

some kind of trojans


15 replies to this topic

#1 OFFLINE   JohnDemolition

    Power Member

  • Members
  • 924 posts
  • Gender:Not Telling

Posted 25 November 2006 - 10:10 PM

This is something which is quite pissing me off. A few days ago, I downloaded a bad file (after not listening to Google :() and it installed some kind of trojan (which AVG got rid of). But after that, a number of trojans keep appearing either in the Temp directory or in system32.

I have no idea what is causing this since there are no suspicious processes open (I have Process Explorer to check). Thankfully, I have a few lines of defence (AVG, Ad-Watch, SpywareBlaster). Anyways, here's a HijackThis log. Hopefully, you guys can figure something out.

Logfile of HijackThis v1.99.1
Scan saved at 2:09:09 PM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Icecast2 Win32\icecastService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\NTWind Software\TaskSwitchXP.exe
C:\Programs\utorrent-1.6.1-beta-build-483.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Programs\RK Launcher\RKLauncher.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\X-Chat\xchat.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Programs\Miranda IM\miranda32.exe
C:\Program Files\Opera\Opera.exe
C:\Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Programs\NTWind Software\TaskSwitchXP.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Programs\utorrent-1.6.1-beta-build-483.exe"
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - Global Startup: RK Launcher.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,0831,02
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141887043981
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - 
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\toolbars\Shared\Skype4ComAPI.dll
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Comments are always appreciated :)

#2 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 26 November 2006 - 12:02 AM

It's not showing in your log. Run Kaspersky's online scan and then bring me back the log file and I can help you clean it up. Here are directions if you need them:

Run Kaspersky WebScanner
  • Please go HERE and click Kaspersky Online Scanner
  • Read and Accept the Agreement
  • You will be prompted to install an ActiveX component from Kaspersky. Click Yes.
  • If you see a Windows dialog asking if you want to install this software, click the Install button.
  • The program will launch and then begin downloading the latest definition files.
  • When the "Update progress" line changes to "Ready" and the "NEXT ->" button becomes available, please click on it.
  • Click on the Scan Settings button, and in the next window select the Extended database, and click Ok.
  • Under "Please select a target to scan:", click My Computer to start the scan.
  • When the scan is finished, click the "Save as Text" button, and save the file as kavscan.txt to your Desktop, close the Kaspersky On-line Scanner window.
  • Paste the Kaspersky log onto the forum.
----------------

Also run combo fix and bring the log for that too:

Download this file - combofix.exe and save it to your desktop.
Double click combofix.exe & follow the prompts.
When it's finished, it will produce a log of what it found. Please post the contents of that log in your next reply.

Note:
Do not mouse-click ComboFix's window whilst it's running, as it may cause it to stall.

#3 OFFLINE   JohnDemolition

    Power Member

  • Members
  • 924 posts
  • Gender:Not Telling

Posted 26 November 2006 - 02:13 AM

Will do.

Edit: I tried the Kaspersky scan but that crashed IE7 :angry:

Edit 2: here's ComboFix's report.

Owner - 06-11-25 18:29:52.60    Service Pack 2
ComboFix 06.11.22 - Running from: "C:\Documents and Settings\Owner\My Documents"

((((((((((((((((((((((((((((((((((((((((((((   Other Deletions   )))))))))))))))))))))))))))))))))))))))))))))))))
 

C:\WINDOWS\system32\ishost.exe
C:\Program Files\Common Files\{E8834EE9-0A28-1033-0827-040304030001}

 
(((((((((((((((((((((((((((((((   Files Created from 2006-10-25 to 2006-11-25  ))))))))))))))))))))))))))))))))))
 
 
2006-11-25	18:29	110,612	--a------	C:\WINDOWS\system32\yqxhiqym.exe
2006-11-25	18:29	<DIR>	d--------	C:\Program Files\VSAdd-in
2006-11-25	18:27	756,182	---hs----	C:\WINDOWS\system32\qqstv.bak1
2006-11-25	18:27	110,612	--a------	C:\WINDOWS\system32\mvayxmhd.exe
2006-11-25	18:20	<DIR>	d--------	C:\WINDOWS\system32\Kaspersky Lab
2006-11-25	18:19	<DIR>	d--------	C:\WINDOWS\LastGood
2006-11-25	17:32	110,612	--a------	C:\WINDOWS\system32\qrnstcwb.exe
2006-11-25	17:22	110,612	--a------	C:\WINDOWS\system32\ubsgbvdr.exe
2006-11-25	17:21	110,612	--a------	C:\WINDOWS\system32\fbarsexy.exe
2006-11-25	16:26	110,612	--a------	C:\WINDOWS\system32\hkdymlib.exe
2006-11-25	16:26	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\Azureus
2006-11-25	16:25	<DIR>	d--------	C:\Program Files\Azureus
2006-11-25	15:41	110,612	--a------	C:\WINDOWS\system32\bbfumjmb.exe
2006-11-25	15:39	110,612	--a------	C:\WINDOWS\system32\bxevtksu.exe
2006-11-25	15:37	110,612	--a------	C:\WINDOWS\system32\lyasxfrn.exe
2006-11-25	14:03	110,612	--a------	C:\WINDOWS\system32\gonedvfw.exe
2006-11-25	14:01	110,612	--a------	C:\WINDOWS\system32\keyolwgh.exe
2006-11-25	13:49	<DIR>	d--hs----	C:\Documents and Settings\Owner\Recent
2006-11-25	12:50	110,612	--a------	C:\WINDOWS\system32\mocrggnv.exe
2006-11-25	02:42	110,612	--a------	C:\WINDOWS\system32\ujlfuspt.exe
2006-11-25	00:20	110,612	--a------	C:\WINDOWS\system32\gjwldrqx.exe
2006-11-24	14:35	110,612	--a------	C:\WINDOWS\system32\vhwbtsch.exe
2006-11-24	14:22	38,420	--a------	C:\WINDOWS\system32\ikuwnihf.dll
2006-11-24	14:22	110,612	--a------	C:\WINDOWS\system32\pxcmxvuw.exe
2006-11-24	09:14	110,612	--a------	C:\WINDOWS\system32\ucbxlfgf.exe
2006-11-24	09:12	708,660	---------	C:\WINDOWS\system32\vtsqq.dll
2006-11-24	01:04	<DIR>	dr-h-----	C:\$VAULT$.AVG
2006-11-24	01:00	40,973	---hs----	C:\WINDOWS\system32\jkkifca.dll
2006-11-23	21:48	50,688	---------	C:\WINDOWS\system32\wbhelp2.dll
2006-11-23	17:22	138,752	--a------	C:\WINDOWS\system32\sndvol32.exe
2006-11-23	14:54	88,064	--a------	C:\WINDOWS\system32\AudioExCtl.dll
2006-11-22	20:57	<DIR>	d--------	C:\Program Files\Wesnoth
2006-11-22	19:44	<DIR>	d--------	C:\Program Files\Alcohol Soft
2006-11-22	13:45	<DIR>	d--------	C:\MinGW
2006-11-22	13:37	<DIR>	d--------	C:\msys
2006-11-22	11:51	<DIR>	d--------	C:\ABC-HR
2006-11-19	20:23	<DIR>	d--------	C:\Program Files\Microsoft.NET
2006-11-19	10:59	<DIR>	d--------	C:\Program Files\RegCompact.NET
2006-11-18	11:57	<DIR>	d--------	C:\Program Files\Microsoft Visual Studio 8
2006-11-18	11:52	<DIR>	dr--s----	C:\WINDOWS\assembly
2006-11-18	11:49	<DIR>	d--------	C:\WINDOWS\Microsoft.NET
2006-11-16	20:45	<DIR>	d--------	C:\Program Files\ffdshow
2006-11-15	18:36	3,968	--a------	C:\WINDOWS\system32\drivers\AvgAsCln.sys
2006-11-15	14:42	3,968	--a------	C:\WINDOWS\system32\drivers\avgclean.sys
2006-11-15	14:42	18,240	--a------	C:\WINDOWS\system32\drivers\avgmfx86.sys
2006-11-14	07:09	4,096	--a------	C:\WINDOWS\system32\timer.exe
2006-11-12	21:35	<DIR>	d--------	C:\Program Files\X-Chat
2006-11-11	21:58	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\codeblocks
2006-11-07	16:51	14,048	---------	C:\WINDOWS\system32\spmsg2.dll
2006-11-06	16:31	<DIR>	d--------	C:\Program Files\Icecast2 Win32
2006-11-04	20:25	1,321,744	--a------	C:\WINDOWS\system32\msxml6.dll
2006-11-04	14:14	1,245,696	--a------	C:\WINDOWS\system32\msxml4.dll
2006-11-04	11:28	1,170,944	--a------	C:\WINDOWS\system32\venc.exe
2006-11-03	07:18	<DIR>	d--------	C:\Documents and Settings\Owner\temporary_download
2006-10-31	21:30	<DIR>	d--------	C:\Program Files\Lavasoft
2006-10-31	21:30	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\Lavasoft
2006-10-30	20:03	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\ieSpell
2006-10-30	19:59	<DIR>	d--------	C:\Program Files\ieSpell
2006-10-30	16:20	<DIR>	d--------	C:\Program Files\Windows Media Connect 2
2006-10-28	14:06	<DIR>	d--------	C:\WINDOWS\SoftwareDistribution
2006-10-28	13:47	<DIR>	d--------	C:\Documents and Settings\Owner\Application Data\Adobe
2006-10-28	13:44	<DIR>	d--------	C:\Program Files\Common Files\Adobe
2006-10-25	12:01	16,128	--a------	C:\WINDOWS\system32\drivers\MODEMCSA.sys


((((((((((((((((((((((((((((((((((((((((((((((((   Find3M Report   )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-11-25 18:32	--------	d---s----	C:\Documents and Settings\Owner\Application Data\uTorrent
2006-11-25 18:31	--------	d--------	C:\Program Files\Common Files
2006-11-25 18:22	--------	d--------	C:\Documents and Settings\Owner\Application Data\Skype
2006-11-25 13:49	--------	d--------	C:\Program Files\foobar2000
2006-11-25 02:44	--------	d--------	C:\Program Files\SpywareBlaster
2006-11-24 15:53	--------	d--------	C:\Program Files\Opera
2006-11-23 21:48	--------	d--h-----	C:\Program Files\InstallShield Installation Information
2006-11-22 19:37	--------	d--------	C:\Documents and Settings\Owner\Application Data\X-Chat 2
2006-11-22 19:35	639224	--a------	C:\WINDOWS\system32\drivers\sptd.sys
2006-11-19 20:33	200704	--a------	C:\WINDOWS\system32\wavpack.exe
2006-11-19 20:23	--------	d--------	C:\Program Files\Microsoft Office
2006-11-17 15:38	--------	d--------	C:\Program Files\IrfanView
2006-11-16 20:42	--------	d--------	C:\Program Files\DScaler
2006-11-15 18:36	--------	d--------	C:\Program Files\Grisoft
2006-11-15 14:42	816672	--a------	C:\WINDOWS\system32\drivers\avg7core.sys
2006-11-15 14:42	4960	--a------	C:\WINDOWS\system32\drivers\avgtdi.sys
2006-11-15 14:42	4224	--a------	C:\WINDOWS\system32\drivers\avg7rsw.sys
2006-11-15 14:42	28416	--a------	C:\WINDOWS\system32\drivers\avg7rsxp.sys
2006-11-14 23:17	--------	d--------	C:\Program Files\Picasa2
2006-11-14 16:24	--------	d--------	C:\Program Files\Silkroad
2006-11-13 02:00	109568	--a------	C:\WINDOWS\system32\mppenc.exe
2006-11-12 19:50	--------	d---s----	C:\Documents and Settings\Owner\Application Data\Microsoft
2006-11-12 17:39	--------	d--------	C:\Program Files\ET Starter Pro
2006-11-10 09:25	501248	--a------	C:\WINDOWS\system32\oggenc.exe
2006-11-09 23:01	--------	d--------	C:\Program Files\Common Files\Wise Installation Wizard
2006-11-09 23:01	--------	d--------	C:\Documents and Settings\Owner\Application Data\SUPERAntiSpyware.com
2006-11-09 22:54	--------	d--------	C:\Program Files\Common Files\Acronis
2006-11-08 15:14	--------	d--------	C:\Documents and Settings\Owner\Application Data\Real
2006-11-08 08:41	581632	--a------	C:\WINDOWS\system32\lame.exe
2006-11-08 08:41	520192	--a------	C:\WINDOWS\system32\lame_enc.dll
2006-11-08 07:10	--------	d--------	C:\Program Files\Skype
2006-11-05 11:20	--------	d--------	C:\Program Files\Shareaza
2006-11-01 13:05	43520	--a------	C:\WINDOWS\system32\CmdLineExt03.dll
2006-10-30 16:20	--------	d--------	C:\Program Files\Windows Media Player
2006-10-29 19:48	--------	d--------	C:\Program Files\DVD Decrypter
2006-10-29 14:29	--------	d--------	C:\Program Files\Warcraft III
2006-10-24 15:52	286720	---------	C:\WINDOWS\Setup1.exe
2006-10-24 15:51	73216	--a------	C:\WINDOWS\ST6UNST.EXE
2006-10-23 19:50	--------	d--------	C:\Documents and Settings\Owner\Application Data\Sun
2006-10-22 19:16	--------	d--------	C:\Documents and Settings\Owner\Application Data\Acronis
2006-10-22 14:57	--------	d--------	C:\Program Files\QuickTime Alternative
2006-10-22 00:56	133632	--a------	C:\WINDOWS\system32\SpoonUninstall.exe
2006-10-22 00:56	--------	d--------	C:\Program Files\Illustrate
2006-10-21 22:56	--------	d--------	C:\Program Files\Aspell
2006-10-20 17:11	--------	d--------	C:\Documents and Settings\Owner\Application Data\RipIt4Me
2006-10-20 16:49	120	--a------	C:\Documents and Settings\Owner\Application Data\FixVTS.ini
2006-10-20 16:35	81280	--a------	C:\WINDOWS\system32\drivers\snapman.sys
2006-10-20 16:35	37888	--a------	C:\WINDOWS\system32\setupnt.dll
2006-10-20 16:35	28064	--a------	C:\WINDOWS\system32\drivers\tifsfilt.sys
2006-10-20 16:35	201984	--a------	C:\WINDOWS\system32\drivers\timntr.sys
2006-10-19 21:31	--------	d--------	C:\Program Files\Google
2006-10-19 13:07	--------	d--------	C:\Program Files\Logitech
2006-10-19 06:38	--------	d--------	C:\Program Files\Real Alternative
2006-10-18 22:58	8704	--a------	C:\WINDOWS\system32\wdfmgr.exe
2006-10-18 22:58	8704	--a------	C:\WINDOWS\system32\uwdf.exe
2006-10-18 22:47	99840	--a------	C:\WINDOWS\system32\wmpshell.dll
2006-10-18 22:47	991744	--a------	C:\WINDOWS\system32\drmv2clt.dll
2006-10-18 22:47	937984	--a------	C:\WINDOWS\system32\WMNetMgr.dll
2006-10-18 22:47	8231936	--a------	C:\WINDOWS\system32\wmploc.dll
2006-10-18 22:47	767488	---------	C:\WINDOWS\system32\WMVSENCD.dll
2006-10-18 22:47	757248	--a------	C:\WINDOWS\system32\WMADMOD.dll
2006-10-18 22:47	7168	--a------	C:\WINDOWS\system32\asferror.dll
2006-10-18 22:47	656896	---------	C:\WINDOWS\system32\WMVXENCD.dll
2006-10-18 22:47	63488	--a------	C:\WINDOWS\system32\wpdmtpus.dll
2006-10-18 22:47	629760	--a------	C:\WINDOWS\system32\wpd_ci.dll
2006-10-18 22:47	613376	---------	C:\WINDOWS\system32\wmpmde.dll
2006-10-18 22:47	603648	--a------	C:\WINDOWS\system32\WMSPDMOD.dll
2006-10-18 22:47	542720	--a------	C:\WINDOWS\system32\blackbox.dll
2006-10-18 22:47	535040	---------	C:\WINDOWS\system32\wmdrmsdk.dll
2006-10-18 22:47	429056	--a------	C:\WINDOWS\system32\wmdrmdev.dll
2006-10-18 22:47	414208	--a------	C:\WINDOWS\system32\msscp.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\wmvdmoe2.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\wmvdmod.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\WMVADVE.DLL
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\WMVADVD.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\wmsdmoe2.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\wmsdmod.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\wdfapi.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\MPG4DMOD.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\MP4SDMOD.dll
2006-10-18 22:47	4096	--a------	C:\WINDOWS\system32\MP43DMOD.dll
2006-10-18 22:47	38400	---------	C:\WINDOWS\system32\wpdshextres.dll
2006-10-18 22:47	37376	--a------	C:\WINDOWS\system32\wmdmps.dll
2006-10-18 22:47	35840	--a------	C:\WINDOWS\system32\wpdconns.dll
2006-10-18 22:47	356352	--a------	C:\WINDOWS\system32\wpdsp.dll
2006-10-18 22:47	348672	--a------	C:\WINDOWS\system32\wmdrmnet.dll
2006-10-18 22:47	33792	--a------	C:\WINDOWS\system32\wmdmlog.dll
2006-10-18 22:47	321536	--a------	C:\WINDOWS\system32\mswmdm.dll
2006-10-18 22:47	317440	---------	C:\WINDOWS\system32\MP4SDECD.dll
2006-10-18 22:47	314880	--a------	C:\WINDOWS\system32\wmpdxm.dll
2006-10-18 22:47	295936	---------	C:\WINDOWS\system32\wmpeffects.dll
2006-10-18 22:47	284160	---------	C:\WINDOWS\system32\PortableDeviceApi.dll
2006-10-18 22:47	276992	--a------	C:\WINDOWS\system32\audiodev.dll
2006-10-18 22:47	27136	--a------	C:\WINDOWS\system32\mspmsnsv.dll
2006-10-18 22:47	2603008	---------	C:\WINDOWS\system32\WpdShext.dll
2006-10-18 22:47	259072	---------	C:\WINDOWS\system32\MPG4DECD.dll
2006-10-18 22:47	259072	---------	C:\WINDOWS\system32\MP43DECD.dll
2006-10-18 22:47	2450944	--a------	C:\WINDOWS\system32\wmvcore.dll
2006-10-18 22:47	242688	--a------	C:\WINDOWS\system32\wmpasf.dll
2006-10-18 22:47	229376	--a------	C:\WINDOWS\system32\cewmdm.dll
2006-10-18 22:47	227328	--a------	C:\WINDOWS\system32\wmerror.dll
2006-10-18 22:47	222208	--a------	C:\WINDOWS\system32\WMASF.dll
2006-10-18 22:47	212992	---------	C:\WINDOWS\system32\MFPLAT.dll
2006-10-18 22:47	211456	--a------	C:\WINDOWS\system32\qasf.dll
2006-10-18 22:47	204288	--a------	C:\WINDOWS\system32\wmpsrcwp.dll
2006-10-18 22:47	199168	---------	C:\WINDOWS\system32\PortableDeviceWMDRM.dll
2006-10-18 22:47	179712	--a------	C:\WINDOWS\system32\msnetobj.dll
2006-10-18 22:47	175616	--a------	C:\WINDOWS\system32\mspmsp.dll
2006-10-18 22:47	166912	---------	C:\WINDOWS\system32\PortableDeviceTypes.dll
2006-10-18 22:47	1661440	--a------	C:\WINDOWS\system32\wmpencen.dll
2006-10-18 22:47	1574912	---------	C:\WINDOWS\system32\WMVENCOD.dll
2006-10-18 22:47	157184	--a------	C:\WINDOWS\system32\wmidx.dll
2006-10-18 22:47	154624	--a------	C:\WINDOWS\system32\wpdmtp.dll
2006-10-18 22:47	1543680	---------	C:\WINDOWS\system32\WMVDECOD.dll
2006-10-18 22:47	1382912	---------	C:\WINDOWS\system32\WMVSDECD.dll
2006-10-18 22:47	133632	---------	C:\WINDOWS\system32\WPDShServiceObj.dll
2006-10-18 22:47	1329152	--a------	C:\WINDOWS\system32\WMSPDMOE.dll
2006-10-18 22:47	132096	---------	C:\WINDOWS\system32\PortableDeviceWiaCompat.dll
2006-10-18 22:47	130048	---------	C:\WINDOWS\system32\wmpps.dll
2006-10-18 22:47	11264	--a------	C:\WINDOWS\system32\LAPRXY.dll
2006-10-18 22:47	1117696	--a------	C:\WINDOWS\system32\WMADMOE.dll
2006-10-18 22:47	101888	---------	C:\WINDOWS\system32\PortableDeviceClassExtension.dll
2006-10-18 21:30	196608	--a------	C:\WINDOWS\system32\wvgain.exe
2006-10-18 21:30	188416	--a------	C:\WINDOWS\system32\wvunpack.exe
2006-10-18 21:03	100864	--a------	C:\WINDOWS\system32\logagent.exe
2006-10-18 21:00	38528	--a------	C:\WINDOWS\system32\drivers\wpdusb.sys
2006-10-18 21:00	249856	---------	C:\WINDOWS\system32\drmupgds.exe
2006-10-18 21:00	17408	---------	C:\WINDOWS\system32\wpdshextautoplay.exe
2006-10-18 18:42	--------	d--------	C:\Program Files\Common Files\Logitech
2006-10-18 18:19	--------	d--------	C:\Documents and Settings\Owner\Application Data\Orca Browser
2006-10-18 17:58	--------	d--------	C:\Documents and Settings\Owner\Application Data\Google
2006-10-18 15:22	--------	d--------	C:\Program Files\Internet Explorer
2006-10-17 21:52	--------	d--------	C:\Documents and Settings\Owner\Application Data\XnView
2006-10-17 19:57	--------	d--------	C:\Documents and Settings\Owner\Application Data\OpenOffice.org2
2006-10-17 19:51	112640	--a------	C:\WINDOWS\system32\flake.exe
2006-10-17 12:33	6049280	---------	C:\WINDOWS\system32\ieframe.dll
2006-10-17 12:33	50688	---------	C:\WINDOWS\system32\msfeedsbs.dll
2006-10-17 12:33	458752	---------	C:\WINDOWS\system32\msfeeds.dll
2006-10-17 12:33	413696	--a------	C:\WINDOWS\system32\vbscript.dll
2006-10-17 12:33	231424	--a------	C:\WINDOWS\system32\webcheck.dll
2006-10-17 12:33	180736	---------	C:\WINDOWS\system32\ieui.dll
2006-10-17 12:33	156160	--a------	C:\WINDOWS\system32\msls31.dll
2006-10-17 12:06	78336	--a------	C:\WINDOWS\system32\ieencode.dll
2006-10-17 12:05	40960	--a------	C:\WINDOWS\system32\licmgr10.dll
2006-10-17 12:05	206336	---------	C:\WINDOWS\system32\WinFXDocObj.exe
2006-10-17 12:05	105984	--a------	C:\WINDOWS\system32\url.dll
2006-10-17 12:04	101376	--a------	C:\WINDOWS\system32\occache.dll
2006-10-17 12:03	17408	--a------	C:\WINDOWS\system32\corpol.dll
2006-10-17 12:01	71680	--a------	C:\WINDOWS\system32\admparse.dll
2006-10-17 12:01	55296	--a------	C:\WINDOWS\system32\iesetup.dll
2006-10-17 12:01	382976	--a------	C:\WINDOWS\system32\iedkcs32.dll
2006-10-17 12:01	229376	--a------	C:\WINDOWS\system32\ieaksie.dll
2006-10-17 12:01	152064	--a------	C:\WINDOWS\system32\ieakeng.dll
2006-10-17 12:01	13312	--a------	C:\WINDOWS\system32\ieudinit.exe
2006-10-17 12:00	54784	--a------	C:\WINDOWS\system32\ie4uinit.exe
2006-10-17 12:00	43008	--a------	C:\WINDOWS\system32\iernonce.dll
2006-10-17 12:00	123904	--a------	C:\WINDOWS\system32\advpack.dll
2006-10-17 11:58	61952	---------	C:\WINDOWS\system32\icardie.dll
2006-10-17 11:58	12288	---------	C:\WINDOWS\system32\msfeedssync.exe
2006-10-17 11:57	36352	--a------	C:\WINDOWS\system32\imgutil.dll
2006-10-17 11:57	266752	---------	C:\WINDOWS\system32\iertutil.dll
2006-10-17 11:56	45568	--a------	C:\WINDOWS\system32\mshta.exe
2006-10-17 11:28	48128	--a------	C:\WINDOWS\system32\mshtmler.dll
2006-10-17 11:27	380928	---------	C:\WINDOWS\system32\ieapfltr.dll
2006-10-17 11:23	161792	--a------	C:\WINDOWS\system32\ieakui.dll
2006-10-16 16:10	23856	--a------	C:\WINDOWS\system32\spupdsvc.exe
2006-10-15 16:26	--------	d--------	C:\Documents and Settings\Owner\Application Data\SorensonMedia
2006-10-14 20:22	1698048	---------	C:\WINDOWS\system32\XpsSvcs.dll
2006-10-14 20:21	580352	---------	C:\WINDOWS\system32\XPSSHHDR.dll
2006-10-14 19:07	--------	d--------	C:\Documents and Settings\Owner\Application Data\Mozilla
2006-10-14 19:07	--------	d--------	C:\Documents and Settings\Owner\Application Data\extensions
2006-10-14 16:43	124416	---------	C:\WINDOWS\system32\prntvpt.dll
2006-10-14 12:33	--------	d--------	C:\Program Files\Java
2006-10-14 12:32	--------	d--------	C:\Program Files\Common Files\Java
2006-10-13 22:28	--------	d--------	C:\Program Files\OpenOffice.org 2.0
2006-10-13 21:59	--------	d--------	C:\Program Files\Common Files\Microsoft Shared
2006-10-13 04:35	142336	--a------	C:\WINDOWS\system32\nwprovau.dll
2006-10-12 16:31	--------	d--------	C:\Program Files\CD Art Display
2006-10-11 22:41	299008	--a------	C:\WINDOWS\system32\regxplor.dll
2006-10-11 08:24	58880	--a------	C:\WINDOWS\system32\pnrpnsp.dll
2006-10-11 08:24	553984	--a------	C:\WINDOWS\system32\p2psvc.dll
2006-10-11 08:24	313344	--a------	C:\WINDOWS\system32\p2pgraph.dll
2006-10-11 08:24	153088	--a------	C:\WINDOWS\system32\p2p.dll
2006-10-11 08:24	116224	--a------	C:\WINDOWS\system32\p2pnetsh.dll
2006-10-11 08:24	104960	--a------	C:\WINDOWS\system32\p2pgasvc.dll
2006-10-10 07:21	237568	--a------	C:\WINDOWS\system32\flac.exe
2006-10-10 07:21	135168	--a------	C:\WINDOWS\system32\metaflac.exe
2006-10-07 13:54	611705	--a------	C:\WINDOWS\system32\libssl32.exe
2006-10-07 13:48	159744	--a------	C:\WINDOWS\system32\libssl32.dll
2006-10-07 12:54	--------	d--------	C:\Documents and Settings\Owner\Application Data\.gaim
2006-10-06 16:55	--------	d--------	C:\Documents and Settings\Owner\Application Data\FileZilla
2006-10-04 19:54	--------	d--h-----	C:\Program Files\WindowsUpdate
2006-09-28 15:05	2414360	--a------	C:\WINDOWS\system32\d3dx9_31.dll
2006-09-28 15:05	237848	--a------	C:\WINDOWS\system32\xactengine2_4.dll
2006-09-28 15:04	68888	--a------	C:\WINDOWS\system32\xinput1_3.dll
2006-09-28 15:03	15128	--a------	C:\WINDOWS\system32\x3daudio1_1.dll
2006-09-27 18:57	--------	d--------	C:\Program Files\Microsoft Platform SDK for Windows Server 2003 R2
2006-09-27 18:13	--------	d--------	C:\Program Files\Common Files\Merge Modules
2006-09-27 18:11	--------	d--------	C:\Program Files\Common Files\Designer
2006-09-27 17:18	166400	--a------	C:\WINDOWS\system32\optipng.exe
2006-09-15 20:57	724992	--a------	C:\WINDOWS\iun6002.exe
2006-09-15 16:30	90112	--a------	C:\WINDOWS\system32\vorbisenc.dll
2006-09-15 16:30	37888	--a------	C:\WINDOWS\system32\vorbisfile.dll
2006-09-15 16:30	344064	--a------	C:\WINDOWS\system32\vorbis.dll
2006-09-15 16:30	29696	--a------	C:\WINDOWS\system32\ogg.dll
2006-09-12 21:01	1084416	--a------	C:\WINDOWS\system32\msxml3.dll
2006-09-11 19:59	51	--a------	C:\Documents and Settings\Owner\Application Data\xfire music plugin.ini
2006-08-26 22:24	40960	--a------	C:\WINDOWS\system32\pngout.exe
2006-08-25 07:45	617472	--a------	C:\WINDOWS\system32\comctl32.dll
 
 
((((((((((((((((((((((((((((((((((((((((((   Reg Loading Points   ))))))))))))))))))))))))))))))))))))))))))))))))
 
*Note* empty entries are not shown

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"TaskSwitchXP"="C:\\Programs\\NTWind Software\\TaskSwitchXP.exe"
"µTorrent"="\"C:\\Programs\\utorrent-1.6.1-beta-build-483.exe\""
"AWMON"="\"C:\\PROGRA~1\\Lavasoft\\AD-AWA~1\\Ad-Watch.exe\""

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"NeroFilterCheck"="C:\\WINDOWS\\system32\\NeroCheck.exe"
"AVG7_CC"="C:\\PROGRA~1\\Grisoft\\AVGFRE~1\\avgcc.exe /STARTUP"
"LVCOMSX"="C:\\WINDOWS\\system32\\LVCOMSX.EXE"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"="Narrator.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="AVG Anti-Spyware 7.5"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"ClearRecentDocsOnExit"=hex:01,00,00,00
"NoSMHelp"=hex:01,00,00,00

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\Run]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
"dontdisplaylastusername"=dword:00000001
"legalnoticecaption"=""
"legalnoticetext"=""
"shutdownwithoutlogon"=dword:00000001
"undockwithoutlogon"=dword:00000001

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=hex:91,00,00,00

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\shellserviceobjectdelayload]
"PostBootReminder"="{7849596a-48ea-486e-8937-a2a3009f31a9}"
"SysTray"="{35CEC8A3-2BE6-11D2-8773-92E220524153}"
"WebCheck"="{E6FB5E20-DE35-11CF-9C87-00AA005127ED}"
"WPDShServiceObj"="{AAA288BA-9A4C-45B0-95D7-94D524869DB5}"

HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\vtsqq
HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winghy32

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]	
"SecurityProviders"="msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll"


 
~ ~ ~ ~ ~ ~ ~ ~ Hijackthis Backups ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ 

backup-20061125-141005-918 
O16 - DPF: {6E5A37BF-FD42-463A-877C-4EB7002E68AE} - 
backup-20061125-141004-861 
O11 - Options group: [INTERNATIONAL] International*
Completion time: 06-11-25 18:33:52.32 
C:\ComboFix.txt ... 06-11-25 18:33


#4 OFFLINE   rridgely

    I hate computers

  • Moderators
  • 8,858 posts
  • Gender:Male

Posted 26 November 2006 - 02:45 AM

Uh oh... Now I know what's wrong with your computer. You have a pretty nasty infection. Can't believe I missed it. :(

Please download VundoFix.exe to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
  • Please post the contents of C:\vundofix.txt into your next reply
Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.

Post the vundofix log and a new hijackthis log.

#5 OFFLINE   JohnDemolition

    Power Member

  • Members
  • 924 posts
  • Gender:Not Telling

Posted 26 November 2006 - 03:36 AM

bleh. i found this out as well. it's hiding as vtsqq.dll in my system32 directory. i didn't want to kill winlogon.exe so i downloaded Unlocker but sadly, Unlocker didn't work :angry:. but just as a precaution, i got rid of every registry entry which contains vtsqq.dll :)

So I'll try out the tool that you gave me.

#6 OFFLINE   rridgely

Posted 26 November 2006 - 03:39 AM

Alright, that tool will clean up the first infection. There might still be one more, for which you might need to run another tool. Post the logs that I wanted and I'll let you know.

Now people will know what I meant by "it's not always what's in the logs, but sometimes what's not in them too." :( (Vundo hides all O2 and O20 entries.)

#7 OFFLINE   JohnDemolition

Posted 26 November 2006 - 03:40 AM

Just tried that tool and it didn't work. For some reason, AVG Anti-Spyware and AVG Anti-Virus can't find anything wrong with the file.

#8 OFFLINE   rridgely

Posted 26 November 2006 - 03:41 AM

What do you mean it didn't work? It won't run, or it didn't find anything?

#9 OFFLINE   JohnDemolition

Posted 26 November 2006 - 03:42 AM

Didn't find anything.

#10 OFFLINE   rridgely

Posted 26 November 2006 - 03:43 AM

Really? Post a new hijackthis log.

#11 OFFLINE   JohnDemolition

Posted 26 November 2006 - 03:46 AM

Logfile of HijackThis v1.99.1
Scan saved at 7:44:29 PM, on 11/25/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.5730.0011)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
C:\Program Files\Icecast2 Win32\icecastService.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe
C:\WINDOWS\system32\LVCOMSX.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Programs\NTWind Software\TaskSwitchXP.exe
C:\Programs\utorrent-1.6.1-beta-build-483.exe
C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe
C:\Programs\RK Launcher\RKLauncher.exe
C:\Program Files\X-Chat\xchat.exe
C:\Program Files\Azureus\Azureus.exe
C:\Program Files\Opera\Opera.exe
C:\Program Files\foobar2000\foobar2000.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\WINDOWS\Explorer.EXE
C:\Programs\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = 
O1 - Hosts: 0 38.100.24.10
O1 - Hosts: 0 38.100.24.16
O1 - Hosts: 0 38.100.24.21
O1 - Hosts: 0 38.100.24.26
O1 - Hosts: 0 38.100.24.27
O1 - Hosts: 0 38.100.24.66
O1 - Hosts: 0 38.100.24.67
O1 - Hosts: 0 38.100.24.75
O1 - Hosts: 0 38.100.24.135
O1 - Hosts: 0 38.100.24.136
O1 - Hosts: 0 38.100.24.137
O1 - Hosts: 0 38.100.24.145
O1 - Hosts: 0 38.100.24.147
O1 - Hosts: 0 38.100.24.150
O1 - Hosts: 0 38.100.24.152
O1 - Hosts: 0 38.100.24.161
O1 - Hosts: 0 38.100.24.162
O1 - Hosts: 0 38.100.24.252
O1 - Hosts: 0 38.100.25.131
O1 - Hosts: 0 38.100.25.132
O1 - Hosts: 0 38.100.25.136
O1 - Hosts: 0 38.100.25.137
O1 - Hosts: 0 38.100.25.141
O1 - Hosts: 0 38.100.25.162
O1 - Hosts: 0 38.100.25.182
O1 - Hosts: 0 38.100.25.186
O1 - Hosts: 0 38.100.25.187
O1 - Hosts: 0 38.100.25.205
O1 - Hosts: 0 38.100.25.206
O1 - Hosts: 0 38.100.25.207
O1 - Hosts: 0 38.100.25.213
O1 - Hosts: 0 38.100.25.250
O1 - Hosts: 0 38.100.25.251
O1 - Hosts: 0 38.100.25.252
O1 - Hosts: 0 38.100.26.11
O1 - Hosts: 0 38.100.26.21
O1 - Hosts: 0 38.100.26.26
O1 - Hosts: 0 38.100.26.136
O1 - Hosts: 0 38.100.26.137
O1 - Hosts: 0 38.100.26.141
O1 - Hosts: 0 38.100.26.142
O1 - Hosts: 0 38.100.26.146
O1 - Hosts: 0 38.100.26.147
O1 - Hosts: 0 38.100.26.157
O1 - Hosts: 0 38.100.26.156
O1 - Hosts: 0 38.100.26.237
O1 - Hosts: 0 38.100.27.96
O1 - Hosts: 0 38.100.27.97
O1 - Hosts: 0 38.100.27.111
O1 - Hosts: 0 38.100.27.112
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O2 - BHO: (no name) - {CC59E0F9-7E43-44FA-9FAA-8377850BF205} - (no file)
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [LVCOMSX] C:\WINDOWS\system32\LVCOMSX.EXE
O4 - HKLM\..\Run: [UnlockerAssistant] "C:\Program Files\Unlocker\UnlockerAssistant.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [TaskSwitchXP] C:\Programs\NTWind Software\TaskSwitchXP.exe
O4 - HKCU\..\Run: [µTorrent] "C:\Programs\utorrent-1.6.1-beta-build-483.exe"
O4 - HKCU\..\Run: [AWMON] "C:\PROGRA~1\Lavasoft\AD-AWA~1\Ad-Watch.exe"
O4 - HKCU\..\Run: [Uniblue SpeedUpMyPC] C:\Program Files\Uniblue\SpeedUpMyPC\SpeedUpMyPC.exe
O4 - Global Startup: RK Launcher.lnk = ?
O8 - Extra context menu item: &ieSpell Options - res://C:\Program Files\ieSpell\iespell.dll/SPELLOPTION.HTM
O8 - Extra context menu item: Add to &Windows Live Favorites - http://favorites.live.com/quickadd.aspx
O8 - Extra context menu item: Check &Spelling - res://C:\Program Files\ieSpell\iespell.dll/SPELLCHECK.HTM
O8 - Extra context menu item: Lookup on Merriam Webster - file://C:\Program Files\ieSpell\Merriam Webster.HTM
O8 - Extra context menu item: Lookup on Wikipedia - file://C:\Program Files\ieSpell\wikipedia.HTM
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_09\bin\ssv.dll
O16 - DPF: {03B39B10-9AB9-4DBB-8189-7F76E0CE5F3F} (FavImport Class) - https://favorites.live.com/cab/ImportAx.cab?v=13,0,0831,02
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?LinkID=39204
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1141887043981
O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\Program Files\Skype\toolbars\Shared\Skype4ComAPI.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\WINDOWS\
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O21 - SSODL: WPDShServiceObj - {AAA288BA-9A4C-45B0-95D7-94D524869DB5} - C:\WINDOWS\system32\WPDShServiceObj.dll
O23 - Service: AVG Anti-Spyware Guard - Anti-Malware Development a.s. - C:\Program Files\Grisoft\AVG Anti-Spyware 7.5\guard.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgupsvc.exe
O23 - Service: AVG E-mail Scanner (AVGEMS) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVGFRE~1\avgemc.exe
O23 - Service: Icecast Media Server (Icecast) - Unknown owner - C:\Program Files\Icecast2 Win32\icecastService.exe" "C:\Program Files\Icecast2 Win32 (file missing)
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe


Ignore the 0 38.100* stuff. I just did that since uTorrent can't ban clients (an issue with torrent poisoners).
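
As an added example (not code from this thread, from HijackThis, or from any of the fix tools named in it), the following Python script does the first-pass triage a helper does by eye on a log like the one above, and it also illustrates rridgely's point in #6 that the interesting entries are often the O2 and O20 ones: it reads HijackThis-format lines and flags BHO CLSIDs whose DLL is gone ("(no file)"), Winlogon Notify subkeys whose DllName is missing, a bare file name, or not a DLL at all, and hosts entries whose name field is an IPv4 literal. The sample lines are constructed to mirror the shapes seen in this thread and are not the poster's actual log; on a real case you would pass the saved log in instead. The hosts check carries a caveat worth knowing: the hosts file maps names to addresses, so a line whose "hostname" is an IP address is never consulted for a connection made directly to that IP.

```python
"""Triage HijackThis-style log lines for dangling or suspicious entries.

Added example for this thread; it is not part of HijackThis, VundoFix or
any other tool named above. The sample log below is constructed to mirror
the shapes seen in the posted logs and is not the poster's actual log.
"""
import re

SAMPLE_LOG = """\
O1 - Hosts: 0 38.100.24.10
O1 - Hosts: 127.0.0.1 localhost
O2 - BHO: (no name) - {2F364306-AA45-47B5-9F9D-39A8B94E7EF7} - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\\Program Files\\Java\\jre1.5.0_09\\bin\\ssv.dll
O20 - Winlogon Notify: igfxcui - C:\\WINDOWS\\SYSTEM32\\igfxsrvc.dll
O20 - Winlogon Notify: klogon - C:\\WINDOWS\\
O20 - Winlogon Notify: winghy32 - winghy32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\\WINDOWS\\system32\\nvsvc32.exe
"""

# "O20 - Winlogon Notify: igfxcui - C:\WINDOWS\..." -> ("O20", "Winlogon Notify", "igfxcui - C:\...")
LINE_RE = re.compile(r"^(O\d+) - ([^:]+): (.*)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
DRIVE_PATH_RE = re.compile(r"^[A-Za-z]:\\")


def parse_line(line):
    """Split one HijackThis line into (section, kind, body); None if it is not an O-line."""
    m = LINE_RE.match(line.strip())
    return m.groups() if m else None


def check_hosts(body):
    """O1 body is 'address hostname'. hosts maps names to addresses, so an
    entry whose name field is itself an IPv4 literal is never looked up and
    cannot block traffic that goes straight to that IP."""
    parts = body.split()
    if len(parts) < 2:
        return None
    hostname = parts[1]
    if IPV4_RE.match(hostname):
        return (hostname, "hosts name field is an IP literal; never consulted for direct-to-IP connections")
    return None


def check_bho(body):
    """O2 body is 'display name - {CLSID} - dll path'; '(no file)' means the
    CLSID is still registered but the DLL is gone."""
    parts = [p.strip() for p in body.rsplit(" - ", 2)]
    if len(parts) != 3:
        return None
    _display_name, clsid, path = parts
    if path == "(no file)":
        return (clsid, "BHO CLSID registered but its DLL is absent (dangling entry)")
    return None


def check_winlogon_notify(body):
    """O20 body is 'subkey - DllName'. Winlogon loads every DllName under
    Winlogon\\Notify into winlogon.exe at logon, which is what makes these
    entries attractive for persistence and awkward to remove while logged in."""
    name, _sep, path = body.partition(" - ")
    path = path.strip()
    if path.endswith("(file missing)"):
        return (name, "Notify subkey points at a DLL that does not exist")
    if not DRIVE_PATH_RE.match(path):
        return (name, "DllName is a bare file name, resolved through the DLL search path")
    if path.endswith("\\"):
        return (name, "DllName is a directory, not a DLL (truncated or tampered value)")
    return None


CHECKS = {"O1": check_hosts, "O2": check_bho, "O20": check_winlogon_notify}


def triage(log_text):
    """Return [(section, item, reason)] for every line a check flags, in log order."""
    findings = []
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        section, _kind, body = parsed
        check = CHECKS.get(section)
        if check is None:
            continue
        hit = check(body)
        if hit:
            findings.append((section, hit[0], hit[1]))
    return findings


if __name__ == "__main__":
    for section, item, reason in triage(SAMPLE_LOG):
        print(f"{section:4} {item:42} {reason}")
```

Running the script prints four findings for the built-in sample: the hosts line, the dangling BHO CLSID, the klogon entry whose DllName is just a directory, and the winghy32 entry whose DLL is gone. A dangling Winlogon Notify key is still worth removing after the DLL has been deleted, because a later dropper that writes a file of that name into the search path gets it loaded into winlogon.exe at the next logon. To use it on a real case, call `triage(open("hijackthis.log").read())` instead of the sample.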

#12 OFFLINE   rridgely

Posted 26 November 2006 - 03:48 AM

I guess ComboFix fixed the entry that hides the O2 and O20 entries (ishost.exe).

Run this and post the log:

Please download SmitfraudFix (by S!Ri)
Extract the content (a folder named SmitfraudFix) to your Desktop.

Open the SmitfraudFix folder and double-click smitfraudfix.cmd
Select option #1 - Search by typing 1 and press "Enter"; a text file will appear, which lists infected files (if present).
Please copy/paste the content of that report into your next reply.

#13 OFFLINE   JohnDemolition

Posted 26 November 2006 - 03:54 AM

SmitFraudFix v2.124

Scan done at 19:53:25.65, Sat 11/25/2006
Run from C:\Documents and Settings\Owner\My Documents\SmitfraudFix
OS: Microsoft Windows XP [Version 5.1.2600] - Windows_NT
Fix run in normal mode

»»»»»»»»»»»»»»»»»»»»»»»» C:\


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\Web


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32


»»»»»»»»»»»»»»»»»»»»»»»» C:\WINDOWS\system32\LogFiles


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner


»»»»»»»»»»»»»»»»»»»»»»»» C:\Documents and Settings\Owner\Application Data


»»»»»»»»»»»»»»»»»»»»»»»» Start Menu


»»»»»»»»»»»»»»»»»»»»»»»» C:\DOCUME~1\Owner\FAVORI~1


»»»»»»»»»»»»»»»»»»»»»»»» Desktop


»»»»»»»»»»»»»»»»»»»»»»»» C:\Program Files 


»»»»»»»»»»»»»»»»»»»»»»»» Corrupted keys


»»»»»»»»»»»»»»»»»»»»»»»» Desktop Components
 
 

»»»»»»»»»»»»»»»»»»»»»»»» Sharedtaskscheduler
!!!Attention, following keys are not inevitably infected!!!

SrchSTS.exe by S!Ri
Search SharedTaskScheduler's .dll


»»»»»»»»»»»»»»»»»»»»»»»» AppInit_DLLs
!!!Attention, following keys are not inevitably infected!!!

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows]
"AppInit_DLLs"=""


»»»»»»»»»»»»»»»»»»»»»»»» pe386-msguard-lzx32


»»»»»»»»»»»»»»»»»»»»»»»» Scanning wininet.dll infection


»»»»»»»»»»»»»»»»»»»»»»»» End



#14 OFFLINE   rridgely

Posted 26 November 2006 - 04:07 AM

You're sure that when VundoFix ran you let it scan all the way?
Do you have superantispyware?

Download Superantispyware
  • Load Superantispyware and click the check for updates button.
  • Once the update is finished click the scan your computer button.
  • Check Perform Complete Scan and then next.
  • Superantispyware will now scan your computer, and when it's finished it will list all the infections it has found.
  • Make sure that they all have a check next to them and press next.
  • Click finish and you will be taken back to the main interface.
  • Click Preferences and then click the statistics/logs tab. Click the dated log and press view log and a text file will appear.
  • Copy and paste the log onto the forum.
Run Superantispyware and post back the log.

#15 OFFLINE   JohnDemolition

Posted 26 November 2006 - 04:17 AM

Bleh. I used to, but I don't anymore because it wasn't doing anything. And besides, I already have Spybot, Ad-Aware (which I haven't run yet), AVG (AV and AS). Anyways, I'll restart the comp and I'll check to see if that file is still there. If it is, then I'll install SUPERAntiSpyware and I'll do something after that :)

#16 OFFLINE   rridgely

Posted 26 November 2006 - 04:24 AM

SAS will catch Vundo, SmitFraud, and a few others that AVG AS won't.
I would run it just to make sure.