Win32: Trojan (gen) not going away

I really need some help. My computer’s been running slow for a few weeks now…and just lately avast has been picking up the Win32: Trojan almost every scan. I’m also getting pop-ups when I almost never EVER got them. I ran a log, can someone tell me what exactly I should do? I did a virscan and that came out clean.

Here’s the log:
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:55:58 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Softimage\XSI_5.11\Application\bin\raysat3_4_6_18server.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Lexmark 7600 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\Program Files\Alwil Software\Avast4\ashSimpl.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O1 - Hosts: scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
O1 - Hosts: 82.98.231.89 onlinenotifyq.net
O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {e66dbc85-8940-47ea-8104-0feb1ae311f6} - C:\WINDOWS\system32\botusale.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [lxdwmon.exe] “C:\Program Files\Lexmark 7600 Series\lxdwmon.exe”
O4 - HKLM..\Run: [EzPrint] “C:\Program Files\Lexmark 7600 Series\ezprint.exe”
O4 - HKLM..\Run: [RemoteControl8] “C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe”
O4 - HKLM..\Run: [PDVD8LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe”
O4 - HKLM..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s
O4 - HKLM..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM..\Run: [9426a7be] rundll32.exe “C:\WINDOWS\system32\divimuvo.dll”,b
O4 - HKLM..\Run: [CPM97159422] Rundll32.exe “c:\windows\system32\fefiyiri.dll”,a
O4 - HKCU..\Run: [Aim6] “C:\Program Files\AIM6\aim6.exe” /d locale=en-US ee://aol/imApp
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKUS\S-1-5-19..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (User ‘Default user’)
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User ‘SYSTEM’)
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User ‘SYSTEM’)
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User ‘Default user’)
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: C:\WINDOWS\system32\ruyebana.dll c:\windows\system32\meyeyihi.dll c:\windows\system32\fefiyiri.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe
O23 - Service: lxdw_device - - C:\WINDOWS\system32\lxdwcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RaySat3_4_6_18 Server (RaySat3_4_6_18Server) - Unknown owner - C:\Softimage\XSI_5.11\Application\bin\raysat3_4_6_18server.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

End of file - 11893 bytes

K, just used an “Automated” way of scanning HijackThis, because I’m tired.

These should be fixed though:

O1 - Hosts: 82.98.231.89 url.adtrgt.com
Must be fixed!

O1 - Hosts: 82.98.231.89 googleads2.gdoubleclick.net
O4 - HKLM..\Run: [9426a7be] rundll32.exe “C:\WINDOWS\system32\divimuvo.dll”,b
Nasty (1.67 / 5.00)

O1 - Hosts: scanner.info
Unknown URLs should be fixed. Unknown entries within the HOSTS-file should be fixed.

O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
Must be fixed!

O1 - Hosts: 82.98.231.89 microsoft.infosecuritycenter.com
Must be fixed!

O1 - Hosts: 82.98.231.89 microsoft.softwaresecurityhelp.com
Must be fixed!

O1 - Hosts: 82.98.231.89 onlinenotifyq.net
Unknown URLs should be fixed. Unknown entries within the HOSTS-file should be fixed.

O1 - Hosts: 82.98.231.89 antivirusxp-pro-2009.com
Must be fixed!

O1 - Hosts: 82.98.231.89 microsoft.browser-security-center.com

And I’m wondering about these, they should probably be removed as well:

O20 - AppInit_DLLs: C:\WINDOWS\system32\ruyebana.dll c:\windows\system32\meyeyihi.dll c:\windows\system32\fefiyiri.dll

O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll

O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll

The “fefiyiri.dll” points to a virtumundo infection. Here’s a link to help out with that: http://wiki.answers.com/Q/How_do_you_get_rid_of_Adware_Virtumondo

Or better yet, follow Tech’s suggestion on this page: http://forum.avast.com/index.php?topic=35865.0

Shoot, sorry. Welcome to the forum! ;D

xD Thanks. I’m going to go ahead and do that and see what happens. Just plain sick of the suckers attacking and slowing things down.

No kiddin’. Best of luck to ya!

I also suggest using a firewall, if you’re not using Windows’ built-in one. Your router (if you have one) is OK, but not as good as an additional software firewall.

OK. Ran the VundoFix and it came up clean; it didn’t scan during the boot, so I’m not sure if there’s something that I need to set up or not. I fixed the files that were suggested to fix in HijackThis and got a log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:16:46 PM, on 4/28/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Softimage\XSI_5.11\Application\bin\raysat3_4_6_18server.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Lexmark 7600 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\system32\wltray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\eHome\ehmsas.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: (no name) - {e66dbc85-8940-47ea-8104-0feb1ae311f6} - C:\WINDOWS\system32\botusale.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM..\Run: [ISUSScheduler] “C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe” -start
O4 - HKLM..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM..\Run: [TkBellExe] “C:\Program Files\Common Files\Real\Update_OB\realsched.exe” -osboot
O4 - HKLM..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM..\Run: [QuickTime Task] “C:\Program Files\QuickTime\QTTask.exe” -atboottime
O4 - HKLM..\Run: [GrooveMonitor] “C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe”
O4 - HKLM..\Run: [SunJavaUpdateSched] “C:\Program Files\Java\jre6\bin\jusched.exe”
O4 - HKLM..\Run: [lxdwmon.exe] “C:\Program Files\Lexmark 7600 Series\lxdwmon.exe”
O4 - HKLM..\Run: [EzPrint] “C:\Program Files\Lexmark 7600 Series\ezprint.exe”
O4 - HKLM..\Run: [RemoteControl8] “C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe”
O4 - HKLM..\Run: [PDVD8LanguageShortcut] “C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe”
O4 - HKLM..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s
O4 - HKLM..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKLM..\Run: [CPM97159422] Rundll32.exe “c:\windows\system32\fefiyiri.dll”,a
O4 - HKLM..\Run: [9426a7be] rundll32.exe “C:\WINDOWS\system32\divimuvo.dll”,b
O4 - HKCU..\Run: [Aim6] “C:\Program Files\AIM6\aim6.exe” /d locale=en-US ee://aol/imApp
O4 - HKCU..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU..\Run: [MSMSGS] “C:\Program Files\Messenger\msmsgs.exe” /background
O4 - HKUS\S-1-5-19..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s (User ‘NETWORK SERVICE’)
O4 - HKUS\S-1-5-18..\RunOnce: [RunNarrator] Narrator.exe (User ‘SYSTEM’)
O4 - HKUS.DEFAULT..\RunOnce: [RunNarrator] Narrator.exe (User ‘Default user’)
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User ‘SYSTEM’)
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User ‘SYSTEM’)
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User ‘Default user’)
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra ‘Tools’ menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra ‘Tools’ menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra ‘Tools’ menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\fefiyiri.dll,C:\WINDOWS\system32\ruyebana.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe
O23 - Service: lxdw_device - - C:\WINDOWS\system32\lxdwcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RaySat3_4_6_18 Server (RaySat3_4_6_18Server) - Unknown owner - C:\Softimage\XSI_5.11\Application\bin\raysat3_4_6_18server.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe

Hi guys,

If you don’t mind, I’ll lend a hand with this one.

Open HijackThis, do a system scan only and checkmark these lines, if present:

O2 - BHO: (no name) - {e66dbc85-8940-47ea-8104-0feb1ae311f6} - C:\WINDOWS\system32\botusale.dll
O4 - HKLM..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s
O4 - HKLM..\Run: [CPM97159422] Rundll32.exe “c:\windows\system32\fefiyiri.dll”,a
O4 - HKLM..\Run: [9426a7be] rundll32.exe “C:\WINDOWS\system32\divimuvo.dll”,b
O4 - HKUS\S-1-5-19..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s (User ‘LOCAL SERVICE’)
O4 - HKUS\S-1-5-20..\Run: [kaloleroha] Rundll32.exe “C:\WINDOWS\system32\nisinupo.dll”,s (User ‘NETWORK SERVICE’)
O20 - AppInit_DLLs: c:\windows\system32\fefiyiri.dll,C:\WINDOWS\system32\ruyebana.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll

Close ALL other windows/browsers and click Fix Checked. Answer Yes if prompted. Close HJT.

It’s important to allow this next tool to reboot your computer when prompted.

Please download OTMoveIt3 by OldTimer.

- Save it to your desktop.
- Please double-click OTMoveIt3.exe to run it. (Note: If you are running on Vista, right-click on the file and choose Run As Administrator.)
- Copy the lines in the codebox below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose Copy):

Do not copy the word CODE; note that the fix starts with the colon (:).

:Processes
explorer.exe

:Services

:Reg

:Files
c:\windows\system32\fefiyiri.dll
C:\WINDOWS\system32\ruyebana.dll
C:\WINDOWS\system32\nisinupo.dll
C:\WINDOWS\system32\botusale.dll
C:\WINDOWS\system32\divimuvo.dll

:Commands
[Purity]
[emptytemp]
[start explorer]
[Reboot]

- Return to OTMoveIt3, right-click in the “Paste Instructions for Items to be Moved” window (under the yellow bar) and choose Paste.
- Click the red Moveit! button.
- Copy everything in the Results window (under the green bar) to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose Copy), and paste it in your next reply.
- Close OTMoveIt3.

Note: If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes. In this case, after the reboot, open Notepad (Start->All Programs->Accessories->Notepad), click File->Open, in the File Name box enter *.log and press the Enter key, navigate to the C:\_OTMoveIt\MovedFiles folder, open the newest .log file present, and copy/paste the contents of that document back here in your next post.

Next:

Download and save to your desktop Malwarebytes Anti-Malware

Double-click mbam-setup.exe to install the application.
- Make sure a checkmark is placed next to Update Malwarebytes’ Anti-Malware and Launch Malwarebytes’ Anti-Malware, then click Finish.
- If an update is found, it will download and install the latest version.
- Once the program has loaded, select “Perform Quick Scan”, then click Scan.
- The scan may take some time to finish, so please be patient.
- When the scan is complete, click OK, then Show Results to view the results.
- Make sure that everything is checked, and click Remove Selected.
- When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. (See Extra Note.)
- The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
- Copy & paste the entire report in your next reply.

Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Please post back with:
- OTMoveIt3 log
- MBAM log
- HJT log taken last

Thanks
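A small triage script for HijackThis log lines, added here as an example; it is not part of this thread, of HijackThis, or of any of the tools the helpers recommend. It encodes the rules the replies above apply by hand (HOSTS entries redirected to a non-local address, rundll32 autoruns whose entry point is a bare letter, a populated AppInit_DLLs, SSODL and SharedTaskScheduler hooks, an unnamed BHO) and also reports any DLL referenced from more than one persistence point, as fefiyiri.dll is in the logs above. The sample lines are a constructed subset of the first log posted in the thread.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the first HijackThis log posted in the thread.
SAMPLE_LOG = r"""
O1 - Hosts: 82.98.231.89 url.adtrgt.com
O1 - Hosts: scanner.info
O1 - Hosts: 82.98.231.89 antivirus-xp-pro-2009.com
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {e66dbc85-8940-47ea-8104-0feb1ae311f6} - C:\WINDOWS\system32\botusale.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [kaloleroha] Rundll32.exe "C:\WINDOWS\system32\nisinupo.dll",s
O4 - HKLM\..\Run: [CPM97159422] Rundll32.exe "c:\windows\system32\fefiyiri.dll",a
O20 - AppInit_DLLs: C:\WINDOWS\system32\ruyebana.dll c:\windows\system32\meyeyihi.dll c:\windows\system32\fefiyiri.dll
O21 - SSODL: SSODL - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll
O22 - SharedTaskScheduler: STS - {EC43E3FD-5C60-46a6-97D7-E0B85DBDD6C4} - c:\windows\system32\fefiyiri.dll
"""

# Addresses that are normal in a HOSTS file; anything else is a redirect.
LOCAL_ADDRS = {"127.0.0.1", "0.0.0.0", "::1"}

# An HJT line is a section code, a dash, then the entry body.  Quotes may be
# straight or curly because logs pasted into forums come back with smart quotes.
ENTRY_RE = re.compile(r"^(O\d+|R\d)\s+-\s+(.*)$")
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+["“]?([^"”]+?\.dll)["”]?\s*,\s*(\S+)', re.I)
DLL_PATH_RE = re.compile(r'[a-z]:\\[^",“”]+?\.dll\b', re.I)


def triage(log_text):
    """Return (findings, shared).

    findings: list of (section code, message) for entries matching the rules.
    shared:   {dll basename: sorted section codes} for every DLL referenced
              from two or more persistence points in the log.
    """
    findings = []
    dll_refs = defaultdict(set)
    for line in log_text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue
        code, body = m.groups()
        for path in DLL_PATH_RE.findall(body):
            dll_refs[path.rsplit("\\", 1)[-1].lower()].add(code)
        if code == "O1":
            # "Hosts: <addr> <name>"; a bare name or a non-local address is suspect.
            parts = body.split(":", 1)[1].split()
            if len(parts) == 1:
                findings.append((code, f"HOSTS entry without address: {parts[0]}"))
            elif len(parts) == 2 and parts[0] not in LOCAL_ADDRS:
                findings.append((code, f"HOSTS redirect {parts[1]} -> {parts[0]}"))
        elif code == "O2" and "(no name)" in body:
            findings.append((code, f"unnamed BHO: {body.split(' - ')[-1]}"))
        elif code == "O4":
            # A legitimate rundll32 autorun names a real export (NvStartup);
            # a single-letter entry point is the pattern flagged in the thread.
            rm = RUNDLL_RE.search(body)
            if rm and len(rm.group(2)) == 1:
                findings.append((code, f"rundll32 autorun with bare entry point "
                                       f"'{rm.group(2)}': {rm.group(1)}"))
        elif code == "O20" and body.startswith("AppInit_DLLs"):
            findings.append((code, "AppInit_DLLs populated: " + body.split(":", 1)[1].strip()))
        elif code in ("O21", "O22"):
            findings.append((code, f"shell hook: {body.split(' - ')[-1]}"))
    shared = {dll: sorted(codes) for dll, codes in dll_refs.items() if len(codes) >= 2}
    return findings, shared


if __name__ == "__main__":
    found, multi = triage(SAMPLE_LOG)
    for code, msg in found:
        print(f"[{code}] {msg}")
    for dll, codes in multi.items():
        print(f"{dll} is referenced from {', '.join(codes)}")
```

The heuristics are a starting point for reading a log, not a verdict; a hit still needs the entry checked against a known-good baseline, as the helpers do above.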

========== PROCESSES ==========
Process explorer.exe killed successfully.
========== SERVICES/DRIVERS ==========
========== REGISTRY ==========
========== FILES ==========
File/Folder c:\windows\system32\fefiyiri.dll not found.
File/Folder C:\WINDOWS\system32\ruyebana.dll not found.
File/Folder C:\WINDOWS\system32\nisinupo.dll not found.
File/Folder C:\WINDOWS\system32\botusale.dll not found.
File/Folder C:\WINDOWS\system32\divimuvo.dll not found.
========== COMMANDS ==========
File delete failed. C:\DOCUME~1\Katrina\LOCALS~1\Temp\etilqs_wTS0S1w33YVF6AwhC9xK scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Katrina\LOCALS~1\Temp~DFD198.tmp scheduled to be deleted on reboot.
File delete failed. C:\DOCUME~1\Katrina\LOCALS~1\Temp~DFF1B7.tmp scheduled to be deleted on reboot.
User’s Temp folder emptied.
User’s Internet Explorer cache folder emptied.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\KOB9SPKM\tcodewads[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\1ZYKBRWH\aimradio_streamops_aol_com[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\1ZYKBRWH\AIM_UAC_v2[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\1ZYKBRWH\tcodebl[1].htm scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
User’s Temporary Internet Files folder emptied.
Local Service Temp folder emptied.
File delete failed. C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Local Service Temporary Internet Files folder emptied.
Network Service Temp folder emptied.
File delete failed. C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat scheduled to be deleted on reboot.
Network Service Temporary Internet Files folder emptied.
File delete failed. C:\WINDOWS\temp_avast4_\Webshlock.txt scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_500.dat scheduled to be deleted on reboot.
File delete failed. C:\WINDOWS\temp\Perflib_Perfdata_768.dat scheduled to be deleted on reboot.
Windows Temp folder emptied.
Java cache emptied.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\Cache_CACHE_001_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\Cache_CACHE_002_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\Cache_CACHE_003_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\Cache_CACHE_MAP_ scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\urlclassifier3.sqlite scheduled to be deleted on reboot.
File delete failed. C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\XUL.mfl scheduled to be deleted on reboot.
FireFox cache emptied.
Temp folders emptied.
Explorer started successfully

OTMoveIt3 by OldTimer - Version 1.0.11.0 log created on 04292009_201219

Files moved on Reboot…
File C:\DOCUME~1\Katrina\LOCALS~1\Temp\etilqs_wTS0S1w33YVF6AwhC9xK not found!
C:\DOCUME~1\Katrina\LOCALS~1\Temp\~DFD198.tmp moved successfully.
C:\DOCUME~1\Katrina\LOCALS~1\Temp\~DFF1B7.tmp moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\KOB9SPKM\tcodewads[1].htm moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\1ZYKBRWH\aimradio_streamops_aol_com[1].htm moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\1ZYKBRWH\AIM_UAC_v2[1].htm moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Temporary Internet Files\Content.IE5\1ZYKBRWH\tcodebl[1].htm moved successfully.
File C:\WINDOWS\temp_avast4_\Webshlock.txt not found!
File C:\WINDOWS\temp\Perflib_Perfdata_500.dat not found!
File C:\WINDOWS\temp\Perflib_Perfdata_768.dat not found!
C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\Cache_CACHE_001_ moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\Cache_CACHE_002_ moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\Cache_CACHE_003_ moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\Cache_CACHE_MAP_ moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\urlclassifier3.sqlite moved successfully.
C:\Documents and Settings\Katrina\Local Settings\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\XUL.mfl moved successfully.

Malwarebytes' Anti-Malware 1.36
Database version: 2060
Windows 5.1.2600 Service Pack 3

4/29/2009 8:31:24 PM
mbam-log-2009-04-29 (20-31-24).txt

Scan type: Quick Scan
Objects scanned: 86278
Time elapsed: 6 minute(s), 21 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 6
Registry Values Infected: 5
Registry Data Items Infected: 1
Folders Infected: 0
Files Infected: 8

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{e66dbc85-8940-47ea-8104-0feb1ae311f6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{e66dbc85-8940-47ea-8104-0feb1ae311f6} (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\contim (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\dslcnnct (Trojan.Vundo) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\rdfa (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\9426a7be (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\cpm97159422 (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\kaloleroha (Trojan.Vundo.H) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\{ec43e3fd-5c60-46a6-97d7-e0b85dbdd6c4} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\ssodl (Trojan.BHO) -> Quarantined and deleted successfully.

Registry Data Items Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\UpdatesDisableNotify (Disabled.SecurityCenter) -> Bad: (1) Good: (0) -> Quarantined and deleted successfully.

Folders Infected:
(No malicious items detected)

Files Infected:
C:\WINDOWS\system32\hawinigi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\iginiwah.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\jodenosi.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\isonedoj.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tomeruga.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\aguremot.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\tuyalaze.dll (Trojan.Vundo.H) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ezalayut.ini (Trojan.Vundo.H) -> Quarantined and deleted successfully.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:35:13 PM, on 4/29/2009
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16791)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\wltrysvc.exe
C:\WINDOWS\System32\bcmwltry.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\spm\spmd.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\WINDOWS\eHome\ehRecvr.exe
C:\WINDOWS\eHome\ehSched.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
C:\Program Files\Java\jre6\bin\jqs.exe
C:\WINDOWS\system32\lxdwcoms.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\Softimage\XSI_5.11\Application\bin\raysat3_4_6_18server.exe
C:\Program Files\CyberLink\Shared files\RichVideo.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\Tablet.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\system32\fxssvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\ehome\ehtray.exe
C:\WINDOWS\stsystra.exe
C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Google\Gmail Notifier\gnotify.exe
C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
C:\Program Files\Java\jre6\bin\jusched.exe
C:\Program Files\Lexmark 7600 Series\lxdwmon.exe
C:\Program Files\Lexmark 7600 Series\ezprint.exe
C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe
C:\WINDOWS\system32\wltray.exe
C:\Program Files\AIM6\aim6.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe
C:\WINDOWS\system32\WTablet\TabUserW.exe
C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
C:\Program Files\AIM6\aolsoftware.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\dllhost.exe
C:\WINDOWS\system32\imapi.exe
C:\WINDOWS\system32\wscntfy.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = www.google.com/ig/dell?hl=en&client=dell-usuk&channel=us&ibd=6061102
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\PROGRA~1\MI1933~1\Office12\GRA8E1~1.DLL
O2 - BHO: Lexmark Printable Web - {D2C5E510-BE6D-42CC-9F61-E4F939078474} - C:\Program Files\Lexmark Printable Web\bho.dll
O2 - BHO: Java™ Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
O2 - BHO: JQSIEStartDetectorImpl - {E7E6F031-17CE-4C07-BC86-EABFE594F69C} - C:\Program Files\Java\jre6\lib\deploy\jqs\ie\jqs_plugin.dll
O4 - HKLM\..\Run: [ehTray] C:\WINDOWS\ehome\ehtray.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
O4 - HKLM\..\Run: [IAAnotif] C:\Program Files\Intel\Intel Matrix Storage Manager\Iaanotif.exe
O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [{0228e555-4f9c-4e35-a3ec-b109a192b4c2}] C:\Program Files\Google\Gmail Notifier\gnotify.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre6\bin\jusched.exe"
O4 - HKLM\..\Run: [lxdwmon.exe] "C:\Program Files\Lexmark 7600 Series\lxdwmon.exe"
O4 - HKLM\..\Run: [EzPrint] "C:\Program Files\Lexmark 7600 Series\ezprint.exe"
O4 - HKLM\..\Run: [RemoteControl8] "C:\Program Files\CyberLink\PowerDVD8\PDVD8Serv.exe"
O4 - HKLM\..\Run: [PDVD8LanguageShortcut] "C:\Program Files\CyberLink\PowerDVD8\Language\Language.exe"
O4 - HKLM\..\Run: [Broadcom Wireless Manager] C:\WINDOWS\system32\wltray.exe
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKUS\S-1-5-19\..\Run: [kaloleroha] Rundll32.exe "C:\WINDOWS\system32\nisinupo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kaloleroha] Rundll32.exe "C:\WINDOWS\system32\nisinupo.dll",s (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - S-1-5-18 Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User ‘SYSTEM’)
O4 - S-1-5-18 Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User ‘SYSTEM’)
O4 - .DEFAULT Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe (User ‘Default user’)
O4 - .DEFAULT Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe (User ‘Default user’)
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Startup: Adobe Media Player.lnk = C:\Program Files\Adobe Media Player\Adobe Media Player.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Dynex Wireless Networking Utility.lnk = ?
O4 - Global Startup: TabUserW.exe.lnk = C:\WINDOWS\system32\WTablet\TabUserW.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\Office12\EXCEL.EXE/3000
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MI1933~1\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O18 - Protocol: grooveLocalGWS - {88FED34C-F0CA-4636-A375-3CB6248B04CD} - C:\PROGRA~1\MI1933~1\Office12\GR99D3~1.DLL
O20 - AppInit_DLLs: c:\windows\system32\pusupuro.dll,C:\WINDOWS\system32\ruyebana.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FLEXnet Licensing Service - Acresso Software Inc. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMON) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\Iaantmon.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: Java Quick Starter (JavaQuickStarterService) - Sun Microsystems, Inc. - C:\Program Files\Java\jre6\bin\jqs.exe
O23 - Service: lxdwCATSCustConnectService - Lexmark International, Inc. - C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe
O23 - Service: lxdw_device - - C:\WINDOWS\system32\lxdwcoms.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: RaySat3_4_6_18 Server (RaySat3_4_6_18Server) - Unknown owner - C:\Softimage\XSI_5.11\Application\bin\raysat3_4_6_18server.exe
O23 - Service: Cyberlink RichVideo Service(CRVS) (RichVideo) - Unknown owner - C:\Program Files\CyberLink\Shared files\RichVideo.exe
O23 - Service: SPM License Server (spmd) - mental images GmbH - C:\WINDOWS\system32\spm\spmd.exe
O23 - Service: TabletService - Wacom Technology, Corp. - C:\WINDOWS\system32\Tablet.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: Broadcom Wireless LAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\wltrysvc.exe


End of file - 10919 bytes

There. It turned on a lot quicker, have to admit that. But when I was doing all of those, I kept getting Win32:MoPack [cryo] popping up like crazy... to the point that I was utterly frustrated. :-X Should I be worried about those too? Or would what I did have taken care of that?

Edit: Now all of a sudden my Windows is updating when I thought I had all the updates that were out. I know I had it set on automatic updates. ???

Hi

We got a chunk of it. Now we hit it harder.

Open HijackThis, do a system scan only and checkmark these lines, if present:

O20 - AppInit_DLLs: c:\windows\system32\pusupuro.dll,C:\WINDOWS\system32\ruyebana.dll

Close ALL other windows/browsers and click Fix Checked. Answer Yes if prompted. Close HJT.


Download ComboFix from one of these locations:

Link 1
Link 2
Link 3

* IMPORTANT !!! Save ComboFix.exe to your Desktop

* Disable your AntiVirus and AntiSpyware applications, usually via a right click on the System Tray icon. They may otherwise interfere with our tools. Note: If you are having difficulty properly disabling your protective programs, or are unsure as to what programs need to be disabled, please refer to the information available through this link: How to Disable your Security Programs

* Double click on ComboFix.exe & follow the prompts.

* As part of its process, ComboFix will check to see if the Microsoft Windows Recovery Console is installed. With malware infections being as they are today, it's strongly recommended to have this pre-installed on your machine before doing any malware removal. It will allow you to boot up into a special recovery/repair mode that will allow us to more easily help you should your computer have a problem after an attempted removal of malware.

* Follow the prompts to allow ComboFix to download and install the Microsoft Windows Recovery Console, and when prompted, agree to the End-User License Agreement to install the Microsoft Windows Recovery Console.

**Please note: If the Microsoft Windows Recovery Console is already installed, ComboFix will continue its malware removal procedures.

http://img.photobucket.com/albums/v706/ried7/RcAuto1.gif

Once the Microsoft Windows Recovery Console is installed using ComboFix, you should see the following message:

http://img.photobucket.com/albums/v706/ried7/whatnext.png

Click on Yes, to continue scanning for malware.

When finished, it shall produce a log for you. Please include the C:\ComboFix.txt in your next reply.

Notes:

1. Do not mouse-click ComboFix's window while it is running. That may cause it to stall.
2. ComboFix may reset a number of Internet Explorer's settings, including making IE the default browser.
3. ComboFix prevents autorun of ALL CD, floppy and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you, please tell your helper.
4. CF disconnects your machine from the internet. The connection is automatically restored before CF completes its run. If CF runs into difficulty and terminates prematurely, the connection can be manually restored by restarting your machine.

Please post back with the combofix log and a new HJT log.

Thanks
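Added example, not part of this thread and not code from HijackThis, Malwarebytes or ComboFix. The two load vectors the helper is chasing in the log above are an O20 AppInit_DLLs entry (every DLL listed there is mapped into each process that loads user32.dll) and O4 Run entries under the LOCAL SERVICE and NETWORK SERVICE hives that start a system32 DLL through Rundll32. The Python below triages a HijackThis log for exactly those two patterns, and separately pairs up the dll/ini twins from the Malwarebytes "Files Infected" list (hawinigi.dll beside iginiwah.ini, the stem spelled backwards). The consonant/vowel name check is an assumption drawn from the names on this page; it also matches benign names such as notepad, so it only raises the score of a hit found by one of the stronger signals. The sample lines are constructed from the thread's own log, in HijackThis's real format.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

VOWELS = set("aeiou")


def _stem(path: str) -> str:
    """'C:\\WINDOWS\\system32\\nisinupo.dll' -> 'nisinupo'."""
    name = path.replace("/", "\\").rsplit("\\", 1)[-1]
    return name.rsplit(".", 1)[0].lower()


def generated_stem(path: str) -> bool:
    """Heuristic (assumption, not a HijackThis rule): the Vundo names in this
    thread (hawinigi, nisinupo, pusupuro, kaloleroha) are 6-10 lowercase letters
    that strictly alternate consonant/vowel.  Benign names such as 'notepad'
    match too, so callers only use this to raise the score of a stronger hit."""
    stem = _stem(path)
    if not re.fullmatch(r"[a-z]{6,10}", stem):
        return False
    cls = [c in VOWELS for c in stem]
    return all(a != b for a, b in zip(cls, cls[1:]))


@dataclass
class Hit:
    line: str
    reason: str
    score: int  # 2 for the load vector, +1 if the file name looks generated


# O20: every DLL in AppInit_DLLs is mapped into each process that loads user32.
O20_RE = re.compile(r"^O20 - AppInit_DLLs:\s*(?P<dlls>\S.*)$", re.I)
# O4 under the LOCAL SERVICE / NETWORK SERVICE hives that runs a DLL via Rundll32.
# The optional backslash tolerates copies of the log that lost '\' before '..'.
O4_SVC_RE = re.compile(
    r"^O4 - HKUS\\S-1-5-(?:19|20)\\?\.\.\\Run: \[(?P<name>[^\]]+)\]\s+"
    r"Rundll32(?:\.exe)?\s+\"?(?P<dll>[^\",]+\.dll)\"?",
    re.I,
)


def triage(hjt_lines: Iterable[str]) -> list[Hit]:
    """Return one Hit per suspicious autostart found in a HijackThis log."""
    hits: list[Hit] = []
    for raw in hjt_lines:
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            for dll in (d.strip() for d in m.group("dlls").split(",") if d.strip()):
                hits.append(Hit(line, f"AppInit_DLLs injects {dll} into every process",
                                2 + int(generated_stem(dll))))
            continue
        m = O4_SVC_RE.match(line)
        if m:
            dll = m.group("dll")
            hits.append(Hit(line, f"service-account Run key loads {dll} via Rundll32",
                            2 + int(generated_stem(dll))))
    return hits


def reversed_pairs(paths: Iterable[str]) -> list[tuple[str, str]]:
    """Pair foo.dll with oof.ini (stem reversed), the dropper layout seen in the
    Malwarebytes 'Files Infected' list (hawinigi.dll / iginiwah.ini)."""
    by_ext: dict[str, dict[str, str]] = {}
    for p in paths:
        name = p.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        stem, _, ext = name.rpartition(".")
        by_ext.setdefault(ext, {})[stem] = p
    dlls, inis = by_ext.get("dll", {}), by_ext.get("ini", {})
    return [(dll, inis[stem[::-1]]) for stem, dll in dlls.items() if stem[::-1] in inis]


# Constructed sample: the relevant lines of the second HijackThis log in this
# thread, in HijackThis's own format, plus two benign entries for contrast.
SAMPLE_HJT = r"""
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [kaloleroha] Rundll32.exe "C:\WINDOWS\system32\nisinupo.dll",s (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [kaloleroha] Rundll32.exe "C:\WINDOWS\system32\nisinupo.dll",s (User 'NETWORK SERVICE')
O20 - AppInit_DLLs: c:\windows\system32\pusupuro.dll,C:\WINDOWS\system32\ruyebana.dll
""".strip().splitlines()

# Constructed sample: file paths from the Malwarebytes log plus two legitimate ones.
SAMPLE_FILES = [
    r"C:\WINDOWS\system32\hawinigi.dll", r"C:\WINDOWS\system32\iginiwah.ini",
    r"C:\WINDOWS\system32\jodenosi.dll", r"C:\WINDOWS\system32\isonedoj.ini",
    r"C:\WINDOWS\system32\tomeruga.dll", r"C:\WINDOWS\system32\aguremot.ini",
    r"C:\WINDOWS\system32\kernel32.dll", r"C:\WINDOWS\win.ini",
]

if __name__ == "__main__":
    for h in triage(SAMPLE_HJT):
        print(f"[score {h.score}] {h.reason}")
    for dll, ini in reversed_pairs(SAMPLE_FILES):
        print(f"dropper pair: {dll} <-> {ini}")
```

Run it as-is to see the four hits from the constructed sample (two AppInit DLLs, two service-account Rundll32 entries, all scored 3) and the three dll/ini pairs. On a real machine you would feed `triage()` the saved hijackthis.log and `reversed_pairs()` a directory listing of system32; a hit with score 2 still deserves a look, the name heuristic only orders the queue.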

ComboFix 09-05-02.4 - Katrina 05/01/2009 21:36.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.3.1252.1.1033.18.2046.1452 [GMT -7:00]
Running from: c:\documents and settings\Katrina\Desktop\ComboFix.exe
AV: avast! antivirus 4.8.1335 [VPS 090501-0] On-access scanning disabled (Updated)
AV: McAfee VirusScan On-access scanning enabled (Updated)
FW: disabled
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
c:\windows\IE4 Error Log.txt
c:\windows\system32\aduhemol.ini
c:\windows\system32\aleboyid.ini
c:\windows\system32\enoyures.ini
c:\windows\system32\etahijan.ini
c:\windows\system32\ewumivuv.ini
c:\windows\system32\fahokipa.exe
c:\windows\system32\fufakili.exe
c:\windows\system32\gipidiwu.exe
c:\windows\system32\imitoheg.ini
c:\windows\system32\iyeyavej.ini
c:\windows\system32\malufige.exe
c:\windows\system32\mesekaho.exe
c:\windows\system32\ovalejat.ini
c:\windows\system32\ovumivid.ini
c:\windows\system32\ubuyesuz.ini
c:\windows\system32\unoyemib.ini
c:\windows\system32\utoyulew.ini
c:\windows\system32\uvojiduz.ini
c:\windows\system32\uwohorij.ini
c:\windows\system32\wiboniza.exe
c:\windows\system32\wunipilo.exe
c:\windows\system32\yohujoku.exe
c:\windows\system32\zazuyito.exe
((((((((((((((((((((((((( Files Created from 2009-04-02 to 2009-05-02 )))))))))))))))))))))))))))))))
2009-05-02 04:27 . 2009-05-02 04:27 -------- d--h--w c:\windows\system32\GroupPolicy
2009-04-30 04:50 . 2009-04-30 04:50 -------- d-sh--w c:\documents and settings\LocalService\IETldCache
2009-04-30 03:49 . 2009-04-30 03:49 -------- d-sh--w c:\documents and settings\Katrina\IETldCache
2009-04-30 03:44 . 2009-04-30 03:44 -------- d-----w c:\windows\ie8updates
2009-04-30 03:44 . 2009-02-28 04:55 105984 ------w c:\windows\system32\dllcache\iecompat.dll
2009-04-30 03:44 . 2009-04-30 03:44 -------- dc-h--w c:\windows\ie8
2009-04-30 03:37 . 2009-03-06 14:22 284160 ------w c:\windows\system32\dllcache\pdh.dll
2009-04-30 03:37 . 2009-02-06 10:39 35328 ------w c:\windows\system32\dllcache\sc.exe
2009-04-30 03:37 . 2009-02-09 12:10 401408 ------w c:\windows\system32\dllcache\rpcss.dll
2009-04-30 03:37 . 2009-02-06 11:11 110592 ------w c:\windows\system32\dllcache\services.exe
2009-04-30 03:37 . 2009-02-09 12:10 473600 ------w c:\windows\system32\dllcache\fastprox.dll
2009-04-30 03:37 . 2009-02-06 10:10 227840 ------w c:\windows\system32\dllcache\wmiprvse.exe
2009-04-30 03:37 . 2009-02-09 12:10 453120 ------w c:\windows\system32\dllcache\wmiprvsd.dll
2009-04-30 03:37 . 2009-02-09 12:10 729088 ------w c:\windows\system32\dllcache\lsasrv.dll
2009-04-30 03:37 . 2009-02-09 12:10 617472 ------w c:\windows\system32\dllcache\advapi32.dll
2009-04-30 03:37 . 2009-02-09 12:10 714752 ------w c:\windows\system32\dllcache\ntdll.dll
2009-04-30 03:36 . 2008-05-03 11:55 2560 ------w c:\windows\system32\xpsp4res.dll
2009-04-30 03:36 . 2008-04-21 12:08 215552 ------w c:\windows\system32\dllcache\wordpad.exe
2009-04-30 03:23 . 2009-04-30 03:23 -------- d-----w c:\documents and settings\Katrina\Application Data\Malwarebytes
2009-04-30 03:23 . 2009-04-06 22:32 15504 ----a-w c:\windows\system32\drivers\mbam.sys
2009-04-30 03:23 . 2009-04-06 22:32 38496 ----a-w c:\windows\system32\drivers\mbamswissarmy.sys
2009-04-30 03:23 . 2009-04-30 03:23 -------- d-----w c:\documents and settings\All Users\Application Data\Malwarebytes
2009-04-30 03:23 . 2009-04-30 03:23 -------- d-----w c:\program files\Malwarebytes' Anti-Malware
2009-04-30 03:12 . 2009-04-30 03:12 -------- d-----w C:\_OTMoveIt
2009-04-29 04:40 . 2009-04-29 04:40 -------- d-----w C:\VundoFix Backups
2009-04-29 03:55 . 2009-04-29 03:55 -------- d-----w c:\program files\Trend Micro
2009-04-23 02:54 . 2007-10-09 21:33 198144 ----a-w c:\windows\system32\drivers\NdisWDM.sys
2009-04-12 01:14 . 2009-04-12 01:14 410984 ----a-w c:\windows\system32\deploytk.dll

(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
2009-05-02 04:40 . 2007-02-17 23:41 12925 ----a-w c:\windows\system32\tablet.dat
2009-05-02 04:40 . 2005-08-16 10:49 6 ---ha-w c:\windows\Tasks\SA.DAT
2009-05-02 04:13 . 2006-11-03 05:24 -------- d-----w c:\program files\Dell
2009-04-30 03:35 . 2006-11-07 06:00 79760 ----a-w c:\documents and settings\Katrina\Local Settings\Application Data\GDIPFONTCACHEV1.DAT
2009-04-23 02:54 . 2009-04-23 02:53 -------- d-----w c:\program files\Dynex Enhanced G USB Network Adapter
2009-04-23 02:53 . 2006-11-03 05:23 -------- d--h--w c:\program files\InstallShield Installation Information
2009-04-12 01:14 . 2006-11-03 05:18 -------- d-----w c:\program files\Java
2009-04-10 03:06 . 2006-11-23 06:35 10374 ----a-w c:\documents and settings\Katrina\Application Data\wklnhst.dat
2009-03-08 11:34 . 2005-08-16 10:18 914944 ----a-w c:\windows\system32\wininet.dll
2009-03-08 11:34 . 2005-08-16 10:18 43008 ----a-w c:\windows\system32\licmgr10.dll
2009-03-08 11:33 . 2005-08-16 10:18 18944 ----a-w c:\windows\system32\corpol.dll
2009-03-08 11:33 . 2005-08-16 10:18 420352 ----a-w c:\windows\system32\vbscript.dll
2009-03-08 11:32 . 2005-08-16 10:18 72704 ----a-w c:\windows\system32\admparse.dll
2009-03-08 11:32 . 2005-08-16 10:18 71680 ----a-w c:\windows\system32\iesetup.dll
2009-03-08 11:31 . 2005-08-16 10:18 34816 ----a-w c:\windows\system32\imgutil.dll
2009-03-08 11:31 . 2005-08-16 10:18 48128 ----a-w c:\windows\system32\mshtmler.dll
2009-03-08 11:31 . 2005-08-16 10:18 45568 ----a-w c:\windows\system32\mshta.exe
2009-03-08 11:22 . 2005-08-16 10:18 156160 ----a-w c:\windows\system32\msls31.dll
2009-03-06 14:22 . 2005-08-16 10:18 284160 ----a-w c:\windows\system32\pdh.dll
2009-02-20 18:09 . 2009-02-20 18:09 78336 ------w c:\windows\system32\ieencode.dll
2009-02-12 05:44 . 2009-02-12 05:45 29480 ----a-w c:\windows\system32\msxml3a.dll
2009-02-09 12:10 . 2005-08-16 10:18 729088 ----a-w c:\windows\system32\lsasrv.dll
2009-02-09 12:10 . 2005-08-16 10:18 401408 ----a-w c:\windows\system32\rpcss.dll
2009-02-09 12:10 . 2005-08-16 10:18 714752 ----a-w c:\windows\system32\ntdll.dll
2009-02-09 12:10 . 2005-08-16 10:18 617472 ----a-w c:\windows\system32\advapi32.dll
2009-02-09 11:13 . 2005-08-16 10:18 1846784 ----a-w c:\windows\system32\win32k.sys
2009-02-06 11:11 . 2005-08-16 10:18 110592 ----a-w c:\windows\system32\services.exe
2009-02-06 11:06 . 2005-08-16 10:18 2145280 ----a-w c:\windows\system32\ntoskrnl.exe
2009-02-06 10:39 . 2005-08-16 10:18 35328 ----a-w c:\windows\system32\sc.exe
2009-02-06 10:32 . 2004-08-04 04:59 2023936 ----a-w c:\windows\system32\ntkrnlpa.exe
2009-02-03 19:59 . 2005-08-16 10:18 56832 ----a-w c:\windows\system32\secur32.dll
2007-06-05 03:23 . 2006-11-13 06:30 88 --sh--r c:\windows\system32\F6E91FFCA4.sys
2007-06-05 03:23 . 2006-11-13 06:30 2828 --sha-w c:\windows\system32\KGyGaAvL.sys
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
Note empty entries & legit default entries are not shown
REGEDIT4
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Aim6"="c:\program files\AIM6\aim6.exe" [2008-10-31 50480]
"ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2008-04-14 15360]
"MSMSGS"="c:\program files\Messenger\msmsgs.exe" [2008-04-14 1695232]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ehTray"="c:\windows\ehome\ehtray.exe" [2005-09-29 67584]
"NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2006-06-16 7323648]
"IAAnotif"="c:\program files\Intel\Intel Matrix Storage Manager\Iaanotif.exe" [2006-07-06 151552]
"ISUSPM Startup"="c:\progra~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [2004-07-27 221184]
"ISUSScheduler"="c:\program files\Common Files\InstallShield\UpdateService\issch.exe" [2004-07-27 81920]
"avast!"="c:\progra~1\ALWILS~1\Avast4\ashDisp.exe" [2009-02-05 81000]
"TkBellExe"="c:\program files\Common Files\Real\Update_OB\realsched.exe" [2007-02-21 185784]
"{0228e555-4f9c-4e35-a3ec-b109a192b4c2}"="c:\program files\Google\Gmail Notifier\gnotify.exe" [2005-07-15 479232]
"QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-03-29 413696]
"GrooveMonitor"="c:\program files\Microsoft Office\Office12\GrooveMonitor.exe" [2006-10-27 31016]
"SunJavaUpdateSched"="c:\program files\Java\jre6\bin\jusched.exe" [2009-04-12 148888]
"lxdwmon.exe"="c:\program files\Lexmark 7600 Series\lxdwmon.exe" [2008-05-21 676520]
"EzPrint"="c:\program files\Lexmark 7600 Series\ezprint.exe" [2008-05-21 131752]
"RemoteControl8"="c:\program files\CyberLink\PowerDVD8\PDVD8Serv.exe" [2008-03-21 83240]
"PDVD8LanguageShortcut"="c:\program files\CyberLink\PowerDVD8\Language\Language.exe" [2007-12-14 50472]
"Broadcom Wireless Manager"="c:\windows\system32\wltray.exe" [2007-06-14 1282048]
"SigmatelSysTrayApp"="stsystra.exe" - c:\windows\stsystra.exe [2006-07-24 282624]
[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" - c:\windows\system32\narrator.exe [2008-04-14 53760]

c:\documents and settings\Katrina\Start Menu\Programs\Startup
Adobe Gamma.lnk - c:\program files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe [2005-3-16 113664]
c:\documents and settings\All Users\Start Menu\Programs\Startup
Adobe Reader Speed Launch.lnk - c:\program files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-9-23 29696]
Digital Line Detect.lnk - c:\program files\Digital Line Detect\DLG.exe [2006-11-2 24576]
Dynex Wireless Networking Utility.lnk - c:\program files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe [2009-4-22 1462272]
TabUserW.exe.lnk - c:\windows\system32\WTablet\TabUserW.exe [2007-2-17 114688]
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32
"wave"= serwvdrv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\McAfeeFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\system32\sessmgr.exe"=
"c:\Program Files\Common Files\AOL\ACS\AOLacsd.exe"=
"c:\Program Files\Common Files\AOL\ACS\AOLDial.exe"=
"c:\Program Files\Messenger\msmsgs.exe"=
"c:\Program Files\AIM\aim.exe"=
"c:\Softimage\XSI_5.11\Application\bin\XSI.exe"=
"c:\Program Files\Common Files\AOL\Loader\aolload.exe"=
"c:\Program Files\AIM6\aim6.exe"=
"c:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE"=
"c:\Program Files\Microsoft Office\Office12\GROOVE.EXE"=
"c:\Program Files\Microsoft Office\Office12\ONENOTE.EXE"=
"%windir%\Network Diagnostic\xpnetdiag.exe"=
"c:\WINDOWS\system32\lxdwcoms.exe"=
"c:\Program Files\Alwil Software\Avast4\ashMaiSv.exe"=
"c:\Program Files\Dynex Enhanced G USB Network Adapter\DynexWCUI.exe"=
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\windows\System32\spool\DRIVERS\W32X86\3\lxdwserv.exe [2008-05-16 98984]
R3 A5AGU;D-Link USB Wireless Network Adapter Service;c:\windows\system32\DRIVERS\A5AGU.sys [2005-07-26 348352]
R3 ATHFMWDL;D-Link predator Bootloader driver;c:\windows\system32\Drivers\ATHFMWDL.sys [2005-07-26 43392]
R3 BCMWLNPF;Broadcom Netgroup Packet Filter;c:\windows\system32\drivers\bcmwlnpf.sys [2007-04-26 33664]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;
R3 MBAMSwissArmy;MBAMSwissArmy;c:\windows\system32\drivers\mbamswissarmy.sys [2009-04-06 38496]
R3 wlanndi5;wlanndi5 NDIS Protocol Driver;c:\windows\system32\wlanndi5.SYS [2004-04-22 16384]
S1 aswSP;avast! Self Protection;
S2 aswFsBlk;aswFsBlk;c:\windows\system32\DRIVERS\aswFsBlk.sys [2009-02-05 20560]
S2 lxdw_device;lxdw_device;c:\windows\system32\lxdwcoms.exe [2008-05-16 594600]
S2 Viewpoint Manager Service;Viewpoint Manager Service;c:\program files\Viewpoint\Common\ViewpointService.exe [2007-01-04 24652]
S3 NdisWDM;Dynex Enhanced Wireless G USB Network Adapter Service;c:\windows\system32\DRIVERS\ndiswdm.sys [2007-10-09 198144]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\Shell\AutoRun\command - E:\setup.exe
[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{60B49E34-C7CC-11D0-8953-00A0C90347FF}]
"c:\windows\system32\rundll32.exe" "c:\windows\system32\iedkcs32.dll",BrandIEActiveSetup SIGNUP
------- Supplementary Scan -------
uInternet Connection Wizard,ShellNext = iexplore
IE: E&xport to Microsoft Excel - c:\progra~1\MI1933~1\Office12\EXCEL.EXE/3000
DPF: Microsoft XML Parser for Java - file:///C:/WINDOWS/Java/classes/xmldso.cab
FF - ProfilePath - c:\documents and settings\Katrina\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default
FF - prefs.js: browser.startup.homepage - hxxp://www.msn.com/
FF - plugin: c:\documents and settings\Katrina\Application Data\Mozilla\Firefox\Profiles\h07nod8p.default\extensions\flashplugin@idm\platform\WINNT\plugins\npidmdcp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\np-mswmp.dll
FF - plugin: c:\program files\Mozilla Firefox\plugins\npViewpoint.dll
FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll


catchme 0.3.1398 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2009-05-01 21:42
Windows 5.1.2600 Service Pack 3 NTFS
scanning hidden processes …
scanning hidden autostart entries …
scanning hidden files …
scan completed successfully
hidden files: 0


--------------------- LOCKED REGISTRY KEYS ---------------------
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Pro\2.0\DefaultPreset]
@DACL=(02 0000)
@="DV - NTSC\Standard 48kHz.prpreset"
[HKEY_LOCAL_MACHINE\software\Adobe\Premiere Pro\2.0\Help]
@DACL=(02 0000)
"Support"="http://www.adobe.com/support/products/premiere.html"
"Search"="c:\Program Files\Adobe\Adobe Premiere Pro 2.0\Help\search.html"
"Keyboard"="c:\Program Files\Adobe\Adobe Premiere Pro 2.0\Help\1_21_0_0.html"
"HowToUse"="c:\Program Files\Adobe\Adobe Premiere Pro 2.0\Help\0_0_0_0.html"
"ExportToDVD"="c:\Program Files\Adobe\Adobe Premiere Pro 2.0\Help\1_19_2_0.html"
"AdobeMediaEncoder"="c:\Program Files\Adobe\Adobe Premiere Pro 2.0\Help\1_0_0_0.html"
"Contents"="c:\Program Files\Adobe\Adobe Premiere Pro 2.0\Help\1_0_0_0.html"
"Registration"="\"http://store.adobe.com/cgi-bin/WebObjects/WEC?pageID=RegMp1\""
--------------------- DLLs Loaded Under Running Processes ---------------------

- - - - - - - > 'explorer.exe'(1040)
c:\program files\Windows Media Player\wmpband.dll
c:\windows\system32\ieframe.dll
c:\windows\system32\OneX.DLL
c:\windows\system32\eappprxy.dll
c:\windows\system32\webcheck.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\system32\PortableDeviceTypes.dll
c:\windows\system32\PortableDeviceApi.dll

------------------------ Other Running Processes ------------------------
c:\windows\system32\wltrysvc.exe
c:\windows\system32\bcmwltry.exe
c:\program files\Alwil Software\Avast4\aswUpdSv.exe
c:\program files\Alwil Software\Avast4\ashServ.exe
c:\windows\system32\spm\spmd.exe
c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
c:\windows\ehome\ehrecvr.exe
c:\windows\ehome\ehSched.exe
c:\program files\Intel\Intel Matrix Storage Manager\IAANTmon.exe
c:\program files\Java\jre6\bin\jqs.exe
c:\program files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
c:\windows\system32\nvsvc32.exe
c:\softimage\XSI_5.11\Application\bin\raysat3_4_6_18server.exe
c:\program files\CyberLink\Shared files\RichVideo.exe
c:\windows\system32\Tablet.exe
c:\windows\ehome\mcrdsvc.exe
c:\program files\Viewpoint\Viewpoint Manager\ViewMgr.exe
c:\program files\Alwil Software\Avast4\ashMaiSv.exe
c:\program files\Alwil Software\Avast4\ashWebSv.exe
c:\windows\system32\dllhost.exe
c:\windows\ehome\ehmsas.exe
c:\windows\system32\fxssvc.exe


Completion time: 2009-05-02 21:46 - machine was rebooted
ComboFix-quarantined-files.txt 2009-05-02 04:45

Pre-Run: 132,875,939,840 bytes free
Post-Run: 132,766,851,072 bytes free

WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
[operating systems]
c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect

264 --- E O F --- 2009-04-30 03:47
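An added example, not part of the original post and not code from ComboFix, avast or any of the tools in the log: a small Python triage script that parses the two ComboFix sections in a log like this one that most often repay a second look, the `R*/S*` service lines (state, name, display name, image path, date and size) and the `MountPoints2 ... \Shell\AutoRun\command` pairs. The sample lines are copied from the log above; the two flag rules (a service line that lists no image path, and an AutoRun command on a volume other than C:) are my own assumptions for illustrating triage, not rules from ComboFix, and a flag is a prompt to check the entry, not proof that it is malicious.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample input: lines copied from the ComboFix log above
# (two entries that list no file path, the MountPoints2 AutoRun hook,
# and two ordinary entries for contrast). Backslashes are doubled for Python.
SAMPLE_LOG = """\
R2 lxdwCATSCustConnectService;lxdwCATSCustConnectService;c:\\windows\\System32\\spool\\DRIVERS\\W32X86\\3\\lxdwserv.exe [2008-05-16 98984]
R3 BLKWGD;Belkin Wireless G Desktop Card Service;
R3 MBAMSwissArmy;MBAMSwissArmy;c:\\windows\\system32\\drivers\\mbamswissarmy.sys [2009-04-06 38496]
S1 aswSP;avast! Self Protection;
[HKEY_CURRENT_USER\\software\\microsoft\\windows\\currentversion\\explorer\\mountpoints2{361ac05d-0e0d-11da-9aa9-806d6172696f}]
\\Shell\\AutoRun\\command - E:\\setup.exe
"""

# "R2 name;display;path [yyyy-mm-dd size]" -- the path and the bracketed
# stamp are both optional in the output, which is exactly the case to notice.
SERVICE_RE = re.compile(
    r"^(?P<state>[RS][0-4]) (?P<name>[^;]+);(?P<display>[^;]*);"
    r"(?P<path>[^\[]*?)\s*(?:\[(?P<date>\d{4}-\d{2}-\d{2}) (?P<size>\d+)\])?$"
)
# Key line, with or without a backslash before the volume GUID.
MOUNTPOINT_KEY_RE = re.compile(
    r"^\[HKEY_.*\\mountpoints2\\?\{?(?P<guid>[^}\]]+)\}?\]$", re.I)
AUTORUN_CMD_RE = re.compile(r"^\\Shell\\AutoRun\\command - (?P<cmd>.+)$", re.I)


@dataclass
class Service:
    state: str            # R = running, S = stopped; digit = start type
    name: str
    display: str
    path: str             # empty when ComboFix printed no file
    date: Optional[str] = None
    size: Optional[int] = None


@dataclass
class Triage:
    services: list = field(default_factory=list)
    autoruns: list = field(default_factory=list)   # (volume guid, command)
    findings: list = field(default_factory=list)   # human-readable notes


def is_nonsystem_drive(cmd: str) -> bool:
    """Assumed rule: an AutoRun command rooted on a drive letter other than C:."""
    return re.match(r"^[A-Z]:\\", cmd, re.I) is not None and cmd[0].upper() != "C"


def triage(text: str) -> Triage:
    """Parse service and MountPoints2 lines from ComboFix-style output."""
    out = Triage()
    pending_guid = None
    for line in text.splitlines():
        line = line.rstrip()
        m = SERVICE_RE.match(line)
        if m:
            svc = Service(m["state"], m["name"], m["display"], m["path"].strip(),
                          m["date"], int(m["size"]) if m["size"] else None)
            out.services.append(svc)
            if not svc.path:   # assumed rule: no image path recorded
                out.findings.append(
                    f"{svc.state} {svc.name}: no image path listed; confirm which "
                    f"file (if any) backs this entry before removing it")
            continue
        m = MOUNTPOINT_KEY_RE.match(line)
        if m:
            pending_guid = m["guid"]   # the command, if any, is on the next line
            continue
        m = AUTORUN_CMD_RE.match(line)
        if m and pending_guid:
            cmd = m["cmd"].strip()
            out.autoruns.append((pending_guid, cmd))
            if is_nonsystem_drive(cmd):
                out.findings.append(
                    f"MountPoints2 {{{pending_guid}}}: AutoRun command {cmd} on a "
                    f"non-system volume; the shape of a removable-media autorun hook")
            pending_guid = None
    return out


if __name__ == "__main__":
    for note in triage(SAMPLE_LOG).findings:
        print("-", note)
```

Run as-is it prints three notes for the sample: the two pathless entries (here a wireless card service and avast's own self-protection driver, so nothing to act on by themselves) and the `E:\setup.exe` AutoRun command, which is the one line in this part of the log worth asking about, since it records what Explorer was told to run for a non-C: volume. Feed the whole ComboFix log to `triage()` to get the same lists for every entry.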