Files\Advanced Registry Optimizer\ARO.exe -rem

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
"C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM43626ac2]
Rundll32.exe "C:\WINDOWS\system32\vopgebir.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
C:\Program Files\Canon\MyPrinter\BJMyPrt.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe /logon

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
KHALMNPR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]
C:\Program Files\RegistrySmart\RegistrySmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
"C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
"C:\Program Files\Windows Defender\MSASCui.exe" -hide

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)

-- End of Deckard's System Scanner: finished at 2008-03-21 11:18:34 ------------

EXTRA.TXT

Deckard's System Scanner v20071014.68
Extra logfile - please post this as an attachment with your post.
--------------------------------------------------------------------------------

-- System Information ----------------------------------------------------------

Microsoft Windows XP Professional (build 2600) SP 2.0
Architecture: X86; Language: English

CPU 0: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
CPU 1: Intel(R) Core(TM)2 Duo CPU E6750 @ 2.66GHz
Percentage of Memory in Use: 22%
Physical Memory (total/avail): 2047.23 MiB / 1580.03 MiB
Pagefile Memory (total/avail): 3943.72 MiB / 3613.48 MiB
Virtual Memory (total/avail): 2047.88 MiB / 1946.85 MiB

C: is Fixed (NTFS) - 147.03 GiB total, 126.44 GiB free.
D: is Fixed (NTFS) - 225.58 GiB total, 194.48 GiB free.
F: is Removable (No Media)
G: is Removable (No Media)
H: is Removable (No Media)
I: is Removable (No Media)
J: is Removable (No Media)
Y: is CDROM (No Media)

\\.\PHYSICALDRIVE0 - SAMSUNG HD403LJ - 372.61 GiB - 2 partitions
\PARTITION0 (bootable) - Installable File System - 147.03 GiB - C:
\PARTITION1 - Extended w/Extended Int 13 - 225.58 GiB - D:

\\.\PHYSICALDRIVE5 - Canon MP610 series USB Device

\\.\PHYSICALDRIVE2 - Generic USB CF Reader USB Device

\\.\PHYSICALDRIVE4 - Generic USB MS Reader USB Device

\\.\PHYSICALDRIVE1 - Generic USB SD Reader USB Device

\\.\PHYSICALDRIVE3 - Generic USB SM Reader USB Device

-- Security Center -------------------------------------------------------------

AUOptions is set to notify before download.
Windows Internal Firewall is disabled.

FirstRunDisabled is set.

FW: ZoneAlarm Firewall v7.0.408.000 (Check Point, LTD.)
AV: avast! antivirus 4.7.1098 [VPS 080321-0] v4.7.1098 (ALWIL Software)

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"

[HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabledxpsp2res.dll,-22019"
"%windir%\\Network Diagnostic\\xpnetdiag.exe"="%windir%\\Network Diagnostic\\xpnetdiag.exe:*:Enabledxpsp3res.dll,-20000"
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"="C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe:*:Enabled:VoipBuster"
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"="C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe:*:Enabled:Logitech Desktop Messenger"
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"="C:\\WINDOWS\\system32\\usmt\\migwiz.exe:*:Enabled:Files and Settings Transfer Wizard"
"C:\\Program Files\\LimeWire\\LimeWire.exe"="C:\\Program Files\\LimeWire\\LimeWire.exe:*:Enabled:LimeWire"
"C:\\Program Files\\Internet Explorer\\iexplore.exe"="C:\\Program Files\\Internet Explorer\\iexplore.exe:*:Enabled:Internet Explorer"
"C:\\Program Files\\eMule\\emule.exe"="C:\\Program Files\\eMule\\emule.exe:*:Enabled:eMule"
"\\\\TIGRITA\\d\\Installation Programs After 09-07\\Emule-Unzipped\\eMule0.48a\\emule.exe"="\\\\TIGRITA\\d\\Installation Programs After 09-07\\Emule-Unzipped\\eMule0.48a\\emule.exe:*:Enabled:emule.exe"
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"="C:\\Program Files\\Real\\RealOne Player\\realplay.exe:*:Enabled:RealPlayer"
"C:\\Program Files\\WebFerret\\WebFerret.exe"="C:\\Program Files\\WebFerret\\WebFerret.exe:*:Enabled:WebFerret 6.0"
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"="C:\\Program Files\\Bonjour\\mDNSResponder.exe:*:Enabled:Bonjour"
"C:\\Program Files\\iTunes\\iTunes.exe"="C:\\Program Files\\iTunes\\iTunes.exe:*:Enabled:iTunes"
"C:\\Macky\\mirc32.exe"="C:\\Macky\\mirc32.exe:*:Enabled:mIRC Internet Relay Chat Client"
"C:\\Program Files\\mIRC\\mirc.exe"="C:\\Program Files\\mIRC\\mirc.exe:*:Enabled:mIRC"
"\\\\TIGRITA\\d\\Macky\\mirc.exe"="\\\\TIGRITA\\d\\Macky\\mirc.exe:*:Enabled:mirc.exe"
"C:\\Program Files\\DNA\\btdna.exe"="C:\\Program Files\\DNA\\btdna.exe:*:EnabledNA"
"C:\\Program Files\\BitTorrent\\bittorrent.exe"="C:\\Program Files\\BitTorrent\\bittorrent.exe:*:Enabled:BitTorrent"

-- Environment Variables -------------------------------------------------------

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\Betty\Application Data
CLASSPATH=.;C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
CLIENTNAME=Console
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=TIGRITAS-NEW-PC
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\Betty
LOGONSERVER=\\TIGRITAS-NEW-PC
NUMBER_OF_PROCESSORS=2
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 6 Model 15 Stepping 11, GenuineIntel
PROCESSOR_LEVEL=6
PROCESSOR_REVISION=0f0b
ProgramFiles=C:\Program Files
PROMPT=$P$G
QTJAVA=C:\Program Files\Java\jre1.6.0_03\lib\ext\QTJava.zip
SESSIONNAME=Console
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\Betty\LOCALS~1\Temp
TMP=C:\DOCUME~1\Betty\LOCALS~1\Temp
tvdumpflags=8
USERDOMAIN=TIGRITAS-NEW-PC
USERNAME=Betty
USERPROFILE=C:\Documents and Settings\Betty
windir=C:\WINDOWS

-- User Profiles ---------------------------------------------------------------

Betty (admin)
Administrator (new local, admin)

-- Add/Remove Programs ---------------------------------------------------------

--> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
--> C:\Program Files\Nero\Nero 7\nero\uninstall\UNNERO.exe /UNINSTALL
--> C:\WINDOWS\UNNeroMediaHome.exe /UNINSTALL
--> C:\WINDOWS\UNNeroShowTime.exe /UNINSTALL
--> C:\WINDOWS\UNRecode.exe /UNINSTALL
--> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
Ad-Aware SE Professional --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
Adobe Acrobat 7.0.9 Professional --> msiexec /I {AC76BA86-1033-0000-7760-000000000002}
Adobe Flash Player ActiveX --> C:\WINDOWS\system32\Macromed\Flash\uninstall_activeX.exe
Advanced Registry Optimizer --> "C:\Program Files\Advanced Registry Optimizer\unins000.exe" /silent
AnyDVD --> "C:\Program Files\SlySoft\AnyDVD\AnyDVD-uninst.exe" /D="C:\Program Files\SlySoft\AnyDVD"
Apple Mobile Device Support --> MsiExec.exe /I{D8AB8F0C-CEEB-4A29-8EF5-219B064813F4}
Apple Software Update --> MsiExec.exe /I{B74F042E-E1B9-4A5B-8D46-387BB172F0A4}
avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
Bonjour --> MsiExec.exe /I{47BF1BD6-DCAC-468F-A0AD-E5DECC2211C3}
Canon MP Navigator EX 1.0 --> "C:\Program Files\Canon\MP Navigator EX 1.0\Maint.exe" /UninstallRemove C:\Program Files\Canon\MP Navigator EX 1.0\uninst.ini
Canon MP610 series --> "C:\WINDOWS\system32\CanonIJ Uninstaller Information\{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP610_series\DelDrv.exe" /U:{1199FAD5-9546-44f3-81CF-FFDB8040B7BF}_Canon_MP610_series /L0x0009
Canon MP610 series User Registration --> C:\Program Files\Canon\IJEREG\MP610 series\UNINST.EXE
Canon My Printer --> C:\Program Files\Canon\MyPrinter\uninst.exe uninst.ini
Canon Utilities Easy-PhotoPrint EX --> C:\Program Files\Canon\Easy-PhotoPrint EX\uninst.exe uninst.ini
Canon Utilities Solution Menu --> C:\Program Files\Canon\SolutionMenu\uninst.exe uninst.ini
CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe"
CD-LabelPrint --> "C:\Program Files\Canon\CD-LabelPrint\Uninstal.exe" Canon.CDLabelPrint.Application
CDDRV_Installer --> MsiExec.exe /I{0C826C5B-B131-423A-A229-C71B3CACCD6A}
CloneDVD2 --> "C:\Program Files\Elaborate Bytes\CloneDVD2\CloneDVD2-uninst.exe" /D="C:\Program Files\Elaborate Bytes\CloneDVD2"
ConvertXtoDVD 3.0.0.1 --> "C:\Program Files\VSO\ConvertX\3\unins000.exe"
Easy Duplicate Finder v. 1.5.1 --> "C:\Program Files\Easy Duplicate Finder\unins000.exe"
eMule --> "C:\Program Files\eMule\Uninstall.exe"
Google Earth --> MsiExec.exe /I{1E04F83B-2AB9-4301-9EF7-E86307F79C72}
High Definition Audio Driver Package - KB888111 --> "C:\WINDOWS\$NtUninstallKB888111WXPSP2$\spuninst\spuninst.exe"
HijackThis 2.0.2 --> "C:\Program Files\Trend Micro\HijackThis\HijackThis.exe" /uninstall
Hotfix for Windows Media Format 11 SDK (KB929399) --> "C:\WINDOWS\$NtUninstallKB929399$\spuninst\spuninst.exe"
iPod for Windows 2005-03-23 --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{44A537A5-859C-43A6-8285-C0668142A090} /l1033
iTunes --> MsiExec.exe /I{02DFB3FD-CF52-4183-8BCA-2A127D4888F4}
J2SE Runtime Environment 5.0 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150030}
Java(TM) 6 Update 3 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160030}
Java(TM) 6 Update 5 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0160050}
KhalInstallWrapper --> MsiExec.exe /I{3101CB58-3482-4D21-AF1A-7057FC935355}
LimeWire PRO 4.10.0 --> "C:\Program Files\LimeWire\uninstall.exe"
Logitech Desktop Messenger --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\09\01\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{900B1197-53F5-4F46-A882-2CFFFE2EEDCB}\SETUP.EXE" -l0x9 UNINSTALL
Logitech SetPoint --> C:\Program Files\InstallShield Installation Information\{F29B21BD-CAA6-445F-8EF7-A7E2B9D8B14E}\setup.exe -runfromtemp -l0x0009 -removeonly
Microsoft Base Smart Card Cryptographic Service Provider Package --> "C:\WINDOWS\$NtUninstallbasecsp$\spuninst\spuninst.exe"
Microsoft Compression Client Pack 1.0 for Windows XP --> "C:\WINDOWS\$NtUninstallMSCompPackV1$\spuninst\spuninst.exe"
Microsoft Office Professional Edition 2003 --> MsiExec.exe /I{90110409-6000-11D3-8CFE-0150048383C9}
Microsoft User-Mode Driver Framework Feature Pack 1.0 --> "C:\WINDOWS\$NtUninstallWudf01000$\spuninst\spuninst.exe"
Microsoft Visual C++ 2005 Redistributable --> MsiExec.exe /X{A49F249F-0C91-497F-86DF-B2585E8E76B7}
Microsoft Windows Script 5.7 --> "C:\WINDOWS\$NtUninstallscripten$\spuninst\spuninst.exe"
mIRC --> "C:\Documents and Settings\Betty\My Documents\Macky\mirc.exe" -uninstall
Nero 7 Essentials --> MsiExec.exe /X{B28B351F-1232-46EA-85EF-B8EA91641033}
NoAdware v5.0 --> "C:\Program Files\NoAdware5.0\unins000.exe"
NVIDIA Drivers --> C:\WINDOWS\system32\nvudisp.exe UninstallGUI
QuickTime --> MsiExec.exe /I{BFD96B89-B769-4CD6-B11E-E79FFD46F067}
RealPlayer --> C:\Program Files\Common Files\Real\Update_OB\r1puninst.exe RealNetworks|RealPlayer|6.0
Realtek High Definition Audio Driver --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\PROFES~1\RunTime\11\50\Intel32\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F132AF7F-7BCA-4EDE-8A7C-958108FE7DBC}\Setup.exe" -l0x9 -removeonly
RegistrySmart --> MsiExec.exe /X{9716B4F1-AFD8-4162-B99F-708F39009E73}
Rhapsody Player Engine --> MsiExec.exe /I{22DE1881-9D24-4981-B5CC-EC7E9F2F4D52}
ScanSoft OmniPage SE 4 --> MsiExec.exe /I{DEE88727-779B-47A9-ACEF-F87CA5F92A65}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /I{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
Security Update for CAPICOM (KB931906) --> MsiExec.exe /X{0EFDF2F9-836D-4EB7-A32D-038BD3F1FB2A}
VideoLAN VLC media player 0.8.6c --> C:\Program Files\VideoLAN\VLC\uninstall.exe
VoipBuster --> "C:\Program Files\VoipBuster.com\VoipBuster\unins000.exe"
WebFerret --> C:\WINDOWS\WebFerretUninstall.exe C:\Program Files\WebFerret
Windows Defender --> MsiExec.exe /I{CAB99E06-B92F-4AE0-89AD-D9AC5991046F}
Windows Media Format 11 runtime --> "C:\WINDOWS\$NtUninstallWMFDist11$\spuninst\spuninst.exe"
Windows Media Format SDK Hotfix - KB891122 --> "C:\WINDOWS\$NtUninstallKB891122$\spuninst\spuninst.exe"
WinRAR archiver --> C:\Program Files\WinRAR\uninstall.exe
WinZip 11.1 --> MsiExec.exe /X{CD95F661-A5C4-44F5-A6AA-ECDD91C240B5}
ZoneAlarm --> C:\Program Files\Zone Labs\ZoneAlarm\zauninst.exe

-- Application Event Log -------------------------------------------------------

Event Record #/Type2460 / Error
Event Submitted/Written: 03/21/2008 11:16:48 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00011639.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type2459 / Error
Event Submitted/Written: 03/21/2008 11:14:46 AM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application dss.exe, version 3.2.8.1, faulting module ntdll.dll, version 5.1.2600.2180, fault address 0x00010f83.
Processing media-specific event for [dss.exe!ws!]

Event Record #/Type2457 / Error
Event Submitted/Written: 03/21/2008 07:52:31 AM
Event ID/Source: 1002 / Application Hang
Event Description:
Hanging application iexplore.exe, version 7.0.6000.16608, hang module hungapp, version 0.0.0.0, hang address 0x00000000.

Event Record #/Type2449 / Error
Event Submitted/Written: 03/20/2008 07:30:43 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application ahijackthis.exe, version 2.0.0.2, faulting module ssttt.dll, version 0.0.0.0, fault address 0x00061bf3.
Processing media-specific event for [ahijackthis.exe!ws!]

Event Record #/Type2448 / Error
Event Submitted/Written: 03/20/2008 07:28:13 PM
Event ID/Source: 1000 / Application Error
Event Description:
Faulting application hijackthis.exe, version 2.0.0.2, faulting module ssttt.dll, version 0.0.0.0, fault address 0x00061bf3.
Processing media-specific event for [hijackthis.exe!ws!]

-- Security Event Log ----------------------------------------------------------

No Errors/Warnings found.

-- System Event Log ------------------------------------------------------------

Event Record #/Type2956 / Warning
Event Submitted/Written: 03/21/2008 07:51:34 AM
Event ID/Source: 1007 / Dhcp
Event Description:
Your computer has automatically configured the IP address for the Network
Card with network address 0019DBB06964. The IP address being used is 169.254.213.254.

Event Record #/Type2955 / Warning
Event Submitted/Written: 03/21/2008 07:51:28 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019DBB06964. The following
error occurred:
%%121.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2954 / Warning
Event Submitted/Written: 03/21/2008 07:51:00 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019DBB06964. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2933 / Warning
Event Submitted/Written: 03/21/2008 07:49:08 AM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019DBB06964. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

Event Record #/Type2865 / Warning
Event Submitted/Written: 03/20/2008 04:09:54 PM
Event ID/Source: 1003 / Dhcp
Event Description:
Your computer was not able to renew its address from the network (from the
DHCP Server) for the Network Card with network address 0019DBB06964. The following
error occurred:
%%1223.
Your computer will continue to try and obtain an address on its own from
the network address (DHCP) server.

-- End of Deckard's System Scanner: finished at 2008-03-21 11:18:34 ------------

Ltangel · Mar 21, 2008

Hey Tigrita,

Thanks for posting the logs required, please be patient while I review the logs. Meanwhile, please do not download anything or visit any other sites other than the forums here. Also, please do not attempt to fix anything with HijackThis.

Thanks for your understanding.

~Ltangel~

Ltangel · Mar 21, 2008

Hey Tigrita

Please download ComboFix from Here or Here to your Desktop.

**Note: In the event you already have Combofix, this is a new version that I need you to download. It is important that it is saved directly to your desktop**

[*]Please, never rename Combofix unless instructed.
[*]Close any open browsers.
[*]Close/disable all anti virus and anti malware programs so they do not interfere with the running of ComboFix.
-----------------------------------------------------------

[*]Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with ComboFix or remove some of its embedded files which may cause "unpredictable results".
[*]Click on this link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
-----------------------------------------------------------

[*]Close any open browsers.
[*]WARNING: Combofix will disconnect your machine from the Internet as soon as it starts
[*]Please do not attempt to re-connect your machine back to the Internet until Combofix has completely finished.
[*]If there is no internet connection after running Combofix, then restart your computer to restore back your connection.

-----------------------------------------------------------
[*]Double click on combofix.exe & follow the prompts.
[*]When finished, it will produce a report for you.
[*]Please post the "C:\ComboFix.txt" along with a new HijackThis log for further review.

**Note: Do not mouseclick combofix's window while it's running. That may cause it to stall**

Go!

~Ltangel~

Tigrita · Mar 21, 2008

Dear Ltangel:
As instructed, here are the logs:

ComboFix 08-03-20.5 - Betty 2008-03-21 12:56:54.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1643 [GMT 1:00]
Running from: C:\Documents and Settings\Betty\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Betty\Application Data\inst.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\apldkejn.dll
C:\WINDOWS\system32\bmoxpgnu.dll
C:\WINDOWS\system32\dbsxfits.dll
C:\WINDOWS\system32\dlatpvwx.dll
C:\WINDOWS\system32\emqmxtgy.dll
C:\WINDOWS\system32\femeyuxf.dll
C:\WINDOWS\system32\gqrfbruy.dll
C:\WINDOWS\system32\hsohfiyr.dll
C:\WINDOWS\system32\iugxyleu.dll
C:\WINDOWS\system32\jhoywbcp.dll
C:\WINDOWS\system32\jncixdct.dll
C:\WINDOWS\system32\jopmvjyw.dll
C:\WINDOWS\system32\jyxpmjqg.dll
C:\WINDOWS\system32\kemwjfcb.dll
C:\WINDOWS\system32\kqbdtktw.dll
C:\WINDOWS\system32\ksanophs.dll
C:\WINDOWS\system32\lqwfskhw.dll
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\omnmbqkg.dll
C:\WINDOWS\system32\ovxyjgoi.dll
C:\WINDOWS\system32\qfirsehw.dll
C:\WINDOWS\system32\qjemygns.dll
C:\WINDOWS\system32\qttss.ini
C:\WINDOWS\system32\qttss.ini2
C:\WINDOWS\system32\queqwnqa.dll
C:\WINDOWS\system32\rkoecert.dll
C:\WINDOWS\system32\sngymejq.ini
C:\WINDOWS\system32\srwwmsur.dll
C:\WINDOWS\system32\ssttq.dll
C:\WINDOWS\system32\tcrgeidd.dll
C:\WINDOWS\system32\tiuccqxu.dll
C:\WINDOWS\system32\tttss.ini
C:\WINDOWS\system32\tttss.ini2
C:\WINDOWS\system32\xjhywfub.dll
C:\WINDOWS\system32\yjoqkafc.dll

.
((((((((((((((((((((((((( Files Created from 2008-02-21 to 2008-03-21 )))))))))))))))))))))))))))))))
.

2008-03-21 11:13 . 2008-03-21 11:13 <DIR> d-------- C:\Deckard
2008-03-20 23:34 . 2008-03-18 23:48 1,526,077 ---hs---- C:\WINDOWS\system32\pbptwjie.ini
2008-03-20 23:30 . 2008-03-20 23:30 354 ---hs---- C:\WINDOWS\system32\tyslcunr.ini
2008-03-20 22:23 . 2008-03-20 22:23 294 ---hs---- C:\WINDOWS\system32\vtnigbmw.ini
2008-03-20 19:41 . 2008-03-20 19:53 <DIR> d-------- C:\VundoFix Backups
2008-03-20 09:41 . 2008-03-20 17:46 1,540,176 ---hs---- C:\WINDOWS\system32\yyclgtte.ini
2008-03-19 17:12 . 2007-03-19 17:20 1,534,825 ---hs---- C:\WINDOWS\system32\fxwodjpi.ini
2008-03-19 15:11 . 2008-03-19 15:11 <DIR> d-------- C:\Program Files\Trend Micro
2008-03-19 15:04 . 2008-03-21 12:05 <DIR> d-------- C:\WINDOWS\Internet Logs
2008-03-19 15:04 . 2008-03-19 15:04 <DIR> d-------- C:\Program Files\Zone Labs
2008-03-19 14:46 . 2008-03-19 14:46 <DIR> d-------- C:\Program Files\Windows Defender
2008-03-19 13:37 . 2008-03-19 14:20 <DIR> d-------- C:\Program Files\NoAdware5.0
2008-03-19 11:05 . 2007-03-19 11:30 <DIR> d-------- C:\SDFix
2008-03-19 10:22 . 2008-03-19 10:22 <DIR> d-------- C:\Documents and Settings\Betty\Application Data\RegistrySmart
2008-03-19 10:21 . 2008-03-19 10:22 <DIR> d-------- C:\Program Files\RegistrySmart
2008-03-19 09:31 . 2008-03-19 09:31 <DIR> d-------- C:\Program Files\Advanced Registry Optimizer
2008-03-19 09:31 . 2008-03-19 09:31 <DIR> d-------- C:\Documents and Settings\Betty\Application Data\Sammsoft
2008-03-19 09:00 . 2007-03-19 11:10 1,525,531 ---hs---- C:\WINDOWS\system32\tkdulbpy.ini
2008-03-19 08:08 . 2008-03-19 08:57 1,525,099 ---hs---- C:\WINDOWS\system32\uytajghn.ini
2008-03-19 07:27 . 2008-03-19 08:05 1,524,664 ---hs---- C:\WINDOWS\system32\caabjwjs.ini
2008-03-18 23:50 . 2007-03-19 07:14 1,526,197 ---hs---- C:\WINDOWS\system32\ostcxxlp.ini
2008-03-18 16:08 . 2007-03-18 17:59 1,521,492 ---hs---- C:\WINDOWS\system32\xhartsjb.ini
2008-03-18 12:00 . 2008-03-18 12:00 1,390,596 ---hs---- C:\WINDOWS\system32\bijctraq.ini
2008-03-17 23:42 . 2007-03-19 12:29 169,561 --ahs---- C:\WINDOWS\system32\hjkmp.ini2
2008-03-17 13:29 . 2008-03-17 13:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\vsosdk
2008-03-17 12:45 . 2008-03-17 12:45 <DIR> d-------- C:\Program Files\VSO
2008-03-17 12:45 . 2008-03-18 11:48 <DIR> d-------- C:\Documents and Settings\Betty\Application Data\Vso
2008-03-17 12:45 . 2004-05-04 11:53 1,645,320 --a------ C:\WINDOWS\gdiplus.dll
2008-03-17 12:45 . 2006-05-20 16:16 1,184,984 --a------ C:\WINDOWS\system32\wvc1dmod.dll
2008-03-17 12:45 . 2006-05-11 19:21 626,688 --a------ C:\WINDOWS\system32\vp7vfw.dll
2008-03-17 12:45 . 2006-09-29 12:24 217,127 --a------ C:\WINDOWS\system32\drv43260.dll
2008-03-17 12:45 . 2006-09-29 12:25 208,935 --a------ C:\WINDOWS\system32\drv33260.dll
2008-03-17 12:45 . 2006-09-29 12:26 176,165 --a------ C:\WINDOWS\system32\drv23260.dll
2008-03-17 12:45 . 2007-03-18 20:37 65,602 --a------ C:\WINDOWS\system32\cook3260.dll
2008-03-17 12:45 . 2008-03-17 12:45 47,360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2008-03-17 12:45 . 2008-03-17 12:45 47,360 --a------ C:\Documents and Settings\Betty\Application Data\pcouffin.sys
2008-03-17 12:42 . 2008-03-19 17:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-03-17 12:42 . 2008-03-17 12:47 37,888 --a------ C:\WINDOWS\system32\rar.exe
2008-03-17 09:51 . 2007-03-19 12:33 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-03-17 09:08 . 2001-03-08 18:30 24,064 --------- C:\WINDOWS\system32\msxml3a.dll
2008-03-17 09:07 . 2008-03-17 09:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-03-17 08:36 . 2008-03-17 08:36 <DIR> d-------- C:\Program Files\SlySoft
2008-03-17 08:36 . 2008-03-17 08:36 <DIR> d-------- C:\Program Files\Elaborate Bytes
2008-03-16 13:16 . 2008-03-16 13:16 <DIR> d-------- C:\Program Files\DNA
2008-03-16 13:16 . 2008-03-16 13:16 <DIR> d-------- C:\Program Files\BitTorrent
2008-03-16 13:16 . 2008-03-20 19:06 <DIR> d-------- C:\Documents and Settings\Betty\Application Data\DNA
2008-03-16 13:16 . 2008-03-16 22:12 <DIR> d-------- C:\Documents and Settings\Betty\Application Data\BitTorrent
2008-03-13 13:36 . 2008-03-21 11:06 <DIR> d-------- C:\Program Files\mIRC
2008-03-13 13:32 . 2008-03-13 14:05 <DIR> d-------- C:\IRCap
2008-03-11 11:42 . 2008-03-11 11:42 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2008-03-03 18:38 . 2008-03-03 18:38 <DIR> d-------- C:\Documents and Settings\Betty\Application Data\vlc
2008-03-03 18:37 . 2008-03-03 18:37 <DIR> d-------- C:\Program Files\VideoLAN

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-03-21 12:02 438,304 --sha-w C:\WINDOWS\system32\drivers\fidbox.dat
2008-03-21 12:01 7,208 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2008-03-18 16:51 --------- d-----w C:\Program Files\Java
2008-03-18 05:45 --------- d-----w C:\Documents and Settings\Betty\Application Data\LimeWire
2008-03-17 13:42 36,624 ------w C:\WINDOWS\system32\drivers\PxHelp20.sys
2008-03-17 13:42 2,560 ------w C:\WINDOWS\system32\drivers\cdralw2k.sys
2008-03-17 13:42 2,432 ------w C:\WINDOWS\system32\drivers\cdr4_xp.sys
2008-03-17 08:55 --------- d-----w C:\Documents and Settings\Betty\Application Data\Ahead
2008-02-18 13:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-02-18 13:29 --------- d-----w C:\Program Files\Common Files\Logishrd
2008-02-18 13:28 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-02-18 13:28 --------- d-----w C:\Program Files\Common Files\Logitech
2008-02-18 13:28 --------- d-----w C:\Documents and Settings\Betty\Application Data\InstallShield
2008-02-14 10:54 --------- d-----w C:\Documents and Settings\Betty\Application Data\Apple Computer
2008-02-12 12:09 --------- d-----w C:\Program Files\Easy Duplicate Finder
2008-02-08 14:52 --------- d-----w C:\Program Files\iTunes
2008-02-08 14:52 --------- d-----w C:\Program Files\iPod
2008-02-08 14:51 --------- d-----w C:\Program Files\QuickTime
2008-02-08 14:51 --------- d-----w C:\Program Files\Common Files\Apple
2008-02-08 14:51 --------- d-----w C:\Program Files\Bonjour
2008-02-08 14:51 --------- d-----w C:\Program Files\Apple Software Update
2008-02-08 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-02-08 14:51 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-02-08 14:16 --------- d-----w C:\Documents and Settings\All Users\Application Data\QuickTime
2008-02-06 12:49 17,920 ----a-w C:\WINDOWS\WebFerretUninstall.exe
2008-02-06 12:49 --------- d-----w C:\Program Files\WebFerret
2008-01-31 11:22 --------- d-----w C:\Documents and Settings\Betty\Application Data\Canon
2008-01-28 14:35 --------- d-----w C:\Program Files\Lavasoft
2008-01-28 14:35 --------- d-----w C:\Documents and Settings\Betty\Application Data\Lavasoft
2008-01-28 12:34 --------- d-----w C:\Program Files\eMule
2008-01-28 12:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-28 10:37 --------- d-----w C:\Program Files\Real
2008-01-28 10:37 --------- d-----w C:\Program Files\Common Files\xing shared
2008-01-28 10:37 --------- d-----w C:\Program Files\Common Files\Real
2008-01-27 02:00 --------- d-----w C:\Program Files\MSXML 4.0
2008-01-27 02:00 --------- d-----w C:\Program Files\Microsoft CAPICOM 2.1.0.2
2008-01-26 10:18 --------- d-----w C:\Documents and Settings\Betty\Application Data\Jasc
2008-01-25 16:09 --------- d-----w C:\Program Files\ScanSoft
2008-01-25 16:09 --------- d-----w C:\Program Files\Common Files\ScanSoft Shared
2008-01-25 16:09 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-01-25 16:09 --------- d-----w C:\Documents and Settings\Betty\Application Data\ScanSoft
2008-01-25 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\ScanSoft
2008-01-25 16:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\InstallShield
2008-01-25 16:00 --------- d-----w C:\Program Files\Canon
2008-01-25 15:59 --------- d-----w C:\Program Files\Common Files\CANON
2008-01-25 15:57 --------- d--h--w C:\Documents and Settings\All Users\Application Data\CanonBJ
2008-01-25 15:56 --------- d--h--w C:\Program Files\CanonBJ
2008-01-16 02:04 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-12-21 22:53 315,392 ----a-w C:\WINDOWS\HideWin.exe
2007-03-19 11:29 169,561 --sha-w C:\WINDOWS\system32\hjkmp.ini2
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{85A611CA-CA0F-469B-8220-B70221A545BB}]
2007-03-19 13:01 39424 --------- C:\WINDOWS\system32\qomlmjg.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F7981234-6B88-40E7-BEA5-F6BB90E9BCBA}]
C:\WINDOWS\system32\ssttt.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2007-07-27 13:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"WinSys2"="C:\WINDOWS\system32\winsys2.exe" [2006-04-29 04:36 208896]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 14:00 79224]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-11-07 05:00 8523776]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-09-06 16:14 919016]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-01-28 11:37 185896]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Logitech SetPoint.lnk - C:\Program Files\Logitech\SetPoint\SetPoint.exe [2008-02-18 14:28:55 784912]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{85A611CA-CA0F-469B-8220-B70221A545BB}"= C:\WINDOWS\system32\qomlmjg.dll [2007-03-19 13:01 39424]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\LBTWlgn]
c:\program files\common files\logitech\bluetooth\LBTWlgn.dll 2007-11-15 10:10 72208 c:\Program Files\Common Files\Logitech\Bluetooth\LBTWLgn.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\nnnkklj]
nnnkklj.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\qomlmjg]
qomlmjg.dll 2007-03-19 13:01 39424 C:\WINDOWS\system32\qomlmjg.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Acrobat Speed Launcher.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Acrobat Speed Launcher.lnk
backup=C:\WINDOWS\pss\Adobe Acrobat Speed Launcher.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\4051595e]
C:\WINDOWS\system32\aacgptld.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Acrobat Assistant 7.0]
--a------ 2006-01-12 20:52 483328 C:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
--a------ 2008-03-17 08:37 454144 C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AROReminder]
--a------ 2007-07-23 09:34 2084480 C:\Program Files\Advanced Registry Optimizer\ARO.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}]
--a------ 2006-12-24 03:05 143360 C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BM43626ac2]
--a------ 2007-03-19 17:21 90688 C:\WINDOWS\system32\vopgebir.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonMyPrinter]
--a------ 2007-04-03 17:50 1603152 C:\Program Files\Canon\MyPrinter\BJMyPrt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CanonSolutionMenu]
--a------ 2007-05-14 17:01 644696 C:\Program Files\Canon\SolutionMenu\CNSLMAIN.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-04 14:18 267048 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Hardware Abstraction Layer]
--a------ 2007-09-21 03:10 55824 C:\WINDOWS\KHALMNPR.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
---hs---- 2004-10-13 17:24 1694208 C:\Program Files\Messenger\msmsgs.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
--a------ 2006-01-13 00:40 155648 C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
--a------ 2007-11-07 05:00 81920 C:\WINDOWS\system32\NvMcTray.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2008-01-31 23:13 385024 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistrySmart]
--a------ 2008-03-14 15:09 4351216 C:\Program Files\RegistrySmart\RegistrySmart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2008-02-22 04:25 144784 C:\Program Files\Java\jre1.6.0_05\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-01-28 11:37 185896 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
C:\WINDOWS\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Windows Defender]
--a------ 2006-02-10 16:27 1420560 C:\Program Files\Windows Defender\MSASCui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"Adobe LM Service"=3 (0x3)
"iPod Service"=3 (0x3)
"Bonjour Service"=2 (0x2)
"Apple Mobile Device"=2 (0x2)

[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\ZoneLabsFirewall]
"DisableMonitoring"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\VoipBuster.com\\VoipBuster\\VoipBuster.exe"=
"C:\\Program Files\\Logitech\\Desktop Messenger\\8876480\\Program\\LogitechDesktopMessenger.exe"=
"C:\\WINDOWS\\system32\\usmt\\migwiz.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Internet Explorer\\iexplore.exe"=
"C:\\Program Files\\eMule\\emule.exe"=
"C:\\Program Files\\Real\\RealOne Player\\realplay.exe"=
"C:\\Program Files\\WebFerret\\WebFerret.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"C:\\Program Files\\mIRC\\mirc.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

.
Contents of the 'Scheduled Tasks' folder
"2007-03-20 02:30:05 C:\WINDOWS\Tasks\RegistrySmart Scheduled Scan.job"
- C:\Program Files\RegistrySmart\RegistrySmart.ex
- C:\Program Files\RegistrySmart
.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-03-21 13:02:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\qomlmjg.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
.
**************************************************************************
.
Completion time: 2008-03-21 13:03:53 - machine was rebooted
ComboFix-quarantined-files.txt 2008-03-21 12:03:47
.
2008-03-19 08:00:28 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:04:19 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\n-ice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {85A611CA-CA0F-469B-8220-B70221A545BB} - C:\WINDOWS\system32\qomlmjg.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {F7981234-6B88-40E7-BEA5-F6BB90E9BCBA} - C:\WINDOWS\system32\ssttt.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200211951812
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: nnnkklj - nnnkklj.dll (file missing)
O20 - Winlogon Notify: qomlmjg - C:\WINDOWS\SYSTEM32\qomlmjg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7716 bytes

Ltangel · Mar 21, 2008

Hey Tigrita,

Please read the entire instructions before commencing and ask any questions you may have before carrying them out.

Disable Avast antivirus

We need to temporarily disable Avast as it may interfere with some of the tools we are using for the fix. To disable it, please right click on the avast! icon in system tray and choose (Stop On-Access Protection).

------------------------------------------------------------------------

Scan with VundoFix 5

Please download VundoFix.exe to your desktop
[*]Double-click VundoFix.exe to run it.
[*]Click the Scan for Vundo button.
[*]Once it's done scanning, click the Remove Vundo button.
[*]You will receive a prompt asking if you want to remove the files, click YES
[*]Once you click yes, your desktop will go blank as it starts removing Vundo.
[*]When completed, it will prompt that it will reboot your computer, click OK.
[*]Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

--------------------------------------------------------------------

Scan with SUPERAntispyware

1. Download and install SUPERAntiSpyware and double-click the icon on your desktop to run it.
2. It will ask if you want to update the program definitions, click Yes.
3. Under Configuration and Preferences, click the Preferences button.
4. Click the Scanning Control tab.
5. Under Scanner Options make sure the following are checked:
1. Close browsers before scanning
2. Scan for tracking cookies
3. Terminate memory threats before quarantining.
4. Please leave the others unchecked.
5. Click the Close button to leave the control center screen.
6. On the main screen, under Scan for Harmful Software click Scan your computer.
7. On the left check C:\Fixed Drive.
8. On the right, under Complete Scan, choose Perform Complete Scan.
9. Click Next to start the scan. Please be patient while it scans your computer.
10. After the scan is complete a summary box will appear. Click OK.
11. Make sure everything in the white box has a check next to it, then click Next.
12. It will quarantine what it found and if it asks if you want to reboot, click Yes.
13. To retrieve the removal information for me please do the following:
1. After reboot, double-click the SUPERAntispyware icon on your desktop.
2. Click Preferences. Click the Statistics/Logs tab.
3. Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
4. It will open in your default text editor (such as Notepad/Wordpad).
5. Please highlight everything in the notepad, then right-click and choose copy.
14. Click close and close again to exit the program.
15. Save the log information on your desktop.

In your next reply (please include):

Fresh HijackThis log
Vundofix.txt
SUPERAntispyware Scan log

Go!

~Ltangel~

Tigrita · Mar 21, 2008

Dear Ltangel,

After my last reboot, I was not able to start Windows “Normally” After unsuccessfully trying for 3 times I started in “Safe mode”, and re-started once again, this time effectively.

I received an error message stating; Error loading C:\windows\system323\bufunmelle.dll does not exist.
VundoFix.exe came up with “No files to be removed”
Here are the other logs, and thanks so much for your patience:

SUPERAntiSpyware Scan Log
http://www.superantispyware.com

Generated 03/21/2008 at 02:55 PM

Application Version : 4.0.1154

Core Rules Database Version : 3422
Trace Rules Database Version: 1414

Scan type : Complete Scan
Total Scan Time : 00:27:11

Memory items scanned : 465
Memory threats detected : 3
Registry items scanned : 5272
Registry threats detected : 14
File items scanned : 61077
File threats detected : 64

Adware.Vundo Variant/Resident
C:\WINDOWS\SYSTEM32\VTUTS.DLL
C:\WINDOWS\SYSTEM32\VTUTS.DLL

Adware.Vundo-Variant/Small-A
C:\WINDOWS\SYSTEM32\BUFVNMLE.DLL
C:\WINDOWS\SYSTEM32\BUFVNMLE.DLL
HKLM\Software\Classes\CLSID\{e262ce48-ce50-42ac-8d96-69e07e8d544d}
HKCR\CLSID\{E262CE48-CE50-42AC-8D96-69E07E8D544D}
HKCR\CLSID\{E262CE48-CE50-42AC-8D96-69E07E8D544D}\InprocServer32
HKCR\CLSID\{E262CE48-CE50-42AC-8D96-69E07E8D544D}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e262ce48-ce50-42ac-8d96-69e07e8d544d}
C:\!KILLBOX\ETTGLCYY.DLL
C:\!KILLBOX\JNCIXDCT.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP106\A0018402.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP106\A0018437.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP108\A0018479.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP108\A0018480.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP108\A0018481.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP110\A0018553.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP110\A0018554.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP114\A0018739.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP116\A0019739.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP117\A0020779.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP117\A0021783.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP117\A0022801.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP117\A0022806.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP119\A0022994.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP121\A0023858.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP121\A0023859.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP121\A0023876.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023960.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023962.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023963.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023965.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023966.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023967.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023969.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023970.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023971.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023975.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023980.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023984.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023985.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023986.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP124\A0023987.DLL
C:\WINDOWS\SYSTEM32\QTQLSDHP.DLL
C:\WINDOWS\SYSTEM32\SIILRIWM.DLL
C:\WINDOWS\SYSTEM32\TXYFEUFG.DLL

Trojan.Downloader-NewJuan/VM
C:\WINDOWS\SYSTEM32\PVRVJYHU.DLL
C:\WINDOWS\SYSTEM32\PVRVJYHU.DLL

Adware.Vundo Variant
HKLM\Software\Classes\CLSID\{345AC961-9B75-4772-A4B8-0036FFA0B793}
HKCR\CLSID\{345AC961-9B75-4772-A4B8-0036FFA0B793}
HKCR\CLSID\{345AC961-9B75-4772-A4B8-0036FFA0B793}\InprocServer32
HKCR\CLSID\{345AC961-9B75-4772-A4B8-0036FFA0B793}\InprocServer32#ThreadingModel
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{345AC961-9B75-4772-A4B8-0036FFA0B793}
HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F7981234-6B88-40E7-BEA5-F6BB90E9BCBA}
HKCR\CLSID\{F7981234-6B88-40E7-BEA5-F6BB90E9BCBA}
HKCR\CLSID\{F7981234-6B88-40E7-BEA5-F6BB90E9BCBA}\InprocServer32
HKCR\CLSID\{F7981234-6B88-40E7-BEA5-F6BB90E9BCBA}\InprocServer32#ThreadingModel
C:\WINDOWS\SYSTEM32\SSTTT.DLL

Adware.Tracking Cookie
C:\Documents and Settings\Betty\Cookies\betty@atdmt[2].txt
C:\Documents and Settings\Betty\Cookies\betty@sale.antispywaresuite[1].txt
C:\Documents and Settings\Betty\Cookies\betty@affiliate.wordtracker[2].txt
C:\Documents and Settings\Betty\Cookies\betty@sale.trustedantivirus[1].txt
C:\Documents and Settings\Betty\Cookies\betty@antispywaresuite[1].txt
C:\Documents and Settings\Betty\Cookies\betty@ad.zanox[1].txt
C:\Documents and Settings\Betty\Cookies\betty@trustedantivirus[1].txt
C:\Documents and Settings\Betty\Cookies\betty@adnetserver[3].txt
C:\Documents and Settings\Betty\Cookies\betty@doubleclick[3].txt
C:\Documents and Settings\Betty\Cookies\betty@stats.1stmarketingtraffic[1].txt
C:\Documents and Settings\Betty\Cookies\betty@adnetserver[2].txt
C:\Documents and Settings\Betty\Cookies\betty@ads.digital5media[1].txt
C:\Documents and Settings\Betty\Cookies\betty@apmebf[2].txt
C:\Documents and Settings\Betty\Cookies\betty@doubleclick[2].txt
C:\Documents and Settings\Betty\Cookies\betty@komtrack[2].txt

Unclassified.Unknown Origin
C:\IRCAP\CRACK\KEYGEN.NFO
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP117\A0022819.NFO

Adware.Vundo-Variant
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP117\A0022807.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP121\A0023878.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP121\A0023879.DLL
C:\SYSTEM VOLUME INFORMATION\_RESTORE{E70816ED-688C-465B-8E33-26080BD14976}\RP121\A0023880.DLL

Adware.Vundo Variant/Rel
C:\WINDOWS\SYSTEM32\HJKMP.INI2
C:\WINDOWS\SYSTEM32\STUTV.INI

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:27:52 PM, on 3/21/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\n-ice.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1752CCD6-5DF0-49FD-A05C-D10EE5E143CC} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: (no name) - {1B0CA4CD-88F0-43B1-947B-AEB7191914C7} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {85A611CA-CA0F-469B-8220-B70221A545BB} - C:\WINDOWS\system32\qomlmjg.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {0741e8a5-e647-d2da-e9b4-4db83ba78a2e} - {e2a87ab3-8bd4-4b9e-ad2d-746e5a8e1470} - C:\WINDOWS\system32\iscmlxap.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\bastjsio.dll",b
O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\bqcxkvkq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200211951812
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: nnnkklj - nnnkklj.dll (file missing)
O20 - Winlogon Notify: qomlmjg - C:\WINDOWS\SYSTEM32\qomlmjg.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 8468 bytes

Tigrita · Mar 21, 2008

Sorry I misspelled the error file; it should be
C:\windows\system32\bufunmle.dll

Tigrita · Mar 21, 2008

Sorry, I did it again! should be a "v" not a "u"
C:\windows\system32\bufvnmle.dll

Ltangel · Mar 22, 2008

Hey Tigrita,

Looks like you have a very nasty vundo infection. We'll use a stronger tool to remove it. Anyway, I still see Avast in your HijackThis log, did you disable it according to my instructions? If not please disable Avast before continuing with the removal process. Also, did you rename HijackThis.exe to n-ice.exe? If you didn't, please rename it back to Betty.exe.

NB: Please read the entire instructions before commencing them. It is vital that you carry out each step with care and not miss out or misunderstand any step. Please ask if you have trouble understanding any part of the instructions.

Disable Avast antivirus

We need to temporarily disable Avast as it may interfere with some of the tools we are using for the fix. To disable it, please right click on the avast! icon in system tray and choose (Stop On-Access Protection).

---------------------------------------------------------------------

Remove vundo infection

* Download VirtumundoBegone to your desktop.
* Run VirtumundoBeGone.exe and follow the instructions. Do not worry if you see a BLUE SCREEN "Fatal Error" Message, this is normal and expected.
* When it has finished, reboot.
* It will create a log on your desktop called VBG.TXT.

---------------------------------------------------------------------

Fix entries with HijackThis

Please reopen HijackThis and put a check beside the following entries:

O2 - BHO: (no name) - {1752CCD6-5DF0-49FD-A05C-D10EE5E143CC} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: (no name) - {1B0CA4CD-88F0-43B1-947B-AEB7191914C7} - C:\WINDOWS\system32\vtuts.dll (file missing)
O2 - BHO: (no name) - {85A611CA-CA0F-469B-8220-B70221A545BB} - C:\WINDOWS\system32\qomlmjg.dll
O2 - BHO: {0741e8a5-e647-d2da-e9b4-4db83ba78a2e} - {e2a87ab3-8bd4-4b9e-ad2d-746e5a8e1470} - C:\WINDOWS\system32\iscmlxap.dll
O4 - HKLM\..\Run: [WinSys2] C:\WINDOWS\system32\winsys2.exe
O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\jbshxlis.dll",s
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\ummrbxoj.dll",b
O20 - Winlogon Notify: nnnkklj - nnnkklj.dll (file missing)
O20 - Winlogon Notify: qomlmjg - C:\WINDOWS\SYSTEM32\qomlmjg.dll
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

Now close all windows/browsers except HijackThis, and click on "Fix Checked". Close HijackThis and reboot into safe mode. (Tap F8 before windows starts)

In safe mode, please do the following:

1. Go to Add or Remove Programs in Control Panel, and remove the following programs (if present):

DNA
BitTorrent

Using Windows Explorer, please search and delete the following folders/files (if present):

Folders

C:\Program Files\DNA\
C:\Program Files\BitTorrent\

Files

C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\qomlmjg.dll
C:\WINDOWS\system32\iscmlxap.dll
C:\WINDOWS\system32\winsys2.exe
C:\WINDOWS\system32\jbshxlis.dll
C:\WINDOWS\system32\ummrbxoj.dll
C:\WINDOWS\system32\nnnkklj.dll

Reboot your computer, and post a fresh HijackThis log.

---------------------------------------------------------------------

In your next reply (please include):

Fresh HijackThis log
VBG.TXT
Description of how your PC is doing

Tigrita · Mar 22, 2008

Dear Ltangel,
I am so glad to see you again!! )) I was so worried because tomorrow morning I will be going away for 2 weeks and didn't want you to think I was ignoring you.

I followed your instructions, as closely as possible, there were some files I could not find and / or delete as follow:

Not found:

O2 - BHO: (no name) - {1752CCD6-5DF0-49FD-A05C-D10EE5E143CC} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: (no name) - {85A611CA-CA0F-469B-8220-B70221A545BB} - C:\WINDOWS\system32\qomlmjg.dll
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\ummrbxoj.dll",b

(There is one similar to this one but at the end it is called bastjsio.dll)

O20 - Winlogon Notify: qomlmjg - C:\WINDOWS\SYSTEM32\qomlmjg.dll

DNA and Bit torrent, not found on add/remove progs.
However I did find and deleted in windows explorer

C:\WINDOWS\system32\pmnnl.dll --->Cannot delete is being used by another person or program.

C:\WINDOWS\system32\qomlmjg.dll  this one had .vir after the dll I hope it was OK to delete.

Not found:
C:\WINDOWS\system32\ummrbxoj.dll
C:\WINDOWS\system32\nnnkklj.dll

This is how the PC is doing:

First of all before I disabled antivirus/girewall I disconnected from the internet, I hope that was OK

This is how my PC is acting now:
. When I start IE it always opens a second page to random websites, this time it was to one powered by ZEDO: http://c5.zedo.com/jsc/c5/ff2.html?n=377;c=167;s=36;d=22;w=800;h=600

. I always get the message that the page is done but with errors.

. When going into the Afterdawn website it is painfully slow.

Here are my logs:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:43:19 AM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\Betty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: (no name) - {78C34FD7-2F9A-44AD-BB9B-49A2AFCE0295} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: {0741e8a5-e647-d2da-e9b4-4db83ba78a2e} - {e2a87ab3-8bd4-4b9e-ad2d-746e5a8e1470} - C:\WINDOWS\system32\iscmlxap.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\bastjsio.dll",b
O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\bqcxkvkq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200211951812
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 6986 bytes

[03/22/2008, 10:15:06] - VirtumundoBeGone v1.5 ( "C:\Documents and Settings\Betty\Desktop\VirtumundoBeGone.exe" )
[03/22/2008, 10:15:14] - Detected System Information:
[03/22/2008, 10:15:14] - Windows Version: 5.1.2600, Service Pack 2
[03/22/2008, 10:15:14] - Current Username: Betty (Admin)
[03/22/2008, 10:15:14] - Windows is in NORMAL mode.
[03/22/2008, 10:15:14] - Searching for Browser Helper Objects:
[03/22/2008, 10:15:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/22/2008, 10:15:14] - BHO 2: {1B0CA4CD-88F0-43B1-947B-AEB7191914C7} ()
[03/22/2008, 10:15:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/22/2008, 10:15:14] - Checking for HKLM\...\Winlogon\Notify\vtuts
[03/22/2008, 10:15:14] - Key not found: HKLM\...\Winlogon\Notify\vtuts, continuing.
[03/22/2008, 10:15:14] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/22/2008, 10:15:14] - BHO 4: {85A611CA-CA0F-469B-8220-B70221A545BB} ()
[03/22/2008, 10:15:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/22/2008, 10:15:14] - Checking for HKLM\...\Winlogon\Notify\qomlmjg
[03/22/2008, 10:15:14] - Found: HKLM\...\Winlogon\Notify\qomlmjg - This is probably Virtumundo.
[03/22/2008, 10:15:14] - Assigning {85A611CA-CA0F-469B-8220-B70221A545BB} MSEvents Object
[03/22/2008, 10:15:14] - BHO list has been changed! Starting over...
[03/22/2008, 10:15:14] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/22/2008, 10:15:14] - BHO 2: {1B0CA4CD-88F0-43B1-947B-AEB7191914C7} ()
[03/22/2008, 10:15:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/22/2008, 10:15:14] - Checking for HKLM\...\Winlogon\Notify\vtuts
[03/22/2008, 10:15:14] - Key not found: HKLM\...\Winlogon\Notify\vtuts, continuing.
[03/22/2008, 10:15:14] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/22/2008, 10:15:14] - BHO 4: {85A611CA-CA0F-469B-8220-B70221A545BB} (MSEvents Object)
[03/22/2008, 10:15:14] - ALERT: Found MSEvents Object!
[03/22/2008, 10:15:14] - BHO 5: {94D41164-3095-4A82-8AC4-4F62EA83C2F8} ()
[03/22/2008, 10:15:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/22/2008, 10:15:14] - Checking for HKLM\...\Winlogon\Notify\pmnnl
[03/22/2008, 10:15:14] - Key not found: HKLM\...\Winlogon\Notify\pmnnl, continuing.
[03/22/2008, 10:15:14] - BHO 6: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[03/22/2008, 10:15:14] - BHO 7: {e2a87ab3-8bd4-4b9e-ad2d-746e5a8e1470} ()
[03/22/2008, 10:15:14] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/22/2008, 10:15:14] - Checking for HKLM\...\Winlogon\Notify\iscmlxap
[03/22/2008, 10:15:14] - Key not found: HKLM\...\Winlogon\Notify\iscmlxap, continuing.
[03/22/2008, 10:15:14] - Finished Searching Browser Helper Objects
[03/22/2008, 10:15:14] - *** Detected MSEvents Object
[03/22/2008, 10:15:14] - Trying to remove MSEvents Object...
[03/22/2008, 10:15:15] - Terminating Process: IEXPLORE.EXE
[03/22/2008, 10:15:15] - Terminating Process: RUNDLL32.EXE
[03/22/2008, 10:15:15] - Disabling Automatic Shell Restart
[03/22/2008, 10:15:15] - Terminating Process: EXPLORER.EXE
[03/22/2008, 10:15:16] - Suspending the NT Session Manager System Service
[03/22/2008, 10:15:16] - Terminating Windows NT Logon/Logoff Manager
[03/22/2008, 10:15:16] - Re-enabling Automatic Shell Restart
[03/22/2008, 10:15:16] - File to disable: C:\WINDOWS\system32\qomlmjg.dll
[03/22/2008, 10:15:16] - Renaming C:\WINDOWS\system32\qomlmjg.dll -> C:\WINDOWS\system32\qomlmjg.dll.vir
[03/22/2008, 10:15:16] - File successfully renamed!
[03/22/2008, 10:15:16] - Removing HKLM\...\Browser Helper Objects\{85A611CA-CA0F-469B-8220-B70221A545BB}
[03/22/2008, 10:15:16] - Removing HKCR\CLSID\{85A611CA-CA0F-469B-8220-B70221A545BB}
[03/22/2008, 10:15:16] - Adding Kill Bit for ActiveX for GUID: {85A611CA-CA0F-469B-8220-B70221A545BB}
[03/22/2008, 10:15:16] - Deleting ATLEvents/MSEvents Registry entries
[03/22/2008, 10:15:16] - Removing HKLM\...\Winlogon\Notify\qomlmjg
[03/22/2008, 10:15:16] - Searching for Browser Helper Objects:
[03/22/2008, 10:15:16] - BHO 1: {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} (Adobe PDF Reader Link Helper)
[03/22/2008, 10:15:16] - BHO 2: {1B0CA4CD-88F0-43B1-947B-AEB7191914C7} ()
[03/22/2008, 10:15:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/22/2008, 10:15:16] - Checking for HKLM\...\Winlogon\Notify\vtuts
[03/22/2008, 10:15:16] - Key not found: HKLM\...\Winlogon\Notify\vtuts, continuing.
[03/22/2008, 10:15:16] - BHO 3: {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} (SSVHelper Class)
[03/22/2008, 10:15:16] - BHO 4: {94D41164-3095-4A82-8AC4-4F62EA83C2F8} ()
[03/22/2008, 10:15:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/22/2008, 10:15:16] - Checking for HKLM\...\Winlogon\Notify\pmnnl
[03/22/2008, 10:15:16] - Key not found: HKLM\...\Winlogon\Notify\pmnnl, continuing.
[03/22/2008, 10:15:16] - BHO 5: {AE7CD045-E861-484f-8273-0445EE161910} (Adobe PDF Conversion Toolbar Helper)
[03/22/2008, 10:15:16] - BHO 6: {e2a87ab3-8bd4-4b9e-ad2d-746e5a8e1470} ()
[03/22/2008, 10:15:16] - WARNING: BHO has no default name. Checking for Winlogon reference.
[03/22/2008, 10:15:16] - Checking for HKLM\...\Winlogon\Notify\iscmlxap
[03/22/2008, 10:15:16] - Key not found: HKLM\...\Winlogon\Notify\iscmlxap, continuing.
[03/22/2008, 10:15:16] - Finished Searching Browser Helper Objects
[03/22/2008, 10:15:16] - Finishing up...
[03/22/2008, 10:15:16] - A restart is needed.
[03/22/2008, 10:15:32] - Attempting to Restart via STOP error (Blue Screen!)

Ltangel · Mar 22, 2008

Hey Tigrita,

Ah, so you'll be away for two weeks? Alright, I'll try to finish fixing your computer today. How long more can you stay?

You did the exact right thing to delete C:\WINDOWS\system32\qomlmjg.dll.vir. The .vir was there because VirtumundoBegone renamed it.

Alright, VirtumundoBegone got rid of some vundo files, but there are still some persistent ones. We'll download another tool to solve this problem. We'll close to closing this issue.

Use OTMoveIt2 to move persistent files

Please download the OTMoveIt2 by OldTimer.

[*] Save it to your desktop.
[*] Please double-click OTMoveIt2.exe to run it. (Vista users, please right click on OTMoveit2.exe and select "Run as an Administrator")
[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\bastjsio.dll
C:\WINDOWS\system32\bqcxkvkq.dll
C:\WINDOWS\system32\pmnnl.dll

Click to expand...

[*] Return to OTMoveIt2, right click in the "Paste List of Files/Folders to be Moved" window (under the light blue bar) and choose Paste.

[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

C:\WINDOWS\system32\ummrbxoj.dll
C:\WINDOWS\system32\nnnkklj.dll

Click to expand...

[*] Return to OTMoveIt2, right click in the "Paste List Of Files/Patterns To Search For and Move" window (under the yellow bar) and choose Paste.

[*]Click the red Moveit! button.
[*]A log of files and folders moved will be created in the c:\_OTMoveIt\MovedFiles folder in the form of Date and Time (mmddyyyy_hhmmss.log). Please open this log in Notepad and post its contents in your next reply.
[*]Close OTMoveIt2

If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.

----------------------------------------------------------------------

Clean your temporary files

Download ATF Cleaner.

*Double-click ATF-Cleaner.exe.
* Under Main tab choose "Select All".
* Click the Empty Selected button.

If you use Firefox browser

Click Firefox and choose Select All
Click the Empty Selected button.

If you use Opera browser

Click Opera at the top and choose Select All
Click the Empty Selected button.

Click Exit to close the program.

--------------------------------------------------------------------

Do an online scan with Panda Activescan

Let's try an online scan to see if there are any infections. You will need IE to do the scan.

Go here

1. Click the Scan your PC button
2. A new window will open, click the Check Now button
3. Enter your Country, State/Province and e-mail address and click send
4. Select Home User
5. Click the Scan Now button
8. Allow any installation of ActiveX component(s)
9. It will start downloading the files it requires for the scan (Note: It may take a while)
10. When done, click on My Computer
11. When the scan completes, click the See Report button, then save it to desktop. Post the contents of the ActiveScan report on here.

---------------------------------------------------------------------

In your next reply (please include):

Fresh HijackThis log
OTMoveIt2 log
PandaActiveScan log

Go!

~Ltangel~

Tigrita · Mar 22, 2008

Hello Ltangel,

I will be here as long as you can help me. Thank you )) When I said I am leaving tomorrow morning, I meant "Sunday" morning.

First: I keep getting a Microsoft Visual C++ Runtime Library window which states:

Buffer overrun detected!
Program C:\Windows\Explorer.exe
A buffer overrun has been detected which has corrupted the program’s internal state. The program cannot safely continue execution and must be terminated.

I don’t really notice anything happening when I click YES except that my task bar hides and comes back up (I have the bar set for auto-hide)

After restarting I got 2 additional RUNDLL messages:
1. Error loading C:\windows\system32\bqcxkvkq.dll
The specified module could not be found and
2. Error loading C:\windows\system32\bastjsio.dll
The specified module could not be found.

When I go on the internet I keep getting some messages which are attached to the page (I am not sure I am explaining this correctly) it is not a pop-up window. They have symbols of bugs and state messages that my antivirus is out of date. The only way I get rid of them is by refreshing the page.

As with all online antivirus detectors I have tried so far, I cannot seem to run Panda, nothing happens when I click on “Scan your PC” Except for the error in page message.
Therefore I don’t have that log ((((

Here are the other ones:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:57:45 PM, on 3/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16608)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Logitech\SetPoint\SetPoint.exe
C:\Program Files\Common Files\Logishrd\KHAL2\KHALMNPR.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\Betty.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.foxnews.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O2 - BHO: (no name) - {B678C203-23EB-42C2-AE1B-F2A67A87E5FB} - C:\WINDOWS\system32\pmnnl.dll
O2 - BHO: {0741e8a5-e647-d2da-e9b4-4db83ba78a2e} - {e2a87ab3-8bd4-4b9e-ad2d-746e5a8e1470} - C:\WINDOWS\system32\iscmlxap.dll (file missing)
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [4051595e] rundll32.exe "C:\WINDOWS\system32\bastjsio.dll",b
O4 - HKLM\..\Run: [BM43626ac2] Rundll32.exe "C:\WINDOWS\system32\bqcxkvkq.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Global Startup: Logitech SetPoint.lnk = C:\Program Files\Logitech\SetPoint\SetPoint.exe
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert to existing PDF - res://C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1200211951812
O16 - DPF: {7B297BFD-85E4-4092-B2AF-16A91B2EA103} (WScanCtl Class) - http://www.ca.com/us/securityadvisor/virusinfo/webscan.cab
O16 - DPF: {8167C273-DF59-4416-B647-C8BB2C7EE83E} (WebSDev Control) - http://liveupdate.msi.com.tw/autobios/LOnline/install.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://sdlc-esd.sun.com/ESD39/JSCDL...-jc.cab&File=jinstall-6u5-windows-i586-jc.cab
O16 - DPF: {BDBDE413-7B1C-4C68-A8FF-C5B2B4090876} (F-Secure Online Scanner 3.3) - http://support.f-secure.com/ols/fscax.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Logitech Bluetooth Service (LBTServ) - Logitech, Inc. - C:\Program Files\Common Files\Logitech\Bluetooth\LBTServ.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
O24 - Desktop Component AutorunsDisabled: (no name) - (no file)

--
End of file - 7081 bytes

DllUnregisterServer procedure not found in C:\WINDOWS\system32\bastjsio.dll
C:\WINDOWS\system32\bastjsio.dll NOT unregistered.
C:\WINDOWS\system32\bastjsio.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\bqcxkvkq.dll
C:\WINDOWS\system32\bqcxkvkq.dll NOT unregistered.
C:\WINDOWS\system32\bqcxkvkq.dll moved successfully.
DllUnregisterServer procedure not found in C:\WINDOWS\system32\pmnnl.dll
C:\WINDOWS\system32\pmnnl.dll NOT unregistered.
File move failed. C:\WINDOWS\system32\pmnnl.dll scheduled to be moved on reboot.
[Custom Input]
< C:\WINDOWS\system32\ummrbxoj.dll >
File/Folder C:\WINDOWS\system32\ummrbxoj.dll not found.
< C:\WINDOWS\system32\nnnkklj.dll >
File/Folder C:\WINDOWS\system32\nnnkklj.dll not found.

OTMoveIt2 by OldTimer - Version 1.0.21 log created on 03222008_124447

Ltangel · Mar 22, 2008

Hey Tigrita,

That's great.

Something hidden seems to be putting all the malicious files back into your computer.

Enable show hidden folders and files

1) Please go to Control Panel>Appearance and Themes>Folder Options and go under "View" tab.
2) Then under "Hidden Files and Folders" please select "Show hidden files and folders" and UNcheck "Hide extentions for known file types".
3) Click Apply and close Control panel.

Rerun Deckard's System Scan

[*]Close all other windows before proceeding.
[*]Double-click on dss.exe and follow the prompts.
[*]When it has finished, dss will open two Notepads main.txt and extra.txt -- please copy (CTRL+A and then CTRL+C) and paste (CTRL+V) the contents of main.txt and extra.txt in your next reply.

Go!

~Ltangel~

Tigrita · Mar 22, 2008

Hi Ltangel,
I don't have a folder "Appearance and Themes" in my control pannel. But I went to my Windows Explorer/tools/folders options/view

And already had marked the way you want them.

Tigrita · Mar 22, 2008

Hi Ltangel,
I don't have a folder "Appearance and Themes" in my control pannel. But I went to my Windows Explorer/tools/folders options/view

And already had marked the way you want them.

Ltangel · Mar 22, 2008

Hey Tigrita,

That's fine. How about a Deckard's System Scan log now?

Tigrita · Mar 22, 2008

Rerun Deckard's System Scan?
I don't remember doing that before

Ltangel · Mar 22, 2008

Yes, please do. I need to see what is causing the malicious files to come back.

Edit: DSS.exe was the first tool I asked you to download. Look at my first post.

Log in or Sign up

PC infected with many worms, trojans, spyware, etc.

Tigrita Member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Tigrita Member

Tigrita Member

Tigrita Member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Tigrita Member

Tigrita Member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Share This Page

Log in or Sign up

PC infected with many worms, trojans, spyware, etc.

Tigrita Member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Tigrita Member

Tigrita Member

Tigrita Member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Tigrita Member

Tigrita Member

Ltangel Regular member

Tigrita Member

Ltangel Regular member

Share This Page

Useful Searches