
System Infected w/ VirtuMonde and other Spyware PLEASE HELP

Discussion in 'Virus & Other Malware Removal' started by Willeec, Jul 16, 2007.

  1. Willeec

    Willeec Thread Starter

    Joined:
    Jul 16, 2007
    Messages:
    10
    My system has been infected with VirtuMonde and some other spyware. It is running super slow and there are pop-ups all through the system. Please see the HijackThis log below and advise. Thank you very much in advance for any help you might be able to provide. This is the only system I have and I can't work without it. Please help.

    Thanks,
    Will


    Logfile of HijackThis v1.99.1
    Scan saved at 6:39:36 PM, on 7/16/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINDOWS\System32\qwerty12.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    D:\Winamp\Winampa.exe
    C:\Program Files\NavNT\vptray.exe
    D:\QuickTime\qttask.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
    C:\DOCUME~1\Wilson\LOCALS~1\Temp\Rar$EX04.479\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r2.attbi.com
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\tyaggcjl.dll",forkonce
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Arda] "C:\PROGRA~1\ASEMBL~1\rundll32.exe" -vt yazb
    O4 - HKCU\..\Run: [Tsst] "C:\WINDOWS\TSKS~1\csrss.exe" -vt yazb
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\System32\qwerty12.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184553464979
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
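    An added triage script (not from this thread or from the HijackThis project) that runs over lines copied from the HijackThis logs posted in this thread and flags the entries a helper would question: the publisher-less DomainService, csrss.exe and rundll32.exe started from folders outside Windows, rundll32 loading a random-looking DLL from System32, unnamed BHOs in System32, and a Winlogon Notify package outside an expected set. The allow-lists and the vowel-ratio heuristic are assumptions.

```python
"""Triage heuristics for HijackThis-style log lines (added example, not from the thread)."""
import re
from typing import Callable, Dict, List, Tuple

# Assumed folders where core Windows executables legitimately live (XP-era layout).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows"}
# Core process names that malware commonly impersonates by dropping a copy elsewhere.
CORE_PROCESS_NAMES = {"csrss.exe", "rundll32.exe", "svchost.exe", "lsass.exe",
                      "winlogon.exe", "smss.exe", "services.exe"}
# Assumed set of Winlogon Notify DLLs expected on this box (NavLogon is Symantec's).
KNOWN_NOTIFY_DLLS = {"navlogon.dll", "crypt32.dll", "cryptnet.dll", "cscdll.dll",
                     "scecli.dll", "sclgntfy.dll", "wlnotify.dll", "termsrv.dll"}

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.*)$")
DRIVE_RE = re.compile(r"[A-Za-z]:\\")
EXE_RE = re.compile(r'^"?(?P<exe>[^"]*?\.exe)"?', re.IGNORECASE)
DLL_ARG_RE = re.compile(r'"([A-Za-z]:\\[^"]+\.dll)"', re.IGNORECASE)


def split_path(path: str) -> Tuple[str, str]:
    """Return (folder, filename), both lower-cased."""
    folder, _, name = path.strip().lower().rpartition("\\")
    return folder, name


def looks_random(filename: str) -> bool:
    """Crude check for generated names: 6+ letters only, under 30% vowels (assumption)."""
    stem = filename.rsplit(".", 1)[0].lower()
    if len(stem) < 6 or not stem.isalpha():
        return False
    return sum(c in "aeiou" for c in stem) / len(stem) < 0.3


def check_bho(body: str) -> List[str]:
    # O2 - BHO: (no name) - {CLSID} - C:\WINDOWS\System32\ssqpo.dll (file missing)
    m = DRIVE_RE.search(body)
    if not m:
        return []
    reasons = []
    name = body.split(" - ", 1)[0].split(": ", 1)[-1]
    path = body[m.start():]
    if path.endswith("(file missing)"):
        reasons.append("BHO registration points at a file that no longer exists")
        path = path[: -len("(file missing)")]
    folder, dll = split_path(path)
    if name == "(no name)" and folder in SYSTEM_DIRS:
        reasons.append(f"unnamed BHO loads {dll} from {folder}")
    return reasons


def check_run(body: str) -> List[str]:
    # O4 - HKCU\..\Run: [Tsst] "C:\WINDOWS\TSKS~1\csrss.exe" -vt yazb
    cmd = re.split(r"\] |= ", body, maxsplit=1)[-1]
    m = EXE_RE.match(cmd)
    if not m:
        return []
    reasons = []
    folder, exe = split_path(m.group("exe"))
    if exe in CORE_PROCESS_NAMES and folder and folder not in SYSTEM_DIRS:
        reasons.append(f"core process name {exe} started from unexpected folder {folder}")
    if exe == "rundll32.exe":
        for dll_path in DLL_ARG_RE.findall(cmd):
            dfolder, dll = split_path(dll_path)
            if dfolder in SYSTEM_DIRS and looks_random(dll):
                reasons.append(f"rundll32 loads random-looking DLL {dll} from {dfolder}")
    return reasons


def check_winlogon_notify(body: str) -> List[str]:
    # O20 - Winlogon Notify: mljhige - C:\WINDOWS\SYSTEM32\mljhige.dll
    m = DRIVE_RE.search(body)
    if not m:
        return []
    _, dll = split_path(body[m.start():])
    return [] if dll in KNOWN_NOTIFY_DLLS else [f"Winlogon Notify package {dll} is outside the expected set"]


def check_service(body: str) -> List[str]:
    # O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
    m = DRIVE_RE.search(body)
    if not m:
        return []
    fields = body[: m.start()].split(" - ")
    name = fields[0].split(": ", 1)[-1]
    vendor = fields[1].strip(" -") if len(fields) > 1 else ""
    return [] if vendor else [f"service '{name}' has no publisher: {body[m.start():]}"]


CHECKS: Dict[str, Callable[[str], List[str]]] = {
    "O2": check_bho, "O4": check_run, "O20": check_winlogon_notify, "O23": check_service,
}


def triage(log_text: str) -> List[Dict[str, str]]:
    """Run the section-specific checks; one finding per (line, reason) pair."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = LINE_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        for reason in CHECKS.get(section, lambda _b: [])(body):
            findings.append({"section": section, "line": line, "reason": reason})
    return findings


# Sample input: lines copied from the HijackThis logs in this thread, benign ones included.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {6249C28B-8450-4541-B5A4-47384FF76038} - C:\WINDOWS\System32\ssqpo.dll (file missing)
O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\mljhige.dll
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\tyaggcjl.dll",forkonce
O4 - HKCU\..\Run: [Arda] "C:\PROGRA~1\ASEMBL~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Tsst] "C:\WINDOWS\TSKS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\System32\qwerty12.exe
O20 - Winlogon Notify: mljhige - C:\WINDOWS\SYSTEM32\mljhige.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['section']}] {f['reason']}")
```

The qwerty12.exe Run entry is not caught by the Run-key rules on its own; it surfaces through the O23 rule, which is why cross-checking sections matters.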
     
  2. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    NOTE: If you have downloaded ComboFix previously please delete that version and download it again!

    Download this file :

    http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe
    or
    http://download.bleepingcomputer.com/sUBs/Beta/ComboFix.exe

    Double-click combofix.exe and follow the prompts.
    When finished, it will produce a log for you. Post that log and a HijackThis log in your next reply.

    Note:
    Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

    =================
    If you have VundoFix, remove it and get the current version.

    Please download http://www.atribune.org/ccount/click.php?id=4 to C:\
    Double-click VundoFix.exe to run it.
    Click the Scan for Vundo button.
    Once it's done scanning, click the Remove Vundo button.
    You will receive a prompt asking if you want to remove the files, click YES.
    Once you click yes, your desktop will go blank as it starts removing Vundo.
    When completed, it will prompt that it will shutdown your computer, click OK.
    Turn your computer back on.
    Please post the contents of C:\vundofix.txt
    Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears at reboot.

    Please let VundoFix finish its thing; sometimes it can take multiple passes.
    ====================
    Download Superantispyware (SAS)

    http://www.superantispyware.com/superantispywarefreevspro.html

    Install it and double-click the icon on your desktop to run it.
    · It will ask if you want to update the program definitions, click Yes.
    · Under Configuration and Preferences, click the Preferences button.
    · Click the Scanning Control tab.
    · Under Scanner Options make sure the following are checked:
    o Close browsers before scanning
    o Scan for tracking cookies
    o Terminate memory threats before quarantining.
    o Please leave the others unchecked.
    o Click the Close button to leave the control center screen.
    · On the main screen, under Scan for Harmful Software click Scan your computer.
    · On the left check C:\Fixed Drive.
    · On the right, under Complete Scan, choose Perform Complete Scan.
    · Click Next to start the scan. Please be patient while it scans your computer.
    · After the scan is complete a summary box will appear. Click OK.
    · Make sure everything in the white box has a check next to it, then click Next.
    · It will quarantine what it found and if it asks if you want to reboot, click Yes.
    · To retrieve the removal information for me please do the following:
    o After reboot, double-click the SUPERAntispyware icon on your desktop.
    o Click Preferences. Click the Statistics/Logs tab.
    o Under Scanner Logs, double-click SUPERAntiSpyware Scan Log.
    o It will open in your default text editor (such as Notepad/Wordpad).
    o Please highlight everything in the notepad, then right-click and choose copy.
    · Click close and close again to exit the program.
    · Please paste that information here for me with a new HijackThis log.

    This can take a while!
     
  3. Willeec

    Willeec Thread Starter

    Joined:
    Jul 16, 2007
    Messages:
    10
    First, thank you very much for your prompt response. I appreciate it very much.

    Here is the new HijackThis log:

    Logfile of HijackThis v1.99.1
    Scan saved at 7:29:02 PM, on 7/16/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\WINDOWS\system32\NOTEPAD.EXE
    C:\Program Files\Internet Explorer\IEXPLORE.EXE
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Wilson\LOCALS~1\Temp\Rar$EX03.416\HijackThis.exe
    C:\WINDOWS\System32\rundll32.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r2.attbi.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\adobe\acrobat5.0.5\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6249C28B-8450-4541-B5A4-47384FF76038} - C:\WINDOWS\System32\ssqpo.dll (file missing)
    O2 - BHO: (no name) - {941508F8-CCD9-44E0-AC29-4F1E141373F7} - C:\WINDOWS\system32\mljhige.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Arda] "C:\PROGRA~1\ASEMBL~1\rundll32.exe" -vt yazb
    O4 - HKCU\..\Run: [Tsst] "C:\WINDOWS\TSKS~1\csrss.exe" -vt yazb
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\System32\qwerty12.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184553464979
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O20 - Winlogon Notify: mljhige - C:\WINDOWS\SYSTEM32\mljhige.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

    Here is the ComboFix log:

    "Wilson" - 2007-07-16 14:40:55 - ComboFix 07-07-13.8 - Service Pack 1 NTFS [SAFE MODE]


    (((((((((((((((((((((((((((((((((((((((((((( V Log )))))))))))))))))))))))))))))))))))))))))))))))))))))))


    C:\WINDOWS\system32\ejmijlvc.dll
    C:\WINDOWS\system32\ghtxqtua.dll
    C:\WINDOWS\system32\jkkjihh.dll
    C:\WINDOWS\system32\lnkanfap.dll
    C:\WINDOWS\system32\opnljji.dll
    C:\WINDOWS\system32\rqrspnk.dll
    C:\WINDOWS\system32\sbeivnna.dll
    C:\WINDOWS\system32\tytvlfuw.dll
    C:\WINDOWS\system32\wpxkmupu.dll
    C:\WINDOWS\system32\yayyabc.dll
    C:\WINDOWS\system32\deklwqcv.exe
    C:\WINDOWS\system32\hpbhybin.exe
    C:\WINDOWS\system32\hsivkylu.exe
    C:\WINDOWS\system32\jiqwsgtl.exe
    C:\WINDOWS\system32\lmddohew.exe
    C:\WINDOWS\system32\jkkjihh.dll
    C:\WINDOWS\system32\opnljji.dll
    C:\WINDOWS\system32\rqrspnk.dll
    C:\WINDOWS\system32\yayyabc.dll
    C:\WINDOWS\system32\winzqb32.dll
    C:\WINDOWS\system32\opqss.bak1
    C:\WINDOWS\system32\opqss.bak2
    C:\WINDOWS\system32\opqss.ini
    C:\WINDOWS\system32\opqss.ini2
    C:\WINDOWS\system32\opqss.tmp
    C:\WINDOWS\system32\cvljimje.ini
    C:\WINDOWS\system32\autqxthg.ini
    C:\WINDOWS\system32\pafnaknl.ini
    C:\WINDOWS\system32\annviebs.ini
    C:\WINDOWS\system32\wuflvtyt.ini
    C:\WINDOWS\system32\upumkxpw.ini
    C:\WINDOWS\system32\opqss.bak1
    C:\WINDOWS\system32\opqss.bak2
    C:\WINDOWS\system32\opqss.ini
    C:\WINDOWS\system32\opqss.ini2
    C:\WINDOWS\system32\opqss.tmp
    C:\WINDOWS\system32\opqss.bak1
    C:\WINDOWS\system32\opqss.bak2
    C:\WINDOWS\system32\opqss.ini
    C:\WINDOWS\system32\opqss.ini2
    C:\WINDOWS\system32\opqss.tmp
    C:\WINDOWS\system32\ssqpo.dll
    C:\WINDOWS\system32\mljhige.dll
    C:\WINDOWS\system32\mljhige.dll


    * * * POST RUN FILES/FOLDERS * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


    C:\WINDOWS\system32\ssqpo.dll
    C:\WINDOWS\system32\mljhige.dll
    C:\WINDOWS\system32\mljhige.dll
    C:\WINDOWS\system32\opqss.tmp

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


    C:\Program Files\asembl~1
    C:\Program Files\asembl~1\rundll32.exe
    C:\Program Files\Common Files\Yazzle1162OinAdmin.exe
    C:\Program Files\Common Files\Yazzle1162OinUninstaller.exe
    C:\Program Files\outerinfo
    C:\Program Files\outerinfo\OiUninstaller.exe
    C:\Program Files\outerinfo\outerinfo.ico
    C:\Program Files\outerinfo\Terms.rtf
    C:\WINDOWS\avp.exe
    C:\WINDOWS\mgrs.exe
    C:\WINDOWS\system32\jtrpnvc.dll
    C:\WINDOWS\system32\syswin.exe
    C:\WINDOWS\tsks~1
    C:\WINDOWS\tsks~1\csrss.exe


    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


    -------\LEGACY_DOMAINSERVICE
    -------\LEGACY_IPRIP
    -------\LEGACY_NWSAPAGENT
    -------\DomainService
    -------\Iprip
    -------\nm
    -------\NwSapAgent


    ((((((((((((((((((((((((( Files Created from 2007-06-16 to 2007-07-16 )))))))))))))))))))))))))))))))


    2007-07-16 14:40 93,696 --a------ C:\WINDOWS\system32\drvxan.dll
    2007-07-16 14:39 51,200 --a------ C:\WINDOWS\nircmd.exe
    2007-07-16 14:36 66,624 --a------ C:\WINDOWS\system32\nmkesfit.dll
    2007-07-16 14:33 66,112 --a------ C:\WINDOWS\system32\pcyxshxn.exe
    2007-07-16 13:59 93,696 --a------ C:\WINDOWS\system32\drvhez.dll
    2007-07-16 13:27 66,624 --a------ C:\WINDOWS\system32\rtgrxpew.dll
    2007-07-16 13:18 66,112 --a------ C:\WINDOWS\system32\powgbang.exe
    2007-07-16 12:45 66,112 --a------ C:\WINDOWS\system32\wjnbbmsy.exe
    2007-07-16 11:57 66,624 --a------ C:\WINDOWS\system32\jniemwbx.dll
    2007-07-16 11:57 66,112 --a------ C:\WINDOWS\system32\tsudhass.exe
    2007-07-16 11:20 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Spybot - Search & Destroy
    2007-07-16 10:42 <DIR> d-------- C:\WINDOWS\Prefetch
    2007-07-16 10:33 81,408 --a------ C:\WINDOWS\system32\msoert2.dll
    2007-07-16 10:33 73,728 --a------ C:\WINDOWS\system32\ils.dll
    2007-07-16 10:33 69,248 --a------ C:\WINDOWS\system32\drivers\sr.sys
    2007-07-16 10:33 65,536 --a------ C:\WINDOWS\system32\msconf.dll
    2007-07-16 10:33 63,488 --a------ C:\WINDOWS\system32\srclient.dll
    2007-07-16 10:33 32,256 --a------ C:\WINDOWS\system32\mnmdd.dll
    2007-07-16 10:33 24,576 --a------ C:\WINDOWS\system32\nmmkcert.dll
    2007-07-16 10:33 228,864 --a------ C:\WINDOWS\system32\msoeacct.dll
    2007-07-16 10:33 226,304 --a------ C:\WINDOWS\system32\srrstr.dll
    2007-07-16 10:33 221,696 --a------ C:\WINDOWS\system32\qmgr.dll
    2007-07-16 10:33 17,408 --a------ C:\WINDOWS\system32\qmgrprxy.dll
    2007-07-16 10:33 158,720 --a------ C:\WINDOWS\system32\srsvc.dll
    2007-07-16 10:32 9,728 --a------ C:\WINDOWS\system32\mstinit.exe
    2007-07-16 10:32 250,368 --a------ C:\WINDOWS\system32\mstask.dll
    2007-07-16 10:32 159,232 --a------ C:\WINDOWS\system32\schedsvc.dll
    2007-07-16 10:31 98,816 --a------ C:\WINDOWS\system32\clipbrd.exe
    2007-07-16 10:31 9,216 --a------ C:\WINDOWS\system32\wuauserv.dll
    2007-07-16 10:31 869,376 --a------ C:\WINDOWS\system32\msdtctm.dll
    2007-07-16 10:31 83,968 --a------ C:\WINDOWS\system32\mtxoci.dll
    2007-07-16 10:31 56,832 --a------ C:\WINDOWS\system32\colbact.dll
    2007-07-16 10:31 534,016 --a------ C:\WINDOWS\system32\spider.exe
    2007-07-16 10:31 53,080 --a------ C:\WINDOWS\system32\wuauclt.exe
    2007-07-16 10:31 495,616 --a------ C:\WINDOWS\system32\comuid.dll
    2007-07-16 10:31 468,480 --a------ C:\WINDOWS\system32\clbcatq.dll
    2007-07-16 10:31 339,968 --a------ C:\WINDOWS\system32\mspaint.exe
    2007-07-16 10:31 215,040 --a------ C:\WINDOWS\system32\catsrv.dll
    2007-07-16 10:31 151,040 --a------ C:\WINDOWS\system32\msdtcuiu.dll
    2007-07-16 10:31 116,736 --a------ C:\WINDOWS\system32\mplay32.exe
    2007-07-16 10:31 115,976 --a------ C:\WINDOWS\system32\drivers\rdpwd.sys
    2007-07-16 10:31 100,864 --a------ C:\WINDOWS\system32\clbcatex.dll
    2007-07-16 10:31 1,710,936 --a------ C:\WINDOWS\system32\wuaueng.dll
    2007-07-16 10:30 9,216 --a------ C:\WINDOWS\system32\icaapi.dll
    2007-07-16 10:30 88,064 --a------ C:\WINDOWS\system32\tscfgwmi.dll
    2007-07-16 10:30 75,912 --a------ C:\WINDOWS\system32\rdpwsx.dll
    2007-07-16 10:30 598,016 --a------ C:\WINDOWS\system32\mstscax.dll
    2007-07-16 10:30 582,656 --a------ C:\WINDOWS\system32\catsrvut.dll
    2007-07-16 10:30 57,856 --a------ C:\WINDOWS\system32\licwmi.dll
    2007-07-16 10:30 56,320 --a------ C:\WINDOWS\system32\remotepg.dll
    2007-07-16 10:30 44,032 --a------ C:\WINDOWS\system32\rdpclip.exe
    2007-07-16 10:30 40,960 --a------ C:\WINDOWS\system32\tscupgrd.exe
    2007-07-16 10:30 388,608 --a------ C:\WINDOWS\system32\mstsc.exe
    2007-07-16 10:30 359,936 --a------ C:\WINDOWS\system32\msdtcprx.dll
    2007-07-16 10:30 32,768 --a------ C:\WINDOWS\system32\cfgbkend.dll
    2007-07-16 10:30 200,192 --a------ C:\WINDOWS\system32\termsrv.dll
    2007-07-16 10:30 14,848 --a------ C:\WINDOWS\system32\rdpsnd.dll
    2007-07-16 10:30 135,680 --a------ C:\WINDOWS\system32\rdchost.dll
    2007-07-16 10:30 129,024 --a------ C:\WINDOWS\system32\sessmgr.exe
    2007-07-16 10:30 12,288 --a------ C:\WINDOWS\system32\rdsaddin.exe
    2007-07-16 10:30 1,172,992 --a------ C:\WINDOWS\system32\comsvcs.dll
    2007-07-16 10:29 5,888 --a------ C:\WINDOWS\system32\drivers\splitter.sys
    2007-07-16 10:28 56,576 --a------ C:\WINDOWS\system32\drivers\redbook.sys
    2007-07-16 10:04 36,224 --a------ C:\WINDOWS\system32\drivers\an983.sys
    2007-07-16 10:03 38,024 --a------ C:\WINDOWS\system32\drivers\termdd.sys
    2007-07-16 10:03 182,400 --a------ C:\WINDOWS\system32\drivers\rdpdr.sys
    2007-07-16 10:01 71,168 --a------ C:\WINDOWS\system32\storprop.dll
    2007-07-16 10:01 24,661 --a------ C:\WINDOWS\system32\spxcoins.dll
    2007-07-16 10:01 13,312 --a------ C:\WINDOWS\system32\irclass.dll
    2007-07-16 09:44 96,256 --a------ C:\WINDOWS\system32\evntagnt.dll
    2007-07-16 09:44 84,992 --a------ C:\WINDOWS\system32\evntwin.exe
    2007-07-16 09:44 5,120 --a------ C:\WINDOWS\system32\snmpmib.dll
    2007-07-16 09:44 35,328 --a------ C:\WINDOWS\system32\hostmib.dll
    2007-07-16 09:44 22,528 --a------ C:\WINDOWS\system32\evntcmd.exe
    2007-07-16 09:27 <DIR> d-------- C:\WINDOWS\setup.pss
    2007-07-16 09:25 66,624 --a------ C:\WINDOWS\system32\nsdxqqfy.dll
    2007-07-16 09:25 66,112 --a------ C:\WINDOWS\system32\tynaxbui.exe
    2007-07-15 19:45 66,624 --a------ C:\WINDOWS\system32\gcexpypa.dll
    2007-07-15 19:45 66,112 --a------ C:\WINDOWS\system32\uciyptfc.exe
    2007-07-15 19:38 43,352 --a------ C:\WINDOWS\system32\wups2.dll
    2007-07-15 19:38 <DIR> d-------- C:\WINDOWS\system32\SoftwareDistribution
    2007-07-14 18:51 66,624 --a------ C:\WINDOWS\system32\axyoiihw.dll
    2007-07-14 18:49 66,112 --a------ C:\WINDOWS\system32\lxiyyudp.exe
    2007-07-14 11:52 66,624 --a------ C:\WINDOWS\system32\lxrulbne.dll
    2007-07-14 11:46 66,112 --a------ C:\WINDOWS\system32\oimltcoq.exe
    2007-07-14 11:46 50,688 --a------ C:\WINDOWS\system32\qwerty12.exe
    2007-07-13 18:31 77,312 --a------ C:\WINDOWS\ua2.dll
    2007-07-13 18:20 15,360 --a------ C:\WINDOWS\system32\s2f.exe
    2007-07-13 18:10 <DIR> d--hs---- C:\WINDOWS\CSC
    2007-07-12 17:44 <DIR> d-------- C:\Program Files\Lavasoft
    2007-07-12 17:44 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Lavasoft
    2007-07-12 17:42 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-07-12 17:27 266,336 --------- C:\WINDOWS\system32\ssqpo.dll
    2007-07-12 17:22 31,254 --------- C:\WINDOWS\system32\mljhige.dll
    2007-07-12 16:48 <DIR> d-------- C:\Program Files\RegCure
    2007-07-11 10:33 <DIR> d-------- C:\DOCUME~1\Wilson\APPLIC~1\MSN6
    2007-07-11 10:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\MSN6
    2007-07-10 13:10 <DIR> d-------- C:\Program Files\UltimateBet
    2007-07-09 14:07 7,882 --a------ C:\WINDOWS\system32\GTKCMOS.sys
    2007-07-09 14:07 7,626 --a------ C:\WINDOWS\system32\GPCIEnum.sys


    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

    2007-07-16 17:31:53 22,720 ----a-w C:\WINDOWS\system32\emptyregdb.dat
    2007-07-16 17:31:23 -------- d-----w C:\Program Files\Online Services
    2007-07-16 17:31:20 -------- d-----w C:\Program Files\Messenger
    2007-07-16 01:10:42 2,180 ----a-w C:\WINDOWS\system32\d3d8caps.dat
    2007-07-09 22:22:06 -------- d-----w C:\Program Files\Google
    2007-07-09 20:23:43 -------- d-----w C:\DOCUME~1\Wilson\APPLIC~1\Google
    2007-06-04 22:18:48 9,344 ----a-w C:\WINDOWS\system32\drivers\NSDriver.sys
    2007-06-04 22:17:02 8,320 ----a-w C:\WINDOWS\system32\drivers\AWRTRD.sys
    2007-06-04 22:14:56 6,272 ----a-w C:\WINDOWS\system32\drivers\AWRTPD.sys
    2007-04-17 05:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
    2007-04-17 05:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
    2005-02-01 01:10:52 19,552 ----a-w C:\DOCUME~1\Wilson\APPLIC~1\GDIPFONTCACHEV1.DAT
    2003-08-05 00:54:52 784 ------w C:\DOCUME~1\Wilson\APPLIC~1\mpauth.dat
    2002-11-29 04:21:20 27,136 --sha-w C:\Program Files\Thumbs.db


    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}]
    2001-04-16 16:39 37808 --a------ d:\adobe\acrobat5.0.5\Reader\ActiveX\AcroIEHelper.ocx

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1FBC6C56-5002-4358-A890-808E907F6D27}]
    2007-07-12 17:27 266336 --------- C:\WINDOWS\System32\ssqpo.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{53707962-6F74-2D53-2644-206D7942484F}]
    2005-05-31 01:04 853672 --a------ C:\PROGRA~1\SPYBOT~1\SDHelper.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{941508F8-CCD9-44E0-AC29-4F1E141373F7}]
    2007-07-12 17:22 31254 --------- C:\WINDOWS\system32\mljhige.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AA58ED58-01DD-4d91-8333-CF10577473F7}]
    2007-01-19 23:55 2403392 -ra------ c:\program files\google\googletoolbar1.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "WinampAgent"="D:\Winamp\Winampa.exe" [2002-03-20 00:15]
    "vptray"="C:\Program Files\NavNT\vptray.exe" [2001-06-21 16:21]
    "QuickTime Task"="D:\QuickTime\qttask.exe" [2003-01-07 00:51]
    "nwiz"="nwiz.exe" [2002-09-26 15:11 C:\WINDOWS\system32\nwiz.exe]
    "NvCplDaemon"="NvQTwk" []
    "AudioHQ"="C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE" [2001-08-17 17:01]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "swg"="C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe" [2007-07-09 13:13]
    "Arda"="C:\PROGRA~1\ASEMBL~1\rundll32.exe" []
    "Tsst"="C:\WINDOWS\TSKS~1\csrss.exe" []

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonce]
    "combofix"=C:\WINDOWS\system32\cmd.exe /c C:\ComboFix\Combobatch.bat

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    @=

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    @=

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{941508F8-CCD9-44E0-AC29-4F1E141373F7}"="C:\WINDOWS\system32\mljhige.dll" [2007-07-12 17:22]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhige]
    mljhige.dll --------- 2007-07-12 17:22 31254 C:\WINDOWS\system32\mljhige.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ssqpo]
    C:\WINDOWS\System32\ssqpo.dll --------- 2007-07-12 17:27 266336 C:\WINDOWS\system32\ssqpo.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\aawservice]


    Contents of the 'Scheduled Tasks' folder
    2007-07-16 17:48:03 C:\WINDOWS\tasks\RegCure Program Check.job
    2007-07-12 23:48:33 C:\WINDOWS\tasks\RegCure.job

    **************************************************************************

    catchme 0.3.915 W2K/XP/Vista - rootkit detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-07-16 14:44:51
    Windows 5.1.2600 Service Pack 1 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    Completion time: 2007-07-16 14:45:37 - machine was rebooted
    C:\ComboFix-quarantined-files.txt ... 2007-07-16 14:45

    --- E O F ---



    Here is the second ComboFix log:
    2007-01-12 13:00      18031    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\Terms.rtf.vir
    2007-03-06 08:59      34494    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\outerinfo.ico.vir
    2007-06-20 07:49      60928    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jtrpnvc.dll.vir
    2007-06-20 07:51      111640    --a------    C:\Qoobox\Quarantine\C\Program Files\Outerinfo\OiUninstaller.exe.vir
    2007-07-12 17:23      12288    --a------    C:\Qoobox\Quarantine\C\WINDOWS\mgrs.exe.vir
    2007-07-12 17:23      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\opnljji.dll.vir
    2007-07-13 15:12      20992    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\winzqb32.dll.vir
    2007-07-13 18:20      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\yayyabc.dll.vir
    2007-07-14 09:24      13580    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\opqss.tmp.vir
    2007-07-14 18:54      128576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\lnkanfap.dll.vir
    2007-07-15 15:27      1193059    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\pafnaknl.ini.vir
    2007-07-15 19:45      4672    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\hsivkylu.exe.vir
    2007-07-15 19:48      128576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tytvlfuw.dll.vir
    2007-07-15 19:48      345    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wuflvtyt.ini.vir
    2007-07-15 19:48      4672    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jiqwsgtl.exe.vir
    2007-07-16 09:28      4672    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\deklwqcv.exe.vir
    2007-07-16 09:31      128576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ejmijlvc.dll.vir
    2007-07-16 09:31      295    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\cvljimje.ini.vir
    2007-07-16 12:00      128576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ghtxqtua.dll.vir
    2007-07-16 12:00      4672    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\lmddohew.exe.vir
    2007-07-16 12:44      1191526    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\autqxthg.ini.vir
    2007-07-16 13:24      128576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\sbeivnna.dll.vir
    2007-07-16 13:59      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\jkkjihh.dll.vir
    2007-07-16 13:59      40183    --a------    C:\Qoobox\Quarantine\C\Program Files\Common Files\Yazzle1162OinUninstaller.exe.vir
    2007-07-16 14:03      1191467    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\annviebs.ini.vir
    2007-07-16 14:13      10240    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\syswin.exe.vir
    2007-07-16 14:31      1930103    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\opqss.bak2.vir
    2007-07-16 14:31      1930664    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\opqss.bak1.vir
    2007-07-16 14:33      4672    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\hpbhybin.exe.vir
    2007-07-16 14:39      128576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\wpxkmupu.dll.vir
    2007-07-16 14:40      31254    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\rqrspnk.dll.vir
    2007-07-16 14:40      345    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\upumkxpw.ini.vir
    2007-07-16 14:41      10176    --a------    C:\Qoobox\Quarantine\Registry_backups\services_nm.reg.cf
    2007-07-16 14:41      1932782    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\opqss.ini2.vir
    2007-07-16 14:41      3628    --a------    C:\Qoobox\Quarantine\Registry_backups\services_NwSapAgent.reg.cf
    2007-07-16 14:41      3674    --a------    C:\Qoobox\Quarantine\Registry_backups\services_Iprip.reg.cf
    2007-07-16 14:41      796    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_IPRIP.reg.cf
    2007-07-16 14:41      820    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_NWSAPAGENT.reg.cf
    2007-07-16 14:50      128576    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\tyaggcjl.dll.vir
    2007-07-16 18:55      1191527    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\ljcggayt.ini.vir
    2007-07-16 19:01      1932915    --a------    C:\Qoobox\Quarantine\C\WINDOWS\system32\opqss.ini.vir
    2007-07-16 19:01      2956    --a------    C:\Qoobox\Quarantine\Registry_backups\services_DomainService.reg.cf
    2007-07-16 19:01      314    --a------    C:\Qoobox\Quarantine\catchme.log
    2007-07-16 19:01      846    --a------    C:\Qoobox\Quarantine\Registry_backups\LEGACY_DOMAINSERVICE.reg.cf
    
    
    Folder PATH listing for volume System (10GB)
    Volume serial number is 71FAE346 64B8:3965
    C:\QOOBOX
    \---Quarantine
        |   catchme.log
        |   
        +---C
        |   +---Program Files
        |   |   +---ASEMBL~1
        |   |   +---Common Files
        |   |   |       Yazzle1162OinUninstaller.exe.vir
        |   |   |       
        |   |   \---Outerinfo
        |   |           OiUninstaller.exe.vir
        |   |           outerinfo.ico.vir
        |   |           Terms.rtf.vir
        |   |           
        |   \---WINDOWS
        |       |   mgrs.exe.vir
        |       |   
        |       +---system32
        |       |       annviebs.ini.vir
        |       |       autqxthg.ini.vir
        |       |       cvljimje.ini.vir
        |       |       deklwqcv.exe.vir
        |       |       ejmijlvc.dll.vir
        |       |       ghtxqtua.dll.vir
        |       |       hpbhybin.exe.vir
        |       |       hsivkylu.exe.vir
        |       |       jiqwsgtl.exe.vir
        |       |       jkkjihh.dll.vir
        |       |       jtrpnvc.dll.vir
        |       |       ljcggayt.ini.vir
        |       |       lmddohew.exe.vir
        |       |       lnkanfap.dll.vir
        |       |       opnljji.dll.vir
        |       |       opqss.bak1.vir
        |       |       opqss.bak2.vir
        |       |       opqss.ini.vir
        |       |       opqss.ini2.vir
        |       |       opqss.tmp.vir
        |       |       pafnaknl.ini.vir
        |       |       rqrspnk.dll.vir
        |       |       sbeivnna.dll.vir
        |       |       syswin.exe.vir
        |       |       tyaggcjl.dll.vir
        |       |       tytvlfuw.dll.vir
        |       |       upumkxpw.ini.vir
        |       |       winzqb32.dll.vir
        |       |       wpxkmupu.dll.vir
        |       |       wuflvtyt.ini.vir
        |       |       yayyabc.dll.vir
        |       |       
        |       \---TSKS~1
        \---Registry_backups
                LEGACY_DOMAINSERVICE.reg.cf
                LEGACY_IPRIP.reg.cf
                LEGACY_NWSAPAGENT.reg.cf
                services_DomainService.reg.cf
                services_Iprip.reg.cf
                services_nm.reg.cf
                services_NwSapAgent.reg.cf
                
    

    And Finally here is the Vundo Fix Log:


    VundoFix V6.5.6

    Checking Java version...

    Sun Java not detected
    Scan started at 7:08:49 PM 7/16/2007

    Listing files found while scanning....

    C:\windows\system32\awspmhnp.exe
    C:\windows\system32\axyoiihw.dll
    C:\windows\system32\gcexpypa.dll
    C:\WINDOWS\System32\hgepflbr.ini
    C:\WINDOWS\System32\hijepyxy.dll
    C:\windows\system32\idscenbm.exe
    C:\windows\system32\jniemwbx.dll
    C:\windows\system32\lxrulbne.dll
    C:\windows\system32\nmkesfit.dll
    C:\windows\system32\nnyuuhkt.dll
    C:\windows\system32\nsdxqqfy.dll
    C:\WINDOWS\System32\rblfpegh.dll
    C:\windows\system32\rtgrxpew.dll
    C:\WINDOWS\System32\ssqpo.dll

    Beginning removal...

    Attempting to delete C:\windows\system32\awspmhnp.exe
    C:\windows\system32\awspmhnp.exe Could not be deleted.

    Attempting to delete C:\windows\system32\axyoiihw.dll
    C:\windows\system32\axyoiihw.dll Has been deleted!

    Attempting to delete C:\windows\system32\gcexpypa.dll
    C:\windows\system32\gcexpypa.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\hgepflbr.ini
    C:\WINDOWS\System32\hgepflbr.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\hijepyxy.dll
    C:\WINDOWS\System32\hijepyxy.dll Has been deleted!

    Attempting to delete C:\windows\system32\idscenbm.exe
    C:\windows\system32\idscenbm.exe Could not be deleted.

    Attempting to delete C:\windows\system32\jniemwbx.dll
    C:\windows\system32\jniemwbx.dll Has been deleted!

    Attempting to delete C:\windows\system32\lxrulbne.dll
    C:\windows\system32\lxrulbne.dll Has been deleted!

    Attempting to delete C:\windows\system32\nmkesfit.dll
    C:\windows\system32\nmkesfit.dll Has been deleted!

    Attempting to delete C:\windows\system32\nnyuuhkt.dll
    C:\windows\system32\nnyuuhkt.dll Has been deleted!

    Attempting to delete C:\windows\system32\nsdxqqfy.dll
    C:\windows\system32\nsdxqqfy.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\rblfpegh.dll
    C:\WINDOWS\System32\rblfpegh.dll Could not be deleted.

    Attempting to delete C:\windows\system32\rtgrxpew.dll
    C:\windows\system32\rtgrxpew.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ssqpo.dll
    C:\WINDOWS\System32\ssqpo.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\windows\system32\awspmhnp.exe
    C:\windows\system32\awspmhnp.exe Has been deleted!

    Attempting to delete C:\windows\system32\idscenbm.exe
    C:\windows\system32\idscenbm.exe Has been deleted!

    Attempting to delete C:\WINDOWS\System32\rblfpegh.dll
    C:\WINDOWS\System32\rblfpegh.dll Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ssqpo.dll
    C:\WINDOWS\System32\ssqpo.dll Could not be deleted.

    Performing Repairs to the registry.
    Done!

    VundoFix V6.5.6

    Checking Java version...

    Sun Java not detected
    Scan started at 7:17:43 PM 7/16/2007

    Listing files found while scanning....

    C:\WINDOWS\System32\opqss.ini
    C:\WINDOWS\System32\ssqpo.dll

    Beginning removal...

    Attempting to delete C:\WINDOWS\System32\opqss.ini
    C:\WINDOWS\System32\opqss.ini Has been deleted!

    Attempting to delete C:\WINDOWS\System32\ssqpo.dll
    C:\WINDOWS\System32\ssqpo.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    Hopefully this info helps you out.

    I'll be anxiously awaiting your instructions.

    Thanks AGAIN
    WILL
     
  4. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You did not do all of my post - go back and do SAS
     
  5. Willeec

    Willeec Thread Starter

    Joined:
    Jul 16, 2007
    Messages:
    10
    I have attempted 4 times to do the scan as you instructed. However, the scan stalls every time at this particular file: C:\WINDOWS\system32\oobe\msbshel.htm
    Up to that point the scan details are as follows:
    Memory Items: Scanned:357 Detected: 3
    Registry Items: Scanned:4842 Detected:19
    File Items: Scanned:25749 Detected:79
    Threats Detected: 101

    Threat Description
    Adware Vundo Variant/Resident: 4
    Adware eZula: 2
    Trojan.WinFixer: 6
    Unclassified Unknown Origin: 7
    Adware Vundo Variant: 7
    Trojan Downloader-Gen/HitItQuitIt: 1
    Adware tracking cookies: 69
    Adware ClickSpring/Outer Info Network: 1
    Trojan.Downloader-UDL2: 1
    Adware ClickSpring/Yazzle: 1
    Adware ClickSpring Resident: 1
    Trojan.Downloader-NoName: 1

    Please advise on what I need to do at this point to get the scan to complete.

    Thanks again for your time.
    WILL
     
  6. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Do it in safe mode
     
  7. Willeec

    Willeec Thread Starter

    Joined:
    Jul 16, 2007
    Messages:
    10
    I have completed the SAS Scan in Safe Mode.

    Here is the SAS Log:

    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 07/17/2007 at 02:34 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3270
    Trace Rules Database Version: 1281

    Scan type : Complete Scan
    Total Scan Time : 00:49:28

    Memory items scanned : 193
    Memory threats detected : 2
    Registry items scanned : 4841
    Registry threats detected : 19
    File items scanned : 27114
    File threats detected : 79

    Adware.Vundo Variant/Resident
    C:\WINDOWS\SYSTEM32\WVWWU.DLL
    C:\WINDOWS\SYSTEM32\WVWWU.DLL
    C:\WINDOWS\SYSTEM32\MLJHIGE.DLL
    C:\WINDOWS\SYSTEM32\MLJHIGE.DLL

    Trojan.WinFixer
    HKLM\Software\Classes\CLSID\{6249C28B-8450-4541-B5A4-47384FF76038}
    HKCR\CLSID\{6249C28B-8450-4541-B5A4-47384FF76038}
    HKCR\CLSID\{6249C28B-8450-4541-B5A4-47384FF76038}\InprocServer32
    HKCR\CLSID\{6249C28B-8450-4541-B5A4-47384FF76038}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\SSQPO.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6249C28B-8450-4541-B5A4-47384FF76038}

    Unclassified.Unknown Origin
    HKLM\Software\Classes\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
    HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}
    HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32
    HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DCTXVFGC.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{938A8A03-A938-4019-B764-03FF8D167D79}
    HKCR\CLSID\{938A8A03-A938-4019-B764-03FF8D167D79}

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{941508F8-CCD9-44E0-AC29-4F1E141373F7}
    HKCR\CLSID\{941508F8-CCD9-44E0-AC29-4F1E141373F7}
    HKCR\CLSID\{941508F8-CCD9-44E0-AC29-4F1E141373F7}\InprocServer32
    HKCR\CLSID\{941508F8-CCD9-44E0-AC29-4F1E141373F7}\InprocServer32#ThreadingModel
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{941508F8-CCD9-44E0-AC29-4F1E141373F7}
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks#{941508F8-CCD9-44E0-AC29-4F1E141373F7}
    HKCR\CLSID\{941508F8-CCD9-44E0-AC29-4F1E141373F7}

    Trojan.Downloader-Gen/HitItQuitIt
    Software\Microsoft\Windows NT\CurrentVersion\WinLogon\Notify\mljhige

    Adware.Tracking Cookie

    Adware.ClickSpring/Outer Info Network
    C:\Documents and Settings\Wilson\Start Menu\Programs\Outerinfo

    Trojan.Downloader-UDL2
    C:\DOCUMENTS AND SETTINGS\WILSON\DESKTOP\DOWNLOAD SOFTWARE\CRACK.EXE

    Adware.ClickSpring/Yazzle
    C:\QOOBOX\QUARANTINE\C\PROGRAM FILES\COMMON FILES\YAZZLE1162OINUNINSTALLER.EXE.VIR

    Adware.ClickSpring/Resident
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\JTRPNVC.DLL.VIR

    Trojan.Downloader-NoName
    C:\QOOBOX\QUARANTINE\C\WINDOWS\SYSTEM32\SYSWIN.EXE.VIR

    Trace.Known Threat Sources
    C:\Documents and Settings\Wilson\Local Settings\Temporary Internet Files\Content.IE5\NAWBNP8T\masiyxanidi[1]



    And here is the most up to date HiJackThis Log:

    Logfile of HijackThis v1.99.1
    Scan saved at 2:54:51 PM, on 7/17/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\WINDOWS\System32\qwerty12.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\WINDOWS\Explorer.EXE
    D:\Winamp\Winampa.exe
    C:\Program Files\NavNT\vptray.exe
    D:\QuickTime\qttask.exe
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Wilson\LOCALS~1\Temp\Rar$EX01.418\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r2.attbi.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\adobe\acrobat5.0.5\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: (no name) - {CC844E74-749F-46E1-81D6-CDDAB3F8B026} - C:\WINDOWS\System32\wvwwu.dll (file missing)
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\modumstv.dll",forkonce
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [Arda] "C:\PROGRA~1\ASEMBL~1\rundll32.exe" -vt yazb
    O4 - HKCU\..\Run: [Tsst] "C:\WINDOWS\TSKS~1\csrss.exe" -vt yazb
    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\System32\qwerty12.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184553464979
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O20 - Winlogon Notify: wvwwu - C:\WINDOWS\System32\wvwwu.dll (file missing)
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


    Thanks in advance for the response.

    Will
     
  8. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HiJackThis – mark them, close IE, click fix checked

    O2 - BHO: (no name) - {CC844E74-749F-46E1-81D6-CDDAB3F8B026} - C:\WINDOWS\System32\wvwwu.dll (file missing)

    O4 - HKCU\..\Run: [Arda] "C:\PROGRA~1\ASEMBL~1\rundll32.exe" -vt yazb

    O4 - HKCU\..\Run: [Tsst] "C:\WINDOWS\TSKS~1\csrss.exe" -vt yazb

    O4 - HKCU\..\Run: [DDC] C:\WINDOWS\System32\qwerty12.exe

    O20 - Winlogon Notify: wvwwu - C:\WINDOWS\System32\wvwwu.dll (file missing)

    O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe

    Download http://www.downloads.subratam.org/KillBox.zip or
    http://www.thespykiller.co.uk/files/killbox.exe

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\qwerty12.exe

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Boot and post a new hijack log from normal NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
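    The entries the helper picks out for "fix checked" in this thread share a few recognisable traits: an entry that still points at a deleted file, a service with no vendor string, a DPF object with no download URL, a copy of a Windows binary (csrss.exe, rundll32.exe) launched from somewhere other than System32, and one file registered both as a Run entry and as a service. As an added example, not a tool from this thread or a HijackThis feature, the Python script below parses HijackThis v1.99.1 lines (sample input copied from the logs posted above) and flags entries matching those traits; the heuristics are my own reading of the helper's choices.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: lines copied from the HijackThis logs in this thread, mixing
# entries the helper asked to have fixed with entries that were left alone.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r2.attbi.com
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: (no name) - {CC844E74-749F-46E1-81D6-CDDAB3F8B026} - C:\WINDOWS\System32\wvwwu.dll (file missing)
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Arda] "C:\PROGRA~1\ASEMBL~1\rundll32.exe" -vt yazb
O4 - HKCU\..\Run: [Tsst] "C:\WINDOWS\TSKS~1\csrss.exe" -vt yazb
O4 - HKCU\..\Run: [DDC] C:\WINDOWS\System32\qwerty12.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: wvwwu - C:\WINDOWS\System32\wvwwu.dll (file missing)
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\qwerty12.exe
"""

LINE_RE = re.compile(r"^([A-Z]\d+) - (.*)$")
CLSID_RE = re.compile(r"\{[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}")
# A command line: a quoted path, or an unquoted path up to its extension, then arguments.
CMD_RE = re.compile(r'^(?:"([^"]+)"|(.*?\.(?:exe|dll|ocx|scr)))(?:\s+(.*))?$', re.I)
# "Service: Display (short) - Vendor - path"; the vendor may be empty, as in this thread.
SVC_RE = re.compile(r"^Service: (.*?) -(?: (.*?))? - (.*)$")
# Windows binary names that the malware in this thread reused from other directories.
SYSTEM_BINARIES = {"csrss.exe", "rundll32.exe", "svchost.exe", "lsass.exe", "winlogon.exe", "services.exe", "smss.exe"}


@dataclass
class Entry:
    section: str  # R1, O2, O4, O16, O20, O23, ...
    raw: str
    name: str = ""
    clsid: str = ""
    vendor: str = ""  # O23 only
    path: str = ""  # file path, or download URL for O16
    args: str = ""  # O4 only
    file_missing: bool = False


def parse_line(line):
    """Turn one HijackThis line into an Entry; returns None for non-entry lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group(1), m.group(2)
    e = Entry(section=section, raw=line.strip())
    if body.endswith("(file missing)"):
        e.file_missing = True
        body = body[: -len("(file missing)")].rstrip()
    e.clsid = (CLSID_RE.findall(body) or [""])[0]
    if section == "O4":  # "HKLM\..\Run: [Name] command line"
        nm = re.match(r"^.*?: \[(.*?)\]\s*(.*)$", body)
        if nm:
            e.name = nm.group(1)
            cm = CMD_RE.match(nm.group(2))
            e.path = (cm.group(1) or cm.group(2)) if cm else nm.group(2)
            e.args = (cm.group(3) or "") if cm else ""
    elif section == "O23":
        sm = SVC_RE.match(body)
        if sm:
            e.name, e.vendor, e.path = sm.group(1), (sm.group(2) or "").strip(), sm.group(3).strip()
    elif section in ("O2", "O16", "O20"):  # "...: Name - {CLSID} - path"
        head, sep, tail = body.rpartition(" - ")
        if not sep:  # separator with nothing after it, like the empty O16 entry in the thread
            head, tail = body.rstrip(" -"), ""
        e.path = tail.strip()
        e.name = CLSID_RE.sub("", head.split(": ", 1)[-1]).strip(" -")
    return e


def triage(log_text):
    """Return (raw line, reasons) for entries matching the traits the helper acted on."""
    entries = [e for e in map(parse_line, log_text.splitlines()) if e]
    sections_by_path = defaultdict(set)  # which autostart points load each file
    for e in entries:
        if e.path:
            sections_by_path[e.path.lower()].add(e.section)
    findings = []
    for e in entries:
        reasons = []
        if e.file_missing:
            reasons.append("loads a file that no longer exists")
        if e.section == "O23" and not e.vendor:
            reasons.append("service with no vendor name")
        if e.section == "O16" and not e.path:
            reasons.append("DPF object with no download URL")
        d, _, b = e.path.lower().rpartition("\\")  # d is empty for bare names like RUNDLL32.EXE
        if d and b in SYSTEM_BINARIES and not d.endswith("\\system32"):
            reasons.append(f"system binary name {b} outside System32")
        if e.path and sections_by_path[e.path.lower()] >= {"O4", "O23"}:
            reasons.append("same file registered as Run entry and as service")
        if reasons:
            findings.append((e.raw, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    print(*(f"{why}\n    {raw}" for raw, why in triage(SAMPLE_LOG)), sep="\n")
```

    On the sample above the script flags exactly the seven entries the helper had fixed and leaves the Google, Symantec, NVIDIA and NavLogon entries alone.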
     
  9. Willeec

    Willeec Thread Starter

    Joined:
    Jul 16, 2007
    Messages:
    10
    I have performed all the tasks you listed. All the steps you listed seem to work. At this point, the system seems to be hanging up or lagging when performing a command I click on. The internet is definitely lagging to load webpages. Weird... The system still doesn't feel like it is running as normal. Please advise.

    Thanks,
    Will

    Here is the most current Hijackthis file:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:21:28 PM, on 7/17/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    D:\Winamp\Winampa.exe
    C:\Program Files\NavNT\vptray.exe
    D:\QuickTime\qttask.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Wilson\LOCALS~1\Temp\Rar$EX03.843\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r2.attbi.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\adobe\acrobat5.0.5\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\modumstv.dll",forkonce
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1184553464979
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/67/install/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
     
  10. Willeec

    Willeec Thread Starter

    Joined:
    Jul 16, 2007
    Messages:
    10
    I'm wondering, do I need to defrag my system, maybe? Do you think that will help? The Internet takes a long time to detect proxy settings and load pages. Other programs also seem to hang up when performing commands.

    Please advise.

    Thanks
    Will
     
  11. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    You may want to print this or save it to notepad as we will go to safe mode.

    Fix these with HijackThis: mark them, close IE, click Fix checked

    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\modumstv.dll",forkonce

    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -

    DownLoad http://www.downloads.subratam.org/KillBox.zip or
    http://www.thespykiller.co.uk/files/killbox.exe

    Restart your computer into safe mode now. (Tapping F8 at the first black screen) Perform the following steps in safe mode:

    Double-click on Killbox.exe to run it. Now put a tick by Standard File Kill. In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time, then click on the button that has the red circle with the X in the middle after you enter each file. It will ask for confirmation to delete the file. Click Yes. Continue with that same procedure until you have copied and pasted all of these in the "Paste Full Path of File to Delete" box.

    C:\WINDOWS\System32\modumstv.dll

    Note: It is possible that Killbox will tell you that one or more files do not exist. If that happens, just continue on with all the files. Be sure you don't miss any.

    START – RUN – type in %temp% - OK - Edit – Select all – File – Delete

    Delete everything in the C:\Windows\Temp folder or C:\WINNT\temp

    Not all temp files will delete and that is normal
    Empty the recycle bin
    Reboot and post a new HijackThis log from normal mode, NOT safe mode

    Please give feedback on what worked/didn’t work and the current status of your system
     
  12. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Defrag is not the issue; see my post before this one.
     
  13. Willeec

    Willeec Thread Starter

    Joined:
    Jul 16, 2007
    Messages:
    10
    I have performed all the tasks you listed. All the steps you listed seem to work. At this point, the system seems to hang up or lag when performing a command I click on. The Internet is definitely lagging when loading web pages. Weird... The system still doesn't feel like it is running normally. Please advise.

    Thanks,
    Will

    Here is the most current Hijackthis file:

    Logfile of HijackThis v1.99.1
    Scan saved at 5:21:28 PM, on 7/17/2007
    Platform: Windows XP SP1 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\System32\CTsvcCDA.EXE
    C:\Program Files\NavNT\defwatch.exe
    C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\Program Files\NavNT\rtvscan.exe
    C:\WINDOWS\System32\nvsvc32.exe
    C:\WINDOWS\System32\tcpsvcs.exe
    C:\WINDOWS\System32\snmp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    D:\Winamp\Winampa.exe
    C:\Program Files\NavNT\vptray.exe
    D:\QuickTime\qttask.exe
    C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\WINDOWS\System32\devldr32.exe
    C:\WINDOWS\System32\MsgSys.EXE
    C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    C:\WINDOWS\System32\wuauclt.exe
    C:\Program Files\WinRAR\WinRAR.exe
    C:\DOCUME~1\Wilson\LOCALS~1\Temp\Rar$EX03.843\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = sas.r2.attbi.com
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - d:\adobe\acrobat5.0.5\Reader\ActiveX\AcroIEHelper.ocx
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O4 - HKLM\..\Run: [WinampAgent] "D:\Winamp\Winampa.exe"
    O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
    O4 - HKLM\..\Run: [QuickTime Task] "D:\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
    O4 - HKLM\..\Run: [AudioHQ] C:\Program Files\Creative\SBLive\AudioHQ\AHQTB.EXE
    O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\modumstv.dll",forkonce
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
    O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - D:\Program Files\Yahoo!\Messenger\yhexbmes0522.dll
    O9 - Extra button: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O9 - Extra 'Tools' menuitem: UltimateBet - {94148DB5-B42D-4915-95DA-2CBB4F7095BF} - C:\Program Files\UltimateBet\UltimateBet.exe
    O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
    O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsu...?1184553464979
    O16 - DPF: {6FB9FE59-7D3B-483D-9909-C870BE5AFA1F} (DiskHealth Class) - http://www.pcpitstop.com/pcpitstop/diskhealth.cab
    O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
    O16 - DPF: {9732FB42-C321-11D1-836F-00A0C993F125} (mhLabel Class) - http://www.pcpitstop.com/mhLbl.cab
    O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfix.com/netcheck/6...l/gtdownls.cab
    O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
    O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
    O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.EXE
    O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\NavNT\defwatch.exe
    O23 - Service: Diskeeper - Executive Software International, Inc. - C:\Program Files\Executive Software\DiskeeperWorkstation\DKService.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Iomega Activity Disk2 - Iomega Corporation - C:\PROGRA~1\Iomega\System32\ActivityDisk.exe
    O23 - Service: Norton AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\NavNT\rtvscan.exe
    O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
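    The two entries the helper singled out in post 11 (an O4 Run value named "icq.com" that starts rundll32 on a DLL in System32 with the export "forkonce", and an O16 DPF entry with no class name and no download URL) can be checked mechanically, and so can the question of whether they are still in a log posted after the fix. The script below is an added example, not HijackThis code and not part of any post in this thread; its heuristics (a rundll32 loader whose Run value name shares nothing with its DLL or export, a full-path DLL under System32, a DPF entry missing its name or URL) are assumptions drawn only from the two entries above, not a general malware signature, and the sample lines are copied from the O4/O16 sections of the two logs in this thread.

```python
"""Triage the O4 (Run key) and O16 (ActiveX download) lines of a HijackThis
1.99.x log and check whether the flagged entries survive a clean-up attempt.

Added example: the heuristics are assumptions taken from the two entries fixed
in this thread, not HijackThis logic or a general malware signature.
"""
import re
from dataclasses import dataclass

# O4 - HKLM\..\Run: [value name] command line
O4_RE = re.compile(r'^O4 - (?P<hive>HK(?:LM|CU))\\\.\.\\Run: \[(?P<label>[^\]]*)\] (?P<cmd>.*)$')
# O16 - DPF: {CLSID} (class name) - URL      (name and URL may both be absent)
O16_RE = re.compile(r'^O16 - DPF: (?P<clsid>\{[0-9A-Fa-f-]+\})(?: \((?P<name>[^)]*)\))? -\s*(?P<url>.*)$')
# rundll32[.exe] "<dll>",<export> [args]   or   rundll32 <dll>,<export> [args]
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+?)"?\s*,\s*(?P<export>\S+)', re.I)


@dataclass(frozen=True)
class Finding:
    line: str
    reasons: tuple


def triage_line(line: str) -> list:
    """Reasons one log line deserves a second look; [] when nothing stands out."""
    line = line.strip()
    reasons = []
    m = O4_RE.match(line)
    if m:
        label, cmd = m.group('label'), m.group('cmd')
        r = RUNDLL_RE.search(cmd)
        if r:
            dll, export = r.group('dll'), r.group('export')
            # A vendor Run value that starts rundll32 is normally named after the
            # DLL or the export (NvCplDaemon -> NvQTwk,NvCplDaemon); "icq.com"
            # loading modumstv.dll,forkonce shares nothing with its command line.
            if label.lower() not in cmd.lower():
                reasons.append(f"Run value '{label}' names neither the DLL nor the export")
            # A full-path DLL sitting in System32 and started through rundll32 is
            # how the entry fixed in this thread was being loaded at logon.
            if re.search(r'\\system32\\', dll, re.I):
                reasons.append(f"rundll32 loads {dll} (export {export}) from System32")
        return reasons
    m = O16_RE.match(line)
    if m and (not m.group('name') or not m.group('url')):
        reasons.append(f"DPF entry {m.group('clsid')} has no class name or download URL")
    return reasons


def triage(log_text: str) -> list:
    """Findings for every O4/O16 line of a log, in log order."""
    return [Finding(raw.strip(), tuple(rs))
            for raw in log_text.splitlines()
            if (rs := triage_line(raw))]


def surviving(before: str, after: str) -> list:
    """Flagged lines from `before` that still appear verbatim in `after`."""
    after_lines = {ln.strip() for ln in after.splitlines()}
    return [f for f in triage(before) if f.line in after_lines]


# Sample input, constructed from the O4/O16 lines of the two logs in this thread.
LOG_BEFORE_FIX = r"""
O4 - HKLM\..\Run: [vptray] C:\Program Files\NavNT\vptray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\modumstv.dll",forkonce
O16 - DPF: {0E5F0222-96B9-11D3-8997-00104BD12D94} (sys Class) - http://www.pcpitstop.com/pcpitstop/PCPitStop.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""
LOG_AFTER_FIX = r"""
O4 - HKLM\..\Run: [icq.com] rundll32.exe "C:\WINDOWS\System32\modumstv.dll",forkonce
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
"""

if __name__ == "__main__":
    for f in triage(LOG_BEFORE_FIX):
        print(f.line, "\n   ", "; ".join(f.reasons))
    print("flagged entries still present after the fix:",
          len(surviving(LOG_BEFORE_FIX, LOG_AFTER_FIX)))
```

    Run over the two logs above it flags exactly the two lines the helper asked to fix and reports both as still present in the second log, which is the before/after comparison to make before writing the next set of instructions. A verbatim match is the easy case; an entry that comes back under a different DLL name would only be caught by the triage rules, not by the diff, so both are worth running.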
     
  14. MFDnNC

    MFDnNC

    Joined:
    Sep 7, 2004
    Messages:
    49,014
    Any reason why you do not have SP2?
     
  15. Willeec

    Willeec Thread Starter

    Joined:
    Jul 16, 2007
    Messages:
    10
    I had a friend help me install Windows XP Pro onto this system. There's no particular reason why I don't have SP2 yet, I just haven't. Do you recommend I do that? Can you direct me to a place where I can download SP2 and upgrade my OS?

    Thanks,
    Will
     
Short URL to this thread: https://techguy.org/596696