Can someone look over my HijackThis log for anything bad?

THANKS TO ANYONE WHO CAN HELP!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:53:17 AM, on 02/01/08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp .exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\PROGRA~1\Mozilla Firefox\firefox.exe
C:\WINDOWS\SYSTEM32\cidaemon.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Dan\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqo.exe
O1 - Hosts: 87.106.166.63 www.winmx.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [NvMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Creative WebCam Tray] C:\Program Files\Creative\PC-CAM Center\CAMTRAY.EXE
O4 - HKLM..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} (iSite 3D Renderer Class) - http://www.pc.gc.ca/apps/dci/source/bin/iS3DCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113352044749
O16 - DPF: {821C0E13-32A6-4D85-A62C-C85338C03299} - http://download2.nba.com/Cabs/NBA_1_0_0_2.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://download2.nba.com/Cabs/Entriq_3_6_0_15_Silent.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


End of file - 5775 bytes

SUPERANTISPYWARE SAYS I HAVE TROJAN.WINFIXER

Every time I tell it to remove it and reboot, it comes back. Help!

Try scans with these specialist tools:

http://www.malwarebytes.org/rogueremover.php
http://siri.geekstogo.com/SmitfraudFix.php

And a couple of general anti-spyware scanners:

AVG Anti-Spyware Free
Spybot Search & Destroy

Suggest installing/using a firewall. Windows firewall is better than none!
Comodo
Comodo ™ Free Firewall Software Download
ZoneAlarm
Download ZoneAlarm Free 7.0.462.0 from filehippo.com

Besides what has already been suggested, why don't you try this?

  1. Disable System Restore and reenable it after step 3.
  2. Clean your temporary files.
  3. Schedule a boot time scanning with avast with archive scanning turned on.
  4. Use SUPERAntiSpyware and/or Spyware Terminator to scan for spyware and trojans. If any infection is detected, it is better and safer to send the file to Quarantine than to simply delete it.
  5. Test your machine with anti-rootkit applications. I suggest AVG or Trend Micro RootkitBuster.
  6. Make a HijackThis log to post here or, better, submit the RunScanner log to on-line analysis.
  7. Immunize your system with SpywareBlaster or Windows Advanced Care.
  8. Check if you have insecure applications with Secunia Software Inspector.

Hi ltdanman44,

This should be fixed: O1 - Hosts: 87.106.166.63 www.winmx.com

Fire up HJT, tag it and click enter

But you also should run VundoFix against WinFixer:
VundoFix.exe is a removal tool developed to remove Virtumonde infections. To use the tool, follow the instructions below.

Please download VundoFix.exe to your desktop from: http://www.atribune.org/ccount/click.php?id=4

* Double-click VundoFix.exe to run it.
* When VundoFix re-opens, click the Scan for Vundo button.
* Once it's done scanning, click the Remove Vundo button.
* You will receive a prompt asking if you want to remove the files, click YES
* Once you click yes, your desktop will go blank as it starts removing Vundo.
* When completed, it will prompt that it will reboot your computer, click OK.

Note: It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from “Click the Scan for Vundo button.” when VundoFix appears at reboot.

After that, post the text file and a new HJT log here.

polonus

Tried all the above. All the programs/processes mentioned above successfully find the program; however, upon reboot it is still on my system. I'm at my wits' end here, thinking about wiping Windows with a fresh install. My system performance is falling off. My hard drive is constantly churning even with all programs shut down. lsass.exe in Processes is taking up most of my CPU time. Help!

No reformat yet

Download ComboFix from Here or Here to your Desktop.

* Double click combofix.exe and follow the prompts.
* When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

COMBOFIX DID IT!!! OMG!!!1 THANK YOU SO VERY MUCH!!! IM SO HAPPY!!!

It probably got some/most, but there is probably more left. You should do as essexboy asks and post the 2 logs he asked for. This way the remnants can be removed.

OK, here are the results of those 2 files you asked for… but everything seems OK. Let me know if I have to worry some more.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:56, on 2008-01-06
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\Program Files\Kontiki\KService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\PnkBstrA.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Dan\Desktop\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.fark.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapps.yahoo.com/customize/ie/defaults/su/ymsgr6/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapps.yahoo.com/customize/ie/defaults/sb/ymsgr6/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ie/defaults/sp/ymsgr6/*http://www.yahoo.com
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [nwiz] nwiz.exe /install
O4 - HKLM..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {1E3F888F-96D7-4A1B-8514-8991264E8B7D} (iSite 3D Renderer Class) - http://www.pc.gc.ca/apps/dci/source/bin/iS3DCtrl.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1113352044749
O16 - DPF: {821C0E13-32A6-4D85-A62C-C85338C03299} - http://download2.nba.com/Cabs/NBA_1_0_0_2.cab
O16 - DPF: {94B82441-A413-4E43-8422-D49930E69764} (TLIEFlashObj Class) - https://echat.us.dell.com/Media/VisitorChat/TLIEFlash.CAB
O16 - DPF: {CE7D2BF2-D173-4CE2-9DAF-15EA153B5B43} - http://download2.nba.com/Cabs/Entriq_3_6_0_15_Silent.cab
O16 - DPF: {E7DBFB6C-113A-47CF-B278-F5C6AF4DE1BD} - http://download.abacast.com/download/files/abasetup162.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: KService - Unknown owner - C:\Program Files\Kontiki\KService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe


End of file - 5120 bytes

ComboFix 08-01-04.1 - Dan 2008-01-06 3:57:00.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.609 [GMT -5:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
.
---- Previous Run -------
.
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\QdrDrive
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\WINDOWS\system32\oqtss.ini
C:\WINDOWS\system32\oqtss.ini2
C:\WINDOWS\system32\sstqo.dll
C:\WINDOWS\system32\sstqo.exe

"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe" moved to QooBox
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy .exe" replaces infected copy of "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
"C:\Program Files\Alwil Software\Avast4\ashDisp .exe" moved to QooBox
"C:\Program Files\Messenger\msmsgs .exe" moved to QooBox
"C:\Program Files\QuickTime\qttask      .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask     .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask    .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask   .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask  .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\QuickTime\qttask .exe" replaces infected copy of "C:\Program Files\QuickTime\qttask.exe"
"C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe" replaces infected copy of "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"
"C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe" moved to QooBox

.
.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 03:25 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-06 03:25 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-06 03:25 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-06 03:25 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-06 03:25 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 03:25 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-06 03:25 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-06 03:25 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-05 20:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 19:05 . 2008-01-05 19:05 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-03 19:30 . 2008-01-03 19:30 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-03 19:22 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-03 19:22 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-03 19:22 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-03 19:22 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-03 19:22 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-03 19:22 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-03 19:22 . 2008-01-03 19:24 2,654 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 19:20 . 2008-01-06 03:19 d-------- C:\Program Files\RogueRemover FREE
2008-01-03 17:43 . 2008-01-03 19:28 1,038,424 --ahs---- C:\WINDOWS\system32\wqupvamw.ini
2008-01-03 17:39 . 2008-01-03 17:39 1,038,364 --ahs---- C:\WINDOWS\system32\kywfdvxy.ini
2008-01-02 16:22 . 2008-01-06 03:52 d-------- C:\VundoFix Backups
2008-01-02 01:35 . 2008-01-02 01:35 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-01 17:21 . 2008-01-01 20:19 d-------- C:\Documents and Settings\Dan.housecall6.6
2008-01-01 15:11 . 2008-01-05 20:19 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-01 14:58 . 2008-01-01 14:58 d-------- C:\Documents and Settings\LocalService\Application Data\PIE Service
2007-12-31 07:04 . 2007-12-31 15:32 1,031,259 --ahs---- C:\WINDOWS\system32\xjsrmhgo.ini
2007-12-31 06:56 . 2007-12-31 06:56 1,031,139 --ahs---- C:\WINDOWS\system32\rhctrvsr.ini
2007-12-30 07:56 . 2008-01-06 03:33 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-30 07:56 . 2008-01-03 20:16 d-------- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2007-12-30 07:56 . 2007-12-30 07:56 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-30 07:15 . 2007-12-30 07:15 d-------- C:\Documents and Settings\Dan\Application Data\AdwareAlert
2007-12-30 07:11 . 2007-12-30 07:11 0 --ahs---- C:\Documents and Settings\Dan\Application Data\a455753f42bd9f9b59cd549609fa5bdde966ef01.dat
2007-12-30 07:04 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-18 16:34 . 2007-12-18 16:34 d-------- C:\Documents and Settings\Dan\Application Data\vlc
2007-12-10 16:02 . 2007-12-10 16:02 0 --a------ C:\WINDOWS\oodcnt.INI
2007-12-10 00:51 . 2007-12-15 11:50 d-------- C:\WINDOWS\system32\oodag
2007-12-09 17:58 . 2007-12-09 18:02 d-------- C:\Program Files\Common Files\Blizzard Entertainment

Rest of ComboFix… wouldn't fit in above post.

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 01:23 --------- d-----w C:\Program Files\QuickTime
2008-01-06 01:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 02:36 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-04 02:34 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-02 00:38 --------- d-----w C:\Program Files\UOAM
2008-01-01 20:13 --------- d-----w C:\Program Files\Google
2007-12-30 20:03 --------- d-----w C:\Program Files\Kontiki
2007-12-30 12:00 --------- d-----w C:\Program Files\Invoice by Click
2007-12-23 10:08 --------- d-----w C:\Documents and Settings\Dan\Application Data\MailWasherPro
2007-12-18 02:23 --------- d-----w C:\Documents and Settings\Dan\Application Data\SopCast
2007-12-15 16:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-09 01:03 --------- d-----w C:\Program Files\Razor
2007-12-03 23:18 --------- d-----w C:\Program Files\SopCast
2007-11-10 03:01 --------- d-----w C:\Program Files\EmpirePokerMaster
2003-12-31 23:56 271 --sh--w C:\Program Files\desktop.ini
2003-12-31 23:56 23,357 ---ha-w C:\Program Files\folder.htt
.

----a-w           132,496 2008-01-04 00:27:59  C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w           131,072 2008-01-04 00:27:56  C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2007-04-19 12:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-05 18:59 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe"
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-10 23:00:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2003-09-02 05:22]
S2 KYAKCCND;KYAKCCND;C:\WINDOWS\system32\kyakccnd.ncq
S3 adxapie;adxapie;C:\DOCUME~1\Dan\LOCALS~1\Temp\adxapie.sys
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys

Newly Created Service - ASWUPDSV
Newly Created Service - AVAST!_MAIL_SCANNER
Newly Created Service - AVAST!_WEB_SCANNER
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 08:00:02 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.ex
- C:\Program Files\AdwareAlert
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 04:00:52
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-06 4:01:42
ComboFix-quarantined-files.txt 2008-01-06 09:01:21
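As an added example (not code from this thread, from HijackThis or from ComboFix), the following Python script scans log lines of the shapes posted above and flags the entries the helpers keyed on: a space before the .exe extension (the "qttask .exe" look-alikes that ComboFix moved to QooBox or replaced), a win.ini load= autostart (the F3 line), a hosts-file redirect (the O1 line), and hidden+system .ini files with random names in system32 (the ones the later CFScript removes). The sample lines inside it are constructed after the entries on this page; the regexes and the "benign hosts target" list are my assumptions, not the tools' own logic.

```python
"""Flag persistence tricks visible in HijackThis / ComboFix logs.

Added example for this thread; not code from the forum or from HijackThis,
ComboFix or any other tool named in it.  The sample log lines below are
constructed from the kinds of entries posted on the page.
"""
import re
import sys

# A space before the extension ("qttask .exe") lets a look-alike binary sit
# beside the real one while an autorun entry points at the look-alike.
SPACE_BEFORE_EXT = re.compile(r"[^\s\\/]\s+\.(exe|dll|scr|com|sys)\b", re.IGNORECASE)

# HijackThis F3 entry: a win.ini "load=" line is a legacy autostart that
# legitimate software on XP almost never uses.
WININI_LOAD = re.compile(r"REG:win\.ini:\s*load=", re.IGNORECASE)

# HijackThis O1 entry: a hosts-file mapping.  Only loopback/null targets are
# treated as benign here (assumption for this example).
HOSTS_ENTRY = re.compile(r"^O1 - Hosts:\s+(\S+)\s+(\S+)")
BENIGN_HOSTS_TARGETS = {"127.0.0.1", "0.0.0.0", "::1"}

# ComboFix "Files Created" line: two timestamps, size, 9-char attributes, path.
COMBOFIX_FILE = re.compile(
    r"^\d{4}-\d\d-\d\d \d\d:\d\d \. \d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+"
    r"(?P<attrs>[-a-z]{9})\s+(?P<path>[A-Za-z]:\\.+)$"
)
INI_IN_SYSTEM32 = re.compile(r"\\system32\\[^\\]+\.ini\d*$", re.IGNORECASE)


def line_findings(line):
    """Return human-readable reasons why this single log line deserves a look."""
    line = line.strip()
    reasons = []
    if WININI_LOAD.search(line):
        reasons.append("win.ini load= autostart")
    m = HOSTS_ENTRY.match(line)
    if m and m.group(1) not in BENIGN_HOSTS_TARGETS:
        reasons.append(f"hosts file redirects {m.group(2)} to {m.group(1)}")
    if SPACE_BEFORE_EXT.search(line):
        reasons.append("whitespace before file extension (look-alike binary)")
    m = COMBOFIX_FILE.match(line)
    if m:
        attrs, path = m.group("attrs"), m.group("path")
        # "h" and "s" in the attribute string = hidden + system, as on --ahs----
        if "h" in attrs and "s" in attrs and INI_IN_SYSTEM32.search(path):
            reasons.append("hidden+system .ini dropped in system32")
    return reasons


def scan_log(text):
    """Scan a whole log; returns (line_number, reason, line) triples."""
    findings = []
    for number, line in enumerate(text.splitlines(), start=1):
        for reason in line_findings(line):
            findings.append((number, reason, line.strip()))
    return findings


# Constructed sample: entry shapes from this thread, with benign lines mixed in.
SAMPLE_LOG = r"""F3 - REG:win.ini: load=C:\WINDOWS\system32\sstqo.exe
O1 - Hosts: 87.106.166.63 www.winmx.com
O1 - Hosts: 127.0.0.1 localhost
O4 - HKLM..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
2008-01-03 17:43 . 2008-01-03 19:28 1,038,424 --ahs---- C:\WINDOWS\system32\wqupvamw.ini
2008-01-06 03:25 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    for number, reason, line in scan_log(text):
        print(f"line {number}: {reason}\n    {line}")
```

Run it with a saved log's path as the only argument, or with no argument to scan the built-in sample. A hit is a reason to look closer, not a verdict: the attribute and name heuristics will also fire on some legitimate files, so compare each flagged path against what is actually installed before acting on it.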

Yes, there is a bit more to do. Do not reboot your computer or open any new programs. In the fix that will follow, ComboFix may ask for a reboot; that's OK, let it. Be back soon.

What? I don't understand.

If you reboot before all the files are removed, the infection may start all over.

If combofix needs to reboot, let it.

Start with this:

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt”. Using your left mouse button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

File::
C:\WINDOWS\system32\wqupvamw.ini
C:\WINDOWS\system32\kywfdvxy.ini
C:\WINDOWS\system32\xjsrmhgo.ini
C:\WINDOWS\system32\rhctrvsr.ini

RENV::
C:\Program Files\Alwil Software\Avast4\ashDisp .exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager .exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray .exe

This will start ComboFix again. Close all browsers/windows first. After reboot (in case it asks to reboot), post the contents of ComboFix.txt in your next reply together with a new HJT log.

EDIT: Oops, did not see oldman's reply. Continue with his fix.

Result of renv.exe log:


Ran on 06/01/08 - 14:28:51.90

 Entries:                0  (0)
 Directories:            0  Files:             0
 Bytes:                  0  Blocks:            0

Result of ComboFix.exe:

ComboFix 08-01-04.1 - Dan 2008-01-06 14:33:23.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.687 [GMT -5:00]
Running from: C:\Documents and Settings\Dan\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Dan\Desktop\cfscript.txt

* Created a new restore point

FILE
C:\WINDOWS\system32\kywfdvxy.ini
C:\WINDOWS\system32\rhctrvsr.ini
C:\WINDOWS\system32\wqupvamw.ini
C:\WINDOWS\system32\xjsrmhgo.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\kywfdvxy.ini
C:\WINDOWS\system32\rhctrvsr.ini
C:\WINDOWS\system32\wqupvamw.ini
C:\WINDOWS\system32\xjsrmhgo.ini

.
((((((((((((((((((((((((( Files Created from 2007-12-06 to 2008-01-06 )))))))))))))))))))))))))))))))
.

2008-01-06 03:25 . 2007-12-04 08:04 837,496 --a------ C:\WINDOWS\system32\aswBoot.exe
2008-01-06 03:25 . 2004-01-09 04:13 380,928 --a------ C:\WINDOWS\system32\actskin4.ocx
2008-01-06 03:25 . 2007-12-04 07:54 95,608 --a------ C:\WINDOWS\system32\AvastSS.scr
2008-01-06 03:25 . 2007-12-04 09:55 94,544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2008-01-06 03:25 . 2007-12-04 09:56 93,264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2008-01-06 03:25 . 2007-12-04 09:51 42,912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2008-01-06 03:25 . 2007-12-04 09:49 26,624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2008-01-06 03:25 . 2007-12-04 09:53 23,152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2008-01-05 20:10 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
2008-01-05 19:05 . 2008-01-05 19:05 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-01-03 19:30 . 2008-01-03 19:30 d-------- C:\Documents and Settings\All Users\Application Data\Grisoft
2008-01-03 19:22 . 2007-09-05 23:22 289,144 --a------ C:\WINDOWS\system32\VCCLSID.exe
2008-01-03 19:22 . 2006-04-27 16:49 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2008-01-03 19:22 . 2007-12-20 23:11 81,920 --a------ C:\WINDOWS\system32\IEDFix.exe
2008-01-03 19:22 . 2003-06-05 20:13 53,248 --a------ C:\WINDOWS\system32\Process.exe
2008-01-03 19:22 . 2004-07-31 17:50 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2008-01-03 19:22 . 2007-10-03 23:36 25,600 --a------ C:\WINDOWS\system32\WS2Fix.exe
2008-01-03 19:22 . 2008-01-03 19:24 2,654 --a------ C:\WINDOWS\system32\tmp.reg
2008-01-03 19:20 . 2008-01-06 03:19 d-------- C:\Program Files\RogueRemover FREE
2008-01-02 16:22 . 2008-01-06 03:52 d-------- C:\VundoFix Backups
2008-01-02 01:35 . 2008-01-02 01:35 d-------- C:\Documents and Settings\Administrator\Application Data\SUPERAntiSpyware.com
2008-01-01 17:21 . 2008-01-01 20:19 d-------- C:\Documents and Settings\Dan.housecall6.6
2008-01-01 15:11 . 2008-01-05 20:19 d-------- C:\Documents and Settings\All Users\Application Data\Google Updater
2008-01-01 14:58 . 2008-01-01 14:58 d-------- C:\Documents and Settings\LocalService\Application Data\PIE Service
2007-12-30 07:56 . 2008-01-06 14:33 d-------- C:\Program Files\SUPERAntiSpyware
2007-12-30 07:56 . 2008-01-03 20:16 d-------- C:\Documents and Settings\Dan\Application Data\SUPERAntiSpyware.com
2007-12-30 07:56 . 2007-12-30 07:56 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2007-12-30 07:15 . 2007-12-30 07:15 d-------- C:\Documents and Settings\Dan\Application Data\AdwareAlert
2007-12-30 07:11 . 2007-12-30 07:11 0 --ahs---- C:\Documents and Settings\Dan\Application Data\a455753f42bd9f9b59cd549609fa5bdde966ef01.dat
2007-12-30 07:04 . 2005-09-23 08:29 626,688 --a------ C:\WINDOWS\system32\msvcr80.dll
2007-12-18 16:34 . 2007-12-18 16:34 d-------- C:\Documents and Settings\Dan\Application Data\vlc
2007-12-10 16:02 . 2007-12-10 16:02 0 --a------ C:\WINDOWS\oodcnt.INI
2007-12-10 00:51 . 2007-12-15 11:50 d-------- C:\WINDOWS\system32\oodag
2007-12-09 17:58 . 2007-12-09 18:02 d-------- C:\Program Files\Common Files\Blizzard Entertainment

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-06 09:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\WinZip
2008-01-06 01:23 --------- d-----w C:\Program Files\QuickTime
2008-01-06 01:10 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-01-04 02:36 22,328 ----a-w C:\WINDOWS\system32\drivers\PnkBstrK.sys
2008-01-04 02:34 107,832 ----a-w C:\WINDOWS\system32\PnkBstrB.exe
2008-01-02 00:38 --------- d-----w C:\Program Files\UOAM
2008-01-01 20:13 --------- d-----w C:\Program Files\Google
2007-12-30 20:03 --------- d-----w C:\Program Files\Kontiki
2007-12-30 12:00 --------- d-----w C:\Program Files\Invoice by Click
2007-12-23 10:08 --------- d-----w C:\Documents and Settings\Dan\Application Data\MailWasherPro
2007-12-18 02:23 --------- d-----w C:\Documents and Settings\Dan\Application Data\SopCast
2007-12-15 16:27 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-12-09 01:03 --------- d-----w C:\Program Files\Razor
2007-12-03 23:18 --------- d-----w C:\Program Files\SopCast
2007-11-10 03:01 --------- d-----w C:\Program Files\EmpirePokerMaster
2003-12-31 23:56 271 --sh--w C:\Program Files\desktop.ini
2003-12-31 23:56 23,357 ---ha-w C:\Program Files\folder.htt
.

((((((((((((((((((((((((((((( snapshot@2008-01-06_ 4.01.02.50 )))))))))))))))))))))))))))))))))))))))))
.

+ 2008-01-06 08:27:41 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_5fc.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Steam"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2006-10-22 12:22 7700480]
"nwiz"="nwiz.exe" [2007-04-19 12:26 1626112 C:\WINDOWS\system32\nwiz.exe]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2008-01-05 18:59 57344]
"QuickTime Task"="C:\Program Files\QuickTime\qttask .exe"
"Logitech Utility"="Logi_MwX.Exe" [2003-12-17 09:50 19968 C:\WINDOWS\LOGI_MWX.EXE]
"NvMediaCenter"="NvMCTray.dll" [2006-10-22 12:22 86016 C:\WINDOWS\system32\nvmctray.dll]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-12-04 08:00 79224]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Office Startup.lnk - C:\Program Files\Microsoft Office\Office\OSA.EXE [1997-07-10 23:00:00]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

R3 GETNDIS;VIA Networking Velocity Family Giga-bit Ethernet Adapter Driver;C:\WINDOWS\system32\DRIVERS\getnd5b.sys [2003-09-02 05:22]
S2 KYAKCCND;KYAKCCND;C:\WINDOWS\system32\kyakccnd.ncq
S3 adxapie;adxapie;C:\DOCUME~1\Dan\LOCALS~1\Temp\adxapie.sys
S3 Memctl;Memctl;C:\Program Files\ABIT\FlashMenu\Memctl.sys

Newly Created Service - ASWUPDSV
Newly Created Service - AVAST!_MAIL_SCANNER
Newly Created Service - AVAST!_WEB_SCANNER
.
Contents of the 'Scheduled Tasks' folder
"2008-01-06 08:00:02 C:\WINDOWS\Tasks\AdwareAlert Scheduled Scan.job"
- C:\Program Files\AdwareAlert\AdwareAlert.exe
- C:\Program Files\AdwareAlert
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-06 14:35:10
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
Completion time: 2008-01-06 14:36:08
ComboFix-quarantined-files.txt 2008-01-06 19:35:39
ComboFix2.txt 2008-01-06 09:01:43

Am I safe now?? Thank you for all your help, guys, I really appreciate it.

The combofix log looks good. I need a HJT log.