Can't delete awtqo.dll or wvutqrr.dll

I was wondering if someone could help me. My avast antivirus keeps popping up with boxes every few seconds titled SUSPICIOUS MESSAGE! (There are too many identical e-mails in appointed time), which include several email addresses with crude sentences - it's even taking ages for me to type this message due to all the pop-ups lol! This has happened ever since my son had a box pop up last night saying “Trojan Detected” and we moved it to the chest.

I’ve run the virus check and it didn’t find anything. I then ran SECURITY TASK MANAGER and it came up with awtqo.dll and wvutqrr.dll, but it wouldn’t let me delete them unless I bought the program.

I then went to where these files were on my PC (in system32) and again it wouldn’t let me delete them, as they were being used by another program.

Any ideas on how to get rid of them? Thanks in advance.


It appears to me that you have 2 trojan infections.

awtqo.dll = a possible Vundo infection
wvutqrr.dll = a possible Zlob infection

I do not know enough to help you but I am sure someone will help you as soon as they can. In the meantime, you might want to go to www.filehippo.com/download_hijackthis to download the HijackThis program. Run the program and post the resulting log here in this thread. It will probably take more than one post in order to get it all posted.


Both are Vundo/TratBHO related, I guess :wink:

Correct, you have multiple infections… If you could post a HijackThis log I will see how to proceed from there.

Hi Charley O, thanks for the response. I hope someone can help me solve this problem as it’s driving me nuts! It’s completely corrupted my broadband connection; I’m having to use a slow dial-up, and it won’t let me reinstall broadband, it keeps coming up with errors!

I downloaded the Hijack thing and below is the log:

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 21:08:19, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\MJH\Desktop\HIJACKTHIS.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3061211
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3061211
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3061211
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.2.0.0\EasyGifAnimator_Toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe”
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM..\Run: [ccApp] “C:\Program Files\Common Files\Symantec Shared\ccApp.exe”
O4 - HKLM..\Run: [Norton Ghost 10.0] “C:\Program Files\Norton Ghost\Agent\GhostTray.exe”
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe

TO BE CONTINUED…

O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM..\Run: [iTunesHelper] “C:\Program Files\iTunes\iTunesHelper.exe”
O4 - HKLM..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [IntelliPoint] “C:\Program Files\Microsoft IntelliPoint\ipoint.exe”
O4 - HKCU..\Run: [DellSupport] “C:\Program Files\Dell Support\DSAgnt.exe” /startup
O4 - HKCU..\Run: [msnmsgr] “C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe” /background
O4 - HKCU..\Run: [Yahoo! Pager] “C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE” -quiet
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘SYSTEM’)
O4 - HKUS\S-1-5-18..\Run: [DWQueuedReporting] “C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” -t (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User ‘Default user’)
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm099YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172838573984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172838565328
O16 - DPF: {FFC0A381-8145-4CFD-A768-A2259776C179} (PTV xVectorMap Plugin 3.1) - http://xvectormap.ptv.de/xvectormap/PTVxVectorMap31.cab
O17 - HKLM\System\CCS\Services\Tcpip..{BA9CD029-6846-42EA-B220-8110D28192A6}: NameServer = 213.130.128.32 213.130.128.33
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0225721174147521) (0225721174147521mcinstcleanup) - Unknown owner - C:\DOCUME~1\Laura\LOCALS~1\Temp\022572~1.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


End of file - 11479 bytes
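The log above is what a helper reads through by hand, looking for the same handful of patterns every time. As an added example that is not part of this thread, of HijackThis, or of the helpers' own tooling, the Python below applies that first pass to HijackThis-style lines: entries whose target file is missing, BHOs/toolbars/autoruns given as a bare filename rather than a full path (resolved through the search path, which is how a same-name DLL in system32 gets loaded), O16 ActiveX downloads from hosts other than an assumed allowlist, O17 NameServer overrides to check against the ISP, services whose binary lives under a Temp directory, and the MyWebSearch/FunWebProducts adware names that appear in the log. The sample input is a constructed subset copied in the shape of the logs in this thread; the trusted-host list and adware markers are assumptions. A hit means "review this", not "malicious" (stsystra.exe, for instance, is flagged only because it is an autorun by bare name).

```python
import re
from collections import namedtuple

Finding = namedtuple("Finding", "section reason line")

ENTRY_RE = re.compile(r"^(?P<section>[RO]\d+) - (?P<body>.*)$")
MISSING_RE = re.compile(r"\s*\((?:no file|file missing)\)$")
URL_RE = re.compile(r"https?://([^/\s]+)")
IP_RE = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

# Assumptions for this example, not facts from the thread: hosts that may legitimately
# serve ActiveX controls (O16) on this machine, and adware product names seen in the log.
TRUSTED_DPF_HOSTS = {"update.microsoft.com", "www.kaspersky.com"}
ADWARE_MARKERS = ("mywebsearch", "funwebproducts")

# Constructed sample: entries copied in the shape of the HijackThis logs in this thread.
SAMPLE_HJT = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - btask.dll (file missing)
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm099YYGB
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172838573984
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA9CD029-6846-42EA-B220-8110D28192A6}: NameServer = 213.130.128.32 213.130.128.33
O23 - Service: McAfee Application Installer Cleanup (0225721174147521) (0225721174147521mcinstcleanup) - Unknown owner - C:\DOCUME~1\Laura\LOCALS~1\Temp\022572~1.EXE (file missing)
"""


def _target(body):
    """Last ' - ' separated field of an entry, with any '(file missing)' suffix removed."""
    return MISSING_RE.sub("", body.rsplit(" - ", 1)[-1]).strip()


def _is_bare(path):
    """True when a target is a bare filename: no drive letter and no directory separator."""
    return bool(path) and "\\" not in path and ":" not in path and not path.startswith("(")


def triage(log_text):
    """Run the first-pass checks over HijackThis lines and return Finding tuples."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue
        section, body = m.group("section"), m.group("body")
        low = line.lower()

        if MISSING_RE.search(body):
            findings.append(Finding(section, "orphaned entry (target file missing)", line))

        if section in ("O2", "O3") and _is_bare(_target(body)):
            findings.append(Finding(section, "BHO/toolbar loaded by bare filename", line))

        if section == "O4" and "] " in body:
            rest = body.split("] ", 1)[1].split()      # "[Name] target args"
            if rest and _is_bare(rest[0].strip('"')):
                findings.append(Finding(section, f"autorun by bare filename: {rest[0]}", line))

        if section == "O16":
            host = URL_RE.search(body)
            if host and host.group(1).lower() not in TRUSTED_DPF_HOSTS:
                findings.append(Finding(section, f"ActiveX download from {host.group(1)}", line))

        if section == "O17":
            findings.append(Finding(section, "DNS servers overridden: " + " ".join(IP_RE.findall(body)), line))

        if section == "O23" and "\\temp\\" in low:
            findings.append(Finding(section, "service binary under a Temp directory", line))

        if any(marker in low for marker in ADWARE_MARKERS):
            findings.append(Finding(section, "known adware marker", line))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_HJT):
        print(f"{f.section:<4} {f.reason}\n     {f.line}")
```

Run against the full log, the O17 line is the one to resolve first: if the two NameServer addresses are not the ISP's, every lookup the machine makes is being redirected, which would also explain the broken broadband reinstall. The other hits are ordinary cleanup candidates until a file is actually found on disk and identified.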

OK, it is hiding.

You may have some infections that target HijackThis.
I will need you to rename HijackThis:
To do this:

*Go to Start
*Right click and choose Explore
*Navigate to this location C:\Program Files\TrendMicro\Hijackthis
*Open the Hijackthis folder
*Right click on the Hijackthis icon and click rename
*rename it to Gotcha

THEN

Download ComboFix from Here or Here to your Desktop.

*Double click combofix.exe and follow the prompts.
*When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running; that may cause it to stall.

Hi essexboy, thanks for your help so far :slight_smile:

I’ve renamed HijackThis and the following is the ComboFix log and another HijackThis log; I hope you can help:

COMBOFIX LOG:

ComboFix 08-02.05.3 - MJH 2008-02-07 22:21:11.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.473 [GMT 0:00]
Running from: C:\Documents and Settings\MJH\Desktop\ComboFix.exe

  • Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\awtqo.dll
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat
C:\Program Files\FunWebProducts
C:\Program Files\Helper
C:\Program Files\Helper\1202348676.dll
C:\Program Files\Helper\1202348677.dll
C:\Program Files\MyWebSearch
C:\Program Files\MyWebSearch\bar\History\search2
C:\Program Files\MyWebSearch\bar\Settings\s_pid.dat
C:\Program Files\MyWebSearch\bar\Settings\setting2.htm
C:\Program Files\MyWebSearch\bar\Settings\settings.dat
C:\WINDOWS\Fonts\acrsecB.fon
C:\WINDOWS\Fonts\acrsecI.fon
C:\WINDOWS\system32\alog.txt
C:\WINDOWS\system32\awtqo.dll
C:\WINDOWS\system32\conf.dat
C:\WINDOWS\system32\fo-remove.exe
C:\WINDOWS\system32\oqtwa.ini
C:\WINDOWS\system32\oqtwa.ini2
C:\WINDOWS\system32\UpMedia

----- BITS: Possible infected sites -----

hxxp://www.download.windowsupdate.com

.
((((((((((((((((((((((((( Files Created from 2008-01-07 to 2008-02-07 )))))))))))))))))))))))))))))))
.

2008-02-07 20:34 . 2008-02-07 20:34 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-02-07 20:34 . 2008-02-07 20:34 d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2008-02-07 16:53 . 2008-02-07 20:47 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-07 16:53 . 2008-02-07 16:53 d-------- C:\Documents and Settings\MJH\Application Data\SUPERAntiSpyware.com
2008-02-07 13:57 . 2008-02-07 20:34 d-------- C:\Documents and Settings\All Users\Application Data\SecTaskMan
2008-02-07 13:56 . 2008-02-07 20:34 d-------- C:\Program Files\Security Task Manager
2008-02-07 13:22 . 2008-02-07 13:22 d-------- C:\WINDOWS\system32\Kaspersky Lab
2008-02-07 12:48 . 2008-02-07 12:48 268 --ah----- C:\sqmdata15.sqm
2008-02-07 12:48 . 2008-02-07 12:48 244 --ah----- C:\sqmnoopt15.sqm
2008-02-07 02:03 . 2008-02-07 02:03 268 --ah----- C:\sqmdata14.sqm
2008-02-07 02:03 . 2008-02-07 02:03 244 --ah----- C:\sqmnoopt14.sqm
2008-02-07 01:51 . 2008-02-07 01:51 100,928 --a------ C:\WINDOWS\system32\gldginvf.exe
2008-02-07 01:51 . 2008-02-07 01:51 1 --a------ C:\WINDOWS\system32\rc.dat
2008-02-07 01:51 . 2008-02-07 01:51 1 --a------ C:\WINDOWS\system32\ps1.dat
2008-02-07 01:51 . 2008-02-07 01:51 1 --a------ C:\WINDOWS\system32\cs.dat
2008-02-07 01:44 . 2008-02-07 01:44 58,368 --a------ C:\wpohl.exe
2008-02-07 01:44 . 2008-02-07 01:44 54,764 --a------ C:\WINDOWS\system32\jnhjkfrn
2008-02-07 01:44 . 2008-02-07 01:44 53,760 --a------ C:\WINDOWS\system32\btask.dll
2008-02-07 01:44 . 2008-02-07 01:44 3,584 --a------ C:\qrwkjyd.exe
2008-02-07 01:44 . 2008-02-07 01:44 2 --a------ C:\1420336327
2008-02-06 20:45 . 2008-02-06 20:45 268 --ah----- C:\sqmdata13.sqm
2008-02-06 20:45 . 2008-02-06 20:45 244 --ah----- C:\sqmnoopt13.sqm
2008-02-06 17:55 . 2008-02-06 17:55 268 --ah----- C:\sqmdata12.sqm
2008-02-06 17:55 . 2008-02-06 17:55 244 --ah----- C:\sqmnoopt12.sqm
2008-02-06 17:21 . 2008-02-06 17:21 268 --ah----- C:\sqmdata11.sqm
2008-02-06 17:21 . 2008-02-06 17:21 244 --ah----- C:\sqmnoopt11.sqm
2008-02-06 13:07 . 2008-02-06 13:07 268 --ah----- C:\sqmdata10.sqm
2008-02-06 13:07 . 2008-02-06 13:07 244 --ah----- C:\sqmnoopt10.sqm
2008-02-05 15:11 . 2008-02-05 15:11 244 --ah----- C:\sqmnoopt09.sqm
2008-02-05 15:11 . 2008-02-05 15:11 232 --ah----- C:\sqmdata09.sqm
2008-02-05 14:57 . 2008-02-05 14:57 244 --ah----- C:\sqmnoopt08.sqm
2008-02-05 14:57 . 2008-02-05 14:57 232 --ah----- C:\sqmdata08.sqm
2008-02-03 16:52 . 2008-02-03 16:52 d-------- C:\Program Files\Common Files\DirectX
2008-02-03 16:52 . 2008-02-03 16:52 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-02-03 16:48 . 2008-02-03 16:48 d-------- C:\Program Files\Codemasters
2008-01-31 23:26 . 2008-01-31 23:26 268 --ah----- C:\sqmdata07.sqm
2008-01-31 23:26 . 2008-01-31 23:26 244 --ah----- C:\sqmnoopt07.sqm
2008-01-31 21:32 . 2008-01-31 21:32 d-------- C:\Documents and Settings\MJH\Contacts
2008-01-31 21:26 . 2008-01-31 21:31 d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2008-01-31 21:25 . 2008-01-31 21:31 d-------- C:\Program Files\Windows Live
2008-01-31 21:25 . 2008-01-31 21:25 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-01-24 19:30 . 2008-01-24 19:30 d-------- C:\Documents and Settings\All Users\Application Data\Dell
2008-01-22 12:27 . 2008-01-22 12:27 d-------- C:\Program Files\Kazaa
2008-01-18 17:43 . 2008-01-18 17:43 d-------- C:\Program Files\Participatory Culture Foundation
2008-01-18 17:43 . 2008-01-18 17:43 d-------- C:\Documents and Settings\All Users\Application Data\Participatory Culture Foundation
2008-01-14 19:23 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-01-14 19:23 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\dllcache\sonypvu1.sys
2008-01-09 11:18 . 2008-01-09 11:18 3,596,288 --a------ C:\WINDOWS\system32\qt-dx331.dll
2008-01-09 11:18 . 2008-01-09 11:18 1,044,480 --a------ C:\WINDOWS\system32\libdivx.dll
2008-01-09 11:18 . 2008-01-09 11:18 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
2008-01-09 11:18 . 2008-01-09 11:18 200,704 --a------ C:\WINDOWS\system32\ssldivx.dll
2008-01-09 11:18 . 2008-01-09 11:18 4,816 --a------ C:\WINDOWS\system32\divxsm.tlb
2008-01-09 11:16 . 2008-01-09 11:16 823,296 --a------ C:\WINDOWS\system32\divx_xx0c.dll
2008-01-09 11:16 . 2008-01-09 11:16 823,296 --a------ C:\WINDOWS\system32\divx_xx07.dll
2008-01-09 11:16 . 2008-01-09 11:16 802,816 --a------ C:\WINDOWS\system32\divx_xx11.dll
2008-01-09 11:16 . 2008-01-09 11:16 682,496 --a------ C:\WINDOWS\system32\DivX.dll
2008-01-09 11:16 . 2008-01-09 11:16 196,608 --a------ C:\WINDOWS\system32\dtu100.dll
2008-01-09 11:16 . 2008-01-09 11:16 81,920 --a------ C:\WINDOWS\system32\dpl100.dll
2008-01-09 11:16 . 2008-01-09 11:16 416 --a------ C:\WINDOWS\system32\dtu100.dll.manifest
2008-01-09 11:16 . 2008-01-09 11:16 416 --a------ C:\WINDOWS\system32\dpl100.dll.manifest

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-02-07 20:22 --------- d-----w C:\Program Files\BT Voyager 100 ADSL Modem
2008-02-07 16:53 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-01-31 16:17 --------- d-----w C:\Documents and Settings\MJH\Application Data\Corel
2008-01-24 10:51 --------- d-----w C:\Program Files\DivX
2007-12-11 19:02 --------- d-----w C:\Program Files\Replay Converter
2007-12-11 19:00 737,280 ----a-w C:\WINDOWS\iun6002.exe
2007-03-13 03:28 56 --sh--r C:\WINDOWS\system32\A9A7D86422.sys
2007-03-09 08:12 27,648 --sha-w C:\WINDOWS\system32\AVSredirect.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
Note empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E1290342-AAFF-4f7c-9F45-D665E4BF1A00}]

TO BE CONTINUED…

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“DellSupport”=“C:\Program Files\Dell Support\DSAgnt.exe” [2006-08-28 21:57 395776]
“msnmsgr”=“C:\Program Files\Windows Live\Messenger\MsnMsgr.exe” [2007-10-18 11:34 5724184]
“Yahoo! Pager”=“C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.exe” [2007-03-01 18:11 4670968]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-10 05:00 15360]
“kdx”=“C:\Program Files\Kontiki\KHost.exe”
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-07-25 14:02 68856]
“SUPERAntiSpyware”=“C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe” [2007-06-21 14:06 1318912]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ehTray”=“C:\WINDOWS\ehome\ehtray.exe” [2005-09-29 14:01 67584]
“NvCplDaemon”=“C:\WINDOWS\system32\NvCpl.dll” [2006-06-16 08:39 7323648]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe” [2007-03-14 02:43 83608]
“SigmatelSysTrayApp”=“stsystra.exe” [2006-07-24 10:20 282624 C:\WINDOWS\stsystra.exe]
“IAAnotif”=“C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe” [2006-07-06 07:15 151552]
“DMXLauncher”=“C:\Program Files\Dell\Media Experience\DMXLauncher.exe”
“ccApp”=“C:\Program Files\Common Files\Symantec Shared\ccApp.exe” [2004-12-13 15:30 58992]
“Norton Ghost 10.0”=“C:\Program Files\Norton Ghost\Agent\GhostTray.exe” [2005-12-07 16:05 1537696]
“ISUSPM Startup”=“C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe” [2004-07-27 16:50 221184]
“ISUSScheduler”=“C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” [2004-07-27 16:50 81920]
“GSICONEXE”=“gsicon.exe” [2003-05-14 20:25 90112 C:\WINDOWS\system32\gsicon.exe]
“DSLAGENTEXE”=“dslagent.exe”
“Corel Photo Downloader”=“C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe” [2006-08-14 14:20 462336]
“HPDJ Taskbar Utility”=“C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe” [2002-12-24 02:33 188416]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 13:00 79224]
“UVS10 Preload”=“C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe” [2006-03-07 00:52 36864]
“iTunesHelper”=“C:\Program Files\iTunes\iTunesHelper.exe” [2007-04-27 10:25 257088]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-10-10 19:51 39792]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-06-29 05:24 286720]
“TkBellExe”=“C:\Program Files\Common Files\Real\Update_OB\realsched.exe” [2007-09-14 17:48 185632]
“IntelliPoint”=“C:\Program Files\Microsoft IntelliPoint\ipoint.exe” [2007-02-05 23:52 849280]

[HKEY_USERS.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
“CTFMON.EXE”=“C:\WINDOWS\system32\CTFMON.EXE” [2004-08-10 05:00 15360]
“DWQueuedReporting”=“C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe” [2005-04-25 13:45 36040]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Adobe Gamma Loader.lnk - C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2007-03-14 03:01:56 113664]
Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2006-12-11 23:17:37 24576]
Service Manager.lnk - C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe [2005-05-03 22:07:32 81920]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
“InstallVisualStyle”= C:\WINDOWS\Resources\Themes\Royale\Royale.msstyles
“InstallTheme”= C:\WINDOWS\Resources\Themes\Royale.theme

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
“{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}”= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

S2 0225721174147521mcinstcleanup;McAfee Application Installer Cleanup (0225721174147521);C:\DOCUME~1\Laura\LOCALS~1\Temp\022572~1.EXE C:\PROGRA~1\COMMON~1\McAfee\INSTAL~1\cleanup.ini -cleanup -nolog
S3 NAL;Nal Service ;C:\WINDOWS\system32\Drivers\iqvw32.sys [2006-06-05 03:39]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe

.
Contents of the 'Scheduled Tasks' folder
"2007-08-27 14:47:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-03-18 16:57:15 C:\WINDOWS\Tasks\MP Scheduled Quick Scan.job"
- C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MpCmdRun.exe%Scan -RestrictPrivileges -ScanType 1
.

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-02-07 22:24:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes …

scanning hidden autostart entries …

scanning hidden files …

scan completed successfully
hidden files: 0


.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\WINDOWS\ehome\mcrdsvc.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\DOCUME~1\MJH\LOCALS~1\Temp\SSUPDATE.EXE
.


.
Completion time: 2008-02-07 22:26:54 - machine was rebooted
ComboFix-quarantined-files.txt 2008-02-07 22:26:51
.
2008-02-07 19:34:31 — E O F —

END OF COMBOFIX LOG. TO BE CONTINUED…

HIJACKTHIS LOG:
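ComboFix's "Files Created" section is where the droppers in the log above stand out: five executables written to C:\ and system32 within minutes of each other on 2008-02-07 between 01:44 and 01:51 (gldginvf.exe, wpohl.exe, jnhjkfrn, btask.dll, qrwkjyd.exe), alongside one-byte .dat files and a file named only by a number. As an added example, not part of this thread or of ComboFix, the Python below mechanises that first pass: it parses lines in ComboFix's created-files format, keeps executables (or files with no extension at all) written in the drive root or system32 within a window before the scan, and adds a rough "random-looking name" signal based on vowel ratio and consonant runs. The sample input is a constructed subset of the log above; the watched directories, the window length and the name heuristic are assumptions, and a hit is a candidate to look up or submit for analysis, not a verdict (CmdLineExt.dll is listed only because it is a recent DLL in system32, with no other signal).

```python
import re
from datetime import datetime, timedelta

# One "Files Created" line: created . modified [size] attrs path
LINE_RE = re.compile(
    r"^(?P<created>\d{4}-\d{2}-\d{2} \d{2}:\d{2}) \. "
    r"(?P<modified>\d{4}-\d{2}-\d{2} \d{2}:\d{2})\s+"
    r"(?:(?P<size>[\d,]+)\s+)?(?P<attrs>[d-][-a-z]{8})\s+(?P<path>.+)$"
)
EXEC_EXT = {"exe", "dll", "sys", "scr", "cpl", "ocx", "com", "pif"}
# Assumption: directories where droppers on this XP box were landing (drive root, system32).
WATCHED_DIRS = {"c:", "c:\\windows\\system32"}
VOWELS = set("aeiou")
SCAN_DATE = datetime(2008, 2, 7, 22, 21)   # taken from the ComboFix header above

# Constructed sample: a subset of the "Files Created" lines in the log above.
SAMPLE_CREATED = r"""
2008-02-07 16:53 . 2008-02-07 20:47 d-------- C:\Program Files\SUPERAntiSpyware
2008-02-07 12:48 . 2008-02-07 12:48 268 --ah----- C:\sqmdata15.sqm
2008-02-07 01:51 . 2008-02-07 01:51 100,928 --a------ C:\WINDOWS\system32\gldginvf.exe
2008-02-07 01:51 . 2008-02-07 01:51 1 --a------ C:\WINDOWS\system32\rc.dat
2008-02-07 01:44 . 2008-02-07 01:44 58,368 --a------ C:\wpohl.exe
2008-02-07 01:44 . 2008-02-07 01:44 54,764 --a------ C:\WINDOWS\system32\jnhjkfrn
2008-02-07 01:44 . 2008-02-07 01:44 53,760 --a------ C:\WINDOWS\system32\btask.dll
2008-02-07 01:44 . 2008-02-07 01:44 3,584 --a------ C:\qrwkjyd.exe
2008-02-07 01:44 . 2008-02-07 01:44 2 --a------ C:\1420336327
2008-02-03 16:52 . 2008-02-03 16:52 108,144 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2008-01-14 19:23 . 2001-08-17 13:56 7,552 --a------ C:\WINDOWS\system32\drivers\SONYPVU1.SYS
2008-01-09 11:18 . 2008-01-09 11:18 524,288 --a------ C:\WINDOWS\system32\DivXsm.exe
"""


def looks_random(stem):
    """Rough signal only: few vowels or a long consonant run, as in gldginvf / qrwkjyd."""
    letters = re.sub(r"[^a-z]", "", stem.lower())
    if len(letters) < 4:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    run = longest = 0
    for c in letters:
        run = 0 if c in VOWELS else run + 1
        longest = max(longest, run)
    return vowel_ratio <= 0.2 or longest >= 5


def triage_created(text, scan_date, window_days=7):
    """Return candidate files (most reasons first) from ComboFix 'Files Created' lines."""
    cutoff = scan_date - timedelta(days=window_days)
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m.group("attrs").startswith("d"):   # skip non-matching lines and directories
            continue
        created = datetime.strptime(m.group("created"), "%Y-%m-%d %H:%M")
        path = m.group("path")
        parent, _, name = path.rpartition("\\")
        if "." in name:
            stem, ext = name.rsplit(".", 1)
            if ext.lower() not in EXEC_EXT:
                continue
        else:
            stem, ext = name, None                      # extensionless file: keep it
        if parent.lower() not in WATCHED_DIRS or created < cutoff:
            continue
        reasons = [f"recent executable in {parent}\\"]
        if ext is None:
            reasons.append("no file extension")
        if looks_random(stem):
            reasons.append("random-looking name")
        size = m.group("size")
        hits.append({
            "path": path,
            "created": created,
            "size": int(size.replace(",", "")) if size else None,
            "reasons": reasons,
        })
    hits.sort(key=lambda h: (-len(h["reasons"]), h["path"].lower()))
    return hits


if __name__ == "__main__":
    for h in triage_created(SAMPLE_CREATED, SCAN_DATE):
        print(f"{h['created']:%Y-%m-%d %H:%M}  {h['path']}  <- {'; '.join(h['reasons'])}")
```

The creation timestamps are the strongest signal here: files that appear together in the same minute were written by the same installer, so once one of them is identified the rest of the cluster goes with it. The name heuristic is deliberately crude; it exists to order the list, not to decide anything.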

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 22:31:42, on 07/02/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTSMLBIZ\Binn\sqlservr.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Norton Ghost\Agent\GhostTray.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\WINDOWS\system32\gsicon.exe
C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Norton Ghost\Agent\VProSvc.exe
C:\Program Files\Microsoft IntelliPoint\ipoint.exe
C:\Program Files\Dell Support\DSAgnt.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\PROGRA~1\Yahoo!\MESSEN~1\ymsgr_tray.exe
C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Documents and Settings\MJH\Desktop\Gotcha.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.co.uk
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3061211
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://www.google.co.uk/ig/dell?hl=en&client=dell-usuk&channel=uk&ibd=3061211
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: Easy Gif Animator Toolbar Helper - {96372AB6-15EB-4316-B497-71C741BC548C} - C:\Program Files\Easy Gif Animator Extension\v3.2.0.0\EasyGifAnimator_Toolbar.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.1.615.5858\swg.dll
O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll
O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - btask.dll (file missing)
O3 - Toolbar: Easy Gif Animator Toolbar - {35065594-9169-4A34-B167-FC4865038E53} - C:\Program Files\Easy Gif Animator Extension\v3.2.0.0\EasyGifAnimator_Toolbar.dll
O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_01\bin\jusched.exe"
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [DMXLauncher] C:\Program Files\Dell\Media Experience\DMXLauncher.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Norton Ghost 10.0] "C:\Program Files\Norton Ghost\Agent\GhostTray.exe"
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start

TO BE CONTINUED…

O4 - HKLM\..\Run: [GSICONEXE] gsicon.exe
O4 - HKLM\..\Run: [DSLAGENTEXE] dslagent.exe USB
O4 - HKLM\..\Run: [Corel Photo Downloader] C:\Program Files\Corel\Corel Snapfire Plus\Corel Photo Downloader.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\system32\spool\drivers\w32x86\3\hpztsb05.exe
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [UVS10 Preload] C:\Program Files\Ulead Systems\Ulead VideoStudio 10\uvPL.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [IntelliPoint] "C:\Program Files\Microsoft IntelliPoint\ipoint.exe"
O4 - HKCU\..\Run: [DellSupport] "C:\Program Files\Dell Support\DSAgnt.exe" /startup
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE" -quiet
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [kdx] C:\Program Files\Kontiki\KHost.exe -all
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [DWQueuedReporting] "C:\PROGRA~1\COMMON~1\MICROS~1\DW\dwtrig20.exe" -t (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Service Manager.lnk = C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlmangr.exe
O8 - Extra context menu item: &Search - http://edits.mywebsearch.com/toolbaredits/menusearch.jhtml?p=ZKxdm099YYGB
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_01\bin\ssv.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
O16 - DPF: {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} - http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1172838573984
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1172838565328
O16 - DPF: {FFC0A381-8145-4CFD-A768-A2259776C179} (PTV xVectorMap Plugin 3.1) - http://xvectormap.ptv.de/xvectormap/PTVxVectorMap31.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA9CD029-6846-42EA-B220-8110D28192A6}: NameServer = 213.130.128.32 213.130.128.33
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: McAfee Application Installer Cleanup (0225721174147521) (0225721174147521mcinstcleanup) - Unknown owner - C:\DOCUME~1\Laura\LOCALS~1\Temp\022572~1.EXE (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton Ghost - Symantec Corporation - C:\Program Files\Norton Ghost\Agent\VProSvc.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe


End of file - 12644 bytes


Anybody able to help? :slight_smile:

Thanks!
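Added example for readers triaging a log like the one above; this is not code from the thread, from HijackThis, or from any of the helpers here. It parses the line formats that appear in the posted log (R3/O2/O3/O4/O17/O23) and pulls out the entries a helper reads first: orphaned entries whose file is gone ("(no file)" / "(file missing)"), O2/O3 modules given as a bare DLL name or living outside Program Files and the Windows folder, O4 autostarts and O23 services launched from a Temp folder, and any O17 NameServer entries so they can be checked against the ISP's real resolvers. The "trusted root" list and the findings are my assumptions for a first pass, not verdicts: a clean path does not prove a clean file, and an unusual path only means "look closer". The sample lines are copied from the log in this thread, with the backslashes HijackThis writes in `HKLM\..\Run` restored where the forum rendering had dropped them.

```python
"""First-pass triage of HijackThis (HJT) log lines.

Added example, not part of the original thread or of HijackThis itself.
Sample lines below are copied from the log posted in the thread.
"""
import re

# Constructed sample: lines taken from the thread's own HJT log.
SAMPLE_LOG = "\n".join([
    r"R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)",
    r"O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll",
    r"O2 - BHO: CBrowserHelperObject Object - {CA6319C0-31B7-401E-A518-A07C3DB8F777} - C:\Program Files\BAE\BAE.dll",
    r"O2 - BHO: Google Module - {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} - btask.dll (file missing)",
    r"O3 - Toolbar: (no name) - {0BF43445-2F28-4351-9252-17FE6E806AA0} - (no file)",
    r"O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe",
    r"O17 - HKLM\System\CCS\Services\Tcpip\..\{BA9CD029-6846-42EA-B220-8110D28192A6}: NameServer = 213.130.128.32 213.130.128.33",
    r"O23 - Service: McAfee Application Installer Cleanup (0225721174147521) (0225721174147521mcinstcleanup) - Unknown owner - C:\DOCUME~1\Laura\LOCALS~1\Temp\022572~1.EXE (file missing)",
    r"O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe",
])

LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{1,2}) - (?P<body>.+)$")
MISSING_RE = re.compile(r"\((?:no file|file missing)\)", re.IGNORECASE)
TEMP_DIR_RE = re.compile(r"\\temp\\", re.IGNORECASE)
# Assumption: locations a browser add-on is normally installed under on this XP box.
TRUSTED_ROOTS = ("c:\\program files\\", "c:\\progra~1\\", "c:\\windows\\")


def _last_field(body):
    """Path part of an 'a - b - c' HJT body, with any '(file missing)' tag removed."""
    path = body.rsplit(" - ", 1)[-1]
    return MISSING_RE.sub("", path).strip()


def triage_line(line):
    """Return (section, [findings]) for one HJT line, or None if it is not an HJT entry."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    section, body = m.group("section"), m.group("body")
    findings = []

    if MISSING_RE.search(body):
        findings.append("orphaned entry: referenced file is missing")

    if section in ("O2", "O3"):  # BHOs and toolbars
        path = _last_field(body)
        if path and not path.lower().startswith(TRUSTED_ROOTS):
            findings.append("module loaded from an unusual location: " + path)

    elif section == "O4":  # autostarts: 'HKLM\..\Run: [name] command'
        command = body.split("]", 1)[-1].strip() if "]" in body else body
        if TEMP_DIR_RE.search(command):
            findings.append("autostart runs from a Temp folder: " + command)

    elif section == "O23":  # services: 'Service: name - owner - path'
        path = _last_field(body)
        if TEMP_DIR_RE.search(path):
            findings.append("service binary lives in a Temp folder: " + path)

    elif section == "O17":  # DNS servers set on an interface
        servers = body.split("NameServer =", 1)[-1].split()
        if servers:
            findings.append("DNS servers to verify with the ISP: " + ", ".join(servers))

    return section, findings


def triage_log(text):
    """Return [(section, line, findings)] for every line that produced at least one finding."""
    flagged = []
    for line in text.splitlines():
        result = triage_line(line)
        if result and result[1]:
            flagged.append((result[0], line.strip(), result[1]))
    return flagged


if __name__ == "__main__":
    for section, line, findings in triage_log(SAMPLE_LOG):
        print(section, "|", line)
        for finding in findings:
            print("    ->", finding)
```

Run against the sample it flags the orphaned Yahoo! URLSearchHook and unnamed toolbar, the "Google Module" BHO that is really a bare btask.dll, the McAfee cleanup service pointing into a user's Temp folder, and the two O17 resolvers for checking; the avast! entries and the Google toolbar pass untouched. The O17 check is deliberately neutral: public resolver addresses are not evidence of anything until compared with what the ISP actually hands out.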

  1. Please open Notepad: click Start, then Run, and type notepad.exe in the Run box.

  2. Now copy/paste the entire content of the codebox below into the Notepad window:


File::
C:\WINDOWS\system32\gldginvf.exe
C:\wpohl.exe
C:\WINDOWS\system32\jnhjkfrn
C:\WINDOWS\system32\btask.dll
C:\qrwkjyd.exe
C:\1420336327


  3. Then in the text file go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.

  4. Save the above as CFScript.txt

  5. Then drag CFScript.txt onto ComboFix.exe as depicted in the animation below. This will start ComboFix again.

http://users.pandora.be/bluepatchy/miekiemoes/images/CFScript.gif

  6. After reboot (in case it asks to reboot), please post the following report/log in your next reply: Combofix.txt

THEN

Attach the log generated by the following programme

Download WinPFind35u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind35u on your desktop.

  1. Close ALL OTHER PROGRAMS.
  2. Open the WinPFind35u folder and double-click on WinPFind35U.exe to start the program.
  3. Under Additional Scans click the checkboxes in front of the following items to select them:

     Reg - BotCheck

  4. Now click the Run Scan button on the toolbar.
  5. Let it run unhindered until it finishes.
  6. When the scan is complete Notepad will open with the report file loaded in it.
  7. Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and attach the log. I will review it when it comes in.

Hi essexboy, thank you for the reply, I’ve done as you’ve said and have attached the two logs:

COMBOFIX

WINPFIND35

Thanks :slight_smile:

How is it running now ?

Start WinPFind3U. Copy/Paste the information in the quotebox below into the pane where it says “Paste fix here” and then click the Run Fix button.

[Unregister Dlls]
[Registry - Non-Microsoft Only]
< BHO's [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
YY -> {CA6319C0-31B7-401E-A518-A07C3DB8F777} [HKEY_LOCAL_MACHINE] -> %ProgramFiles%\BAE\BAE.dll [CBrowserHelperObject Object]
YN -> {E1290342-AAFF-4f7c-9F45-D665E4BF1A00} [HKEY_LOCAL_MACHINE] -> btask.dll [Google Module]
< Internet Explorer ToolBars [HKEY_LOCAL_MACHINE] > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ToolBar
YN -> {0BF43445-2F28-4351-9252-17FE6E806AA0} [HKEY_LOCAL_MACHINE] -> Reg Error: Key does not exist or could not be opened. [Reg Error: Key does not exist or could not be opened.]
< Downloaded Program Files > -> HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Code Store Database\Distribution Units\
YN -> {1D4DB7D2-6EC9-47A3-BD87-1E41684E07BB} [HKEY_LOCAL_MACHINE] -> http://ak.exe.imgfarm.com/images/nocache/funwebproducts/ei/WebfettiInitialSetup1.0.0.15-3.cab [Reg Error: Key does not exist or could not be opened.]
[Files/Folders - Modified Within 30 days]
YY -> 5558EA3588.sys -> %System32%\5558EA3588.sys
[Empty Temp Folders]

The fix should only take a very short time. When the fix is completed a message box will pop up telling you that it is finished. Click the OK button and Notepad will open with a log of actions taken during the fix. Post that information back here along with a new HijackThis log.

I will review the information when it comes back in.

Also let me know of any problems you encountered performing the steps above or any continuing problems you are still having with the computer.

Hi essexboy,

I got up to RUN FIX and then it popped up to reboot, but nothing appeared once rebooted. I did it again and chose not to reboot but no box came up and no log either…?

I’ve attached another Hijack log :slight_smile:

:slight_smile: Hi :

At some point you should stop using that outdated version (2.0.0 Beta) of HijackThis and use the latest version (2.0.2), which is available at www.filehippo.com/download_hijackthis . There is a slight possibility that your log may be different!?
And I wonder IF those "Symantec Shared/ccSetMgr.exe" & its companion "ccEvtMgr.exe" are going to be recommended to be fixed!?
Lastly, your Sun Java program is 3 "Updates/Versions" behind, a security risk; you should uninstall ALL versions of this program; the latest "Version" is at http://java.sun.com/javase/downloads/index.jsp . Click on the "Download" button for "JRE6 Update4".

Looks good. Spirit song is right re Java, and you are showing elements of old AVs that should be removed.

Now the best part of the day ----- Your log now appears clean :thumbsup:

Double click Winpfind35 once again and you should see a CleanUp! button; press that button. You may get prompted by your firewall that OTMoveIt wants to contact the internet; allow this. A cleanup.txt will be downloaded and a message dialog will ask you if you want to proceed with the cleanup process; click Yes. This will delete all the tools you have downloaded, plus itself.

Now to get you off to a good start we will reset your restore points so that all the bad stuff is gone for good. Then if you need to restore at some stage you will be clean. There are several ways to reset your restore points, but this is my method:

  1. Select Start > All Programs > Accessories > System tools > System Restore.
  2. On the dialogue box that appears select Create a Restore Point
  3. Click NEXT
  4. Enter a name e.g. Clean
  5. Click CREATE

You now have a clean restore point, to get rid of the bad ones:

  1. Select Start > All Programs > Accessories > System tools > Disk Cleanup.
  2. In the Drop down box that appears select your main drive e.g. C
  3. Click OK
  4. The system will do some calculation and then display a dialogue box with TABS
  5. Select the More Options Tab.
  6. At the bottom will be a system restore box with a CLEANUP button click this
  7. Accept the Warning and select OK again, the program will close and you are done

Now that you are clean, to help protect your computer in the future I recommend that you get the following free program:

SpywareBlaster, to help prevent spyware from installing in the first place.

It is critical to have both a firewall and anti virus to protect your system and to keep them updated.

To keep your operating system up to date visit Microsoft Windows Update.

To learn more about how to protect yourself while on the internet read this article by Tony Klein: So how did I get infected in the first place?

Keep safe :wave:

Hi essexboy,

Thank you so much for your help, I’ve just come back from a couple of days away and have done everything you’ve said to do and the PC is running fine now.

You’re a star, thanks a lot, it’s appreciated more than I can say in words and smiley faces lol :smiley: 8)

Hi, it’s me again!

Thanks again for all the help with my PC… but ;)…

Since I did everything you suggested to get rid of my virus and keep my PC safe, everything has been running fine, but I’ve just noticed that there’s a couple of problems, although I don’t think I have a new virus…

  1. When I go to START > SEARCH, nothing comes up for me to search.

http://img.photobucket.com/albums/v71/100s1000s/searchbox.jpg

  2. Windows Media Player won’t load at all.

I know these two functions were working even when I had the virus as I remember using both during the few days before the virus was fully gone. Today was the first time since that I have happened to want to use both funnily enough.

Any help would be greatly appreciated, I don’t know why both these functions have stopped working. Do you think there might be some other stuff that isn’t working too, maybe things I don’t even use?

THANKS

Technophobe :slight_smile: