Have another virus

Hi guys, sorry about the last one, pressed enter by mistake. Don’t know if you remember me, but you helped me out heaps the last time I had a virus. Could you please do so again? My son - this time, wasn’t me - downloaded something and put a virus on my comp; doesn’t seem to do much, but enough strange things are happening that I want rid of it. Done a scan with Avast: “12/12/2007 20:09:31 OURS 3576 Sign of “Win32:Obfuscated-CCV [trj]” has been found in “C:\WINDOWS\system32\xppwglpj.exe” file.
12/12/2007 20:09:50 OURS 3576 Sign of “Win32:SecBar-B [Adw]” has been found in “C:\WINDOWS\system32\uuaiujys.dll” file.
12/12/2007 20:09:50 OURS 3576 Sign of “Win32:Obfuscated-CCV [trj]” has been found in “C:\WINDOWS\system32\wsgsfbiv.exe” file.
12/12/2007 20:24:37 OURS 3576 Sign of “Win32:Obfuscated-CCV [trj]” has been found in “C:\Documents and Settings\OURS\Local Settings\Temp\dmnqtari.exe” file.
12/12/2007 20:24:45 OURS 3576 Sign of “Win32:Obfuscated-CCV [trj]” has been found in “C:\Documents and Settings\OURS\Local Settings\Temp\kscjfiwe.exe” file.
12/12/2007 21:53:34 OURS 3576 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP352\A0045344.dll” file.
12/12/2007 21:54:13 OURS 3576 Sign of “Win32:SecBar-B [Adw]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP358\A0046749.DLL” file.
12/12/2007 21:54:34 OURS 3576 Sign of “Win32:Delf-GVX [trj]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP360\A0046914.exe” file.
12/12/2007 21:54:55 OURS 3576 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP363\A0047017.DLL” file.
12/12/2007 21:55:01 OURS 3576 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP363\A0047079.dll” file.
12/12/2007 21:55:08 OURS 3576 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP364\A0048111.DLL” file.
12/12/2007 21:55:15 OURS 3576 Sign of “Win32:Obfuscated-CCV [trj]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP365\A0048182.EXE” file.
12/12/2007 21:56:02 OURS 3576 Sign of “Win32:Obfuscated-CCV [trj]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP371\A0048392.exe” file.
12/12/2007 21:56:03 OURS 3576 Sign of “Win32:SecBar-B [Adw]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP371\A0048393.dll” file.
12/12/2007 21:56:03 OURS 3576 Sign of “Win32:Obfuscated-CCV [trj]” has been found in “C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP371\A0048394.exe” file.
12/12/2007 22:18:18 OURS 3576 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\QooBox\Quarantine\C\DOCUME~1\OURS\APPLIC~1\tmpF5.tmp.exe.vir” file.
12/12/2007 22:18:20 OURS 3576 Sign of “Win32:Adware-gen [Adw]” has been found in “C:\QooBox\Quarantine\C\DOCUME~1\OURS\APPLIC~1\tmp2.tmp.exe.vir” file.
12/12/2007 22:18:20 OURS 3576 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\QooBox\Quarantine\C\WINDOWS\system32\tmp73.tmp.dll.vir” file.
12/12/2007 22:18:20 OURS 3576 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\QooBox\Quarantine\C\WINDOWS\system32\tmp34.tmp.dll.vir” file.
12/12/2007 22:18:21 OURS 3576 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\QooBox\Quarantine\C\WINDOWS\system32\tmp9827.tmp.dll.vir” file.
12/12/2007 22:18:21 OURS 3576 Sign of “Win32:Virtumonde-EO [Adw]” has been found in “C:\QooBox\Quarantine\C\WINDOWS\efcaax.dll.vir” file.”
This is what I got back. Also have two icons on my desktop, “Online Security Guide” and “Live Safety Center”; can’t seem to get rid of these… please help. Thank you, Steve
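Added example, not part of Steve's post or anything else in this thread: a small Python parser for Avast log lines of the shape quoted above. It buckets every hit by where the file sits, which is the first thing to do with a log like this, because hits under System Volume Information and under ComboFix's QooBox quarantine are old copies that go away when those stores are cleared, while hits in system32 and Temp are the files still on the running system. The sample lines are constructed from the paths above (with the backslash the forum dropped before _restore put back); the line layout, the [trj]/[Adw] tagging and the location rules are assumptions drawn from this one log. The parser accepts both straight quotes and the curly quotes the forum substitutes.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample: lines modelled on the Avast log quoted above. The last line keeps
# the curly quotes the forum software substitutes; the parser must accept both kinds.
SAMPLE_AVAST_LOG = r"""
12/12/2007 20:09:31 OURS 3576 Sign of "Win32:Obfuscated-CCV [trj]" has been found in "C:\WINDOWS\system32\xppwglpj.exe" file.
12/12/2007 20:09:50 OURS 3576 Sign of "Win32:SecBar-B [Adw]" has been found in "C:\WINDOWS\system32\uuaiujys.dll" file.
12/12/2007 20:24:37 OURS 3576 Sign of "Win32:Obfuscated-CCV [trj]" has been found in "C:\Documents and Settings\OURS\Local Settings\Temp\dmnqtari.exe" file.
12/12/2007 21:53:34 OURS 3576 Sign of "Win32:Adware-gen [Adw]" has been found in "C:\System Volume Information\_restore{A442C64B-6C53-4CC0-8492-83D4D0A0CC3D}\RP352\A0045344.dll" file.
12/12/2007 22:18:20 OURS 3576 Sign of "Win32:Trojan-gen {Other}" has been found in "C:\QooBox\Quarantine\C\WINDOWS\system32\tmp73.tmp.dll.vir" file.
12/12/2007 22:18:21 OURS 3576 Sign of “Win32:Virtumonde-EO [Adw]” has been found in “C:\QooBox\Quarantine\C\WINDOWS\efcaax.dll.vir” file.
"""

# One detection line: timestamp, user, process id, signature name, file path.
LINE_RE = re.compile(
    r'^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}) (?P<user>\S+) (?P<pid>\d+) '
    r'Sign of ["“](?P<sig>.+?)["”] has been found in ["“](?P<path>.+?)["”] file\.$'
)


def classify_location(path: str) -> str:
    """Bucket a hit by where the file sits: still live on the system, or a copy that
    only survives in a System Restore point or a removal tool's quarantine."""
    p = path.lower()
    if "\\system volume information\\" in p:
        return "restore-point copy"
    if "\\qoobox\\quarantine\\" in p:
        return "quarantined copy"
    if "\\temp\\" in p:
        return "temp drop"
    if "\\windows\\system32\\" in p:
        return "live system32"
    return "other"


def signature_class(sig: str) -> str:
    """Avast tags names with [trj] (trojan) or [Adw] (adware); anything else is generic."""
    if "[trj]" in sig:
        return "trojan"
    if "[Adw]" in sig:
        return "adware"
    return "generic"


def parse_avast_log(text: str) -> List[Dict[str, str]]:
    """One record per detection line; lines that do not match (blanks, summaries) are skipped."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        rec["class"] = signature_class(rec["sig"])
        rec["location"] = classify_location(rec["path"])
        hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count detections per location bucket."""
    return dict(Counter(h["location"] for h in hits))


def live_paths(hits: List[Dict[str, str]]) -> List[str]:
    """Paths that still point at files on the running system, i.e. what a clean-up has to
    remove. Restore-point and quarantine copies are handled by clearing those stores."""
    return [h["path"] for h in hits if h["location"] in ("live system32", "temp drop")]


if __name__ == "__main__":
    hits = parse_avast_log(SAMPLE_AVAST_LOG)
    for bucket, n in sorted(summarize(hits).items()):
        print(f"{n:2d}  {bucket}")
    for p in live_paths(hits):
        print("live:", p)
```

Run over the full log in the post, the same split shows that most of the 21 lines are restore-point and quarantine copies, and only the first five are files that still need to come off the disk.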

Hi Steven, could you do the following:

Download ComboFix from Here or Here to your Desktop.

[*]Double click combofix.exe and follow the prompts.
[*]When finished, it shall produce a log for you. Post that log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix’s window while it’s running. That may cause it to stall.

If I could have the ComboFix log and a HijackThis log on completion.

Here we go:
ComboFix 07-08-14.4 - “OURS” 2007-12-18 17:34:32.4 - FAT32x86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.685 [GMT 10.5:30]

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))

C:\WINDOWS\system32\~.exe
C:\WINDOWS\system32\regscan.exe

((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

-------\LEGACY_DOMAINSERVICE
-------\DomainService

((((((((((((((((((((((((( Files Created from 2007-11-18 to 2007-12-18 )))))))))))))))))))))))))))))))

2007-12-18 17:28 d--hs---- C:\FOUND.004
2007-12-18 16:14 80,448 --a------ C:\WINDOWS\system32\ywsnvjxq.dll
2007-12-18 16:11 85,568 --a------ C:\WINDOWS\system32\jxllisch.dll
2007-12-18 16:11 74,304 --a------ C:\WINDOWS\system32\mglamaah.exe
2007-12-17 16:16 80,448 --a------ C:\WINDOWS\system32\tpeflcsq.dll
2007-12-17 16:10 74,304 --a------ C:\WINDOWS\system32\aybhcmrg.exe
2007-12-16 21:38 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-16 15:36 80,448 --a------ C:\WINDOWS\system32\jbcdsdmu.dll
2007-12-16 15:36 74,304 --a------ C:\WINDOWS\system32\nuevepyx.exe
2007-12-15 21:42 d-------- C:\UT2004
2007-12-15 15:38 80,448 --a------ C:\WINDOWS\system32\smawftiv.dll
2007-12-15 15:35 74,304 --a------ C:\WINDOWS\system32\vmgknsqh.exe
2007-12-14 15:36 80,448 --a------ C:\WINDOWS\system32\emyuhtif.dll
2007-12-14 15:36 74,304 --a------ C:\WINDOWS\system32\gvrepnvu.exe
2007-12-13 15:37 80,448 --a------ C:\WINDOWS\system32\bsbdebsn.dll
2007-12-13 15:35 74,304 --a------ C:\WINDOWS\system32\xghalvam.exe
2007-12-12 10:32 80,448 --a------ C:\WINDOWS\system32\jwnjjiup.dll
2007-12-12 10:29 74,304 --a------ C:\WINDOWS\system32\luircggt.exe
2007-12-11 10:28 80,448 --a------ C:\WINDOWS\system32\myrttoov.dll
2007-12-11 10:28 74,304 --a------ C:\WINDOWS\system32\dcsfgvbc.exe
2007-12-10 10:32 80,448 --a------ C:\WINDOWS\system32\ohvesanp.dll
2007-12-10 10:26 74,304 --a------ C:\WINDOWS\system32\mimrybyy.exe
2007-12-09 18:03 80,448 --a------ C:\WINDOWS\system32\suyiovxp.dll
2007-12-08 18:02 80,448 --a------ C:\WINDOWS\system32\yyrsmfrn.dll
2007-12-07 18:00 80,448 --a------ C:\WINDOWS\system32\igrxqrfn.dll
2007-12-07 17:57 74,304 --a------ C:\WINDOWS\system32\qubuigrk.exe
2007-12-06 14:39 81,984 --a------ C:\WINDOWS\system32\teyulygv.dll
2007-12-06 14:33 74,304 --a------ C:\WINDOWS\system32\ptyjmapj.exe
2007-12-06 07:42 d--hs---- C:\FOUND.003
2007-12-05 16:14 81,984 --a------ C:\WINDOWS\system32\htjwthdf.dll
2007-12-04 16:41 28,929 --a------ C:\WINDOWS\trayicons.exe
2007-12-04 10:59 77,376 --a------ C:\WINDOWS\system32\rphcywqn.dll
2007-12-03 22:02 73,280 --a------ C:\WINDOWS\system32\jsdqgsad.dll
2007-12-02 21:59 336,480 --a------ C:\WINDOWS\system32\vtsqo.dll
2007-12-02 21:59 227,663 --ahs---- C:\WINDOWS\system32\oqstv.ini2
2007-11-29 15:57 77,888 --a------ C:\WINDOWS\system32\lrsubwhc.dll
2007-11-28 16:58 81,984 --a------ C:\WINDOWS\system32\jahqsyts.dll
2007-11-27 11:48 37,376 --a------ C:\WINDOWS\system32\urqpqpn.dll
2007-11-23 08:20 d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Apple

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-12-12 17:53 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2007-12-05 01:26 93264 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-12-05 01:25 94544 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-12-05 01:23 23152 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-12-05 01:21 42912 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-12-05 01:19 26624 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-12-04 23:34 837496 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-12-04 23:24 95608 --a------ C:\WINDOWS\system32\AVASTSS.scr
2007-11-13 20:55 20480 --a------ C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-10 21:45 --------- d-------- C:\Program Files\Belkin
2007-11-10 17:54 --------- d-------- C:\Program Files\Jowood
2007-11-06 20:08 --------- d-------- C:\Program Files\Movie DVD Maker
2007-11-04 20:30 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2007-11-04 20:30 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2007-11-04 20:30 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2007-10-31 10:12 3590656 --a------ C:\WINDOWS\system32\dllcache\mshtml.dll
2007-10-30 09:13 1287680 --a------ C:\WINDOWS\system32\quartz.dll
2007-10-30 09:13 1287680 --a------ C:\WINDOWS\system32\dllcache\quartz.dll
2007-10-29 03:47 96832 --a------ C:\WINDOWS\system32\drivers\AnyDVD.sys
2007-10-27 21:33 --------- d-------- C:\Program Files\directx
2007-10-27 17:40 222720 --a------ C:\WINDOWS\system32\wmasf.dll
2007-10-27 17:40 222720 --a------ C:\WINDOWS\system32\dllcache\wmasf.dll
2007-10-26 14:04 8460288 --a------ C:\WINDOWS\system32\dllcache\shell32.dll
2007-10-24 20:45 87608 --a------ C:\DOCUME~1\OURS\APPLIC~1\inst.exe
2007-10-24 20:45 47360 --a------ C:\WINDOWS\system32\drivers\pcouffin.sys
2007-10-24 20:45 47360 --a------ C:\DOCUME~1\OURS\APPLIC~1\pcouffin.sys
2007-10-24 20:45 --------- d-------- C:\Program Files\VSO
2007-10-23 17:21 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\Vso
2007-10-18 19:56 --------- d-------- C:\Program Files\uTorrent
2007-10-18 19:56 --------- d-------- C:\DOCUME~1\OURS\APPLIC~1\uTorrent
2007-10-18 19:41 2560 --a------ C:\WINDOWS\system32\BitCometRes.dll
2007-10-18 19:40 --------- d-------- C:\Program Files\BitComet
2007-10-17 19:12 98304 --a------ C:\WINDOWS\system32\CmdLineExt.dll
2007-10-11 10:26 824832 --a------ C:\WINDOWS\system32\dllcache\wininet.dll
2007-10-11 10:26 671232 --a------ C:\WINDOWS\system32\dllcache\mstime.dll
2007-10-11 10:26 232960 --a------ C:\WINDOWS\system32\dllcache\webcheck.dll
2007-10-11 10:26 1159680 --a------ C:\WINDOWS\system32\dllcache\urlmon.dll
2007-10-11 10:26 105984 --a------ C:\WINDOWS\system32\dllcache\url.dll
2007-10-11 10:26 102400 --a------ C:\WINDOWS\system32\dllcache\occache.dll
2007-10-11 10:25 63488 --------- C:\WINDOWS\system32\dllcache\icardie.dll
2007-10-11 10:25 6065664 --------- C:\WINDOWS\system32\dllcache\ieframe.dll
2007-10-11 10:25 52224 --------- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2007-10-11 10:25 478208 --a------ C:\WINDOWS\system32\dllcache\mshtmled.dll
2007-10-11 10:25 459264 --------- C:\WINDOWS\system32\dllcache\msfeeds.dll
2007-10-11 10:25 44544 --a------ C:\WINDOWS\system32\dllcache\iernonce.dll
2007-10-11 10:25 384512 --a------ C:\WINDOWS\system32\dllcache\iedkcs32.dll
2007-10-11 10:25 383488 --------- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2007-10-11 10:25 27648 --a------ C:\WINDOWS\system32\dllcache\jsproxy.dll
2007-10-11 10:25 267776 --------- C:\WINDOWS\system32\dllcache\iertutil.dll
2007-10-11 10:25 230400 --a------ C:\WINDOWS\system32\dllcache\ieaksie.dll
2007-10-11 10:25 214528 --a------ C:\WINDOWS\system32\dllcache\dxtrans.dll
2007-10-11 10:25 193024 --a------ C:\WINDOWS\system32\dllcache\msrating.dll
2007-10-11 10:25 153088 --a------ C:\WINDOWS\system32\dllcache\ieakeng.dll
2007-10-11 10:25 132608 --a------ C:\WINDOWS\system32\dllcache\extmgr.dll
2007-10-11 10:25 124928 --a------ C:\WINDOWS\system32\dllcache\advpack.dll
2007-10-10 21:29 70656 --a------ C:\WINDOWS\system32\dllcache\ie4uinit.exe
2007-10-10 21:29 625152 --a------ C:\WINDOWS\system32\dllcache\iexplore.exe
2007-10-10 21:29 13824 --------- C:\WINDOWS\system32\dllcache\ieudinit.exe
2007-10-10 16:16 161792 --a------ C:\WINDOWS\system32\dllcache\ieakui.dll
2004-03-11 13:27 40960 --a------ C:\Program Files\Uninstall_CDS.exe

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))

Note empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C360B48A-3D5E-42C7-BC45-F6DAF5702142}]
2007-12-02 21:59 336480 --a------ C:\WINDOWS\system32\vtsqo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ea6b87b9-f466-4fb6-88f4-a969fcf7d1b6}]
2007-12-18 16:14 80448 --a------ C:\WINDOWS\system32\ywsnvjxq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ED203331-9C33-49D8-8714-D24A366A04EC}]
2007-11-27 11:48 37376 --a------ C:\WINDOWS\system32\urqpqpn.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“AGRSMMSG”=“AGRSMMSG.exe” [2004-06-29 09:06 C:\WINDOWS\AGRSMMSG.exe]
“SoundMan”=“SOUNDMAN.EXE” [2004-05-14 15:47 C:\WINDOWS\SOUNDMAN.EXE]
“Aspire Schedule”=“C:\Program Files\Aspire\WFTVFM\WFWIZ.exe” [2004-05-03 15:11]
“WinFast Schedule”=“C:\Program Files\Aspire\WFTVFM\WFWIZ.exe” [2004-05-03 15:11]
“SunJavaUpdateSched”=“C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe” [2007-09-25 01:11]
“QuickTime Task”=“C:\Program Files\QuickTime\qttask.exe” [2007-04-27 09:41]
“FinePrint Dispatcher v5”=“C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe” [2007-04-20 14:28]
“RemoteControl”=“C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe” [2003-12-08 17:35]
“Adobe Reader Speed Launcher”=“C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe” [2007-05-11 03:06]
“avast!”=“C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe” [2007-12-04 23:30]
“!AVG Anti-Spyware”=“C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” [2007-06-11 19:55]
“320d18a1”=“C:\WINDOWS\system32\jxllisch.dll” [2007-12-18 16:11]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
“ctfmon.exe”=“C:\WINDOWS\system32\ctfmon.exe” [2004-08-04 05:00]
“PowerBar”=“”
“swg”=“C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe” [2007-04-04 15:35]
“AnyDVD”=“C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe” [2007-10-29 04:21]
“AdobeUpdater”=“C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe” [2007-03-01 10:37]
“StartUp”=“C:\WINDOWS\trayicons.exe” [2007-12-04 16:41]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
“RunNarrator”=Narrator.exe

C:\Documents and Settings\OURS\Start Menu\Programs\Startup
Picture Motion Browser Media Check Tool.lnk - C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe [2007-10-11 21:36:43]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office\OSA9.EXE [1999-03-22 11:30:00]
Loadout Manager.lnk - C:\Program Files\Belkin\Nostromo\nost_LM.exe [2003-06-24 17:01:35]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
“DisableRegistryTools”=0 (0x0)

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
“{ED203331-9C33-49D8-8714-D24A366A04EC}”= C:\WINDOWS\system32\urqpqpn.dll [2007-11-27 11:48 37376]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\rmxkrdbp]
rmxkrdbp.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\urqpqpn]
urqpqpn.dll 2007-11-27 11:48 37376 C:\WINDOWS\system32\urqpqpn.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
“Authentication Packages”= msv1_0 C:\WINDOWS\system32\vtsqo.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Acrobat Assistant.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Acrobat Assistant.lnk
backup=C:\WINDOWS\pss\Acrobat Assistant.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Google Updater.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Google Updater.lnk
backup=C:\WINDOWS\pss\Google Updater.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AnyDVD]
C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AspireService]
C:\Program Files\Acer\Acer eMode Management\AspireService.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDTray]
“C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe” /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DTVRemote]
“C:\Program Files\LifeView DTV\RemoteControl.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
“C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe” /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
“C:\Program Files\iTunes\iTunesHelper.exe”

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\L06ZXLRD_2125796]
“C:\Program Files\Microsoft Student\Microsoft Student DVD 2006\EDICT.EXE” -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\L06ZXLRD_60680406]
“C:\Program Files\Microsoft Student\Microsoft Student DVD 2006\EDICT.EXE” -m

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MediaSync]
C:\Program Files\Acer\Acer eConsole\MediaSync.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Picasa Media Detector]
C:\Program Files\Picasa2\PicasaMediaDetector.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Success Programmer Special Edition]
C:\Program Files\Success Programmer Special Edition\Success Programmer Special Edition.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViralShock]
C:\Program Files\ViralShock\ViralShock.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
“Ati HotKey Poller”=2 (0x2)

R3 ovt519;D-Link VGA Webcam;C:\WINDOWS\system32\Drivers\ov519vid.sys
S3 bcgame;Nostromo HID Device Minidriver;C:\WINDOWS\system32\drivers\bcgame.sys
S3 DMSKSSRh;DMSKSSRh;\??\C:\DOCUME~1\OURS\LOCALS~1\Temp\DMSKSSRh.sys
S3 FontCache6.0.5070.0;WinFX Font Cache 6.0.5070.0;C:\WINDOWS\Microsoft.NET\Windows\v6.0.5070\PresentationFontCache.exe
S3 NUVision;NUVision Video Service;C:\WINDOWS\system32\DRIVERS\nuvvid2.sys
S4 itcppss;Indigo Tcp Port Sharing Service;C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\IndigoListener.exe

Contents of the ‘Scheduled Tasks’ folder
2007-12-18 06:23:28 C:\WINDOWS\Tasks\User_Feed_Synchronization-{DF9AE4EA-1FAA-412E-8E06-5C076ED17214}.job
2007-12-13 10:42:02 C:\WINDOWS\Tasks\dfrg.job
2007-12-10 00:48:04 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job


catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-18 17:43:13
Windows 5.1.2600 Service Pack 2 FAT NTAPI

scanning hidden processes …

scanning hidden autostart entries …

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
PowerBar = ?p?s???p??|??A~??A~?|???C~J?C~?Kf???C~|???4?A~X???C~???C~???A~???Z?A~????A~???Kf??Kf???|Jf???|???W?D~0?A~????A~??A~???C~X???|???,@?@???E]B~???,@

scanning hidden files …

scan completed successfully
hidden files: 0


Completion time: 2007-12-18 17:45:22 - machine was rebooted
C:\ComboFix2.txt … 2007-11-29 21:14
C:\ComboFix-quarantined-files.txt … 2007-12-18 17:45
C:\ComboFix3.txt … 2007-08-20 08:05

--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 17:51:30, on 18/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\AGRSMMSG.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\system32\devldr32.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Belkin\Nostromo\nost_LM.exe
C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Encarta Web Companion - {147D6308-0614-4112-89B1-31402F9B82C4} - C:\Program Files\Common Files\Microsoft Shared\Encarta Web Companion\ENCWCBAR.DLL
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Aspire Schedule] C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [WinFast Schedule] C:\Program Files\Aspire\WFTVFM\WFWIZ.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe”
O4 - HKLM\..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask.exe” -atboottime
O4 - HKLM\..\Run: [FinePrint Dispatcher v5] “C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\fpdisp5a.exe” /source=HKLM
O4 - HKLM\..\Run: [RemoteControl] “C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe”
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] “C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe”
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [!AVG Anti-Spyware] “C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\avgas.exe” /minimized
O4 - HKLM\..\Run: [320d18a1] rundll32.exe “C:\WINDOWS\system32\jxllisch.dll”,b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [AnyDVD] C:\Program Files\SlySoft\AnyDVD\AnyDVD.exe
O4 - HKCU\..\Run: [AdobeUpdater] C:\Program Files\Common Files\Adobe\Updater5\AdobeUpdater.exe
O4 - HKCU\..\Run: [StartUp] C:\WINDOWS\trayicons.exe /optimize speed
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User ‘SYSTEM’)
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User ‘Default user’)
O4 - Startup: Picture Motion Browser Media Check Tool.lnk = C:\Program Files\Sony\Sony Picture Utility\VolumeWatcher\SPUVolumeWatcher.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Loadout Manager.lnk = C:\Program Files\Belkin\Nostromo\nost_LM.exe
O8 - Extra context menu item: &D&ownload &with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddLink.htm
O8 - Extra context menu item: &D&ownload all video with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddVideo.htm
O8 - Extra context menu item: &D&ownload all with BitComet - res://C:\Program Files\BitComet\BitComet.exe/AddAllLink.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: (no name) - {B205A35E-1FC4-4CE3-818B-899DBBB3388C} - C:\Program Files\Common Files\Microsoft Shared\Encarta Search Bar\ENCSBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O14 - IERESET.INF: START_PAGE_URL=http://GLOBAL.ACER.COM/
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/20061205/qtinstall.info.apple.com/qtactivex/qtplugin.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/20031216/qtinstall.info.apple.com/mickey/us/win/QuickTimeInstaller.exe
O16 - DPF: {67A5F8DC-1A4B-4D66-9F24-A704AD929EEE} (System Requirements Lab) - http://www.systemrequirementslab.com/sysreqlab2.cab
O16 - DPF: {B8BE5E93-A60C-4D26-A2DC-220313175592} (MSN Games - Installer) - http://messenger.zone.msn.com/binary/ZIntro.cab56649.cab
O16 - DPF: {C3F79A2B-B9B4-4A66-B012-3EE46475B072} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/MessengerStatsPAClient.cab56907.cab
O16 - DPF: {F977E961-BC9E-4B91-ACF8-468E1CC224DD} (FixUpdate Class) - http://216.93.170.133:82/TqUpdate_Release.CAB
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O23 - Service: Acer Media Server - Acer Inc. - C:\Program Files\Acer\Acer eConsole\MediaServerService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: AVG Anti-Spyware Guard - GRISOFT s.r.o. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktopManager.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD Helper (InCDsrv) - Ahead Software AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe


End of file - 8205 bytes
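Added example, not from the thread and not part of ComboFix: a Python heuristic over a ComboFix-style "Files Created" listing that groups randomly named dll/exe files by directory and size. That is how the pattern in the log above stands out to a reviewer: every day a new 80,448-byte DLL and a new 74,304-byte EXE with an eight-letter lowercase name appear in system32, while the legitimate entries around them (AvgAsCln.sys, trayicons.exe, the UT2004 folder) do not cluster. The sample rows are constructed from the listing above; the row layout and the eight-lowercase-letter name rule are assumptions drawn from this one log.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample modelled on the ComboFix "Files Created" listing above
# (date, time, size, attribute flags, path); the file names are the log's own.
SAMPLE_LISTING = r"""
2007-12-18 17:28 d--hs---- C:\FOUND.004
2007-12-18 16:14 80,448 --a------ C:\WINDOWS\system32\ywsnvjxq.dll
2007-12-18 16:11 85,568 --a------ C:\WINDOWS\system32\jxllisch.dll
2007-12-18 16:11 74,304 --a------ C:\WINDOWS\system32\mglamaah.exe
2007-12-17 16:16 80,448 --a------ C:\WINDOWS\system32\tpeflcsq.dll
2007-12-17 16:10 74,304 --a------ C:\WINDOWS\system32\aybhcmrg.exe
2007-12-16 21:38 10,872 --a------ C:\WINDOWS\system32\drivers\AvgAsCln.sys
2007-12-16 15:36 80,448 --a------ C:\WINDOWS\system32\jbcdsdmu.dll
2007-12-16 15:36 74,304 --a------ C:\WINDOWS\system32\nuevepyx.exe
2007-12-15 21:42 d-------- C:\UT2004
2007-12-04 16:41 28,929 --a------ C:\WINDOWS\trayicons.exe
"""

# One listing row; directory rows carry no size, so that field is optional.
ROW_RE = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) "
    r"(?:(?P<size>[\d,]+) )?(?P<attrs>[-a-z]{9}) (?P<path>.+)$"
)


def parse_listing(text: str) -> List[Dict[str, object]]:
    """Parse the listing into records; the size is converted to an int (None for folders)."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec: Dict[str, object] = m.groupdict()
        rec["size"] = int(rec["size"].replace(",", "")) if rec["size"] else None
        rows.append(rec)
    return rows


def looks_random(path: str) -> bool:
    """Assumed heuristic: an eight-letter lowercase stem with a dll/exe extension, the
    shape of every dropped file in the listing and of none of the legitimate ones."""
    name = path.rsplit("\\", 1)[-1]
    stem, _, ext = name.rpartition(".")
    return ext.lower() in ("dll", "exe") and re.fullmatch(r"[a-z]{8}", stem) is not None


def suspicious_clusters(rows, min_members: int = 2) -> Dict[Tuple[str, int], List[str]]:
    """Group random-looking files by (directory, size). A fresh random name of exactly the
    same size turning up day after day is a dropper re-installing itself; legitimate
    software rarely does that. Only groups with at least min_members files are returned."""
    groups: Dict[Tuple[str, int], List[str]] = defaultdict(list)
    for r in rows:
        if r["size"] is None or not looks_random(r["path"]):
            continue
        directory = r["path"].rsplit("\\", 1)[0].lower()
        groups[(directory, r["size"])].append(r["path"])
    return {k: v for k, v in groups.items() if len(v) >= min_members}


def active_days(rows, cluster_paths: List[str]) -> int:
    """Distinct dates on which a cluster's files were written: how long the loop has run."""
    wanted = set(cluster_paths)
    return len({r["date"] for r in rows if r["path"] in wanted})


if __name__ == "__main__":
    rows = parse_listing(SAMPLE_LISTING)
    for (directory, size), paths in suspicious_clusters(rows).items():
        print(f"{directory}  size={size}  files={len(paths)}  days={active_days(rows, paths)}")
        for p in paths:
            print("   ", p)
```

On the full listing in the post the two clusters each contain ten files across ten consecutive days, which is why the helper's removal list below names every one of them rather than only the newest pair.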

OK, it is time for a massacre. I hope you are not squeamish.

Please download the OTMoveIt by OldTimer.

[*] Save it to your desktop.
[*] Please double-click OTMoveIt.exe to run it.
[*]Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

C:\FOUND.004
C:\WINDOWS\system32\ywsnvjxq.dll
C:\WINDOWS\system32\jxllisch.dll
C:\WINDOWS\system32\mglamaah.exe
C:\WINDOWS\system32\tpeflcsq.dll
C:\WINDOWS\system32\aybhcmrg.exe
C:\WINDOWS\system32\jbcdsdmu.dll
C:\WINDOWS\system32\nuevepyx.exe
C:\WINDOWS\system32\smawftiv.dll
C:\WINDOWS\system32\vmgknsqh.exe
C:\WINDOWS\system32\emyuhtif.dll
C:\WINDOWS\system32\gvrepnvu.exe
C:\WINDOWS\system32\bsbdebsn.dll
C:\WINDOWS\system32\xghalvam.exe
C:\WINDOWS\system32\jwnjjiup.dll
C:\WINDOWS\system32\luircggt.exe
C:\WINDOWS\system32\myrttoov.dll
C:\WINDOWS\system32\dcsfgvbc.exe
C:\WINDOWS\system32\ohvesanp.dll
C:\WINDOWS\system32\mimrybyy.exe
C:\WINDOWS\system32\suyiovxp.dll
C:\WINDOWS\system32\yyrsmfrn.dll
C:\WINDOWS\system32\igrxqrfn.dll
C:\WINDOWS\system32\qubuigrk.exe
C:\WINDOWS\system32\teyulygv.dll
C:\WINDOWS\system32\ptyjmapj.exe
C:\FOUND.003
C:\WINDOWS\system32\htjwthdf.dll
C:\WINDOWS\system32\rphcywqn.dll
C:\WINDOWS\system32\jsdqgsad.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\oqstv.ini2
C:\WINDOWS\system32\lrsubwhc.dll
C:\WINDOWS\system32\jahqsyts.dll
C:\WINDOWS\system32\urqpqpn.dll
C:\WINDOWS\system32\SIntfNT.dll
C:\WINDOWS\system32\SIntf32.dll
C:\WINDOWS\system32\SIntf16.dll
C:\WINDOWS\system32\vtsqo.dll
C:\WINDOWS\system32\ywsnvjxq.dll
C:\WINDOWS\system32\urqpqpn.dll
C:\WINDOWS\system32\jxllisch.dll
C:\WINDOWS\system32\urqpqpn.dll
C:\WINDOWS\system32\urqpqpn.dll
C:\Program Files\ViralShock
C:\WINDOWS\trayicons.exe

[*] Return to OTMoveIt, right click on the “Paste List of Files/Folders to be moved” window and choose Paste.
[*]Click the red Moveit! button.
[*]Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
[*]Close OTMoveIt

If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose Yes.
If a reboot was necessary or you needed to Exit before posting the log, you will find a copy of the log at the root of the drive where OTMoveIt is installed, usually at:
C:\_OTMoveIt\MovedFiles\<date_time>.log
(where <date_time> is the date and time of the move)

Click “Exit” to close OTMoveIt.

NEXT

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKCU\..\Run: [StartUp] C:\WINDOWS\trayicons.exe /optimize speed

Now close all windows other than HiJackThis, then click Fix Checked. Close HiJackThis.

THEN

Download and run ERUNT http://www.larshederer.homepage.t-online.de/erunt/

Start ERUNT, confirm the Welcome message.

Type in the name of a restore folder where the backed up registry
files should be saved, or click “…” to browse your computer’s drives
and select a folder. You can also simply leave the default, which is a
folder named ERDNT inside your Windows folder, the advantage being
that you have access to this folder from the Windows Recovery Console
in case Windows does not boot anymore.

Next, select the backup options:

  • System registry:
  • Current user registry:
  • Other open user registries:

Click “OK” and wait until the backup process is complete. (Note that
depending on your system configuration this may take some time, and
that the first bar is NOT a progress bar, just an indicator that the
program is still running.) The ERDNT program for later restoration of
the registry is automatically copied to the restore folder.

WARNING: these fixes are designed for this user only and may cause damage if run on an uninfected machine.

REGISTRY FIX

REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above (from the quote box) into a Notepad file. Ensure there is no space above the REGEDIT4.
Then in Notepad go to FILE > SAVE AS and in the dropdown box set SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg.
This will create a fix.reg file on your desktop.
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

FINALLY

Download WinPFind3u.exe to your Desktop and double-click on it to extract the files. It will create a folder named WinPFind3u on your desktop.

[*]Close ALL OTHER PROGRAMS.
[*]Open the WinPFind3u folder and double-click on WinPFind3U.exe to start the program.
[*]Under Additional Scans click the checkboxes in front of the following items to select them:
    Reg - BotCheck

[*]Now click the Run Scan button on the toolbar.
[*]Let it run unhindered until it finishes.
[*]When the scan is complete Notepad will open with the report file loaded in it.
[*]Click the Format menu and make sure that Wordwrap is not checked. If it is then click on it to uncheck it.

Use the Add Reply button and Copy/Paste the information back here. I will review it when it comes in. If, after posting, the last line is not < End of Report > then the log is too big to fit into a single post and you will need to split it into multiple posts.
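Added example, not part of the helper's instructions or of any tool named in them: Python that decodes the hex(7) value in the REGEDIT4 fix above (REG_MULTI_SZ: one byte per character in a REGEDIT4 file, each string NUL-terminated, one more NUL closing the list), checks it against the ComboFix "Authentication Packages" line from the log, and re-encodes it, so the contents of fix.reg can be confirmed before they are merged. It assumes msv1_0 is the only stock LSA authentication package on this Windows XP system, and it uses the straight quotes regedit expects rather than the curly ones the forum shows.

```python
import re
from typing import Dict, List

# Constructed input: the REGEDIT4 fix from the post above, with straight quotes.
REG_FIX = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"""

# Constructed input: the matching line from the ComboFix "Reg Loading Points" section above.
COMBOFIX_LSA_LINE = r'"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtsqo.dll'

# Assumption: msv1_0 is the only stock LSA authentication package on this Windows XP box.
EXPECTED_AUTH_PACKAGES = ("msv1_0",)
LSA_KEY = r"HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa"


def decode_hex7(value: str) -> List[str]:
    """Decode a REGEDIT4 hex(7) payload (REG_MULTI_SZ). REGEDIT4 writes one byte per
    character (ANSI); every string ends in a NUL and the list ends in one more NUL."""
    m = re.fullmatch(r"hex\(7\):([0-9a-fA-F,\s]*)", value.strip())
    if not m:
        raise ValueError(f"not a hex(7) value: {value!r}")
    raw = bytes(int(tok, 16) for tok in m.group(1).split(",") if tok.strip())
    text = raw.decode("latin-1")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with a double NUL")
    body = text[:-2]
    return body.split("\0") if body else []


def encode_hex7(strings: List[str]) -> str:
    """Inverse of decode_hex7: the hex(7) text for a list of strings (empty list -> one NUL pair)."""
    payload = "".join(s + "\0" for s in strings) or "\0"
    raw = (payload + "\0").encode("latin-1")
    return "hex(7):" + ",".join(f"{b:02x}" for b in raw)


def parse_reg_fix(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Parse the small REGEDIT4 shape used in the fix: the header, [key] sections and
    "name"=hex(7):... values on one line each. Returns {key: {name: strings}}.
    The header must be the very first line, which is the 'no space above REGEDIT4' rule."""
    lines = text.splitlines()
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("REGEDIT4 must be the first line, with nothing above it")
    result: Dict[str, Dict[str, List[str]]] = {}
    key = None
    for line in lines[1:]:
        line = line.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            result.setdefault(key, {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(hex\(7\):.*)', line)
        if m is None or key is None:
            raise ValueError(f"unsupported line: {line!r}")
        result[key][m.group(1)] = decode_hex7(m.group(2))
    return result


def unexpected_auth_packages(combofix_line: str) -> List[str]:
    """Entries on the ComboFix 'Authentication Packages' line that are not stock. LSA loads
    every DLL listed here into lsass.exe at boot, so an extra entry is persistence running
    as SYSTEM and has to go, which is what the fix above does."""
    _, _, rhs = combofix_line.partition("=")
    return [e for e in rhs.split() if e.lower() not in EXPECTED_AUTH_PACKAGES]


def fix_restores_defaults(reg_text: str) -> bool:
    """True when the .reg file sets the LSA value back to exactly the stock package list."""
    values = parse_reg_fix(reg_text).get(LSA_KEY, {})
    return values.get("Authentication Packages") == list(EXPECTED_AUTH_PACKAGES)


if __name__ == "__main__":
    print("extra packages loaded by LSA:", unexpected_auth_packages(COMBOFIX_LSA_LINE))
    print("fix decodes to:", parse_reg_fix(REG_FIX)[LSA_KEY])
    print("fix restores stock list:", fix_restores_defaults(REG_FIX))
```

Because the value is a REG_MULTI_SZ, a plain string assignment in the .reg file would change the value type and break logon; the hex(7) form is what keeps the type intact while dropping the extra DLL, and the round trip through encode_hex7 shows the eight bytes in the fix are exactly "msv1_0" and nothing else.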