Antivirus virus, help.

Unread postby Chaues » January 7th, 2009, 7:04 pm

Ok, so, I have acquired some form of virus that disguised itself as a Windows update on my computer. Upon clicking it, it then proceeded to try to download an "anti virus" program onto my computer. I do not know the name of said anti virus; as far as I know it didn't say. Now it has completely hijacked my system, placing a picture on my desktop as well as locking it. It shut down my Windows Task Manager, as well as my disk defrag. I suffer constant "anti spyware" and "anti virus" pop ups whenever any internet application is open, and the Windows-disguised tool bar option still pops up. Here is my Hijack file... I hope you can help.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:53:50 PM, on 1/7/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gmoluqadiruv] rundll32.exe "C:\WINDOWS\Ireseji.dll",e
O4 - HKLM\..\Run: [Gbegid] rundll32.exe "C:\WINDOWS\aboqubefovahubi.dll",e
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKLM\..\Run: [38ff1f85] rundll32.exe "C:\WINDOWS\system32\xkovtadk.dll",b
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O20 - AppInit_DLLs: mvdclk.dll fykzan.dll yytweq.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 4677 bytes


Thanks.
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm

Re: Antivirus virus, help.

Unread postby Odd dude » January 8th, 2009, 11:34 am

Hello and welcome to the forums!

I'm Odd dude, pleased to meet you; if it helps, you can call me OD ;). I will be helping you with your infection. However, it is important to take note of the following - quite the wall of text, I know, but please bear with me:

  • Logs from malware removal programs (Hijackthis is one of them) can take some time to analyze. I need you to be patient whilst I analyze any logs you post.
  • Please carefully read any instruction that I give you.
    Reading too lightly will cause you to miss important steps, which could have destructive effects.
  • If you're not sure, or if something unexpected happens, do NOT continue! Stop and ask!
  • Only YOU must use these instructions; they are not suitable for any other computer, similar issues or not.
  • Do not do things I do not ask for, such as running a spyware scan. The one thing you should always do, though, is to make sure that your antivirus definitions are up-to-date!
  • If I tell you to download a tool which you already have, please re-download it and do not use the copy you already have. This is because the tools are updated regularly.
  • In Windows Vista, all tools need to be started by right clicking and selecting Run as administrator!
  • I am going to stick with you until ALL malware is gone from your system. I would appreciate it if you were to do the same. From this point, we're in this together ;)
    Because of this, you must reply within five days. I will post a reminder should you seem to fail to do this; however, if you fail to reply within five days then, unless I have been notified of your absence in advance, the topic shall be closed!
  • As I am still in training at the Malware Removal University, anything I do must be checked by an experienced malware fighter. This means there might be a slight delay in my answers.
  • Lastly, I am no magician. I will try very hard to fix your issues, but no promises can be made. Also be aware that some infections are so severe that you might need to resort to reformatting and reinstalling your operating system. Don't worry, this only happens in severe cases, but it sadly does happen. Be prepared to back up your data. Have means of backing up your data available.

I am now analyzing your situation and hope to be back with you soon. While I am reviewing your situation, could you please do the following for me:

Make an Uninstall List
I need you to create an uninstall list so I can further analyze your situation.

  • Start HijackThis.
  • Click Open the Misc Tools section
  • Click Open Uninstall Manager
  • Click Save list...
  • Save the list to your desktop, or any other convenient place.

Please post back:
  • Uninstall list
  • New hijackthis log
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Antivirus virus, help.

Unread postby Chaues » January 8th, 2009, 6:34 pm

Hey OD,

I appreciate your service. However, I ran into my first problem. When I hit "Save List..." HijackThis closes. It doesn't give me an option of where to save it, or anything else. I searched for it, but I can't find it anywhere. So I would assume it isn't saving. Here is a second log, though.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:25:39 PM, on 1/8/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\system32\frmwrk32.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\System32\alg.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\ntdll64.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gmoluqadiruv] rundll32.exe "C:\WINDOWS\Ireseji.dll",e
O4 - HKLM\..\Run: [Gbegid] rundll32.exe "C:\WINDOWS\aboqubefovahubi.dll",e
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [Framework Windows] frmwrk32.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O20 - AppInit_DLLs: mvdclk.dll fykzan.dll yytweq.dll worpvv.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 6160 bytes
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm
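The two logs above differ in ways the helper is reading by eye: O4 Run values that hand a randomly named DLL in C:\WINDOWS to rundll32.exe with a one-letter export, a Run value named with eight hex digits, autostarts living in the SYSTEM and Default profiles, an "Unknown" Winsock LSP loaded out of C:\WINDOWS\temp, a populated O20 AppInit_DLLs list that grows from three DLLs to four between runs, and a single unknown image (ntdll64.exe) now running several dozen times. The script below, an added example that is not part of this thread, of HijackThis or of any tool recommended in it, applies those same heuristics to a HijackThis v2 log and diffs the AppInit_DLLs list between two logs. The embedded logs are constructed excerpts trimmed from the two posts above; the thresholds and the list of images allowed to run many times are the editor's assumptions.

```python
"""Triage a Trend Micro HijackThis v2 log the way the thread does by eye.

Added example; not part of the thread, of HijackThis or of any recommended tool.
Heuristics and thresholds are assumptions tuned to the logs posted above.
"""
import re
from collections import Counter

# Images that legitimately run many instances on Windows XP (assumption).
MULTI_INSTANCE_OK = {"svchost.exe", "rundll32.exe"}
ENTRY_RE = re.compile(r"^(O\d+) - (.*)$")
# rundll32.exe "<path>.dll",<export>   (quotes are optional in HJT output)
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?([^",]+\.dll)"?,(\S+)', re.IGNORECASE)

# Constructed excerpts of the first two logs posted in the thread.
LOG1 = r"""
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\ntdll64.exe

O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Gmoluqadiruv] rundll32.exe "C:\WINDOWS\Ireseji.dll",e
O4 - HKLM\..\Run: [38ff1f85] rundll32.exe "C:\WINDOWS\system32\xkovtadk.dll",b
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O20 - AppInit_DLLs: mvdclk.dll fykzan.dll yytweq.dll
"""
# Second log: ntdll64.exe multiplies and a fourth AppInit DLL appears.
LOG2 = LOG1.replace(
    "C:\\WINDOWS\\system32\\ntdll64.exe\n", "C:\\WINDOWS\\system32\\ntdll64.exe\n" * 4
).replace("yytweq.dll", "yytweq.dll worpvv.dll")


def parse_hjt(text):
    """Return (running process paths, [(section code, entry body), ...])."""
    processes, entries, in_procs = [], [], False
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            in_procs = False          # a blank line ends the process list
        elif line == "Running processes:":
            in_procs = True
        elif in_procs:
            processes.append(line)
        elif m := ENTRY_RE.match(line):
            entries.append((m.group(1), m.group(2)))
    return processes, entries


def triage(text):
    """Return de-duplicated, human-readable findings for one log."""
    findings = []

    def add(msg):
        if msg not in findings:       # HJT prints each LSP entry twice
            findings.append(msg)

    processes, entries = parse_hjt(text)
    counts = Counter(p.rsplit("\\", 1)[-1].lower() for p in processes)
    for image, n in sorted(counts.items()):
        if n > 2 and image not in MULTI_INSTANCE_OK:
            add(f"PROC {image} running {n} times")

    for code, body in entries:
        if code == "O20" and body.startswith("AppInit_DLLs:"):
            dlls = body.split(":", 1)[1].split()   # any content here is worth a look
            if dlls:
                add(f"O20 AppInit_DLLs loads {len(dlls)} DLL(s): {' '.join(dlls)}")
        elif code == "O10" and body.startswith("Unknown file in Winsock LSP:"):
            path = body.split(":", 1)[1].strip()
            if "\\temp\\" in path.lower():
                add(f"O10 LSP loaded from a temp directory: {path}")
        elif code == "O4":
            value = re.search(r"\[([^\]]*)\]", body)
            if (m := RUNDLL_RE.search(body)) and len(m.group(2)) <= 2:
                add(f"O4 rundll32 loads {m.group(1)} via export '{m.group(2)}'")
            if value and re.fullmatch(r"[0-9a-f]{8}", value.group(1)):
                add(f"O4 hex-named Run value [{value.group(1)}]")
            if "(User 'SYSTEM')" in body or "(User 'Default user')" in body:
                add(f"O4 autostart in SYSTEM/Default profile: {body}")
    return findings


def regrowth(old_text, new_text):
    """AppInit DLLs present in the newer log only: the infection is re-seeding."""
    def appinit(text):
        for code, body in parse_hjt(text)[1]:
            if code == "O20" and body.startswith("AppInit_DLLs:"):
                return set(body.split(":", 1)[1].split())
        return set()
    return sorted(appinit(new_text) - appinit(old_text))


if __name__ == "__main__":
    for label, log in (("log 1", LOG1), ("log 2", LOG2)):
        print(f"== {label} ==")
        for finding in triage(log):
            print(" ", finding)
    print("new AppInit DLLs since log 1:", regrowth(LOG1, LOG2))
```

The AppInit_DLLs check deliberately flags any populated value rather than matching names: on a Windows XP home machine that key is almost never legitimately set, and the random eight-letter names here are exactly what a real DLL vendor would not use. The regrowth diff is the signal the helper is reacting to when saying the cleanup "won't be over after this"; a list that keeps gaining entries between scans means a component is still alive and dropping fresh copies.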

Re: Antivirus virus, help.

Unread postby Odd dude » January 9th, 2009, 2:44 am

So I would assume it isn't saving.

You are correct, and it's no problem. An infection is interfering with Hijackthis.

I will be back with instructions soon :)
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Antivirus virus, help.

Unread postby Odd dude » January 10th, 2009, 5:34 pm

Sorry for the delay.

You are quite heavily infected. This will hopefully clear out a lot of it. It won't be over after this, but it'll get better.

Before we begin, however, I must ask an important question. Do you still use Panda antivirus? If not, what have you replaced it with?

One of the infections is entrenched in such a way that there is a chance that removing it breaks your internet connection. To prevent this, please download LSP-Fix and save it to your desktop.

If, after performing the below steps and rebooting, you lose your internet connection (can't connect to the internet anymore), please run LSP-Fix. Start the program, click Finish and reboot. Your internet should now work again.

Malwarebytes' Anti-Malware
I need you to download Malwarebytes' Anti-Malware.

  • Install the program by following the prompts after double-clicking on mbam-setup.exe
  • Once you approach the final installation screen, put a check next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish
  • MBAM (that's an acronym of Malwarebytes' Anti-Malware) will now start. Choose Perform full scan and click Scan
  • Get a cup of coffee/tea/hot chocolate and watch some TV for about an hour.
  • Once the scan has finished, click OK, then Show Results.
  • Put a check next to everything, then click Remove selected.
  • Now, a log will open. Save this to your desktop and post it.

ATF-Cleaner
Download ATF-Cleaner by Atribune to your desktop.
Start the program and place a check next to the following items:
  • Windows Temp
  • Current User Temp
  • All Users Temp
  • Temporary Internet Files
  • Java Cache
  • Recycle Bin
Now click Empty Selected and click OK.

If you use Firefox, click the Firefox tab and place a check next to Select All. Click Empty Selected and answer No at the prompt.
If you use Opera, click the Opera tab and place a check next to Select All. Click Empty Selected and answer No at the prompt.

After performing those instructions reboot first, then post a new hijackthis log and the answer to my question. If you can't connect to the internet, run LSP-Fix as I described above.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Antivirus virus, help.

Unread postby Chaues » January 10th, 2009, 6:19 pm

Hey OD,

I wish I could have taken your advice. I downloaded all said applications, and even had a movie picked out. However, MBAM is being prevented from being installed. I ran the ATF-Cleaner and tried again, yet still had the same response as before. It says something about a free floating operation not being legalized, which I assume is virus for "Not in my house." I will provide you with another log like you asked, though. I uninstalled Panda because it seemed to not be helping. I downloaded something called ThreatFire, but it didn't work either. It is, however, still on my computer.

Here is the log.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:15:14 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\userinit.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\World of Warcraft\WoW.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [Gmoluqadiruv] rundll32.exe "C:\WINDOWS\Ireseji.dll",e
O4 - HKLM\..\Run: [Gbegid] rundll32.exe "C:\WINDOWS\aboqubefovahubi.dll",e
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [38ff1f85] rundll32.exe "C:\WINDOWS\system32\uferhxdt.dll",b
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O10 - Unknown file in Winsock LSP: c:\windows\temp\ntdll64.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O20 - AppInit_DLLs: mvdclk.dll fykzan.dll yytweq.dll worpvv.dll qmiiuf.dll dunyjj.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 4669 bytes


I will try again after a restart, but I wanted to post first, it can take some time.
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm

Re: Antivirus virus, help.

Unread postby Chaues » January 10th, 2009, 10:24 pm

Scratch that sparky (OD), we got a positive on that reading. I got it to install finally, and work, I had to use the LSP fix, but no biggy there. Here is the log from the MBAM.

Malwarebytes' Anti-Malware 1.32
Database version: 1638
Windows 5.1.2600 Service Pack 3

1/10/2009 8:19:35 PM
mbam-log-2009-01-10 (20-19-35).txt

Scan type: Full Scan (A:\|C:\|)
Objects scanned: 81511
Time elapsed: 11 minute(s), 42 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 7
Registry Keys Infected: 31
Registry Values Infected: 4
Registry Data Items Infected: 11
Folders Infected: 2
Files Infected: 59

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
C:\WINDOWS\system32\dxirpxfa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\khfFVopq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\mvdclk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fykzan.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yytweq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxywuRhH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\pbcjqyll.dll (Trojan.Vundo.H) -> Delete on reboot.

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{f2d94172-fa12-4a30-9d05-99b25b8e1b74} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_CLASSES_ROOT\CLSID\{f2d94172-fa12-4a30-9d05-99b25b8e1b74} (Trojan.Vundo.H) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{fb766902-3990-48fd-bd02-7d1b51bffbce} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{fb766902-3990-48fd-bd02-7d1b51bffbce} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{a9016c5a-962b-48ae-ae7f-bd2fb3df9670} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{a9016c5a-962b-48ae-ae7f-bd2fb3df9670} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{76ed1138-b18a-4459-a56c-ff5eab32c51f} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\xxywurhh (Trojan.Vundo) -> Delete on reboot.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{f2d94172-fa12-4a30-9d05-99b25b8e1b74} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Ext\Stats\{77ab5974-55a3-4737-9fd5-b93c64307f78} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\{5222008a-dd62-49c7-a735-7bd18ecc7350} (Rogue.VirusRemover) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\atmlanee (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet002\Services\atmlanee (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\atmlanee (Rootkit.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\prunnet (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\xpreapp (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\virusremover2008 (Rogue.VirusRemove) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\instkey (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Track System (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\FCOVM (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\RemoveRP (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\38ff1f85 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{6d794cb4-c7cd-4c6f-bfdc-9b77afbdc02c} (Trojan.Vundo) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gmoluqadiruv (Trojan.Agent) -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gbegid (Trojan.Agent) -> Delete on reboot.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khffvopq -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Authentication Packages (Trojan.Vundo.H) -> Data: c:\windows\system32\khffvopq -> Delete on reboot.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: c:\windows\system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit (Trojan.Agent) -> Data: system32\userinit.exe -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr (Hijack.TaskManager) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\ActiveDesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\activedesktop\NoChangingWallpaper (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoSetActiveDesktop (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoActiveDesktopChanges (Hijack.DisplayProperties) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
C:\Program Files\Rapid Antivirus (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Application Data\gadcom (Trojan.Agent) -> Quarantined and deleted successfully.

Files Infected:
C:\WINDOWS\system32\khfFVopq.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\qpoVFfhk.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qpoVFfhk.ini2 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dxirpxfa.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\afxprixd.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pbcjqyll.dll (Trojan.Vundo.H) -> Delete on reboot.
C:\WINDOWS\system32\drivers\atmlanee.sys (Rootkit.Agent.H) -> Delete on reboot.
C:\WINDOWS\system32\mvdclk.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\fykzan.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\yytweq.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\xxywuRhH.dll (Trojan.Vundo) -> Delete on reboot.
C:\WINDOWS\system32\msiconf.exe (Trojan.akeAlert) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Application Data\gadcom\gadcom.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\Documents and Settings\Robert\Local Settings\Temp\seneka7cf8.tmp (Trojan.Agent) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{DB7662FA-9172-403D-90FC-27C00CB2A4FA}\RP204\A0028354.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ifxtulbk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\prunnet.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aewrxm.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\bbnyzz.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\chxorbgk.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\hallanee.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jiejlvhj.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\mguaalfl.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rlsbdkix.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\rndxyr.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pcload.exe (Trojan.Downloader) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dunyjj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\kejfzt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ksosgt.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\pmnmLDTK.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aojiwoak.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUljGYq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekakytlsvif.dll (Trojan.Seneka) -> Delete on reboot.
C:\WINDOWS\system32\senekawqjepjnr.dll (Trojan.TDSS) -> Delete on reboot.
C:\WINDOWS\system32\tskhhaks.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\uapkqnlp.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\eatboy.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lwoskhrb.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\lyttuyap.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\xorrch.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\qybygeve.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dgukxkha.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fzsgtj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\geBsTkIb.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ntdll64.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\dllcache\userinit.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\p2\EV21AIP.exe (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\senekaeaydaqoc.sys (Trojan.TDSS) -> Delete on reboot.
C:\Program Files\Rapid Antivirus\Uninstall.exe (Rogue.RapidAntivirus) -> Quarantined and deleted successfully.
C:\WINDOWS\Ireseji.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\aboqubefovahubi.dll (Trojan.Agent) -> Delete on reboot.
C:\WINDOWS\system32\senekaemnmwfhl.dll (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekadf.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\seneka.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\senekalog.dat (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\seneka.sys (Trojan.Agent) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\warning.gif (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ahtn.htm (Trojan.FakeAlert) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\drivers\core.cache.dsk (Rootkit.Agent) -> Delete on reboot.


I did reboot.


New HijackThis log incoming...


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:24:01 PM, on 1/10/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ThreatFire\TFService.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\Program Files\ThreatFire\TFTray.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\WINDOWS\System32\wbem\wmiprvse.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKLM\..\Run: [ThreatFire] C:\Program Files\ThreatFire\TFTray.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [msiexec.exe] msiconf.exe (User 'Default user')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O20 - AppInit_DLLs: mvdclk.dll fykzan.dll yytweq.dll worpvv.dll qmiiuf.dll wpyqgq.dll
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe

--
End of file - 4371 bytes



See above post for the answer on the Panda. Things are looking up. I will be expectantly waiting for the next installment.
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm

Re: Antivirus virus, help.

Unread postby Odd dude » January 11th, 2009, 8:25 am

Hi Chaues :)

I uninstalled Panda because it seemed to not be helping. I downloaded something called Threatfire, but it didn't work either. It is, however, still on my computer.

Panda was antivirus, yet ThreatFire is not - ThreatFire purely detects based on behaviour. You also need a signature scanner such as Panda.
I strongly recommend that you reinstall it. If you don't want to go with Panda anymore, give Avira Antivir or Avast a try.
Please do not install an AV until after you have run ComboFix (yes, I am going to ask you to do that :)). The antivirus software will most certainly flag the program due to the aggressive techniques it uses, and since I won't know what AV you'll be installing, I won't be able to instruct on how to disable it to prevent interference.
It says something about a free floating operation not being legalized, which I assume is virus for "Not in my house."

Hehe, you're right about that. Something was interfering with MBAM, which means we'll need to run a few more scans.

ComboFix
IMPORTANT NOTE: ComboFix is a VERY POWERFUL tool. DO NOT use it without expert guidance.

  • Download ComboFix from here and save it to your desktop
  • Disable ALL antivirus/antimalware programs before proceeding!
  • Now start ComboFix.
  • The tool will check whether the Recovery Console is present on your system. If it is not, ComboFix will prompt you whether you would like to install it.
  • If it is not, make sure you are connected to the internet as ComboFix needs to download a file. When you are connected to the internet, click Yes and follow the prompts. When asked whether to continue scanning or to exit, click Yes to continue scanning (no need to disconnect from the internet as ComboFix breaks your internet connection for you).
  • Do not touch the computer AT ALL while ComboFix is running!
  • When finished, the report will open. Re-enable your protection software and post the log in your next reply.

If you cannot connect to the internet after running ComboFix, unplug the cable/receiver/whatever you use to connect to the internet and plug it back in.


If you didn't yet install antivirus software, now is the time to do so.


GMER

Do not touch the computer while GMER is running! If you do, it'll go completely unresponsive and you'll have to shut it down using the power switch. Just don't touch the PC while GMER is working.
Please download gmer.zip by GMER and save it to your desktop.

  • Right click the file you just downloaded and choose Extract all
  • Click Next
  • Click Browse
  • Click the + next to My Computer
  • Click Local Disk (C:)
  • Click Make new folder
  • Enter GMER
  • Click OK, then Next
  • Check Show extracted files and click Finish
  • Double click on GMER.exe to run it.
  • Select the Rootkit tab.
  • On the right hand side, check all the items to be scanned, but leave Show All box unchecked.
  • Select all drives that are connected to your system to be scanned.
  • Click on the Scan button.
  • When the scan is finished, click Copy to save the scan log to the Windows clipboard.
  • Open Notepad or a similar text editor.
  • Paste the clipboard contents into the text editor.
  • Save the GMER scan log and post it in your next reply.
  • Close GMER.

In your next post, provide me with:
- Log from Combofix
- Log from GMER
- New hijackthis log

This isn't going to fit into one post so please divide it over multiple posts.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Antivirus virus, help.

Unread postby Chaues » January 11th, 2009, 3:22 pm

Hey OD, just to make sure, I did post a second time before saying that I was able to get MBAM to run, and posted its log. If you already saw it, then sorry. Anyways, both programs ran like you said they should and I will be posting their logs now. However, I have to uninstall Threatfire for it to allow ComboFix to run. I could suspend Threatfire for the scan, but it would stop it upon the reboot. I will reinstall it if you think the program (Threatfire) is worth it. Also, I downloaded Avast! and am currently installing it for future reference.


Here is the ComboFix

ComboFix 09-01-10.03 - Robert 2009-01-11 12:59:40.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1702 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
c:\documents and settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
c:\documents and settings\Robert\Local Settings\Temporary Internet Files\fbk.sts
c:\temp\1cb
c:\temp\1cb\syscheck.log
c:\windows\system32\hynqsklg.ini
c:\windows\system32\ieoxcyhu.ini
c:\windows\system32\kdatvokx.ini
c:\windows\system32\lduhkrol.ini
c:\windows\system32\lfwqugki.ini
c:\windows\system32\lkgikvrv.ini
c:\windows\system32\mdm.exe
c:\windows\system32\msrdo20.dll
c:\windows\system32\mwlysywt.dll
c:\windows\system32\oybmoecb.ini
c:\windows\system32\p2
c:\windows\system32\pcdsccpf.dll
c:\windows\system32\qevxaibw.ini
c:\windows\system32\qmiiuf.dll
c:\windows\system32\rdocurs.dll
c:\windows\system32\tdxhrefu.ini
c:\windows\system32\uniq.tll
c:\windows\system32\utydkkxi.dll
c:\windows\system32\vdkjmdet.ini
c:\windows\system32\vhuaoxad.ini
c:\windows\system32\win32hlp.cnf
c:\windows\SYSTEM32\worpvv.dll
c:\windows\system32\wpyqgq.dll
c:\windows\system32\xgrgakto.ini
c:\windows\system32\ydhkdqgu.ini

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
.

-------\Service_seneka


((((((((((((((((((((((((( Files Created from 2008-12-11 to 2009-01-11 )))))))))))))))))))))))))))))))
.

2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 20:00 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 20:00 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 16:53 . 2009-01-07 16:53 <DIR> d-------- c:\program files\Trend Micro
2009-01-07 11:02 . 2009-01-07 11:02 73,216 --a------ c:\windows\system32\ffkuz.dll
2008-12-28 10:57 . 2009-01-11 12:58 <DIR> d-------- c:\program files\ThreatFire
2008-12-28 10:57 . 2009-01-11 12:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 10:53 . 2008-12-28 10:53 <DIR> d-------- c:\documents and settings\Robert\Application Data\AdobeUM
2008-12-28 10:46 . 2008-12-28 10:46 <DIR> d-------- c:\program files\BillP Studios
2008-12-28 10:46 . 2008-12-28 10:46 <DIR> d-------- c:\documents and settings\Robert\Application Data\WinPatrol
2008-12-27 22:47 . 2008-12-28 10:30 <DIR> d-------- c:\windows\SxsCaPendDel
2008-12-27 21:03 . 2008-12-27 21:03 40,448 --a------ c:\windows\system32\k9261108.exe
2008-12-27 20:48 . 2008-12-27 20:48 <DIR> d-------- c:\windows\system32\xn
2008-12-27 20:48 . 2008-12-27 20:48 <DIR> d-------- c:\temp\REX81

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2009-01-11 02:26 --------- d-----w c:\documents and settings\Robert\Application Data\LimeWire
2008-12-28 16:40 --------- d-----w c:\program files\DNA
2008-12-28 16:40 --------- d-----w c:\documents and settings\Robert\Application Data\DNA
2008-12-28 16:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 05:29 --------- d-----w c:\program files\ASUS
2008-12-28 04:47 --------- d-----w c:\program files\The Chronicles of Spellborn
2008-12-17 19:49 --------- d-----w c:\program files\World of Warcraft
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-08 81920]
"WinPatrol"="c:\program files\BillP Studios\WinPatrol\winpatrol.exe" [2008-10-09 333120]
"nwiz"="nwiz.exe" [2008-01-08 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"= 1 (0x1)
"NoActiveDesktopChanges"= 1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"c:\\Program Files\\LimeWire\\LimeWire.exe"=
"c:\\Program Files\\DNA\\btdna.exe"=
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 EIO_XP;EIO_XP;c:\windows\system32\drivers\EIO_XP.sys [2008-06-28 12288]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D32.sys --> c:\windows\system32\Drivers\Video3D32.sys [?]
S4 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]

--- Other Services/Drivers In Memory ---

*Deregistered* - mchInjDrv

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a356b1f1-88f9-11dd-a02f-001fc6ab2ffd}]
\Shell\AutoRun\command - LinksysConnectPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]

2009-01-11 c:\windows\Tasks\qfpdvosu.job
- c:\windows\system32\rundll32.exe [2008-04-13 18:12]
.
- - - - ORPHANS REMOVED - - - -

HKU-Default-Run-msiexec.exe - msiconf.exe


.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ubao93oa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-11 13:00:26
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-11 13:01:28
ComboFix-quarantined-files.txt 2009-01-11 19:01:06

Pre-Run: 133,503,299,584 bytes free
Post-Run: 133,490,364,416 bytes free
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm

Re: Antivirus virus, help.

Unread postby Chaues » January 11th, 2009, 3:23 pm

Here is the Gmer report.


GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-11 13:13:04
Windows 5.1.2600 Service Pack 3


---- System - GMER 1.0.14 ----

SSDT TfSysMon.sys ZwCreateKey [0xBA8FCDFA]
SSDT TfSysMon.sys ZwDeleteKey [0xBA8FCFEA]
SSDT TfSysMon.sys ZwDeleteValueKey [0xBA8FD08C]
SSDT TfSysMon.sys ZwOpenKey [0xBA8FCCEE]
SSDT TfSysMon.sys ZwSetValueKey [0xBA8FD224]
SSDT TfSysMon.sys ZwTerminateProcess [0xBA8FE798]

---- Kernel code sections - GMER 1.0.14 ----

? TfFsMon.sys The system cannot find the file specified. !
? TfSysMon.sys The system cannot find the file specified. !
? Combo-Fix.sys The system cannot find the file specified. !
? System32\Drivers\TfKbMon.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\drivers\TfNetMon.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\mchInjDrv.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP90.SYS The system cannot find the file specified. !
? C:\ComboFix\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe[188] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\RTHDCPL.EXE[304] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\RUNDLL32.EXE[408] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\WINDOWS\system32\ctfmon.exe[964] kernel32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE[1088] KERNEL32.dll!FreeLibrary + 15 7C80AC83 4 Bytes [ B5, 53, EF, F4 ]
.text ...

---- Devices - GMER 1.0.14 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TfFsMon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp TfNetMon.sys
AttachedDevice \FileSystem\Fastfat \Fat TfFsMon.sys

---- EOF - GMER 1.0.14 ----



And the new Hijackthis.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:18:18 PM, on 1/11/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\WINDOWS\system32\RUNDLL32.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinPatrol] C:\Program Files\BillP Studios\WinPatrol\winpatrol.exe -expressboot
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

--
End of file - 4031 bytes
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm

Re: Antivirus virus, help.

Unread postby Odd dude » January 12th, 2009, 11:19 am

However, I have to uninstall Threatfire for it to allow ComboFix to run. I will reinstall it if you think the program (Threatfire) is worth it.

It is good that you took that precautionary measure. Personally I think ThreatFire is a good program for those occasions on which your antivirus program doesn't get an infection. I've also had good experiences with it.
It's all up to you, but if you know how to use it I suggest you reinstall it once you're clean.

Before we continue, you'll have to uninstall BitTorrent DNA (may also show as just DNA) and LimeWire as per the rules: viewtopic.php?f=11&t=33112.

I still don't see an antivirus. Be sure to install one after the next steps.

Fixing malicious lines in Hijackthis
You must fix some malicious entries using Hijackthis.

  • Start HijackThis
  • Click Do a system scan only
  • Put a check next to the following items. If one of them isn't present, don't worry, just proceed to the next one.
      O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
      O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
      O4 - .DEFAULT Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'Default user')
  • Make sure that all other open windows are closed!
  • Press Fix checked.

Run CFScript
Open notepad and copy/paste the following to it:

Code:
File::
c:\windows\Tasks\qfpdvosu.job
c:\windows\system32\ffkuz.dll
c:\windows\system32\k9261108.exe
Folder::
c:\windows\system32\xn
C:\temp
c:\documents and settings\Robert\Application Data\LimeWire
c:\documents and settings\Robert\Application Data\DNA
c:\program files\DNA
Dirlook::
c:\windows\SxsCaPendDel
Registry::
[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoSetActiveDesktop"=dword:00000000
"NoActiveDesktopChanges"=dword:00000000
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=-
"c:\\Program Files\\LimeWire\\LimeWire.exe"=-
"c:\\Program Files\\DNA\\btdna.exe"=-
"c:\\Program Files\\BitTorrent\\bittorrent.exe"=-
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000000
Firefox::
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ubao93oa.default\
FF - plugin: c:\program files\Mozilla Firefox\plugins\npbittorrent.dll


Save this to your desktop as "CFScript.txt".

Disconnect from the internet, disable your antimalware software like you did before, and drag CFScript into ComboFix


ComboFix will run again, please be patient and post the log like usual along with a new HJT log.

Install an antivirus program before making that new HJT log.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)
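
As an added example for this thread (not code from HijackThis, ComboFix or any poster), the Python below applies the triage rules the helper used above to a constructed subset of the HijackThis lines posted in this thread: a BHO with no backing file, autostart entries attributed to the SYSTEM or Default user profile, a non-empty AppInit_DLLs list, and, as an informational note only, a service whose binary is missing (the Panda leftover). The section codes, severities and rule wording are this example's own assumptions.

```python
"""Triage heuristics for HijackThis-style log lines.

Added example for this thread, not code from HijackThis, ComboFix or any
poster. Rules mirror what the helper asked to fix above: a BHO with no backing
file (O2), Startup/Run entries that run under the SYSTEM or Default user
profile (O4), and a non-empty AppInit_DLLs list (O20). Services whose binary is
missing (O23) are reported as informational leftovers, like the Panda service.
"""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the HijackThis log lines posted in this thread.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\System32\smss.exe

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKUS\S-1-5-18\..\Run: [msiexec.exe] msiconf.exe (User 'SYSTEM')
O4 - S-1-5-18 Startup: Rapid Antivirus.lnk = C:\Program Files\Rapid Antivirus\Rapid Antivirus.exe (User 'SYSTEM')
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O20 - AppInit_DLLs: mvdclk.dll fykzan.dll yytweq.dll worpvv.dll qmiiuf.dll wpyqgq.dll
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)
O23 - Service: ThreatFire - PC Tools - C:\Program Files\ThreatFire\TFService.exe
"""

# An HJT entry line starts with a section code (R1, F2, N3, O4, ...) and " - ".
ENTRY_RE = re.compile(r"^([RFNO]\d+)\s+-\s+(.*)$")
# Per-user autostarts that HijackThis attributes to the SYSTEM or Default profile.
SYSTEM_PROFILE_RE = re.compile(r"\(User '(?:SYSTEM|Default user)'\)\s*$")


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    severity: str  # "high", "cleanup" or "info" (this example's own scale)
    reason: str
    line: str      # the original log line, as it would be ticked in HJT


def parse_entry(line):
    """Split an entry such as 'O4 - HKLM\\..\\Run: ...' into (section, rest).

    Returns None for lines that are not HJT entries (headers, process list).
    """
    m = ENTRY_RE.match(line.strip())
    return (m.group(1), m.group(2)) if m else None


def triage(log_text):
    """Apply the heuristics to every entry line; findings come back in log order."""
    findings = []
    for raw in log_text.splitlines():
        parsed = parse_entry(raw)
        if parsed is None:
            continue
        section, rest = parsed
        if section == "O2" and rest.endswith("(no file)"):
            findings.append(Finding(section, "cleanup",
                                    "BHO registered with no backing file (orphan CLSID)",
                                    raw.strip()))
        elif section == "O4" and SYSTEM_PROFILE_RE.search(rest):
            findings.append(Finding(section, "high",
                                    "autostart runs under the SYSTEM/Default user profile",
                                    raw.strip()))
        elif section == "O20" and rest.startswith("AppInit_DLLs:"):
            dlls = rest.split(":", 1)[1].split()
            if dlls:  # AppInit_DLLs is loaded into every user-mode process
                findings.append(Finding(section, "high",
                                        "AppInit_DLLs injects into every process: " + ", ".join(dlls),
                                        raw.strip()))
        elif section == "O23" and rest.endswith("(file missing)"):
            findings.append(Finding(section, "info",
                                    "service binary missing (leftover of an uninstall or a removed component)",
                                    raw.strip()))
    return findings


def fix_list(findings):
    """Lines a helper would ask to tick under 'Fix checked'; info-level items are left alone."""
    return [f.line for f in findings if f.severity in ("high", "cleanup")]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:7}] {f.section}: {f.reason}\n    {f.line}")
```

Run against a full log, the "high" findings are the ones worth a second look before anything is fixed; the Panda service shows up only as "info", matching how it was treated in this thread.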

Re: Antivirus virus, help.

Unread postby Chaues » January 12th, 2009, 12:17 pm

Done, and done. Scout's honor, I actually uninstalled those programs since we last spoke, and before I read this :D. I'm not so dumb. I had not installed Avast! until after I had done all the ComboFix and Hijackthis because I thought it would interfere. You should definitely see it now. Here is the ComboFix log first.

ComboFix 09-01-10.03 - Robert 2009-01-12 10:08:35.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.3.1252.1.1033.18.2046.1614 [GMT -6:00]
Running from: c:\documents and settings\Robert\Desktop\ComboFix.exe
Command switches used :: c:\documents and settings\Robert\Desktop\CFScript.txt
AV: avast! antivirus 4.8.1296 [VPS 090112-0] *On-access scanning disabled* (Updated)
* Created a new restore point

FILE ::
c:\windows\system32\ffkuz.dll
c:\windows\system32\k9261108.exe
c:\windows\Tasks\qfpdvosu.job
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

c:\documents and settings\Robert\Application Data\DNA
c:\documents and settings\Robert\Application Data\DNA\dht.dat
c:\documents and settings\Robert\Application Data\DNA\dht.dat.old
c:\documents and settings\Robert\Application Data\DNA\dna.lng
c:\documents and settings\Robert\Application Data\DNA\resume.dat
c:\documents and settings\Robert\Application Data\DNA\resume.dat.old
c:\documents and settings\Robert\Application Data\DNA\rss.dat
c:\documents and settings\Robert\Application Data\DNA\rss.dat.old
c:\documents and settings\Robert\Application Data\DNA\settings.dat
c:\documents and settings\Robert\Application Data\DNA\settings.dat.old
c:\documents and settings\Robert\Application Data\LimeWire
c:\documents and settings\Robert\Application Data\LimeWire\.AppSpecialShare\American Gods.torrent.bak
c:\documents and settings\Robert\Application Data\LimeWire\.AppSpecialShare\Neil.Gaiman.&Terry.Pratchett.-.Good.Omens.rar.torrent.bak
c:\documents and settings\Robert\Application Data\LimeWire\active.mojito
c:\documents and settings\Robert\Application Data\LimeWire\certificate\limewire.keystore
c:\documents and settings\Robert\Application Data\LimeWire\createtimes.cache
c:\documents and settings\Robert\Application Data\LimeWire\downloads.dat
c:\documents and settings\Robert\Application Data\LimeWire\fileurns.bak
c:\documents and settings\Robert\Application Data\LimeWire\fileurns.cache
c:\documents and settings\Robert\Application Data\LimeWire\filters.props
c:\documents and settings\Robert\Application Data\LimeWire\gnutella.net
c:\documents and settings\Robert\Application Data\LimeWire\installation.props
c:\documents and settings\Robert\Application Data\LimeWire\library.dat
c:\documents and settings\Robert\Application Data\LimeWire\limewire.props
c:\documents and settings\Robert\Application Data\LimeWire\mojito.props
c:\documents and settings\Robert\Application Data\LimeWire\passive.mojito
c:\documents and settings\Robert\Application Data\LimeWire\promotion\promodb.backup
c:\documents and settings\Robert\Application Data\LimeWire\promotion\promodb.data
c:\documents and settings\Robert\Application Data\LimeWire\promotion\promodb.properties
c:\documents and settings\Robert\Application Data\LimeWire\promotion\promodb.script
c:\documents and settings\Robert\Application Data\LimeWire\questions.props
c:\documents and settings\Robert\Application Data\LimeWire\responses.cache
c:\documents and settings\Robert\Application Data\LimeWire\simpp.xml
c:\documents and settings\Robert\Application Data\LimeWire\spam.dat
c:\documents and settings\Robert\Application Data\LimeWire\tables.props
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme.lwtp
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\01_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\02_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\03_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\04_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\05_star.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\chat.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\forward_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\forward_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\kill.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\kill_on.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\pause_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\pause_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\play_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\play_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\question.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\rewind_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\rewind_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\stop_dn.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\stop_up.gif
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\theme.txt
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\version.txt
c:\documents and settings\Robert\Application Data\LimeWire\themes\windows_theme\warning.gif
c:\documents and settings\Robert\Application Data\LimeWire\ttrees.cache
c:\documents and settings\Robert\Application Data\LimeWire\ttroot.cache
c:\documents and settings\Robert\Application Data\LimeWire\version.xml
c:\documents and settings\Robert\Application Data\LimeWire\versions.props
c:\documents and settings\Robert\Application Data\LimeWire\xml\data\audio.sxml2
c:\program files\DNA
c:\program files\DNA\btdna.exe
c:\program files\DNA\DNAcpl.cpl
c:\program files\DNA\plugins\npbtdna.dll
C:\temp
c:\temp\ext18866\install.exe
c:\temp\ext18866\install.res.dll
c:\temp\REX81\BDF.log
c:\temp\SrtTrail.log
c:\temp\SrtTrail.txt
c:\windows\system32\ffkuz.dll
c:\windows\system32\k9261108.exe
c:\windows\system32\xn
c:\windows\Tasks\qfpdvosu.job

.
((((((((((((((((((((((((( Files Created from 2008-12-12 to 2009-01-12 )))))))))))))))))))))))))))))))
.

2009-01-11 13:22 . 2009-01-11 13:22 <DIR> d-------- c:\program files\Alwil Software
2009-01-11 13:22 . 2003-03-18 15:20 1,060,864 --a------ c:\windows\system32\MFC71.dll
2009-01-11 13:04 . 2009-01-11 13:05 250 --a------ c:\windows\gmer.ini
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\program files\Malwarebytes' Anti-Malware
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\documents and settings\Robert\Application Data\Malwarebytes
2009-01-10 20:00 . 2009-01-10 20:00 <DIR> d-------- c:\documents and settings\All Users\Application Data\Malwarebytes
2009-01-10 20:00 . 2009-01-04 18:38 38,496 --a------ c:\windows\system32\drivers\mbamswissarmy.sys
2009-01-10 20:00 . 2009-01-04 18:38 15,504 --a------ c:\windows\system32\drivers\mbam.sys
2009-01-07 16:53 . 2009-01-07 16:53 <DIR> d-------- c:\program files\Trend Micro
2008-12-28 10:57 . 2009-01-11 12:58 <DIR> d-------- c:\program files\ThreatFire
2008-12-28 10:57 . 2009-01-11 12:58 <DIR> d-a------ c:\documents and settings\All Users\Application Data\TEMP
2008-12-28 10:53 . 2008-12-28 10:53 <DIR> d-------- c:\documents and settings\Robert\Application Data\AdobeUM
2008-12-28 10:46 . 2008-12-28 10:46 <DIR> d-------- c:\program files\BillP Studios
2008-12-28 10:46 . 2008-12-28 10:46 <DIR> d-------- c:\documents and settings\Robert\Application Data\WinPatrol
2008-12-27 22:47 . 2008-12-28 10:30 <DIR> d-------- c:\windows\SxsCaPendDel

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-12-28 16:30 --------- d--h--w c:\program files\InstallShield Installation Information
2008-12-28 05:29 --------- d-----w c:\program files\ASUS
2008-12-28 04:47 --------- d-----w c:\program files\The Chronicles of Spellborn
2008-12-17 19:49 --------- d-----w c:\program files\World of Warcraft
2008-10-23 12:36 286,720 ----a-w c:\windows\system32\gdi32.dll
2008-10-16 20:13 202,776 ----a-w c:\windows\system32\wuweb.dll
2008-10-16 20:13 1,809,944 ----a-w c:\windows\system32\wuaueng.dll
2008-10-16 20:12 561,688 ----a-w c:\windows\system32\wuapi.dll
2008-10-16 20:12 323,608 ----a-w c:\windows\system32\wucltui.dll
2008-10-16 20:09 92,696 ----a-w c:\windows\system32\cdm.dll
2008-10-16 20:09 51,224 ----a-w c:\windows\system32\wuauclt.exe
2008-10-16 20:09 43,544 ----a-w c:\windows\system32\wups2.dll
2008-10-16 20:08 34,328 ----a-w c:\windows\system32\wups.dll
2008-10-16 01:00 666,112 ----a-w c:\windows\system32\wininet.dll
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of c:\windows\SxsCaPendDel ----



((((((((((((((((((((((((((((( snapshot@2009-01-11_13.00.36.21 )))))))))))))))))))))))))))))))))))))))))
.
+ 2009-01-11 19:04:54 884,736 ----a-w c:\windows\gmer.dll
+ 2008-04-18 03:13:02 811,008 ----a-r c:\windows\gmer.exe
+ 2008-11-26 17:21:30 1,236,208 ----a-w c:\windows\system32\aswBoot.exe
+ 2008-11-26 17:15:10 97,480 ----a-w c:\windows\system32\AvastSS.scr
+ 2008-11-26 17:15:35 26,944 ----a-w c:\windows\system32\drivers\aavmker4.sys
+ 2008-11-26 17:17:25 20,560 ----a-w c:\windows\system32\drivers\aswFsBlk.sys
+ 2008-11-26 17:18:25 93,296 ----a-w c:\windows\system32\drivers\aswmon.sys
+ 2008-11-26 17:18:18 94,032 ----a-w c:\windows\system32\drivers\aswmon2.sys
+ 2008-11-26 17:16:29 23,152 ----a-w c:\windows\system32\drivers\aswRdr.sys
+ 2008-11-26 17:17:36 111,184 ----a-w c:\windows\system32\drivers\aswSP.sys
+ 2008-11-26 17:16:38 50,864 ----a-w c:\windows\system32\drivers\aswTdi.sys
+ 2009-01-11 19:04:54 85,969 ----a-w c:\windows\system32\drivers\gmer.sys
+ 2009-01-11 19:26:35 16,384 ----atw c:\windows\temp\Perflib_Perfdata_604.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" [2006-11-10 90112]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-13 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-13 1695232]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="c:\program files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 144784]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2008-01-08 8523776]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-05-27 413696]
"NvMediaCenter"="c:\windows\system32\NvMcTray.dll" [2008-01-08 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2008-11-26 81000]
"nwiz"="nwiz.exe" [2008-01-08 c:\windows\system32\nwiz.exe]
"RTHDCPL"="RTHDCPL.EXE" [2007-04-12 c:\windows\RTHDCPL.exe]

c:\documents and settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - c:\program files\Microsoft Office\Office\OSA9.EXE [1999-02-17 65588]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"vidc.asv2"= asusasv2.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=

R1 aswSP;avast! Self Protection;c:\windows\system32\drivers\aswSP.sys [2009-01-11 111184]
R1 EIO_XP;EIO_XP;c:\windows\system32\drivers\EIO_XP.sys [2008-06-28 12288]
R4 aswFsBlk;aswFsBlk;c:\windows\system32\drivers\aswFsBlk.sys [2009-01-11 20560]
S1 ShldDrv;Panda File Shield Driver;c:\windows\system32\DRIVERS\ShlDrv51.sys --> c:\windows\system32\DRIVERS\ShlDrv51.sys [?]
S3 Video3D;ASUS Video3D Service;c:\windows\system32\Drivers\Video3D32.sys --> c:\windows\system32\Drivers\Video3D32.sys [?]
S4 PavProc;Panda Process Protection Driver;\??\c:\windows\system32\DRIVERS\PavProc.sys --> c:\windows\system32\DRIVERS\PavProc.sys [?]

--- Other Services/Drivers In Memory ---

*NewlyCreated* - AAVMKER4
*NewlyCreated* - ASWFSBLK
*NewlyCreated* - ASWMON2
*NewlyCreated* - ASWRDR
*NewlyCreated* - ASWSP
*NewlyCreated* - ASWTDI
*NewlyCreated* - ASWUPDSV
*NewlyCreated* - AVAST!_ANTIVIRUS
*NewlyCreated* - AVAST!_MAIL_SCANNER
*NewlyCreated* - AVAST!_WEB_SCANNER

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{a356b1f1-88f9-11dd-a02f-001fc6ab2ffd}]
\Shell\AutoRun\command - LinksysConnectPC.exe

[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\ccc-core-static]
msiexec /fums {A75BF1D0-C7C3-CB55-EE17-3225387FD154} /qb
.
Contents of the 'Scheduled Tasks' folder

2009-01-06 c:\windows\Tasks\AppleSoftwareUpdate.job
- c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-04-11 16:57]
.
.
------- Supplementary Scan -------
.
FF - ProfilePath - c:\documents and settings\Robert\Application Data\Mozilla\Firefox\Profiles\ubao93oa.default\
FF - prefs.js: browser.search.defaulturl - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
FF - prefs.js: keyword.URL - hxxp://search.yahoo.com/search?ei=UTF-8&fr=ytff-sunm&p=
.

**************************************************************************

catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-01-12 10:09:36
Windows 5.1.2600 Service Pack 3 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'winlogon.exe'(700)
c:\windows\system32\Ati2evxx.dll
.
Completion time: 2009-01-12 10:10:47
ComboFix-quarantined-files.txt 2009-01-12 16:10:29
ComboFix2.txt 2009-01-11 19:01:29

Pre-Run: 133,396,983,808 bytes free
Post-Run: 133,383,540,736 bytes free

221 --- E O F --- 2008-12-18 09:00:48


And, the new Hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:13:27 AM, on 1/12/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

--
End of file - 4306 bytes
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm

Re: Antivirus virus, help.

Unread postby Odd dude » January 12th, 2009, 12:52 pm

I see Avast now! :D

We're making tremendous progress. A few more checks will be needed, but the end looks near :)

Kaspersky Online Scan
I would like you to run an online antivirus scan. Please click HERE to be taken to the Kaspersky site.

  • The site will present you with a list of important items. Read those. If you're unsure about something, stop and ask! If you're sure everything is all right, close all other windows.
  • Now, click Accept.
  • It will start a download roughly 10 MB in size. If prompted by your firewall to allow internet access, allow.
  • Once the download has finished, click Next.
  • Under Please select a target to scan, choose My Computer
  • Get a cup of coffee and watch some TV. Do not run any other programs while Kaspersky is scanning! If you're on dial-up, you can now terminate the internet connection if you wish.
  • Once finished, you will be presented with the results. Click Save as text and save the log to your desktop.

Post the results in your next reply. Please include an uninstall list in your next reply. Instructions for making one were given in my first post.

So we're looking for:
- Kaspersky log
- Uninstall list

No need for a new HJT log... yet.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)

Re: Antivirus virus, help.

Unread postby Chaues » January 13th, 2009, 3:03 pm

Here we go OD,

The KasScan

KASPERSKY ONLINE SCANNER 7 REPORT
Tuesday, January 13, 2009
Operating System: Microsoft Windows XP Home Edition Service Pack 3 (build 2600)
Kaspersky Online Scanner 7 version: 7.0.25.0
Program database last update: Tuesday, January 13, 2009 06:15:04
Records in database: 1612568
Scan settings
Scan using the following database extended
Scan archives yes
Scan mail databases yes
Scan area My Computer
A:\
C:\
D:\
Scan statistics
Files scanned 46764
Threat name 6
Infected objects 10
Suspicious objects 0
Duration of the scan 00:44:37

File name Threat name Threats count
C:\Documents and Settings\Robert\My Documents\LimeWire\Saved\seether fallen.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ffkuz.dll.vir Infected: Trojan-Downloader.Win32.Murlo.vn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\k9261108.exe.vir Infected: Trojan-Dropper.Win32.Agent.adhp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mwlysywt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gad 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pcdsccpf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qmiiuf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan.Win32.Agent.bfsd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\utydkkxi.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\worpvv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpyqgq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gad 1
The selected area was scanned.


The uninstall list.


Adobe Reader 7.0
Apple Software Update
ATI - Software Uninstall Utility
ATI Catalyst Control Center
ATI Display Driver
ATI Parental Control & Encoder
avast! Antivirus
DivX Web Player
HijackThis 2.0.2
Hotfix for Windows XP (KB952287)
Java(TM) 6 Update 6
Malwarebytes' Anti-Malware
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1
Microsoft .NET Framework 1.1 Hotfix (KB928366)
Microsoft .NET Framework 2.0
Microsoft Compression Client Pack 1.0 for Windows XP
Microsoft Internationalized Domain Names Mitigation APIs
Microsoft National Language Support Downlevel APIs
Microsoft Office 2000 Disc 2
Microsoft Office 2000 Professional
Microsoft Silverlight
Microsoft User-Mode Driver Framework Feature Pack 1.0
Mozilla Firefox (3.0.5)
NVIDIA Drivers
QuickTime
QuickTime
REALTEK GbE & FE Ethernet PCI-E NIC Driver
Realtek High Definition Audio Driver
Security Update for Microsoft .NET Framework 2.0 (KB928365)
Security Update for Windows Media Player (KB952069)
Security Update for Windows Media Player 11 (KB954154)
Security Update for Windows Media Player 8 (KB917734)
Security Update for Windows XP (KB923789)
Security Update for Windows XP (KB938464)
Security Update for Windows XP (KB950762)
Security Update for Windows XP (KB950974)
Security Update for Windows XP (KB951066)
Security Update for Windows XP (KB951698)
Security Update for Windows XP (KB951748)
Security Update for Windows XP (KB952954)
Security Update for Windows XP (KB953155)
Security Update for Windows XP (KB953838)
Security Update for Windows XP (KB954211)
Security Update for Windows XP (KB954459)
Security Update for Windows XP (KB954600)
Security Update for Windows XP (KB955069)
Security Update for Windows XP (KB956390)
Security Update for Windows XP (KB956391)


The new Hijackthis.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:57 PM, on 1/13/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP3 (6.00.2900.5512)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\RTHDCPL.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe
C:\Program Files\Java\jre1.6.0_06\bin\jucheck.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [StartCCC] C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windows ... 1942519578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microso ... 1945223593
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Panda Process Protection Service (PavPrSrv) - Unknown owner - C:\Program Files\Common Files\Panda Software\PavShld\pavprsrv.exe (file missing)

--
End of file - 4278 bytes


:bounce:
Chaues
Active Member
 
Posts: 11
Joined: January 7th, 2009, 6:56 pm
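
Added example, not part of the post above and not Kaspersky's or ComboFix's own tooling. Nine of the ten hits in the report above are under C:\Qoobox\Quarantine, which is where ComboFix parks what it removes (the .vir suffix is its renaming), so they are inert copies rather than active infections; the one live hit is a LimeWire download. The script below splits a Kaspersky report along that line, recovers each quarantined file's original path, and checks it against the FILE :: list of the ComboFix run posted earlier in this thread, so you can tell which quarantine entries came from the last run and which from earlier ones. Detection lines are copied from the report above; the ComboFix deletion list is copied from the 2009-01-12 log.

```python
import re
from typing import Dict, Iterable, List

# The ten detection lines copied from the Kaspersky report in the post above.
KASPERSKY_REPORT = r"""
C:\Documents and Settings\Robert\My Documents\LimeWire\Saved\seether fallen.mp3 Infected: Trojan-Downloader.WMA.GetCodec.c 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\ffkuz.dll.vir Infected: Trojan-Downloader.Win32.Murlo.vn 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\k9261108.exe.vir Infected: Trojan-Dropper.Win32.Agent.adhp 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\mwlysywt.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gad 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\pcdsccpf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\qmiiuf.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\userinit.exe.vir Infected: Trojan.Win32.Agent.bfsd 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\utydkkxi.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\worpvv.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.fys 1
C:\Qoobox\Quarantine\C\WINDOWS\system32\wpyqgq.dll.vir Infected: not-a-virus:AdWare.Win32.SuperJuan.gad 1
"""

# Paths ComboFix reported removing in the 2009-01-12 run earlier in this
# thread (its FILE :: block). Files quarantined by earlier runs are not in
# this list and will therefore be reported as not from the last run.
COMBOFIX_DELETED = [
    r"c:\windows\system32\ffkuz.dll",
    r"c:\windows\system32\k9261108.exe",
    r"c:\windows\Tasks\qfpdvosu.job",
]

QUARANTINE_PREFIX = "C:\\Qoobox\\Quarantine\\"   # where ComboFix parks removed files

HIT_RE = re.compile(
    r"^(?P<path>.+?) (?P<verdict>Infected|Suspicious): (?P<threat>\S+) (?P<count>\d+)$"
)


def original_path(quarantined: str) -> str:
    # C:\Qoobox\Quarantine\C\WINDOWS\x.dll.vir  ->  C:\WINDOWS\x.dll
    rest = quarantined[len(QUARANTINE_PREFIX):]
    drive, _, tail = rest.partition("\\")
    if tail.lower().endswith(".vir"):
        tail = tail[:-4]
    return drive + ":\\" + tail


def triage_report(report: str, combofix_deleted: Iterable[str]) -> Dict[str, List[dict]]:
    deleted = {p.lower() for p in combofix_deleted}
    result: Dict[str, List[dict]] = {"live": [], "quarantined": []}
    for raw in report.splitlines():
        m = HIT_RE.match(raw.strip())
        if not m:
            continue
        path, threat = m.group("path"), m.group("threat")
        hit = {
            "path": path,
            "threat": threat,
            # Kaspersky's not-a-virus: prefix marks adware/riskware, not a trojan.
            "riskware": threat.startswith("not-a-virus:"),
        }
        if path.lower().startswith(QUARANTINE_PREFIX.lower()):
            hit["original"] = original_path(path)
            hit["from_last_combofix_run"] = hit["original"].lower() in deleted
            result["quarantined"].append(hit)
        else:
            result["live"].append(hit)
    return result


def distinct_threats(report: str) -> int:
    # Mirrors the "Threat name" count in the report header.
    names = set()
    for raw in report.splitlines():
        m = HIT_RE.match(raw.strip())
        if m:
            names.add(m.group("threat"))
    return len(names)


if __name__ == "__main__":
    r = triage_report(KASPERSKY_REPORT, COMBOFIX_DELETED)
    for h in r["live"]:
        print("LIVE      ", h["threat"], h["path"])
    for h in r["quarantined"]:
        print("QUARANTINE", h["threat"], h["original"],
              "(last run)" if h["from_last_combofix_run"] else "(earlier run)")
```

On this report the split is 1 live, 9 quarantined, of which ffkuz.dll and k9261108.exe trace back to the 2009-01-12 run and the other seven to earlier runs (the ComboFix2.txt the log mentions). The live hit is what matters for the next step: a media file flagged as WMA.GetCodec is one whose embedded codec-download URL points at an installer, and the helper's next script removes the whole LimeWire saved folder rather than just that file.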

Re: Antivirus virus, help.

Unread postby Odd dude » January 14th, 2009, 2:18 am

We'll be running ComboFix again, so let's disable Avast first.

Temporarily disable Avast
We need to temporarily disable Avast, so it won't interfere with what we need to do.

  • Right click the Avast tray icon and choose Stop on-access protection
  • Right click the tray icon again and click Program settings
  • On the left, click Troubleshooting
  • Check the box next to Disable avast! self-defense module
  • Click OK

Do not forget to reverse this process when I give the All Clean.

Run CFScript
Open notepad and copy/paste the following to it:

Code:
folder::
C:\Documents and Settings\Robert\My Documents\LimeWire
C:\Program Files\Common Files\Panda Software
Driver::
PavPrSrv


Save this to your desktop as "CFScript.txt".

Disconnect from the internet, disable your antimalware software like you did before, and drag CFScript into ComboFix.


ComboFix will run again, please be patient and post the log like usual.

Uninstall these programs by clicking Start>Control Panel>Software
Adobe Reader 7.0
Java(TM) 6 Update 6


  • Download and install the newest version of Adobe Reader from here.
  • Next, download and install the latest version of Java from here. The site is a bit confusing; this is what you should do:
    • Scroll down to where it says Java Runtime Environment (JRE) 6 Update 11.
    • Click the Download button to the right.
    • Choose the correct Platform. Also, check the box that says I agree to the Java SE Runtime Environment 6 License Agreement.
    • Now, click Continue.
    • Click on the filename under Windows Offline Installation and save it to your desktop.
    • Now, close all other windows. Including Internet Explorer.
    • You can now install Java by double-clicking the executable you just downloaded.

Post the log from ComboFix and a new hijackthis log.
Odd dude
Retired Graduate
 
Posts: 2819
Joined: May 18th, 2008, 11:16 am
Location: The Netherlands (GMT +1)