Need to know how to handle a suspected file?

I’m a bit of a novice at this but I need to figure out what to do to clean my PC. I was surfing the Web and got a warning from Avast AV that a virus had been found. I am running Windows XP and the Avast Home 4.7 version with current updates 080105-0, 01/05. The hardware is an Intel Pentium M Processor 1.4 GHz 587 MHZ 512 MB RAM. I have a DSL connection via Embarq. The bug just seems to pop up randomly as well as most of the time when I’m booting up. I think I was attempting to download a video clip when the problem first occurred. I searched my C drive for .dll files modified within the last week and came up with 5, 4 of which were moved into the chest and the 5th, which I suspect the most, the system won’t let me move because “it is being used by another person or program”. It is C:\WINDOWS\SYSTEM32\ljjghii.dll

The results from the Avast Log Warning page, through the 4th, are pasted below. Some files I deleted and some are in the chest.
I don’t know what to do next.
Thanks in advance for any guidance you can provide. Henry

1/1/2008 9:33:31 PM SYSTEM 1968 Sign of “Win32:Zlob-AHS [trj]” has been found in “http://www.sysprocedure.com/download.php?id=1116\$INSTDIR\$PLUGINSDIR\barf.dll” file.
1/1/2008 9:48:19 PM SYSTEM 1968 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Henry\Local Settings\Temporary Internet Files\Content.IE5\AU0RAV5R\yazzsnet[1].exe” file.
1/1/2008 9:50:30 PM SYSTEM 1968 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\DOCUME~1\Henry\LOCALS~1\Temp\yazzsnet.exe” file.
1/1/2008 9:50:47 PM SYSTEM 1968 Sign of “Win32:Trojano-2873 [trj]” has been found in “C:\WINDOWS\system32\z1\aroblcidr31z.exe” file.
1/1/2008 9:50:52 PM SYSTEM 1968 Sign of “Win32:Small-IKZ [trj]” has been found in “C:\WINDOWS\system32\pp1\upzdrvr1.exe[UPX]” file.
1/1/2008 9:50:58 PM SYSTEM 1968 Sign of “Win32:Adloader-KH [trj]” has been found in “C:\Program Files\TTC.dll” file.
1/1/2008 9:51:02 PM SYSTEM 1968 Sign of “Win32:Agent-NMX [trj]” has been found in “C:\WINDOWS\17PHolmes572.exe[UPX]” file.
1/1/2008 9:51:10 PM SYSTEM 1968 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\System32\Drivers\core.sys” file.
1/4/2008 2:26:52 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:07 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:11 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:11 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:12 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:13 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:14 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:15 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:19 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:24 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:33 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:38 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:27:44 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:29:41 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\SYSTEM32\XXYVS.DLL” file.
1/4/2008 2:29:47 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:30:05 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:30:17 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:31:16 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:31:52 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:49:54 PM Henry 2176 Sign of “Win32:TratBHO [trj]” has been found in “c:\windows\system32\xxyvs.dll” file.
1/4/2008 3:04:10 PM Henry 1832 Sign of “Win32:TratBHO [trj]” has been found in “c:\windows\system32\xxyvs.dll” file.
1/4/2008 3:05:10 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 4:04:49 PM Henry 2480 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\WINDOWS\SYSTEM32\rock.exe” file.
1/4/2008 7:06:03 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 9:27:09 PM Henry 2480 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\SYSTEM32\xxyvs.dll” file.
1/4/2008 10:20:33 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:33 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:35 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:37 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:40 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:41 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:45 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:47 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:54 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:20:59 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:21:02 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 10:21:18 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\SYSTEM32\XXYVS.DLL” file.
1/4/2008 10:25:36 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\nnljk.dll” file.
1/4/2008 11:14:11 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
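The log above is long because the same file keeps being reported. A small parser that groups the entries by path makes that pattern obvious and separates files in a browser cache or Temp folder from files sitting under the Windows directory. This is an added example, not something posted in the thread or part of avast!; the sample lines are copied from the log above, the `avast! started` line is a constructed non-detection line, and the grouping keys and thresholds are choices made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Shape of one avast! 4 "Warning" log entry as pasted in the post above.
# Both curly and straight quotes are accepted, since forum software rewrites them.
LINE_RE = re.compile(
    r'^(?P<ts>\d{1,2}/\d{1,2}/\d{4} \d{1,2}:\d{2}:\d{2} [AP]M)\s+'
    r'(?P<user>\S+)\s+(?P<pid>\d+)\s+'
    r'Sign of [“"](?P<sig>[^”"]+)[”"] has been found in [“"](?P<path>[^”"]+)[”"] file\.$'
)

# Constructed sample: a handful of lines copied from the log in the post, plus
# one non-detection line to show that unrelated text is ignored.
SAMPLE_LOG = r"""
1/1/2008 9:48:19 PM SYSTEM 1968 Sign of “Win32:Trojan-gen {Other}” has been found in “C:\Documents and Settings\Henry\Local Settings\Temporary Internet Files\Content.IE5\AU0RAV5R\yazzsnet[1].exe” file.
1/1/2008 9:50:47 PM SYSTEM 1968 Sign of “Win32:Trojano-2873 [trj]” has been found in “C:\WINDOWS\system32\z1\aroblcidr31z.exe” file.
1/4/2008 2:26:52 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\xxyvs.dll” file.
1/4/2008 2:29:41 PM SYSTEM 132 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\SYSTEM32\XXYVS.DLL” file.
1/4/2008 2:49:54 PM Henry 2176 Sign of “Win32:TratBHO [trj]” has been found in “c:\windows\system32\xxyvs.dll” file.
1/4/2008 10:25:36 PM SYSTEM 352 Sign of “Win32:TratBHO [trj]” has been found in “C:\WINDOWS\system32\nnljk.dll” file.
avast! started (not a detection line)
""".strip().splitlines()


def parse_line(line):
    """Parse one log line; return a dict, or None if it is not a detection entry."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y %I:%M:%S %p")
    rec["pid"] = int(rec["pid"])
    # Windows paths are case-insensitive, so XXYVS.DLL and xxyvs.dll are one file.
    rec["path_key"] = rec["path"].lower()
    return rec


def summarize(lines):
    """Group detections by normalised path: hit count, signatures, users, first/last seen."""
    groups = defaultdict(lambda: {"hits": 0, "signatures": set(), "users": set(),
                                  "first": None, "last": None})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        g = groups[rec["path_key"]]
        g["hits"] += 1
        g["signatures"].add(rec["sig"])
        g["users"].add(rec["user"])
        g["first"] = rec["ts"] if g["first"] is None else min(g["first"], rec["ts"])
        g["last"] = rec["ts"] if g["last"] is None else max(g["last"], rec["ts"])
    return dict(groups)


def persistent_paths(lines, min_hits=3):
    """Paths the scanner keeps reporting. A file that is detected again and again
    but never goes away is either held open by a running process (so it cannot be
    moved to the chest) or is being re-created by another component."""
    return sorted(p for p, g in summarize(lines).items() if g["hits"] >= min_hits)


def in_system_dir(lines):
    """Detected paths under the Windows directory rather than in a browser cache
    or Temp folder; those are the ones that survive a reboot."""
    return sorted(p for p in summarize(lines) if p.startswith(r"c:\windows"))


if __name__ == "__main__":
    for path, g in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{g['hits']:3d}x {path}  {sorted(g['signatures'])}  "
              f"{g['first']:%m/%d %H:%M}..{g['last']:%m/%d %H:%M}")
    print("persistent:", persistent_paths(SAMPLE_LOG))
```

Run over the full log in the post, `persistent_paths` returns just `c:\windows\system32\xxyvs.dll`, which is exactly the file reported by both the SYSTEM on-access scanner and Henry’s interactive scans and never removed.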

you’re infected with a Virtumonde related infection… next two VPS updates will give you more detections for it… you can also follow other threads in this forum to do a manual cleaning…

Sounds very much like a vundo infection

Download ComboFix from Here or Here to your Desktop.

  1. Double click combofix.exe and follow the prompts.
  2. When finished, it shall produce a log for you. Post that log along with a new HJT log in your next reply.

Note: Do not mouseclick combofix’s window while it’s running. That may cause it to stall.

Run combofix first, then hijackthis.

Click here to download HJTsetup.exe

  1. Save HJTsetup.exe to your desktop.
  2. Doubleclick on the HJTsetup.exe icon on your desktop.
  3. By default it will install to C:\Program Files\Hijack This.
  4. Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
  5. Put a check by Create a desktop icon then click Next again.
  6. Continue to follow the rest of the prompts from there.
  7. At the final dialogue box click Finish and it will launch Hijack This.
  8. Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
  9. Click on “Edit > Select All” then click on “Edit > Copy” to copy the entire contents of the log.
  10. Come back here to this thread and Paste the log in your next reply.
  11. DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.

Here are the results, but the file is too big to post at one time so I’ll post in two parts. Do the results of ComboFix need to be posted as well?.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:45:05 PM, on 1/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe
C:\PROGRA~1\Intel\Wireless\Bin\1XConfig.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe
C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe
C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe
C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe
C:\WINDOWS\system32\dla\tfswctrl.exe
C:\Program Files\BroadJump\Client Foundation\CFD.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Dell Photo AIO Printer 922\dlbtbmon.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\dlbtcoms.exe
C:\Documents and Settings\Henry\Local Settings\Temporary Internet Files\Content.IE5\P9BIYK71\HiJackThis[1].exe

Part 2

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie/button/search.html
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.myembarq.com/index.php
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1;
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: EarthLink BHO Guard - {00000000-0000-0000-0000-000000000002} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: EarthLink ScamBlocker V3 - {15F4D456-5BAA-4076-8486-EECB38CD3E57} - C:\Program Files\EarthLink TotalAccess\Toolbar\EScamBlk.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: EarthLink PopUp Blocker V2 - {512ACF1B-64D9-4928-B382-A80556F28DB4} - C:\Program Files\EarthLink TotalAccess\Toolbar\ElnkPuB.dll
O2 - BHO: DriveLetterAccess - {5CA3D70E-1895-11CF-8E15-001234567890} - C:\WINDOWS\system32\dla\tfswshx.dll
O2 - BHO: (no name) - {5E4FD806-49F8-4428-99EA-A09FD513A5B7} - C:\Program Files\MSN\hokevofC:\WINDOWS\system32\mr9\gyreo83122.exe.dll (file missing)
O2 - BHO: Earthlink Protection BHO - {9579D574-D4D8-4335-9560-FE8641A013BD} - C:\Program Files\EarthLink TotalAccess\Toolbar\ProtctIE.dll
O2 - BHO: Uninstall Legacy Earthlink Toolbar - {E713904C-DF05-4C79-BBAD-02DB923253BE} - C:\Program Files\EarthLink TotalAccess\Toolbar\uninsttb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: EarthLink Toolbar - {C7768536-96F8-4001-B1A2-90EE21279187} - C:\Program Files\EarthLink TotalAccess\Toolbar\Toolbar.dll
O4 - HKLM..\Run: [SprintModemUpdate] javaw.exe -cp “C:\Program Files\Motive\FirmwareUpdater\lib\SprintModemUpdate.jar” com.motive.firmwareUpdater.client.SprintModemUpdate
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [IPInSightMonitor 01] “C:\Program Files\EarthLink TotalAccess\FastLane2\IPMon32.exe”
O4 - HKLM..\Run: [IPInSightLAN 01] “C:\Program Files\EarthLink TotalAccess\FastLane2\IPClient.exe” -l
O4 - HKLM..\Run: [IntelWireless] C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe /tf Intel PROSet/Wireless
O4 - HKLM..\Run: [DVDLauncher] “C:\Program Files\CyberLink\PowerDVD\DVDLauncher.exe”
O4 - HKLM..\Run: [dla] C:\WINDOWS\system32\dla\tfswctrl.exe
O4 - HKLM..\Run: [BJCFD] C:\Program Files\BroadJump\Client Foundation\CFD.exe
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM..\Run: [nwiz] nwiz.exe /installquiet
O4 - HKLM..\Run: [Dell Photo AIO Printer 922] “C:\Program Files\Dell Photo AIO Printer 922\dlbtbmgr.exe”
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask .exe” -atboottime
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [updateMgr] “C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe” AcRdB7_0_8 -reboot 1
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: EarthLink Google Search - res://C:\Program Files\EarthLink TotalAccess\Toolbar\SearchUI.dll/search.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra ‘Tools’ menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\system32\msjava.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.amaena.com
O15 - Trusted Zone: *.avsystemcare.com
O15 - Trusted Zone: *.gomyhit.com
O15 - Trusted Zone: *.imageservr.com
O15 - Trusted Zone: *.imagesrvr.com
O15 - Trusted Zone: *.onerateld.com
O15 - Trusted Zone: *.safetydownload.com
O15 - Trusted Zone: *.storageguardsoft.com
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.virusschlacht.com
O15 - Trusted Zone: *.amaena.com (HKLM)
O15 - Trusted Zone: *.avsystemcare.com (HKLM)
O15 - Trusted Zone: *.gomyhit.com (HKLM)
O15 - Trusted Zone: *.imageservr.com (HKLM)
O15 - Trusted Zone: *.imagesrvr.com (HKLM)
O15 - Trusted Zone: *.onerateld.com (HKLM)
O15 - Trusted Zone: *.safetydownload.com (HKLM)
O15 - Trusted Zone: *.storageguardsoft.com (HKLM)
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O15 - Trusted Zone: *.virusschlacht.com (HKLM)
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1146874333483
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1165282170918
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: dlbt_device - Dell - C:\WINDOWS\system32\dlbtcoms.exe
O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
O23 - Service: EarthLink Monitor Service (EarthLinkMonitor) - Boingo Wireless, Inc. - C:\Program Files\EarthLink TotalAccess\WENGINE\wmonitor.exe
O23 - Service: EvtEng - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1150\Intel 32\IDriverT.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RegSrvc - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe
O23 - Service: Spectrum24 Event Monitor (S24EventMonitor) - Intel Corporation - C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe
O23 - Service: WLANKEEPER - Intel® Corporation - C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html


End of file - 10444 bytes
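Reading a HijackThis log by eye is what the helper does in the replies that follow; the same triage can be written down as rules. The script below is an added example, not a HijackThis feature and not code from the thread: it parses lines with an `R`/`F`/`O` section code and flags the entry types that turn out to matter here (Trusted Zone additions, hooks/BHOs/toolbars whose file is gone, an Active Desktop component, and a Run entry with an oddly spaced file name). The sample lines are copied from the log above plus one running-process line; the “space before the extension” rule is a heuristic assumed for this example.

```python
import re
from collections import Counter

# A HijackThis entry starts with a section code (R0..R3, F0..F3, O1..O24), then " - ".
ENTRY_RE = re.compile(r'^(?P<kind>[RFNO]\d{1,2}) - (?P<body>.*)$')

# Markers HJT prints when the registry points at something that no longer exists.
MISSING_MARKERS = ("(no file)", "(file missing)")

# Heuristic assumed for this example: a space immediately before the extension
# ("qttask .exe") is not how a vendor names its binary and deserves a look.
ODD_NAME_RE = re.compile(r'\S \.(exe|dll|scr|com)\b', re.IGNORECASE)

# Constructed sample: entries copied from the log in the post, plus one
# running-process line to show that non-entry lines are skipped.
SAMPLE_HJT = r"""
C:\WINDOWS\System32\smss.exe
R3 - URLSearchHook: SrchHook Class - {44F9B173-041C-4825-A9B9-D914BD9DCBB3} - C:\Program Files\EarthLink TotalAccess\elnIE.dll
R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {5E4FD806-49F8-4428-99EA-A09FD513A5B7} - C:\Program Files\MSN\hokevofC:\WINDOWS\system32\mr9\gyreo83122.exe.dll (file missing)
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask .exe" -atboottime
O15 - Trusted Zone: *.trustedantivirus.com
O15 - Trusted Zone: *.trustedantivirus.com (HKLM)
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html
""".strip().splitlines()


def parse_entry(line):
    """Return (kind, body) for an HJT entry line, or None for any other line."""
    m = ENTRY_RE.match(line.strip())
    return (m.group("kind"), m.group("body")) if m else None


def triage(lines):
    """Return (kind, reason, line) for every entry a cleaner would want to look at."""
    findings = []
    for line in lines:
        entry = parse_entry(line)
        if entry is None:            # running-process lines, headers, blanks
            continue
        kind, body = entry
        if kind == "O15":
            # Sites in the IE Trusted Zone get relaxed security settings.
            scope = "HKLM" if body.endswith("(HKLM)") else "HKCU"
            findings.append((kind, f"site added to IE Trusted Zone ({scope})", line))
        elif kind in ("R3", "O2", "O3") and any(mk in body for mk in MISSING_MARKERS):
            findings.append((kind, "hook/BHO/toolbar registered for a file that is gone", line))
        elif kind == "O24":
            findings.append((kind, "web page installed as an Active Desktop component", line))
        elif kind == "O4" and ODD_NAME_RE.search(body):
            findings.append((kind, "Run entry with an oddly named executable", line))
    return findings


def findings_by_kind(lines):
    """How many flagged entries of each section code."""
    return Counter(kind for kind, _, _ in triage(lines))


def trusted_zone_sites(lines):
    """Distinct domains in O15 entries, whichever hive they were added to."""
    sites = set()
    for kind, body in filter(None, map(parse_entry, lines)):
        if kind == "O15":
            sites.add(body.replace("Trusted Zone: ", "").replace(" (HKLM)", "").strip())
    return sorted(sites)


if __name__ == "__main__":
    for kind, reason, line in triage(SAMPLE_HJT):
        print(f"{kind:4} {reason}\n     {line}")
    print("trusted sites:", trusted_zone_sites(SAMPLE_HJT))
```

Entries for known software with intact files (the Adobe BHO, the avast! Run entry and service) pass through untouched, which mirrors the helper’s warning not to let HJT fix everything it lists.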


Yes, the combofix log is a very important part of getting clean, I’m basically blind with it. :wink: You can attach logs by using the extra options button on the reply page.

We can start with this

Open HJT, run a system scan only, check mark the following lines if present.

R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5E4FD806-49F8-4428-99EA-A09FD513A5B7} - C:\Program Files\MSN\hokevofC:\WINDOWS\system32\mr9\gyreo83122.exe.dll (file missing)

all the O15 lines

O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

I’ve attached the ComboFix results. Now I’ll go back and work through the directions in your last post.

Hi HLS

I hit post instead of preview and got locked out of the forum.

The correct instructions for my previous post are here.

Open HJT, run a system scan only, check mark the following lines if present.

R3 - URLSearchHook: (no name) - ~4D25F926-B9FE-4682-BF72-8AB8210D6D75} - (no file)
R3 - URLSearchHook: (no name) - ~CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
O2 - BHO: (no name) - {5E4FD806-49F8-4428-99EA-A09FD513A5B7} - C:\Program Files\MSN\hokevofC:\WINDOWS\system32\mr9\gyreo83122.exe.dll (file missing)

all the O15 lines

O24 - Desktop Component 0: Desktop Uninstall - C:\WINDOWS\warnhp.html

close all browsers/windows, click fix, close HJT

Ran the scan, found and checked all the lines you listed, clicked fix and closed HJT.
Did the ComboFix attachment come through OK? The system seemed to lock up when I sent it.

Got the log. It may have been the forum, it’s getting glitchy again. >:(

We’ll carry on, but I will be off line for awhile

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HJT log.

I’ve attached the results of the new ComboFix and HJT.

Open HJT, run a system scan only, check mark these lines if present


O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)

Close all other browsers/windows, click fix, close HJT.

Open a new Notepad session (Do not use a Word Processor or WordPad). Click “Format” and be certain that Word Wrap is not enabled.

Copy and paste all the text in the quote box below into Notepad.

Click File, Save as…, and set the location to your Desktop, and enter (including quotation marks) as the filename: “CFscript.txt” . Using your mouse left button, drag the new file CFscript.txt and drop it on the ComboFix.exe icon as shown at the bottom of this post.

RENV:: C:\Program Files\QuickTime\qttask .exe

This will start ComboFix again. Close all browser/windows first. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HJT log.

Download RenV from the link below

  1. Save it to your Desktop.
  2. Double-click RenV.exe
  3. It shall produce a log for you. Please post that log in your reply.

http://download.bleepingcomputer.com/sUBs/Beta/RenV.exe

Here are all the results.

Please submit these file(s)

To submit a file to virustotal, please click on this link

www.virustotal.com

copy and paste the following into the upload a file box (one at a time if more than one file is listed)

C:\WINDOWS\QTFont.qfn
C:\WINDOWS\QTFont.for

scroll down a bit and click “send file”, wait for the results and post them in your next reply.

Virus Total results attached.

REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\\Program Files\\QuickTime\\qttask.exe"

Next you will need to create the repair registry fix. To do that, copy and paste ALL of the above in the quote box to a notepad file. Ensure there is no space above the REGEDIT4.
Then in notepad go to FILE > SAVE AS, make sure it is set in the top box to save to DESKTOP and in the dropdown box select SAVE AS TYPE to ALL FILES.
Then in the FILE NAME box type fix.reg
This will create a fix.reg file on your desktop
http://img127.imageshack.us/img127/433/regtg8.jpg

To use this file you will need to right click the icon and select merge, accept the warning if it appears and you are done.

Just a hijackthis log required. Let me know how things are.

Ran the fix.reg.
When you said “a hijackthis log required” I wasn’t sure what exactly to do. I ran a new HJT and have attached the results. Was there something else I need to do with it?

Open HJT, run system scan only, checkmark the following line

O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\qttask .exe” -atboottime

close all windows/browser, click fix.

Reboot and post a new HJT.

A new HJT attached.

Okay, you’re done. Go ahead and clean up, but check this thread later, that key kind of intrigued me.

  1. Click start button, click run, copy and paste the following line in the box, click ok

combofix /u

  2. Open Hijackthis, click the misc tools button, click uninstall

  3. Create a new restore point

You must be logged on to an administrator account
Go to Start - All Programs - Accessories - System Tools - System Restore.
Click Create a restore point, and then click Next.
In the text box labeled Restore Point Description, type a name for this restore point, click create

Remove old restore points

  4. Disk Cleanup

  • Go to Start - All Programs - Accessories - system tools. Launch the Disk Cleanup tool and let it run. When it finishes a box with tabs will appear, select the more options tab. On this tab you will find a section for System Restore. If you press the Clean Up button for that section, Windows will delete all restore points except for the most recent one.

  5. Download and run this clean up utility from the link below. You can use it regularly. When it’s first run, it is in demo mode to show you what it will remove. Review it and then rerun in real mode. It is configurable.

http://www.stevengould.org/downloads/cleanup/

  6. It looks like you are using windows firewall. It doesn’t provide outbound protection. A third party firewall will.

A discussion on free firewalls can be found here.

http://forum.avast.com/index.php?topic=30808.0

You can also delete any logs, notepads, etc. that you may have left that were created during this. RENV can also be deleted.

Take care and keep safe. 8)