I think my computer is infected...

spyscraper · 06-24-2008, 05:37 AM

Hi friendly peoples, this is my first post here, so please go gentle on me ;P

I think it all first began with me allowing an unknown .dll to run as an app or allowing an unknown registry entry to be added (Yeah, I don't know what I was thinking at that time).
Anyway, I think it installed a trojan and after that downloaded virtumonde virus (which my spybot picked up, seemed to remove, but it kept installing anyway).
So then I downloaded malwarebytes and troubles seemed to be gone, but alas, time to time my nod32 picked up various viruses (always on access scan method, never on demand).

I'll post some pics to clarify some of the errors / registry entries I didn't trust.

Spybot - I think this is the value that caused trouble (deleted on screen):

Spybot virtumonde scan result:

Spybot after malwarebytes:

And things after reboot:

NOD32:

HijackThis log ---> next post

spyscraper · 06-24-2008, 05:43 AM

the HJT log:
------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:43:54, on 24-Jun-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro\o2flash.exe
D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
D:\PROGRAMS\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe
D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
D:\PROGRAMS\Acronis\TrueImageMonitor.exe
D:\PROGRAMS\Acronis\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe
D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\sndvol32.exe
D:\PROGRAMS\Intel Wireless\Bin\Dot1XCfg.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\WINDOWS\system32\svchost.exe
D:\PROGRAMS\FireFox\firefox.exe
D:\PROGRAMS\! Maintenance & Security\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file)
O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file)
O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WinampAgent] "D:\PROGRAMS\! Audio\WinAMP\winampa.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\PROGRAMS\Acronis\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\PROGRAMS\Acronis\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Process XP] D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
O4 - HKLM\..\Run: [Speedfan] D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [Steam] "E:\GAMEZ\STEAM\Steam.exe" -silent
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210872225968
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro\o2flash.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe

--
End of file - 7384 bytes

------------------
Thanks very much in advance :)

**Angelfire777** · 06-27-2008, 01:54 PM

Hi, welcome to tsf!

Sorry for the delay.

If you still need assistance, please post a fresh hijackthis log

spyscraper · 07-06-2008, 10:20 AM

Quote:

Originally Posted by Angelfire777

Hi, welcome to tsf!

Sorry for the delay.

If you still need assistance, please post a fresh hijackthis log

Hi, I'm also sorry for my late reply, so I guess it makes even lol :P

anyway, as you requested:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 19:19:54, on 06-Jul-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro\o2flash.exe
D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
D:\PROGRAMS\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe
D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
D:\PROGRAMS\Acronis\TrueImageMonitor.exe
D:\PROGRAMS\Acronis\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe
D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRAMS\Intel Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
D:\PROGRAMS\FireFox\firefox.exe
C:\WINDOWS\system32\sndvol32.exe
D:\PROGRAMS\DAEMON Tools\daemon.exe
D:\PROGRAMS\! Maintenance & Security\HijackThis!\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file)
O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file)
O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WinampAgent] "D:\PROGRAMS\! Audio\WinAMP\winampa.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\PROGRAMS\Acronis\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\PROGRAMS\Acronis\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Process XP] D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
O4 - HKLM\..\Run: [Speedfan] D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\PROGRAMS\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210872225968
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro\o2flash.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe

--
End of file - 7357 bytes

spyscraper · 07-09-2008, 06:43 AM

bumpey?

tetonbob · 07-10-2008, 09:42 PM

Hi, and sorry once again for the delay. Angelfire777 seems to be having some issues with the internet connections.

Since it's been a few days, and in the case you're not receiving help elsewhere, I'd like a new set of logs. I'm subscribed to this thread, and would be immediately notified of your reply. We can begin when I see the next logs....

Please do this:

Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges.

Close all applications and windows.
Double-click on dss.exe to run it, and follow the prompts.
When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized
Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum.
Please attach extra.txt to your post.

To attach a file to a new post, simply

Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and
copy and paste the following into the "Upload File from your Computer" box:
C:\Deckard\System Scanner\extra.txt
Click Upload.

What DSS will do:

create a new System Restore point in Windows XP and Vista.
clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

---------------------------------------------------------------------------------------------

spyscraper · 07-13-2008, 07:04 PM

Thanks tetonbob for your time and effort :)

Also, I'm going on a vacation for 2 weeks, so I'm not sure whether I'm gonna get some inet connection somewhere, so take your time :)

Here you go sir:

(I have to note that after the scanning, some virus / trojan alerts popped up via my Nod32 antivirus, some was virtumonde and others I can't remember, I will make a post of my NOD32 log if you'd want?)

Deckard's System Scanner v20071014.68
Run by ((( ~ ))) on 2008-07-14 03:50:37
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.

-- Last 5 Restore Point(s) --
61: 2008-07-14 01:50:40 UTC - RP61 - Deckard's System Scanner Restore Point
60: 2008-07-13 21:31:13 UTC - RP60 - Installed Blowfish Advanced CS
59: 2008-07-10 18:24:06 UTC - RP59 - System Checkpoint
58: 2008-07-09 12:41:16 UTC - RP58 - Software Distribution Service 3.0
57: 2008-07-08 14:22:51 UTC - RP57 - System Checkpoint

-- First Restore Point --
1: 2008-05-23 22:51:58 UTC - RP1 - System Checkpoint

Backed up registry hives.
Performed disk cleanup.

-- HijackThis (run as ((( ~ ))).exe) -------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 03:52:07, on 14-Jul-08
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\ESET\ESET Smart Security\ekrn.exe
D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\Program Files\O2Micro\o2flash.exe
C:\WINDOWS\system32\PnkBstrA.exe
D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
D:\PROGRAMS\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe
C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\RunDLL32.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe
D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe
C:\Program Files\ESET\ESET Smart Security\egui.exe
D:\PROGRAMS\Acronis\TrueImageMonitor.exe
D:\PROGRAMS\Acronis\TimounterMonitor.exe
C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe
D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe
D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
D:\PROGRAMS\DAEMON Tools\daemon.exe
C:\WINDOWS\system32\ctfmon.exe
D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
D:\PROGRAMS\Intel Wireless\Bin\Dot1XCfg.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
D:\PROGRAMS\! Maintenance & Security\Deckard's System Scanner\dss.exe
D:\PROGRAMS\!MAINT~1\HIJACK~1\((( ~ ))).exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file)
O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file)
O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE
O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe
O4 - HKLM\..\Run: [IntelZeroConfig] "D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe"
O4 - HKLM\..\Run: [IntelWireless] "D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless
O4 - HKLM\..\Run: [WinampAgent] "D:\PROGRAMS\! Audio\WinAMP\winampa.exe"
O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\PROGRAMS\Acronis\TrueImageMonitor.exe
O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\PROGRAMS\Acronis\TimounterMonitor.exe
O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe"
O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMS\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Process XP] D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe
O4 - HKLM\..\Run: [Speedfan] D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe
O4 - HKLM\..\Run: [DAEMON Tools] "D:\PROGRAMS\DAEMON Tools\daemon.exe" -lang 1033
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210872225968
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\
O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe
O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe
O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NMSAccessU - Unknown owner - D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro\o2flash.exe
O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe
O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe
O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\
O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe
O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe

--
End of file - 7444 bytes

-- File Associations -----------------------------------------------------------

.reg - regfile - shell\open\command - regedit.exe "%1" %*
.scr - scrfile - shell\open\command - "%1" %*

-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R0 Alcohol - c:\windows\system32\drivers\alcohol.sys
R0 AlcoholM - c:\windows\system32\drivers\alcoholm.sys
R0 giveio - c:\windows\system32\giveio.sys
R0 speedfan - c:\windows\system32\speedfan.sys <Not Verified; Windows (R) 2000 DDK provider; Windows (R) 2000 DDK driver>
R2 s24trans (WLAN Transport) - c:\windows\system32\drivers\s24trans.sys <Not Verified; Intel Corporation; Intel Wireless LAN Packet Driver>

S3 musbehco - c:\docume~1\(((~))~1\locals~1\temp\musbehco.sys (file missing)
S3 NvnUsbAudio (Novation USB Audio Driver) - c:\windows\system32\drivers\nvnusbaudio.sys <Not Verified; Novation DMS Ltd.; Novation USB Audio Driver>

-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

R2 Apple Mobile Device - "c:\program files\common files\apple\mobile device support\bin\applemobiledeviceservice.exe" <Not Verified; Apple, Inc.; Apple Mobile Device Service>
R2 Bonjour Service - "c:\program files\bonjour\mdnsresponder.exe" <Not Verified; Apple Inc.; Bonjour>
R2 ekrn (Eset Service) - "c:\program files\eset\eset smart security\ekrn.exe" <Not Verified; ESET; ESET Smart Security>
R2 o2flash (O2Micro Flash Memory Card Service) - "c:\program files\o2micro\o2flash.exe" <Not Verified; O2Micro International; O2 MS1/MP1 Service>
R2 RegSrvc (Intel(R) PROSet/Wireless Registry Service) - d:\programs\intel wireless\bin\regsrvc.exe <Not Verified; Intel Corporation; Intel(R) PROSet/Wireless Registry Service>
R2 WLANKEEPER (Intel(R) PROSet/Wireless SSO Service) - d:\programs\intel wireless\bin\wlkeeper.exe <Not Verified; Intel(R) Corporation; SSO Service>

-- Device Manager: Disabled ----------------------------------------------------

Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
Description: Intel(R) 82566MC Gigabit Network Connection
Device ID: PCI\VEN_8086&DEV_104D&SUBSYS_14021A46&REV_03\3&B1BFB68&0&C8
Manufacturer: Intel
Name: Intel(R) 82566MC Gigabit Network Connection
PNP Device ID: PCI\VEN_8086&DEV_104D&SUBSYS_14021A46&REV_03\3&B1BFB68&0&C8
Service: e1express

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: USB 2.0 Image Capture Controller
Device ID: USB\VID_05E1&PID_0501\5&43F8BF9&0&3
Manufacturer:
Name: USB 2.0 Image Capture Controller
PNP Device ID: USB\VID_05E1&PID_0501\5&43F8BF9&0&3
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description: PCI Memory Controller
Device ID: PCI\VEN_8086&DEV_444E&SUBSYS_444E8086&REV_01\4&227633DA&0&00E2
Manufacturer:
Name: PCI Memory Controller
PNP Device ID: PCI\VEN_8086&DEV_444E&SUBSYS_444E8086&REV_01\4&227633DA&0&00E2
Service:

Class GUID: {4D36E97E-E325-11CE-BFC1-08002BE10318}
Description:
Device ID: ACPI\ACPIHIDMAPPER\5&15D725F4&0
Manufacturer:
Name:
PNP Device ID: ACPI\ACPIHIDMAPPER\5&15D725F4&0
Service:

-- Files created between 2008-06-14 and 2008-07-14 -----------------------------

2008-07-13 20:51:41 0 dr-h----- C:\Documents and Settings\((( ~ )))\Recent
2008-07-09 14:46:50 0 d-------- C:\Program Files\Common Files\Blizzard Entertainment
2008-07-07 20:35:33 0 d-------- C:\WINDOWS\system32\LogFiles
2008-07-04 01:10:34 0 d-------- C:\WINDOWS\system32\appmgmt
2008-06-28 01:47:53 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Thinstall
2008-06-24 21:16:50 0 d-------- C:\Program Files\uTorrent
2008-06-24 21:16:45 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\uTorrent
2008-06-24 03:01:57 0 d-------- C:\Documents and Settings\All Users\Application Data\TEMP
2008-06-24 01:17:26 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\OpenArena
2008-06-24 01:07:38 118784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL <Not Verified; Microsoft Corporation; MSSTDFMT Object Library>
2008-06-19 17:56:30 0 d-------- C:\Documents and Settings\((( ~ )))\Contacts
2008-06-18 18:09:28 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2008-06-18 18:08:58 0 d-------- C:\Program Files\Windows Live
2008-06-18 18:08:48 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2008-06-15 21:18:28 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Malwarebytes
2008-06-15 21:18:20 0 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-06-15 17:33:37 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Help

-- Find3M Report ---------------------------------------------------------------

2008-07-09 14:46:50 0 d-------- C:\Program Files\Common Files
2008-07-05 19:56:25 0 d--h----- C:\Program Files\InstallShield Installation Information
2008-06-15 21:41:44 673 --ahs---- C:\WINDOWS\system32\TCfhkUvw.ini2
2008-06-15 21:38:42 100864 -----n--- C:\WINDOWS\system32\sbwjdprc.dll
2008-06-11 01:15:08 0 d-------- C:\Program Files\Common Files\InstallShield
2008-06-11 00:26:06 109056 --a------ C:\WINDOWS\system32\garmmvrh.dll
2008-06-11 00:25:57 100864 --a------ C:\WINDOWS\system32\crjgkahn.dll
2008-06-09 20:00:49 109056 --a------ C:\WINDOWS\system32\gmdgqkdg.dll
2008-06-09 15:29:06 108544 --a------ C:\WINDOWS\system32\mgeinfmf.dll
2008-06-07 04:43:38 108544 --a------ C:\WINDOWS\system32\kfnohvli.dll
2008-06-01 22:52:28 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Ableton
2008-06-01 00:13:45 0 d-------- C:\Program Files\Sierra On-Line
2008-05-29 23:37:30 893 --ahs---- C:\WINDOWS\system32\poUtDJjl.ini2
2008-05-27 12:58:34 277754 --ahs---- C:\WINDOWS\system32\sAaKQXyb.ini2
2008-05-26 23:57:43 292596 --ahs---- C:\WINDOWS\system32\BbHklUvw.ini2
2008-05-23 18:21:33 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Apple Computer
2008-05-23 18:03:14 0 d-------- C:\Program Files\iPod
2008-05-23 18:02:58 0 d-------- C:\Program Files\Bonjour
2008-05-23 18:01:40 0 d-------- C:\Program Files\Apple Software Update
2008-05-23 18:01:04 0 d-------- C:\Program Files\Common Files\Apple
2008-05-18 12:58:06 43520 --a------ C:\WINDOWS\system32\CmdLineExt03.dll
2008-05-18 12:55:05 16407 --a------ C:\WINDOWS\DIIUnin.dat
2008-05-18 12:49:14 21840 --a------ C:\WINDOWS\system32\SIntfNT.dll
2008-05-18 12:49:13 17212 --a------ C:\WINDOWS\system32\SIntf32.dll
2008-05-18 12:49:13 12067 --a------ C:\WINDOWS\system32\SIntf16.dll
2008-05-18 12:48:22 2829 --a------ C:\WINDOWS\DIIUnin.pif
2008-05-18 12:48:22 94208 --a------ C:\WINDOWS\DIIUnin.exe <Not Verified; Blizzard Entertainment; Diablo II Uninstaller>
2008-05-17 23:41:36 47104 --a------ C:\WINDOWS\system32\KMVIDC32.DLL
2008-05-17 23:40:43 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Sony
2008-05-17 23:40:36 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Publish Providers
2008-05-17 23:40:36 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\NetMedia Providers
2008-05-17 12:37:11 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\DAEMON Tools Pro
2008-05-15 20:13:55 0 d-------- C:\Program Files\MSXML 6.0
2008-05-15 19:56:46 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Macromedia
2008-05-15 19:56:46 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Adobe
2008-05-15 19:56:44 1216 --a------ C:\WINDOWS\mozver.dat
2008-05-15 18:35:24 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Talkback
2008-05-15 18:35:17 0 --a------ C:\WINDOWS\nsreg.dat
2008-05-15 18:35:09 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Mozilla
2008-05-14 23:37:25 0 d-------- C:\Documents and Settings\((( ~ )))\Application Data\Acronis
2008-05-14 23:27:36 0 d-------- C:\Program Files\Common Files\Acronis
2008-05-07 13:01:51 356352 --a------ C:\WINDOWS\system32\AegisI5Installer.exe <Not Verified; ; AegisInstall Application>
2008-05-06 02:18:58 315392 --a------ C:\WINDOWS\HideWin.exe <Not Verified; Realtek Semiconductor Corp.; HD Audio Hide windows program>
2008-05-06 02:04:47 62 --ahs---- C:\Documents and Settings\((( ~ )))\Application Data\desktop.ini
2008-05-06 01:00:54 0 -rahs---- C:\MSDOS.SYS
2008-05-06 01:00:54 0 -rahs---- C:\IO.SYS
2008-05-06 01:00:54 0 --a------ C:\CONFIG.SYS
2008-05-06 01:00:54 0 --a------ C:\AUTOEXEC.BAT
2008-05-06 00:58:04 21640 --a------ C:\WINDOWS\system32\emptyregdb.dat

-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{034B6926-3FF4-46E1-B2DA-6727D1662C18}]
C:\WINDOWS\system32\wvUlkHbB.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{60fe7675-e5f2-4f46-a93c-19c2daa15259}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{622B25AE-27A3-4121-B930-76FAEFF9FC5B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D8EDC5E4-EEBA-497D-B0CF-218296CC10EF}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F2D02400-0183-42FD-BEE0-D3475DDC4521}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F3068B4F-6EF3-4EC6-BDED-7BA10306CB49}]
C:\WINDOWS\system32\byXQKaAs.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [25-Jun-07 23:39]
"nwiz"="nwiz.exe" [25-Jun-07 23:39 C:\WINDOWS\system32\nwiz.exe]
"NvMediaCenter"="NvMCTray.dll" [25-Jun-07 23:39 C:\WINDOWS\system32\nvmctray.dll]
"RTHDCPL"="RTHDCPL.EXE" [20-Dec-07 16:47 C:\WINDOWS\RTHDCPL.exe]
"Alcmtr"="ALCMTR.EXE" [03-May-05 18:43 C:\WINDOWS\Alcmtr.exe]
"SMSERIAL"="C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe" [13-Jul-07 13:32]
"IntelZeroConfig"="D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe" [16-Apr-07 11:24]
"IntelWireless"="D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" [16-Apr-07 11:22]
"WinampAgent"="D:\PROGRAMS\! Audio\WinAMP\winampa.exe" []
"egui"="C:\Program Files\ESET\ESET Smart Security\egui.exe" [13-Mar-08 16:48]
"KernelFaultCheck"="C:\WINDOWS\system32\dumprep 0 -k" []
"TrueImageMonitor.exe"="D:\PROGRAMS\Acronis\TrueImageMonitor.exe" [30-Oct-07 20:06]
"AcronisTimounterMonitor"="D:\PROGRAMS\Acronis\TimounterMonitor.exe" [30-Oct-07 20:11]
"Acronis Scheduler2 Service"="C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" [30-Oct-07 20:07]
"QuickTime Task"="D:\PROGRAMS\QuickTime\QTTask.exe" [28-Mar-08 23:37]
"iTunesHelper"="D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe" [30-Mar-08 10:36]
"Process XP"="D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe" [22-Feb-06 16:31]
"Speedfan"="D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe" [22-Apr-08 09:59]
"DAEMON Tools"="D:\PROGRAMS\DAEMON Tools\daemon.exe" [14-Sep-06 22:09]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\WINDOWS\system32\ctfmon.exe" [04-Aug-04 14:00]
"SpybotSD TeaTimer"="D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe" [28-Jan-08 11:43]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoInstrumentation"=1 (0x1)

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
"NoRecentDocsMenu"=1 (0x1)
"NoRecentDocsHistory"=1 (0x1)
"ClearRecentDocsOnExit"=1 (0x1)
"NoRecentDocsNetHood"=1 (0x1)
"NoInstrumentation"=1 (0x1)

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awtUlKDW]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WBSrv]
D:\PROGRAMS\! Monitoring

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=wbsys.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll,

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
"8c7815f9"=rundll32.exe "C:\WINDOWS\system32\qbcdtlso.dll",b
"BM8f4b2665"=Rundll32.exe "C:\WINDOWS\system32\hbmeimiy.dll",s

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{0a3f7257-4a92-11dd-a016-0013e8157e33}]
AutoRun\command- Q:\autorun.exe

-- Hosts -----------------------------------------------------------------------

127.0.0.1 www.007guard.com
127.0.0.1 007guard.com
127.0.0.1 008i.com
127.0.0.1 www.008k.com
127.0.0.1 008k.com
127.0.0.1 www.00hq.com
127.0.0.1 00hq.com
127.0.0.1 010402.com
127.0.0.1 www.032439.com
127.0.0.1 032439.com

8520 more entries in hosts file.

-- End of Deckard's System Scanner: finished at 2008-07-14 03:52:34 ------------

Thanks again!

tetonbob · 07-14-2008, 07:39 AM

It doesn't appear as though your Vundo infection is active.

S& D Spybot's Tea Timer

While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things.
Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean.

Open Spybot Search & Destroy.
In the Mode menu click "Advanced mode" if not already selected.
Choose "Yes" at the Warning prompt.
Expand the "Tools" menu.
Click "Resident".
Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box.
In the File menu click "Exit" to exit Spybot Search & Destroy.
See this link for a tutorial

Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily.
Double click ResetTeaTimer.bat to remove all entries set by TeaTimer.

---------------------------------------------------------------------------------------------

Open HijackThis and click on 'Do a System Scan Only'. Place a check next to the following entries if they exist (make sure you do not miss any) and click Fix Checked

O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing)
O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file)
O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file)
O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file)
O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file)
O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing)
O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\

Close HijackThis now.

---------------------------------------------------------------------------------------------

Open NOTEPAD.exe and copy/paste the text in the codebox below into it:

Code:

@echo off
if exist "%temp%\log.txt" del "%temp%\log.txt"

for %%g in (

C:\WINDOWS\system32\TCfhkUvw.ini2
C:\WINDOWS\system32\sbwjdprc.dll
C:\WINDOWS\system32\garmmvrh.dll
C:\WINDOWS\system32\crjgkahn.dll
C:\WINDOWS\system32\gmdgqkdg.dll
C:\WINDOWS\system32\mgeinfmf.dll
C:\WINDOWS\system32\kfnohvli.dll
C:\WINDOWS\system32\poUtDJjl.ini2
C:\WINDOWS\system32\sAaKQXyb.ini2
C:\WINDOWS\system32\BbHklUvw.ini2

) do (
del /a/f %%g >nul 2>&1
if exist %%g echo.%%g>>"%temp%\log.txt"
)

if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt"
) else echo.Deleted Successfully !!

pause
del %0

Save this as fix.bat Choose to "Save type as - All Files"
It should look like this:

Double click on fix.bat & allow it to run

Post back to tell me what it says

---------------------------------------------------------------------------------------------

Run DSS once again, and post it's log.

06-24-2008, 05:37 AM	#1 (permalink)
spyscraper Registered User Join Date: Jun 2008 Posts: 5 OS: Windows XP SP2	I think my computer is infected... Hi friendly peoples, this is my first post here, so please go gentle on me ;P I think it all first began with me allowing an unknown .dll to run as an app or allowing an unknown registry entry to be added (Yeah, I don't know what I was thinking at that time). Anyway, I think it installed a trojan and after that downloaded virtumonde virus (which my spybot picked up, seemed to remove, but it kept installing anyway). So then I downloaded malwarebytes and troubles seemed to be gone, but alas, time to time my nod32 picked up various viruses (always on access scan method, never on demand). I'll post some pics to clarify some of the errors / registry entries I didn't trust. Spybot - I think this is the value that caused trouble (deleted on screen): Spybot virtumonde scan result: Spybot after malwarebytes: And things after reboot: NOD32: HijackThis log ---> next post

06-24-2008, 05:43 AM	#2 (permalink)
spyscraper Registered User Join Date: Jun 2008 Posts: 5 OS: Windows XP SP2	Re: I think my computer is infected... the HJT log: ------------------------------------------------------------ Logfile of Trend Micro HijackThis v2.0.2 Scan saved at 14:43:54, on 24-Jun-08 Platform: Windows XP SP2 (WinNT 5.01.2600) MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180) Boot mode: Normal Running processes: C:\WINDOWS\System32\smss.exe C:\WINDOWS\system32\winlogon.exe C:\WINDOWS\system32\services.exe C:\WINDOWS\system32\lsass.exe C:\WINDOWS\system32\svchost.exe C:\WINDOWS\System32\svchost.exe D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe C:\WINDOWS\system32\spoolsv.exe C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe C:\Program Files\Bonjour\mDNSResponder.exe C:\Program Files\ESET\ESET Smart Security\ekrn.exe D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe C:\WINDOWS\system32\nvsvc32.exe C:\Program Files\O2Micro\o2flash.exe D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe D:\PROGRAMS\Alcohol 120%\Alcohol 120\StarWind\StarWindService.exe C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe C:\WINDOWS\Explorer.EXE C:\WINDOWS\system32\RunDLL32.exe C:\WINDOWS\RTHDCPL.EXE C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe C:\Program Files\ESET\ESET Smart Security\egui.exe D:\PROGRAMS\Acronis\TrueImageMonitor.exe D:\PROGRAMS\Acronis\TimounterMonitor.exe C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe C:\WINDOWS\system32\ctfmon.exe D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe C:\Program Files\iPod\bin\iPodService.exe C:\WINDOWS\system32\wuauclt.exe C:\WINDOWS\system32\sndvol32.exe D:\PROGRAMS\Intel Wireless\Bin\Dot1XCfg.exe C:\Program Files\Windows Live\Messenger\usnsvc.exe C:\WINDOWS\system32\svchost.exe D:\PROGRAMS\FireFox\firefox.exe D:\PROGRAMS\! Maintenance & Security\HijackThis!\HijackThis.exe R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing) O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file) O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file) O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file) O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file) O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing) O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup O4 - HKLM\..\Run: [nwiz] nwiz.exe /install O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE O4 - HKLM\..\Run: [Alcmtr] ALCMTR.EXE O4 - HKLM\..\Run: [SMSERIAL] C:\Program Files\Motorola\SMSERIAL\sm56hlpr.exe O4 - HKLM\..\Run: [IntelZeroConfig] "D:\PROGRAMS\Intel Wireless\bin\ZCfgSvc.exe" O4 - HKLM\..\Run: [IntelWireless] "D:\PROGRAMS\Intel Wireless\Bin\ifrmewrk.exe" /tf Intel PROSet/Wireless O4 - HKLM\..\Run: [WinampAgent] "D:\PROGRAMS\! Audio\WinAMP\winampa.exe" O4 - HKLM\..\Run: [egui] "C:\Program Files\ESET\ESET Smart Security\egui.exe" /hide /waitservice O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k O4 - HKLM\..\Run: [TrueImageMonitor.exe] D:\PROGRAMS\Acronis\TrueImageMonitor.exe O4 - HKLM\..\Run: [AcronisTimounterMonitor] D:\PROGRAMS\Acronis\TimounterMonitor.exe O4 - HKLM\..\Run: [Acronis Scheduler2 Service] "C:\Program Files\Common Files\Acronis\Schedule2\schedhlp.exe" O4 - HKLM\..\Run: [QuickTime Task] "D:\PROGRAMS\QuickTime\QTTask.exe" -atboottime O4 - HKLM\..\Run: [iTunesHelper] "D:\PROGRAMS\! Audio\iTunes\iTunesHelper.exe" O4 - HKLM\..\Run: [Process XP] D:\PROGRAMS\! Monitoring & Tweaking\Process XP\procexp.exe O4 - HKLM\..\Run: [Speedfan] D:\PROGRAMS\! Monitoring & Tweaking\SpeedFan\speedfan.exe O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe O4 - HKCU\..\Run: [SpybotSD TeaTimer] D:\PROGRAMS\! Maintenance & Security\Spybot - Search & Destroy\TeaTimer.exe O4 - HKCU\..\Run: [Steam] "E:\GAMEZ\STEAM\Steam.exe" -silent O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE') O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE') O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM') O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user') O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - D:\PROGRAMS\!MAINT~1\SPYBOT~1\SDHelper.dll O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/wind...?1210872225968 O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\ O23 - Service: Acronis Scheduler2 Service (AcrSch2Svc) - Acronis - C:\Program Files\Common Files\Acronis\Schedule2\schedul2.exe O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe O23 - Service: Eset HTTP Server (EhttpSrv) - ESET - C:\Program Files\ESET\ESET Smart Security\EHttpSrv.exe O23 - Service: Eset Service (ekrn) - ESET - C:\Program Files\ESET\ESET Smart Security\ekrn.exe O23 - Service: Intel(R) PROSet/Wireless Event Log (EvtEng) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\EvtEng.exe O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe O23 - Service: NMSAccessU - Unknown owner - D:\PROGRAMS\CDBurnerXP\NMSAccessU.exe O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe O23 - Service: O2Micro Flash Memory Card Service (o2flash) - O2Micro International - C:\Program Files\O2Micro\o2flash.exe O23 - Service: Intel(R) PROSet/Wireless Registry Service (RegSrvc) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\RegSrvc.exe O23 - Service: Intel(R) PROSet/Wireless Service (S24EventMonitor) - Intel Corporation - D:\PROGRAMS\Intel Wireless\Bin\S24EvMon.exe O23 - Service: StarWind iSCSI Service (StarWindService) - Unknown owner - C:\WINDOWS\ O23 - Service: Acronis Try And Decide Service (TryAndDecideService) - Unknown owner - C:\Program Files\Common Files\Acronis\Fomatik\TrueImageTryStartService.exe O23 - Service: Intel(R) PROSet/Wireless SSO Service (WLANKEEPER) - Intel(R) Corporation - D:\PROGRAMS\Intel Wireless\Bin\WLKeeper.exe -- End of file - 7384 bytes ------------------ Thanks very much in advance :)

06-27-2008, 01:54 PM	#3 (permalink)
Angelfire777 Moderator/Analyst, Security Team ; Rangemaster, TSF Academy Join Date: Oct 2006 Location: BC, Canada Posts: 2,727 OS: XP	Re: I think my computer is infected... Hi, welcome to tsf! Sorry for the delay. If you still need assistance, please post a fresh hijackthis log __________________ Proud member of UNITE and ASAP since 2006 If we have helped you, please consider donating. The past won't be able to hurt you unless you keep on looking back at it.

07-09-2008, 06:43 AM	#5 (permalink)
spyscraper Registered User Join Date: Jun 2008 Posts: 5 OS: Windows XP SP2	Re: I think my computer is infected... bumpey?

07-10-2008, 09:42 PM	#6 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 25,395 OS: 2000 Pro; XP Pro; XP Home	Re: I think my computer is infected... Hi, and sorry once again for the delay. Angelfire777 seems to be having some issues with the internet connections. Since it's been a few days, and in the case you're not receiving help elsewhere, I'd like a new set of logs. I'm subscribed to this thread, and would be immediately notified of your reply. We can begin when I see the next logs.... Please do this: Download Deckard's System Scanner (DSS) to your Desktop. Note: You must be logged onto an account with administrator privileges. Close all applications and windows. Double-click on dss.exe to run it, and follow the prompts. When the scan is complete, two text files will open - main.txt <- this one will be maximized and extra.txt <-this one will be minimized Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of main.txt in your thread in the HijackThis Log Help Forum. Please attach extra.txt to your post. To attach a file to a new post, simply Click the[Manage Attachments] button under Additional Options > Attach Files on the post composition page, and copy and paste the following into the "Upload File from your Computer" box: C:\Deckard\System Scanner\extra.txt Click Upload. What DSS will do: create a new System Restore point in Windows XP and Vista. clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives. check some important areas of your system and produce a report for your analyst to review. DSS automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed. --------------------------------------------------------------------------------------------- __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Our help is voluntary, but this site needs donations to operate. Please consider Donating to the Forum. Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.

07-14-2008, 07:39 AM	#8 (permalink)
tetonbob Manager, Security Center, TSF Academy; Analyst, Security Team Join Date: Jan 2005 Location: Transylvania County, North Carolina, USA Posts: 25,395 OS: 2000 Pro; XP Pro; XP Home	Re: I think my computer is infected... It doesn't appear as though your Vundo infection is active. S& D Spybot's Tea Timer While TeaTimer is an excellent tool for the prevention of spyware, it can sometimes prevent HijackThis from fixing certain things. Please disable TeaTimer for now until you are clean. TeaTimer can be re-activated once your HijackThis log is clean. Open Spybot Search & Destroy. In the Mode menu click "Advanced mode" if not already selected. Choose "Yes" at the Warning prompt. Expand the "Tools" menu. Click "Resident". Uncheck the "Resident "TeaTimer" (Protection of overall system settings) active." box. In the File menu click "Exit" to exit Spybot Search & Destroy. See this link for a tutorial Download ResetTeaTimer.bat by right-clicking on the link, and choosing Save As. Save it to your desktop, or somewhere you can find it easily. Double click ResetTeaTimer.bat to remove all entries set by TeaTimer. --------------------------------------------------------------------------------------------- Open HijackThis and click on 'Do a System Scan Only'. Place a check next to the following entries if they exist (make sure you do not miss any) and click Fix Checked O2 - BHO: (no name) - {034B6926-3FF4-46E1-B2DA-6727D1662C18} - C:\WINDOWS\system32\wvUlkHbB.dll (file missing) O2 - BHO: {95251aad-2c91-c39a-64f4-2f5e5767ef06} - {60fe7675-e5f2-4f46-a93c-19c2daa15259} - (no file) O2 - BHO: (no name) - {622B25AE-27A3-4121-B930-76FAEFF9FC5B} - (no file) O2 - BHO: (no name) - {D8EDC5E4-EEBA-497D-B0CF-218296CC10EF} - (no file) O2 - BHO: (no name) - {F2D02400-0183-42FD-BEE0-D3475DDC4521} - (no file) O2 - BHO: (no name) - {F3068B4F-6EF3-4EC6-BDED-7BA10306CB49} - C:\WINDOWS\system32\byXQKaAs.dll (file missing) O20 - Winlogon Notify: awtUlKDW - C:\WINDOWS\ Close HijackThis now. --------------------------------------------------------------------------------------------- Open NOTEPAD.exe and copy/paste the text in the codebox below into it: Code: @echo off if exist "%temp%\log.txt" del "%temp%\log.txt" for %%g in ( C:\WINDOWS\system32\TCfhkUvw.ini2 C:\WINDOWS\system32\sbwjdprc.dll C:\WINDOWS\system32\garmmvrh.dll C:\WINDOWS\system32\crjgkahn.dll C:\WINDOWS\system32\gmdgqkdg.dll C:\WINDOWS\system32\mgeinfmf.dll C:\WINDOWS\system32\kfnohvli.dll C:\WINDOWS\system32\poUtDJjl.ini2 C:\WINDOWS\system32\sAaKQXyb.ini2 C:\WINDOWS\system32\BbHklUvw.ini2 ) do ( del /a/f %%g >nul 2>&1 if exist %%g echo.%%g>>"%temp%\log.txt" ) if exist "%temp%\log.txt" ( start notepad "%temp%\log.txt" ) else echo.Deleted Successfully !! pause del %0 Save this as fix.bat Choose to "Save type as - All Files" It should look like this: Double click on fix.bat & allow it to run Post back to tell me what it says --------------------------------------------------------------------------------------------- Run DSS once again, and post it's log. __________________ Practice Safe Surfing PC Safety and Security--What Do I Need? Because what you don't know, CAN hurt you. Proud Member of ASAP since 2005 Proud Member of UNITE since 2006 Our help is voluntary, but this site needs donations to operate. Please consider Donating to the Forum. Please do not ask for help via Private Message. Ask in the forums, so all may gain from the experience.