1. Computer problem? Tech Support Guy is completely free -- paid for by advertisers and donations. Click here to join today! If you're new to Tech Support Guy, we highly recommend that you visit our Guide for New Members.

Windows updates won't turn on.

Discussion in 'Virus & Other Malware Removal' started by iPlox, Nov 25, 2008.

Thread Status:
Not open for further replies.
Advertisement
  1. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    My computer recently got infected with a few viruses. I have the full paid version of NOD32, and it caught a lot in it's quarantine, and I removed them all. I also did a full scan with NOD32 and Spybot: Search & Destroy in safe mode. But now whenever my computer starts up, it says windows automatic updates is turned off. I try to turn it back on, and it says i should turn it back on manually in control panel>system>automatic updates. When i go there, it says automatic updates ARE on.Do I still have a virus on my computer? :(
     
  2. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    So, I scanned again, and all of the same viruses are back. Also, my free version of AVG detect something called TrojanHorseVondu. The things spybot detects are Virtuamonde.generic, Smitfraud-C, WildTangent and Virtumonde.
    Help please :(
     
  3. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,448
    Hi, Welcome to TSG!!


    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijackthis fix anything yet. Most of what it finds will be harmless or even required.
     
  4. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    Hi, thanks for the help.

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:10:00 PM, on 11/25/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\PROGRA~1\AVG\AVG8\avgrsx.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\PROGRA~1\AVG\AVG8\avgemc.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\PROGRA~1\AVG\AVG8\avgtray.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080415
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080415
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: {4a664a77-ce1e-e878-0da4-0da7bef26b33} - {33b62feb-7ad0-4ad0-878e-e1ec77a466a4} - C:\WINDOWS\system32\jcciln.dll
    O2 - BHO: WormRadar.com IESiteBlocker.NavFilter - {3CA2F312-6F6E-4B53-A66E-4E65E497C8C0} - C:\Program Files\AVG\AVG8\avgssie.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {602ADB0E-4AFF-4217-8AA1-95DAC4DFA408} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\efcCVLbC.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: (no name) - {98D72D79-F108-4792-8048-DBD6C709B25B} - C:\WINDOWS\system32\cbXOGAPi.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: (no name) - {7FEBEFE3-6B19-4349-98D2-FFB09D4B49CA} - (no file)
    O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\Run: [AVG8_TRAY] C:\PROGRA~1\AVG\AVG8\avgtray.exe
    O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: linkscanner - {F274614C-63F8-47D5-A4D1-FBDDE494F8D1} - C:\Program Files\AVG\AVG8\avgpp.dll
    O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~2\GOEC62~1.DLL,jcciln.dll,avgrsstx.dll
    O20 - Winlogon Notify: efcCVLbC - C:\WINDOWS\SYSTEM32\efcCVLbC.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: AVG Free8 E-mail Scanner (avg8emc) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgemc.exe
    O23 - Service: AVG Free8 WatchDog (avg8wd) - AVG Technologies CZ, s.r.o. - C:\PROGRA~1\AVG\AVG8\avgwdsvc.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe

    --
    End of file - 10268 bytes
     
  5. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    I got automatic updates to turn back on, but Spybot: Search and Destroy still says there's a virus when I scan with it. I've tried removing it numerous times, and it always pops back up.
     
  6. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,448
    Visit this webpage for instructions for downloading and running ComboFix.

    Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
     
  7. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    Here's the combofix first:


    ComboFix 08-11-26.05 - Cody Farry 2008-11-26 18:06:19.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2426 [GMT -6:00]
    Running from: c:\documents and settings\Cody Farry\Desktop\ComboFix.exe
    * Resident AV is active

    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Cody Farry\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
    c:\windows\system32\jcciln.dll
    c:\windows\system32\lfdathpn.dll
    c:\windows\system32\x64

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-27 to 2008-11-27 )))))))))))))))))))))))))))))))
    .

    2008-11-25 01:54 . 2008-11-25 01:54 <DIR> d-------- c:\program files\AVG
    2008-11-25 01:51 . 2008-11-25 01:51 <DIR> d-------- c:\program files\Lavasoft
    2008-11-25 01:51 . 2008-11-25 01:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-25 01:31 . 2008-11-25 01:31 <DIR> d-------- c:\program files\Trend Micro
    2008-11-24 21:57 . 2008-11-24 21:57 86 --a------ c:\windows\wininit.ini
    2008-11-24 21:33 . 2008-11-24 21:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-24 21:33 . 2008-11-24 22:03 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-24 20:29 . 2008-11-24 20:29 32,768 --a------ c:\windows\system32\mlJbbyvu.dll
    2008-11-24 20:14 . 2008-11-24 20:14 32,768 --a------ c:\windows\system32\efcCVLbC.dll
    2008-11-24 19:59 . 2008-11-24 20:23 29,184 --a------ c:\windows\system32\MSINET.oca
    2008-11-24 19:59 . 2008-11-24 20:23 2,407 --a------ c:\windows\system32\MSINET.DEP
    2008-11-21 23:31 . 2008-11-21 23:31 552 --a------ c:\windows\system32\d3d8caps.dat
    2008-11-16 04:56 . 2008-11-16 04:56 <DIR> d-------- c:\program files\Peggle Extreme
    2008-11-11 11:41 . 2008-11-11 11:41 <DIR> d-------- c:\program files\Pando Networks
    2008-11-11 11:41 . 2008-11-11 11:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
    2008-11-07 21:08 . 2008-11-07 21:15 <DIR> d-------- c:\program files\Common Files\ATI Technologies
    2008-11-07 21:07 . 2008-01-22 14:44 368,640 -ra------ c:\windows\system32\SETA6.tmp
    2008-11-07 20:22 . 2008-05-20 18:53 93,696 --a------ c:\windows\system32\drivers\AtiHdmi.sys
    2008-11-07 20:10 . 2008-11-07 20:10 <DIR> d-------- c:\program files\PC Drivers HeadQuarters
    2008-11-07 20:10 . 2008-11-07 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2008-11-06 22:33 . 2008-11-06 22:33 <DIR> d-------- c:\documents and settings\Cody Farry\Application Data\ATI
    2008-11-06 22:33 . 2008-11-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
    2008-11-06 22:29 . 2008-06-02 21:28 23,040 --a------ c:\windows\system32\atiadlxx.dll
    2008-11-01 18:00 . 2004-08-03 23:56 159,232 --a------ c:\windows\system32\ptpusd.dll
    2008-11-01 18:00 . 2004-08-03 21:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2008-11-01 18:00 . 2004-08-03 21:58 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
    2008-11-01 18:00 . 2001-08-17 21:36 5,632 --a------ c:\windows\system32\ptpusb.dll
    2008-11-01 01:29 . 2008-11-01 01:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-27 00:12 --------- d-----w c:\program files\Trillian
    2008-11-26 03:37 --------- d-----w c:\program files\Steam
    2008-11-25 07:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-23 05:11 --------- d--h--w c:\documents and settings\Cody Farry\Application Data\ijjigame
    2008-11-22 05:29 --------- d-----w c:\documents and settings\Cody Farry\Application Data\Hamachi
    2008-11-16 23:11 --------- d-----w c:\documents and settings\Cody Farry\Application Data\uTorrent
    2008-11-11 20:26 30 ----a-w c:\documents and settings\Cody Farry\jagex_runescape_preferences.dat
    2008-11-11 15:45 --------- d-----w c:\program files\Starcraft
    2008-11-08 02:22 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-07 04:30 --------- d-----w c:\program files\ATI Technologies
    2008-11-03 01:49 --------- d-----w c:\program files\SystemRequirementsLab
    2008-11-02 19:44 --------- d-----w c:\program files\World of Warcraft
    2008-11-01 19:07 --------- d-----w c:\documents and settings\Cody Farry\Application Data\SPORE
    2008-10-26 07:27 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-20 00:35 --------- d-----w c:\program files\Diablo II
    2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
    2008-10-16 20:13 202,776 ----a-w c:\windows\system32\dllcache\wuweb.dll
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
    2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\dllcache\wuaueng.dll
    2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
    2008-10-16 20:12 561,688 ----a-w c:\windows\system32\dllcache\wuapi.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
    2008-10-16 20:12 323,608 ----a-w c:\windows\system32\dllcache\wucltui.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\system32\dllcache\cdm.dll
    2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
    2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
    2008-10-16 20:09 51,224 ----a-w c:\windows\system32\dllcache\wuauclt.exe
    2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
    2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
    2008-10-16 20:08 34,328 ----a-w c:\windows\system32\dllcache\wups.dll
    2008-10-15 16:57 332,800 ------w c:\windows\system32\dllcache\netapi32.dll
    2008-10-03 17:41 6,066,176 ------w c:\windows\system32\dllcache\ieframe.dll
    2008-09-29 04:15 --------- d-----w c:\program files\MicroProse
    2008-09-15 11:57 1,846,016 ----a-w c:\windows\system32\win32k.sys
    2008-09-15 11:57 1,846,016 ------w c:\windows\system32\dllcache\win32k.sys
    2008-09-08 20:35 107,888 ----a-w c:\windows\system32\CmdLineExt.dll
    2008-09-08 20:34 1,696 ----a-w c:\windows\system32\ealregsnapshot1.reg
    2008-09-04 16:42 1,106,944 ----a-w c:\windows\system32\msxml3.dll
    2008-09-04 16:42 1,106,944 ------w c:\windows\system32\dllcache\msxml3.dll
    2008-08-30 02:06 1,350,664 ----a-w c:\windows\system32\msxml6.dll
    2008-08-28 10:04 333,056 ------w c:\windows\system32\dllcache\srv.sys
    2008-08-27 08:24 3,593,216 ------w c:\windows\system32\dllcache\mshtml.dll
    2008-06-14 21:27 22,328 ----a-w c:\documents and settings\Cody Farry\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    2008-11-24 20:14 32768 --a------ c:\windows\system32\efcCVLbC.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
    @="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
    @="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
    @="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
    @="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
    @="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
    @="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
    @="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-06-17 4608]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-10-25 1410304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-14 98304]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-06-21 136600]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-16 c:\windows\RTHDCPL.EXE]

    c:\documents and settings\Cody Farry\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-04-14 24576]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\efcCVLbC.dll" [2008-11-24 32768]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcCVLbC]
    2008-11-24 20:14 32768 c:\windows\system32\efcCVLbC.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    "c:\\ijji\\ENGLISH\\u_gunz.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX9.exe"=
    "c:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX10.exe"=
    "c:\\Program Files\\YVD\\Yugioh Virtual Desktop 9.exe"=
    "c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58546:TCP"= 58546:TCP:pando Media Booster
    "58546:UDP"= 58546:UDP:pando Media Booster

    R3 msloop;Microsoft Loopback Adapter Driver;c:\windows\system32\DRIVERS\loop.sys [2008-06-23 4992]
    S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-11-07 93696]
    S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice [2008-06-21 24635]
    S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe wampmysqld []
    S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys []
    .
    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - c:\documents and settings\Cody Farry\Application Data\Mozilla\Firefox\Profiles\eoigvs5d.default\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/
    FF -: plugin - c:\documents and settings\Cody Farry\Application Data\Mozilla\plugins\npoctoshape.dll
    FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npdeploytk.dll
    FF -: plugin - c:\program files\Java\jre6\bin\new_plugin\npjp2.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npdeploytk.dll
    FF -: plugin - c:\program files\Mozilla Firefox\plugins\npPandoWebInst.dll
    FF -: plugin - c:\program files\Octoshape Streaming Services\Cody Farry\octoprogram-L03-NMS0806260_SUA_000\npoctoshape.dll
    FF -: plugin - c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    FF -: plugin - c:\program files\Yahoo!\Common\npyaxmpb.dll
    FF -: plugin - c:\windows\Microsoft.NET\Framework\v3.5\Windows Presentation Foundation\NPWPF.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-26 18:13:57
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1132)
    c:\windows\system32\Ati2evxx.dll
    c:\windows\system32\efcCVLbC.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\TortoiseSVN\bin\TSVNCache.exe
    c:\program files\ESET\ESET Smart Security\ekrn.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\windows\system32\wdfmgr.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-26 18:19:28 - machine was rebooted [Cody Farry]
    ComboFix-quarantined-files.txt 2008-11-27 00:19:25

    Pre-Run: 94,035,296,256 bytes free
    Post-Run: 94,146,441,216 bytes free

    242 --- E O F --- 2008-11-13 04:59:38














    Here's the HJT:




    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 6:23:38 PM, on 11/26/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\notepad.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080415
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\efcCVLbC.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O20 - Winlogon Notify: efcCVLbC - C:\WINDOWS\SYSTEM32\efcCVLbC.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe

    --
    End of file - 8881 bytes





    Thanks again for the help.
     
  8. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,448
    Open Notepad and copy and paste the text in the code box below into it:
    Code:
    KILLALL::
    File::
    c:\windows\system32\mlJbbyvu.dll
    c:\windows\system32\efcCVLbC.dll
    c:\windows\system32\MSINET.oca
    c:\windows\system32\MSINET.DEP
    c:\windows\system32\efcCVLbC.dll
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    [-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcCVLbC]
    
    

    Save the file to you desktop and name it CFScript.txt

    Then drag the CFScript.txt into the ComboFix.exe as shown in the screenshot below.

    [​IMG]

    This will start ComboFix again. It may ask to reboot. Post the contents of Combofix.txt in your next reply.


    Please download ATF Cleaner by Atribune.

    • Double-click ATF-Cleaner.exe to run the program.
    • Under Main choose: Select All
    • Click the Empty Selected button.

    Click Exit on the Main menu to close the program.




    Please download Malwarebytes Anti-Malware and save it to your desktop. alternate link 1 alternate link 2
    • Make sure you are connected to the Internet.
    • Double-click on Download_mbam-setup.exe to install the application.
    • When the installation begins, follow the prompts and do not make any changes to default settings.
    • When installation has finished, make sure you leave both of these checked:
      • Update Malwarebytes' Anti-Malware
      • Launch Malwarebytes' Anti-Malware
    • Then click Finish.
    • MBAM will automatically start and you will be asked to update the program before performing a scan. If an update is found, the program will automatically update itself. Press the OK button to close that box and continue. If you encounter any problems while downloading the updates, manually download them from here and just double-click on mbam-rules.exe to install.
    • On the Scanner tab:
      • Make sure the "Perform Quick Scan" option is selected.
      • Then click on the Scan button.
    • If asked to select the drives to scan, leave all the drives selected and click on the Start Scan button.
    • The scan will begin and "Scan in progress" will show at the top. It may take some time to complete so please be patient.
    • When the scan is finished, a message box will say "The scan completed successfully. Click 'Show Results' to display all objects found".
    • Click OK to close the message box and continue with the removal process.
    • Back at the main Scanner screen, click on the Show Results button to see a list of any malware that was found.
    • Make sure that everything is checked, and click Remove Selected.
    • When removal is completed, a log report will open in Notepad and you may be prompted to restart your computer. (see Note below)
    • The log is automatically saved and can be viewed by clicking the Logs tab in MBAM.
    • Copy and paste the contents of that report in your next reply with a new hijackthis log.
    Note: If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately. Failure to reboot will prevent MBAM from removing all the malware.
     
  9. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    Okay, Combifix log first:


    ComboFix 08-11-26.05 - Cody Farry 2008-11-27 20:51:39.2 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2351 [GMT -6:00]
    Running from: c:\documents and settings\Cody Farry\Desktop\ComboFix.exe
    Command switches used :: c:\documents and settings\Cody Farry\Desktop\CFScript.txt
    * Created a new restore point
    * Resident AV is active


    FILE ::
    c:\windows\system32\efcCVLbC.dll
    c:\windows\system32\mlJbbyvu.dll
    c:\windows\system32\MSINET.DEP
    c:\windows\system32\MSINET.oca
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\documents and settings\Cody Farry\Local Settings\Temporary Internet Files\ijjistarter_verinfo.dat
    c:\windows\system32\bpuhfqrp.dll
    c:\windows\system32\byXPHxvV.dll
    c:\windows\system32\ebkqasfb.dll
    c:\windows\system32\efcCVLbC.dll
    c:\windows\system32\jhednb.dll
    c:\windows\system32\kllepmwn.ini
    c:\windows\system32\mlJbbyvu.dll
    c:\windows\system32\MSINET.DEP
    c:\windows\system32\MSINET.oca
    c:\windows\system32\nwmpellk.dll
    c:\windows\system32\prqfhupb.ini
    c:\windows\system32\uwgglmfb.dll
    c:\windows\system32\VvxHPXyb.ini
    c:\windows\system32\VvxHPXyb.ini2
    c:\windows\system32\zfsjbt.dll

    .
    ((((((((((((((((((((((((( Files Created from 2008-10-28 to 2008-11-28 )))))))))))))))))))))))))))))))
    .

    2008-11-27 01:06 . 2008-11-27 02:06 <DIR> d-------- C:\HammerAutosave
    2008-11-26 23:59 . 2008-11-27 00:46 <DIR> d-------- c:\program files\KeyScrambler
    2008-11-26 23:59 . 2008-03-22 15:37 113,896 --a------ c:\windows\system32\drivers\keyscrambler.sys
    2008-11-25 01:54 . 2008-11-25 01:54 <DIR> d-------- c:\program files\AVG
    2008-11-25 01:51 . 2008-11-25 01:51 <DIR> d-------- c:\program files\Lavasoft
    2008-11-25 01:51 . 2008-11-25 01:53 <DIR> d-------- c:\documents and settings\All Users\Application Data\Lavasoft
    2008-11-25 01:31 . 2008-11-25 01:31 <DIR> d-------- c:\program files\Trend Micro
    2008-11-24 21:57 . 2008-11-24 21:57 86 --a------ c:\windows\wininit.ini
    2008-11-24 21:33 . 2008-11-24 21:33 <DIR> d-------- c:\program files\Spybot - Search & Destroy
    2008-11-24 21:33 . 2008-11-26 23:45 <DIR> d-------- c:\documents and settings\All Users\Application Data\Spybot - Search & Destroy
    2008-11-21 23:31 . 2008-11-21 23:31 552 --a------ c:\windows\system32\d3d8caps.dat
    2008-11-16 04:56 . 2008-11-16 04:56 <DIR> d-------- c:\program files\Peggle Extreme
    2008-11-11 11:41 . 2008-11-11 11:41 <DIR> d-------- c:\program files\Pando Networks
    2008-11-11 11:41 . 2008-11-11 11:41 <DIR> d-------- c:\documents and settings\All Users\Application Data\PMB Files
    2008-11-07 21:08 . 2008-11-07 21:15 <DIR> d-------- c:\program files\Common Files\ATI Technologies
    2008-11-07 21:07 . 2008-01-22 14:44 368,640 -ra------ c:\windows\system32\SETA6.tmp
    2008-11-07 20:22 . 2008-05-20 18:53 93,696 --a------ c:\windows\system32\drivers\AtiHdmi.sys
    2008-11-07 20:10 . 2008-11-07 20:10 <DIR> d-------- c:\program files\PC Drivers HeadQuarters
    2008-11-07 20:10 . 2008-11-07 20:10 <DIR> d-------- c:\documents and settings\All Users\Application Data\PC Drivers HeadQuarters
    2008-11-06 22:33 . 2008-11-06 22:33 <DIR> d-------- c:\documents and settings\Cody Farry\Application Data\ATI
    2008-11-06 22:33 . 2008-11-06 22:33 <DIR> d-------- c:\documents and settings\All Users\Application Data\ATI
    2008-11-06 22:29 . 2008-06-02 21:28 23,040 --a------ c:\windows\system32\atiadlxx.dll
    2008-11-01 18:00 . 2004-08-03 23:56 159,232 --a------ c:\windows\system32\ptpusd.dll
    2008-11-01 18:00 . 2004-08-03 21:58 15,104 --a------ c:\windows\system32\drivers\usbscan.sys
    2008-11-01 18:00 . 2004-08-03 21:58 15,104 --a------ c:\windows\system32\dllcache\usbscan.sys
    2008-11-01 18:00 . 2001-08-17 21:36 5,632 --a------ c:\windows\system32\ptpusb.dll
    2008-11-01 01:29 . 2008-11-01 01:29 <DIR> d-------- c:\documents and settings\All Users\Application Data\Blizzard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-11-27 08:26 --------- d-----w c:\program files\Steam
    2008-11-27 00:12 --------- d-----w c:\program files\Trillian
    2008-11-25 07:51 --------- d-----w c:\program files\Common Files\Wise Installation Wizard
    2008-11-23 05:11 --------- d--h--w c:\documents and settings\Cody Farry\Application Data\ijjigame
    2008-11-22 05:29 --------- d-----w c:\documents and settings\Cody Farry\Application Data\Hamachi
    2008-11-16 23:11 --------- d-----w c:\documents and settings\Cody Farry\Application Data\uTorrent
    2008-11-11 20:26 30 ----a-w c:\documents and settings\Cody Farry\jagex_runescape_preferences.dat
    2008-11-11 15:45 --------- d-----w c:\program files\Starcraft
    2008-11-08 02:22 --------- d--h--w c:\program files\InstallShield Installation Information
    2008-11-07 04:30 --------- d-----w c:\program files\ATI Technologies
    2008-11-03 01:49 --------- d-----w c:\program files\SystemRequirementsLab
    2008-11-02 19:44 --------- d-----w c:\program files\World of Warcraft
    2008-11-01 19:07 --------- d-----w c:\documents and settings\Cody Farry\Application Data\SPORE
    2008-10-26 07:27 --------- d-----w c:\documents and settings\All Users\Application Data\2DBoy
    2008-10-24 11:10 453,632 ----a-w c:\windows\system32\drivers\mrxsmb.sys
    2008-10-20 00:35 --------- d-----w c:\program files\Diablo II
    2008-09-29 04:15 --------- d-----w c:\program files\MicroProse
    2008-06-14 21:27 22,328 ----a-w c:\documents and settings\Cody Farry\Application Data\PnkBstrK.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\1TortoiseSVN]
    @="{30351346-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351346-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\2TortoiseSVN]
    @="{30351347-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351347-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\3TortoiseSVN]
    @="{30351348-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{30351348-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\4TortoiseSVN]
    @="{3035134B-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134B-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\5TortoiseSVN]
    @="{3035134C-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134C-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\6TortoiseSVN]
    @="{3035134D-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134D-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shelliconoverlayidentifiers\7TortoiseSVN]
    @="{3035134E-7B7D-4FCC-81B4-1E394CA267EB}"
    [HKEY_CLASSES_ROOT\CLSID\{3035134E-7B7D-4FCC-81B4-1E394CA267EB}]
    2008-02-16 12:35 536576 --a------ c:\program files\TortoiseSVN\bin\tortoisesvn.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-04 15360]
    "AlcoholAutomount"="c:\program files\Alcohol Soft\Alcohol 120\axcmd.exe" [2008-06-17 4608]
    "EA Core"="c:\program files\Electronic Arts\EADM\Core.exe" [2008-07-21 2752512]
    "MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2004-10-13 1694208]
    "SpybotSD TeaTimer"="c:\program files\Spybot - Search & Destroy\TeaTimer.exe" [2008-07-07 2156368]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "IgfxTray"="c:\windows\system32\igfxtray.exe" [2007-07-16 142104]
    "HotKeysCmds"="c:\windows\system32\hkcmd.exe" [2007-07-16 162584]
    "Persistence"="c:\windows\system32\igfxpers.exe" [2007-07-16 138008]
    "PDVDDXSrv"="c:\program files\CyberLink\PowerDVD DX\PDVDDXSrv.exe" [2007-09-17 124200]
    "dscactivate"="c:\program files\Dell Support Center\gs_agent\custom\dsca.exe" [2008-02-13 16384]
    "egui"="c:\program files\ESET\ESET Smart Security\egui.exe" [2007-10-25 1410304]
    "QuickTime Task"="c:\program files\QuickTime\qttask.exe" [2008-04-14 98304]
    "Adobe Reader Speed Launcher"="c:\program files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2008-01-11 39792]
    "SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2008-06-21 136600]
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2008-01-21 61440]
    "RTHDCPL"="RTHDCPL.EXE" [2007-07-16 c:\windows\RTHDCPL.EXE]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "KeyScrambler"="c:\program files\KeyScrambler\getting_started.html" [X]

    c:\documents and settings\Cody Farry\Start Menu\Programs\Startup\
    Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-03-16 113664]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2008-04-14 24576]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs"=jhednb.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PowerDVD.exe"=
    "c:\\Program Files\\CyberLink\\PowerDVD DX\\PDVDDXSrv.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
    "c:\\ijji\\ENGLISH\\u_gunz.exe"=
    "c:\\Program Files\\Trillian\\trillian.exe"=
    "c:\\Program Files\\uTorrent\\uTorrent.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX9.exe"=
    "c:\\Program Files\\CAPCOM\\LOSTPLANETCOLONIES\\LostPlanetColoniesDX10.exe"=
    "c:\\Program Files\\YVD\\Yugioh Virtual Desktop 9.exe"=
    "c:\\ijji\\ENGLISH\\Gunz\\Gunz.exe"=
    "c:\\Program Files\\Pando Networks\\Media Booster\\PMB.exe"=

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "58546:TCP"= 58546:TCP:pando Media Booster
    "58546:UDP"= 58546:UDP:pando Media Booster

    R3 KeyScrambler;KeyScrambler;c:\windows\system32\drivers\keyscrambler.sys [2008-11-26 113896]
    R3 msloop;Microsoft Loopback Adapter Driver;c:\windows\system32\DRIVERS\loop.sys [2008-06-23 4992]
    S3 AtiHdmiService;ATI Function Driver for HDMI Service;c:\windows\system32\drivers\AtiHdmi.sys [2008-11-07 93696]
    S3 wampapache;wampapache;"c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe" -k runservice [2008-06-21 24635]
    S3 wampmysqld;wampmysqld;c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe wampmysqld []
    S3 XDva143;XDva143;\??\c:\windows\system32\XDva143.sys []
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{5CC25D1D-A254-4432-A58F-9A3323B4901B} - (no file)
    BHO-{6116a149-cf81-4e28-96ae-44a76182376b} - (no file)
    BHO-{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
    BHO-{a014038d-a904-4347-ad23-d8991c975773} - c:\windows\system32\jhednb.dll
    BHO-{B8B90CEA-9A31-4291-ABA7-862CB64FDB94} - c:\windows\system32\byXPHxvV.dll



    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-11-27 21:04:16
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet001\Services\MySQL]
    "ImagePath"="\"c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt\" --defaults-file=\"c:\program files\MySQL\MySQL Server 5.0\my.ini\" MySQL"
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1132)
    c:\windows\system32\Ati2evxx.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\ati2evxx.exe
    c:\program files\Lavasoft\Ad-Aware\aawservice.exe
    c:\windows\system32\ati2evxx.exe
    c:\program files\TortoiseSVN\bin\TSVNCache.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    c:\program files\ESET\ESET Smart Security\ekrn.exe
    c:\program files\Java\jre6\bin\jqs.exe
    c:\program files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    c:\windows\system32\wdfmgr.exe
    .
    **************************************************************************
    .
    Completion time: 2008-11-27 21:09:25 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-11-28 03:09:22
    ComboFix2.txt 2008-11-27 00:19:30

    Pre-Run: 93,739,929,600 bytes free
    Post-Run: 93,723,156,480 bytes free

    223 --- E O F --- 2008-11-13 04:59:38





    Now mbam:



    Malwarebytes' Anti-Malware 1.30
    Database version: 1430
    Windows 5.1.2600 Service Pack 2

    11/27/2008 9:18:37 PM
    mbam-log-2008-11-27 (21-18-37).txt

    Scan type: Quick Scan
    Objects scanned: 49896
    Time elapsed: 2 minute(s), 42 second(s)

    Memory Processes Infected: 0
    Memory Modules Infected: 0
    Registry Keys Infected: 2
    Registry Values Infected: 0
    Registry Data Items Infected: 0
    Folders Infected: 0
    Files Infected: 1

    Memory Processes Infected:
    (No malicious items detected)

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    HKEY_LOCAL_MACHINE\SOFTWARE\xpre (Trojan.Downloader) -> Quarantined and deleted successfully.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.

    Registry Values Infected:
    (No malicious items detected)

    Registry Data Items Infected:
    (No malicious items detected)

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    C:\WINDOWS\Explorer.sav (Heuristics.Reserved.Word.Exploit) -> Quarantined and deleted successfully.




    And finally, HJT:



    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 9:19:48 PM, on 11/27/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    C:\WINDOWS\explorer.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080415
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKLM\..\RunOnce: [Malwarebytes' Anti-Malware] C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe /install /silent
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O20 - AppInit_DLLs: jhednb.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe

    --
    End of file - 9335 bytes








    Thank you so much for all your help.:)
     
  10. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    I restarted my computer and did another HJT scan, and it looks like the virus is back. :(





    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 12:00:40 AM, on 11/28/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16735)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\Ati2evxx.exe
    C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\TortoiseSVN\bin\TSVNCache.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\RTHDCPL.EXE
    C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe
    C:\Program Files\ESET\ESET Smart Security\egui.exe
    C:\Program Files\QuickTime\qttask.exe
    C:\Program Files\Java\jre6\bin\jusched.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Electronic Arts\EADM\Core.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    C:\Program Files\Java\jre6\bin\jqs.exe
    C:\Program Files\Steam\Steam.exe
    C:\Program Files\MySQL\MySQL Server 5.0\bin\mysqld-nt.exe
    C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\wuauclt.exe
    c:\program files\steam\steamapps\weazeldoom\team fortress 2\hl2.exe
    C:\Program Files\Steam\GameOverlayUI.exe
    C:\Program Files\Trillian\trillian.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6080415
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: (no name) - {5CC25D1D-A254-4432-A58F-9A3323B4901B} - (no file)
    O2 - BHO: (no name) - {6116a149-cf81-4e28-96ae-44a76182376b} - (no file)
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - (no file)
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre6\bin\ssv.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.0.1225.9868\swg.dll
    O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\Dell\BAE\BAE.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: JQSIEStartDetectorImpl Class - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
    O2 - BHO: Ask Toolbar BHO - {F4D76F01-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: Ask Toolbar - {F4D76F09-7896-458a-890F-E1F05C46069F} - C:\Program Files\AskPBar\bar\1.bin\ASKPBAR.DLL
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
    O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
    O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
    O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
    O4 - HKLM\..\Run: [PDVDDXSrv] "C:\Program Files\CyberLink\PowerDVD DX\PDVDDXSrv.exe"
    O4 - HKLM\..\Run: [dscactivate] "C:\Program Files\Dell Support Center\gs_agent\custom\dsca.exe"
    O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
    O4 - HKLM\..\Run: [StartCCC] "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AlcoholAutomount] "C:\Program Files\Alcohol Soft\Alcohol 120\axcmd.exe" /automount
    O4 - HKCU\..\Run: [EA Core] C:\Program Files\Electronic Arts\EADM\Core.exe -silent
    O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKUS\S-1-5-18\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [KeyScrambler] C:\Program Files\KeyScrambler\getting_started.html (User 'Default user')
    O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
    O4 - Global Startup: Digital Line Detect.lnk = ?
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre6\bin\jp2iexp.dll
    O9 - Extra button: PokerStars - {3AD14F0C-ED16-4e43-B6D8-661B03F6A1EF} - C:\Program Files\PokerStars\PokerStarsUpdate.exe
    O9 - Extra button: (no name) - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra 'Tools' menuitem: &KeyScrambler... - {5C106A59-CC3C-4caa-81A4-6D909B5ACE23} - C:\Program Files\KeyScrambler\KeyScramblerIE.dll
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O16 - DPF: {1E54D648-B804-468d-BC78-4AFFED8E262E} (System Requirements Lab) - http://www.srtest.com/srl_bin/sysreqlab_srl.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O20 - AppInit_DLLs: jhednb.dll
    O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Eset HTTP Server (EhttpSrv) - Unknown owner - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
    O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
    O23 - Service: MySQL - Unknown owner - C:\Program.exe (file missing)
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: wampapache - Apache Software Foundation - c:\wamp\bin\apache\apache2.2.8\bin\httpd.exe
    O23 - Service: wampmysqld - Unknown owner - c:\wamp\bin\mysql\mysql5.0.51a\bin\mysqld-nt.exe

    --
    End of file - 9572 bytes
     
  11. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,448
    Download OTScanIt.exe to your Desktop and double-click on it to extract the files. It will create a folder named OTScanIt on your desktop.
    1. Close any open browsers.
    2. If your Real protection or Antivirus intervenes with OTScanIt, allow it to run.
    3. Open the OTScanit folder and double-click on OTScanit.exe to start the program.
    4. In Additional Scans section put a check in BotCheck and Disabled MS Config Items and EventViewer Errors/Warnings
    5. Now click the Run Scan button on the toolbar.
    6. The program will be scanning huge amounts of data so depending on your system it could take a long time to complete. Let it run unhindered until it finishes.
    7. When the scan is complete Notepad will open with the report file loaded in it.
    8. Save that notepad file
    If the log is too large to post, use the Reply button, scroll down to the attachments section and attach the notepad file here.
     
  12. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    Here's the OTScanIT log.
     

    Attached Files:

  13. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,448
    You posted my instructions, not the OTScanit log.
     
  14. iPlox

    iPlox Thread Starter

    Joined:
    Nov 25, 2008
    Messages:
    10
    Sorry, stupid me :p
     

    Attached Files:

  15. cybertech

    cybertech Moderator

    Joined:
    Apr 16, 2002
    Messages:
    69,448
    Start OTScanIt. Copy/Paste the information in the Code box below into the pane where it says Paste fix here and then click the Run Fix button.


    Code:
    [Kill Explorer]
    [Unregister Dlls]
    [Registry - Non-Microsoft Only]
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    *AppInit_DLLs* -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_Dlls
    YN -> jhednb.dll -> 
    < AppInit_DLLs [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\\AppInit_DLLs
    < Internet Explorer Settings [HKEY_CURRENT_USER\] > -> 
    YN -> HKEY_CURRENT_USER\: URLSearchHooks\\{EF99BD32-C1FB-11D2-892F-0090271D4F88} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Yahoo! Toolbar]
    < BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
    YN -> {5CC25D1D-A254-4432-A58F-9A3323B4901B} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    YN -> {6116a149-cf81-4e28-96ae-44a76182376b} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
    [Files/Folders - Modified Within 30 days]
    NY -> 2 C:\WINDOWS\System32\*.tmp files -> C:\WINDOWS\System32\*.tmp
    NY -> 5 C:\WINDOWS\Temp\*.tmp files -> C:\WINDOWS\Temp\*.tmp
    [Empty Temp Folders]
    [Start Explorer]
    [Reboot]
    

    The fix should only take a very short time. When the fix is completed a message box will popup telling you that it is finished. Click the Ok button and Notepad will open with a log of actions taken during the fix.
    Post that information back here.

    I will review the information when it comes back in.
     
  16. Sponsor

As Seen On
As Seen On...

Welcome to Tech Support Guy!

Are you looking for the solution to your computer problem? Join our site today to ask your question. This site is completely free -- paid for by advertisers and donations.

If you're not already familiar with forums, watch our Welcome Guide to get started.

Join over 733,556 other people just like you!

Loading...
Thread Status:
Not open for further replies.

Short URL to this thread: https://techguy.org/772832