# Solved: What Is aswAhAScr.dll? Spybot Keeps Saying It Was Deleted



## Dr.Moo (May 27, 2008)

Hello, I'm new here. My Spybot resident protection keeps telling me that aswAhAScr.dll was deleted. I wasn't doing anything at the time, so I denied the change, but did not make it remember the change, and after my computer has been on for about 10 minutes, it will say that aswAhAScr.dll has been deleted. Should I let this delete? I do have Avast! 4.8 Pro and I thought that .dll was needed for it. What should I do?


----------



## Dr.Moo (May 27, 2008)

And I was just looking around and apparently I also have the Vundo trojan as well. What do I need to do to get this off my computer (I also just updated Java.....)???


----------



## Dr.Moo (May 27, 2008)

avast! Warning

A Trojan Horse Was Found!

There is no reason to panic, though. Try to follow the given advice
and links.

File name: C:\Windows\system32\byXRjihf.dll*(other random names also)
Malware name: Win32:[email protected] [Trj]
Malware type: Trojan Horse
VPS version: 080527-0,05/27/2008

[insert other stuff here]

What do I need to do? Please help!!!


----------



## Dr.Moo (May 27, 2008)

It also found another one 20 mins later:

C:\WINDOWS\system32\geBRIxWN.dll

and this one 5 minutes after I posted this:

C:\WINDOWS\system32\geBrppnM.dll


----------



## dvk01 (Dec 14, 2002)

Please visit *Combofix Guide & Instructions* for instructions on downloading and running ComboFix; especially follow the advice about installing the Recovery Console.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.

Note: Do not mouse-click ComboFix's window whilst it's running. That may cause it to stall.

Note: ComboFix may reset a number of Internet Explorer's settings, including making it the default browser.
Note: ComboFix prevents autorun of ALL CDs, floppies and USB devices to assist with malware removal & increase security. If this is an issue or makes it difficult for you -- please tell us when you reply.


----------



## Dr.Moo (May 27, 2008)

OK, thank you. I will do that and post the logs. Let me install the programs and I will get back to you.


----------



## Dr.Moo (May 27, 2008)

ComboFix 08-05-26.2 - Dr.Moo 2008-05-27 15:41:45.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.499 [GMT -5:00]
Running from: C:\Documents and Settings\Dr.Moo\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\BM5316671a.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\gupkpdhu.ini
C:\WINDOWS\system32\mcifkrkw.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\yFhPAJlm.ini
C:\WINDOWS\system32\yFhPAJlm.ini2

.
((((((((((((((((((((((((( Files Created from 2008-04-27 to 2008-05-27 )))))))))))))))))))))))))))))))
.

2008-05-27 15:37 . 2008-05-27 15:37 d-------- C:\Program Files\Trend Micro
2008-05-27 02:56 . 2008-05-27 02:56 d-------- C:\Program Files\Secunia
2008-05-27 02:50 . 2008-05-27 02:50 d-------- C:\WINDOWS\Sun
2008-05-27 02:30 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-27 02:28 . 2008-05-27 02:30 d-------- C:\Program Files\Java
2008-05-27 02:28 . 2008-05-27 02:28 d-------- C:\Program Files\Common Files\Java
2008-05-27 01:50 . 2008-05-27 15:22 d-------- C:\Documents and Settings\Dr.Moo\Application Data\SiteAdvisor
2008-05-27 01:50 . 2008-05-27 01:50 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-27 01:50 . 2008-05-27 01:50 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-27 01:35 . 2008-05-27 01:37 d-------- C:\Program Files\SpywareGuard
2008-05-27 01:06 . 2008-05-27 01:25 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 01:05 . 2008-05-27 01:21 d-------- C:\Program Files\SpywareBlaster
2008-05-27 01:05 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-27 01:05 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-27 01:05 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-26 21:17 . 2008-05-26 23:14 d-------- C:\VundoFix Backups
2008-05-26 03:24 . 2008-05-26 03:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-26 03:24 . 2008-05-26 03:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 03:13 . 2008-05-26 03:13 d-------- C:\Program Files\AliveMedia
2008-05-26 02:55 . 2008-05-26 02:55 d-------- C:\Program Files\OJOsoft
2008-05-26 02:44 . 2008-05-26 02:50 d-------- C:\Program Files\MediaCoder
2008-05-25 22:52 . 2008-05-25 22:52 d-------- C:\Program Files\sMooVePoD
2008-05-25 20:39 . 2008-05-25 20:40 d-------- C:\DVDVideoSoft
2008-05-25 20:38 . 2008-05-25 20:38 d-------- C:\Program Files\DVDVideoSoft
2008-05-25 20:38 . 2008-05-25 20:38 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-25 20:38 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-25 18:00 . 2008-05-25 18:00 58,880 --a------ C:\WINDOWS\system32\yayyATjJ.dll
2008-05-25 16:02 . 2008-05-25 16:02 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-24 23:26 . 2008-05-26 01:02 d-------- C:\Program Files\iPod Linux-Installer-2.2
2008-05-24 23:19 . 2008-05-24 23:19 0 --a------ C:\_short_deepsleep
2008-05-24 23:16 . 2008-05-26 01:02 d-------- C:\Program Files\iPod Wizard 1.3
2008-04-29 21:45 . 2008-04-25 05:00 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-04-29 21:45 . 2008-04-25 05:00 349,184 --a------ C:\WINDOWS\system32\avisynth.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-27 20:28 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\DNA
2008-05-27 07:22 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\BitTorrent
2008-04-24 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 15:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-24 07:16 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\Ahead
2008-04-23 11:56 7,808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys
2008-04-23 06:00 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-23 05:57 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-23 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 05:17 --------- d-----w C:\Program Files\Lavasoft
2008-04-23 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-23 05:08 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-23 05:07 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 05:07 --------- d-----w C:\Program Files\7-Zip
2008-04-23 05:05 --------- d-----w C:\Program Files\Nero
2008-04-23 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-23 04:58 --------- d-----w C:\Program Files\DNA
2008-04-23 04:58 --------- d-----w C:\Program Files\BitTorrent
2008-04-23 04:43 --------- d-----w C:\Program Files\MSBuild
2008-04-23 04:36 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-23 04:30 ---------  d-----w C:\Program Files\CONEXANT
2008-04-23 03:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-23 03:36 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-23 03:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-23 03:36 --------- d-----w C:\Program Files\Realtek
2008-04-23 03:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-23 03:15 --------- d-----w C:\Program Files\Belarc
2008-04-22 10:13 --------- d-----w C:\Program Files\Logitech
2008-04-22 10:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-22 09:52 --------- d-----w C:\Program Files\iTunes
2008-04-22 09:52 --------- d-----w C:\Program Files\iPod
2008-04-22 09:52 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\Apple Computer
2008-04-22 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-22 09:51 --------- d-----w C:\Program Files\QuickTime
2008-04-22 09:51 --------- d-----w C:\Program Files\Bonjour
2008-04-22 09:50 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 09:49 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-22 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-22 09:13 --------- d-----w C:\Program Files\Alwil Software
2008-04-22 09:05 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-17 21:33 4,707,328 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-04-10 21:52 16,861,184 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-04-02 14:27 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-05 23:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{522E0112-EDD9-413D-A99E-C311A54B6676}]
2008-05-25 18:00 58880 --a------ C:\WINDOWS\system32\yayyATjJ.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4A69A6-827C-4D45-80AD-3A23412A7974}]
C:\WINDOWS\system32\mlJAPhFy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-25 16:28 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 16861184 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 08:47 1057064]
"50255486"="C:\WINDOWS\system32\wkrkficm.dll" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]
"Ad-Watch"="C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe" [2008-01-24 09:22 2476408]

C:\Documents and Settings\Dr.Moo\Start Menu\Programs\Startup\
Secunia PSI (RC2).lnk - C:\Program Files\Secunia\PSI (RC2)\psi.exe [2008-05-26 03:49:10 667648]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{522E0112-EDD9-413D-A99E-C311A54B6676}"= C:\WINDOWS\system32\yayyATjJ.dll [2008-05-25 18:00 58880]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNddda]
byXNddda.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyATjJ]
yayyATjJ.dll 2008-05-25 18:00 58880 C:\WINDOWS\system32\yayyATjJ.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
R3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-04-23 06:56]

*Newly Created Service* - AD-WATCH_REAL-TIME_SCANNER
*Newly Created Service* - AD-WATCH_REGISTRY_FILTER
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 09:50:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-27 15:46:11
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\yayyATjJ.dll
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\ati2evxx.exe
C:\WINDOWS\system32\ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Alwil Software\Avast4\Setup\avast.setup
.
**************************************************************************
.
Completion time: 2008-05-27 15:51:42 - machine was rebooted
ComboFix-quarantined-files.txt 2008-05-27 20:51:23

Pre-Run: 77,522,329,600 bytes free
Post-Run: 78,183,628,800 bytes free

192 --- E O F --- 2008-05-27 20:28:16
___________________

When I run HijackThis, do I need to disable my antivirus/firewall/Ad-Watch and TeaTimer again?


----------



## Dr.Moo (May 27, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:15 PM, on 5/27/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Secunia\PSI (RC2)\psi.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\yayyATjJ.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CA4A69A6-827C-4D45-80AD-3A23412A7974} - C:\WINDOWS\system32\mlJAPhFy.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [50255486] rundll32.exe "C:\WINDOWS\system32\wkrkficm.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [Ad-Watch] C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Watch2007.exe
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: Secunia PSI (RC2).lnk = C:\Program Files\Secunia\PSI (RC2)\psi.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1208925991578
O20 - Winlogon Notify: byXNddda - byXNddda.dll (file missing)
O20 - Winlogon Notify: yayyATjJ - C:\WINDOWS\SYSTEM32\yayyATjJ.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6820 bytes

__________________

Here is my HJT log, and thank you so much for your help.


----------



## Dr.Moo (May 27, 2008)

Also just noticed....

O4 - HKLM\..\Run: [50255486] rundll32.exe "C:\WINDOWS\system32\wkrkficm.dll",b

My computer gives an error message about "wkrkficm.dll"; it says it can't find it or something. Want me to reboot to show you the error message?


----------
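The HJT log above and the rundll32 entry Dr.Moo points out are exactly what a helper scans these logs for. As an added example (not from the thread, HijackThis, or any tool recommended here), this Python pass parses the O2/O4/O20 lines quoted from that log and flags the indicators visible in it; the 8-letter-DLL, numeric-value-name and hex-argument heuristics are my own assumptions drawn from this thread, not a published signature.

```python
"""Heuristic triage of HijackThis (HJT) O2/O4/O20 entries for Vundo-style indicators.

Added example for this thread, not code from HijackThis or any recommended tool.
The heuristics below are assumptions drawn from the entries in this thread:
treat hits as leads for the helper, not verdicts.
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the HJT log posted in the thread, together
# with benign neighbours (SpywareGuard, Java, ctfmon, and the avast! RunOnce entry
# that registers AhAScr.dll) that a triage pass must leave alone.
SAMPLE_HJT_LOG = r"""
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\yayyATjJ.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CA4A69A6-827C-4D45-80AD-3A23412A7974} - C:\WINDOWS\system32\mlJAPhFy.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [50255486] rundll32.exe "C:\WINDOWS\system32\wkrkficm.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: byXNddda - byXNddda.dll (file missing)
O20 - Winlogon Notify: yayyATjJ - C:\WINDOWS\SYSTEM32\yayyATjJ.dll
"""

O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{[0-9A-Fa-f-]+\} - (?P<path>.*)$')
O4_RE = re.compile(r'^O4 - (?:HKLM|HKCU)\\\.\.\\Run\w*: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
O20_RE = re.compile(r'^O20 - Winlogon Notify: \S+ - (?P<path>.*)$')
RUNDLL_RE = re.compile(r'^rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?', re.I)
WINROOT_EXE_RE = re.compile(r'^"?[A-Za-z]:\\WINDOWS\\[^\\"\s]+\.exe"?\s+(?P<arg>\S+)', re.I)
RANDOM_DLL_RE = re.compile(r'^[A-Za-z]{8}\.dll$')   # yayyATjJ.dll, wkrkficm.dll, byXNddda.dll
HEX_BLOB_RE = re.compile(r'^[0-9A-Fa-f]{32,}$')
MISSING = ' (file missing)'

@dataclass
class Finding:
    section: str   # O2, O4 or O20
    target: str    # DLL file name (O2/O20) or Run value name (O4)
    reasons: list  # empty list means the entry parsed but tripped nothing

def basename(path):
    return path.rsplit('\\', 1)[-1]

def in_system32(path):
    return '\\system32\\' in path.lower()

def split_missing(path):
    """HJT appends ' (file missing)' when the registered file is gone; strip it and flag it."""
    if path.endswith(MISSING):
        return path[:-len(MISSING)], True
    return path, False

def triage_line(line):
    """Return a Finding for a recognised O2/O4/O20 entry, or None for any other line."""
    if m := O2_RE.match(line):
        path, missing = split_missing(m['path'])
        reasons = []
        if missing:
            reasons.append('BHO CLSID points at a DLL that no longer exists (orphaned registration)')
        if m['name'] == '(no name)' and in_system32(path):
            reasons.append('unnamed BHO loaded from system32')
        if RANDOM_DLL_RE.match(basename(path)):
            reasons.append('8-letter alphabetic DLL name')
        return Finding('O2', basename(path), reasons)
    if m := O4_RE.match(line):
        reasons = []
        if m['name'].isdigit():
            reasons.append('numeric-only Run value name')
        if (r := RUNDLL_RE.match(m['cmd'])) and in_system32(r['dll']) and RANDOM_DLL_RE.match(basename(r['dll'])):
            reasons.append('rundll32 loads an 8-letter DLL from system32')
        if (w := WINROOT_EXE_RE.match(m['cmd'])) and HEX_BLOB_RE.match(w['arg']):
            reasons.append('executable in %WINDIR% root started with a long hex argument')
        return Finding('O4', m['name'], reasons)
    if m := O20_RE.match(line):
        path, missing = split_missing(m['path'])
        reasons = []
        if missing:
            reasons.append('Winlogon Notify DLL no longer exists (orphaned registration)')
        if RANDOM_DLL_RE.match(basename(path)):
            reasons.append('8-letter alphabetic DLL name')
        return Finding('O20', basename(path), reasons)
    return None

def triage(log_text):
    """All O2/O4/O20 entries in an HJT log that trip at least one heuristic."""
    results = []
    for line in log_text.splitlines():
        f = triage_line(line.strip())
        if f and f.reasons:
            results.append(f)
    return results

if __name__ == '__main__':
    for f in triage(SAMPLE_HJT_LOG):
        print(f'{f.section:<4}{f.target:<16}' + '; '.join(f.reasons))
```

Run against the sample, it flags the two unnamed BHOs, the numeric rundll32 Run value, the runner1 entry and both Winlogon Notify DLLs, while the avast! RunOnce entry the thread title asks about parses cleanly and trips nothing.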



## Dr.Moo (May 27, 2008)

Hey, umm, my avast! just detected this....

C:\WINDOWS\system32\geBrpoOi.dll

Vundo.....


----------



## Dr.Moo (May 27, 2008)

Also, I had some .net account under my Control Panel user accounts. It was like (name).net machine a....... It was password protected; I didn't create it, so I deleted it.... Hopefully it wasn't a hacker hacking my system. What should I do????


----------



## dvk01 (Dec 14, 2002)

The dot net account is an account created by Windows normally & is OK, but it does no harm to delete it.

Next:

Please disable Ad-Watch, as it may hinder the removal of some entries.
To disable Ad-Watch:

Right-click the AW icon in the system tray and select "Unload Ad-Watch", and also untick "Load Ad-Watch at system start" and "Automatic". When you have finished cleaning, open Ad-Aware, click on the Ad-Watch button and then reverse the settings.

Let's see how much this one fixes before we go digging around.

Download Malwarebytes Anti-Malware.

Full instructions for use are shown here:
http://thespykiller.co.uk/index.php/topic,5946.0.html

Follow all instructions & post back its log & a new HJT log when finished.


----------



## Dr.Moo (May 27, 2008)

OK, thank you for your help. It is scanning now, but when I booted up my computer right after avast! updated, it found this.

C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[5] (1)
C:\WINDOWS\system32\efcATJBT.dll (2)
C:\WINDOWS\system32\yayyATjJ.dll (3)
C:\WINDOWS\system32\yayyATjJ.dll (4)

Win32:VunDrop [Drp]

Dropper

.... Content.IE5? I never had IE5 on this computer. .....


----------



## Dr.Moo (May 27, 2008)

Malwarebytes' Anti-Malware 1.12
Database version: 794

Scan type: Full Scan (C:\|E:\|G:\|)
Objects scanned: 82169
Time elapsed: 31 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> No action taken.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> No action taken.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50255486 (Trojan.Vundo) -> No action taken.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\DQVH7PG8\css4[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\DQVH7PG8\css4[2] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\NJ2TKRED\css4[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\NJ2TKRED\css4[2] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\NJ2TKRED\css4[3] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\P6NCQK2W\css4[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\P6NCQK2W\css4[2] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[1] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[2] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[3] (Trojan.Vundo) -> No action taken.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[4] (Trojan.Vundo) -> No action taken.
C:\System Volume Information\_restore{9F499270-1662-4CA0-8D33-771C4A9C9727}\RP24\A0008038.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\byXOhfDw.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\fccDTNET.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ljJBrOig.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\nnnnNETj.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\ssqQkLDU.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtUkLfFW.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtUliGAq.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\vtUolMfe.dll (Trojan.Vundo) -> No action taken.
C:\WINDOWS\system32\wvUnKEts.dll (Trojan.Vundo) -> No action taken.

Wow..... Vundo..... a umm a uhh a lot of Vundo... I'm gonna remove them now....


----------



## Dr.Moo (May 27, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:54:49 PM, on 5/28/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Secunia\PSI (RC2)\psi.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: (no name) - {522E0112-EDD9-413D-A99E-C311A54B6676} - C:\WINDOWS\system32\yayyATjJ.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CA4A69A6-827C-4D45-80AD-3A23412A7974} - C:\WINDOWS\system32\mlJAPhFy.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [50255486] rundll32.exe "C:\WINDOWS\system32\wkrkficm.dll",b
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - Startup: avast! On access scanner.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Startup: Secunia PSI (RC2).lnk = C:\Program Files\Secunia\PSI (RC2)\psi.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1208925991578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1211956558796
O20 - Winlogon Notify: byXNddda - byXNddda.dll (file missing)
O20 - Winlogon Notify: yayyATjJ - yayyATjJ.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7203 bytes

HJT Log


----------



## Dr.Moo (May 27, 2008)

Here is the log it gave me after I deleted the items.

Malwarebytes' Anti-Malware 1.12
Database version: 794

Scan type: Full Scan (C:\|E:\|G:\|)
Objects scanned: 82169
Time elapsed: 31 minute(s), 12 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 2
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 21

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
HKEY_CURRENT_USER\Software\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\affri (Malware.Trace) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MS Juan (Malware.Trace) -> Quarantined and deleted successfully.

Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\runner1 (Trojan.Agent) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\50255486 (Trojan.Vundo) -> Quarantined and deleted successfully.

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\DQVH7PG8\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\DQVH7PG8\css4[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\NJ2TKRED\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\NJ2TKRED\css4[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\NJ2TKRED\css4[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\P6NCQK2W\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\P6NCQK2W\css4[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[1] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[2] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[3] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\Documents and Settings\Dr.Moo\Local Settings\Temporary Internet Files\Content.IE5\Y592BPVX\css4[4] (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\System Volume Information\_restore{9F499270-1662-4CA0-8D33-771C4A9C9727}\RP24\A0008038.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\byXOhfDw.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\fccDTNET.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ljJBrOig.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\nnnnNETj.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\ssqQkLDU.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUkLfFW.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUliGAq.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\vtUolMfe.dll (Trojan.Vundo) -> Quarantined and deleted successfully.
C:\WINDOWS\system32\wvUnKEts.dll (Trojan.Vundo) -> Quarantined and deleted successfully.


----------



## dvk01 (Dec 14, 2002)

That looks like it got most of it.

Run ComboFix again & post its new log so we can see if there is anything left.


----------



## Dr.Moo (May 27, 2008)

ComboFix 08-05-26.2 - Dr.Moo 2008-05-29 4:09:10.2 - NTFSx86
Running from: C:\Documents and Settings\Dr.Moo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-29 )))))))))))))))))))))))))))))))
.

2008-05-29 03:13 . 2008-05-29 03:13 d-------- C:\Program Files\Common Files\DirectX
2008-05-28 21:16 . 2008-05-28 21:16 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-28 21:15 . 2008-05-28 21:21 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-28 21:15 . 2008-05-28 21:15 d-------- C:\Documents and Settings\Dr.Moo\Application Data\SUPERAntiSpyware.com
2008-05-28 15:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 15:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 15:17 . 2008-05-28 15:18 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 15:13 . 2008-05-28 15:13 d-------- C:\Documents and Settings\Administrator
2008-05-28 15:10 . 2008-05-28 15:10 d-------- C:\Documents and Settings\Dr.Moo\Application Data\Malwarebytes
2008-05-28 15:10 . 2008-05-28 15:10 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 15:03 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-28 15:03 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-28 01:23 . 2008-05-28 01:43 d-------- C:\Documents and Settings\Dr.Moo\SecurityScans
2008-05-28 01:22 . 2008-05-28 01:22 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-05-28 00:49 . 2008-05-28 00:49 d-------- C:\Program Files\Common Files\Adobe
2008-05-28 00:44 . 2008-05-28 00:44 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-05-27 22:58 . 2008-05-27 22:59 d-------- C:\Program Files\MagicDVDRipper
2008-05-27 22:56 . 2008-05-29 03:15 d-------- C:\Need for Speed Underground 2
2008-05-27 15:37 . 2008-05-27 15:37 d-------- C:\Program Files\Trend Micro
2008-05-27 02:56 . 2008-05-27 02:56 d-------- C:\Program Files\Secunia
2008-05-27 02:50 . 2008-05-27 02:50 d-------- C:\WINDOWS\Sun
2008-05-27 02:30 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-27 02:28 . 2008-05-27 02:30 d-------- C:\Program Files\Java
2008-05-27 02:28 . 2008-05-27 02:28 d-------- C:\Program Files\Common Files\Java
2008-05-27 01:50 . 2008-05-29 03:47 d-------- C:\Documents and Settings\Dr.Moo\Application Data\SiteAdvisor
2008-05-27 01:50 . 2008-05-27 01:50 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-27 01:50 . 2008-05-27 01:50 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-27 01:35 . 2008-05-27 01:37 d-------- C:\Program Files\SpywareGuard
2008-05-27 01:06 . 2008-05-27 01:25 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 01:05 . 2008-05-27 01:21 d-------- C:\Program Files\SpywareBlaster
2008-05-27 01:05 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-27 01:05 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-27 01:05 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-26 21:17 . 2008-05-26 23:14 d-------- C:\VundoFix Backups
2008-05-26 03:24 . 2008-05-26 03:24 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-26 03:24 . 2008-05-26 03:24 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-26 03:13 . 2008-05-26 03:13 d-------- C:\Program Files\AliveMedia
2008-05-26 02:55 . 2008-05-26 02:55 d-------- C:\Program Files\OJOsoft
2008-05-26 02:44 . 2008-05-26 02:50 d-------- C:\Program Files\MediaCoder
2008-05-25 22:52 . 2008-05-25 22:52 d-------- C:\Program Files\sMooVePoD
2008-05-25 20:39 . 2008-05-25 20:40 d-------- C:\DVDVideoSoft
2008-05-25 20:38 . 2008-05-25 20:38 d-------- C:\Program Files\DVDVideoSoft
2008-05-25 20:38 . 2008-05-25 20:38 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-25 20:38 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-25 16:02 . 2008-05-25 16:02 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-24 23:26 . 2008-05-26 01:02 d-------- C:\Program Files\iPod Linux-Installer-2.2
2008-05-24 23:19 . 2008-05-24 23:19 0 --a------ C:\_short_deepsleep
2008-05-24 23:16 . 2008-05-26 01:02 d-------- C:\Program Files\iPod Wizard 1.3
2008-04-29 21:45 . 2008-04-25 05:00 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-04-29 21:45 . 2008-04-25 05:00 349,184 --a------ C:\WINDOWS\system32\avisynth.dll

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-29 09:03 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\DNA
2008-05-29 02:15 --------- d-----w C:\Program Files\Common Files\Wise Installation Wizard
2008-05-28 23:06 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\BitTorrent
2008-05-28 21:58 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\Ahead
2008-04-24 15:56 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-24 15:52 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-23 11:56 7,808 ----a-w C:\WINDOWS\system32\drivers\psi_mf.sys
2008-04-23 06:00 --------- d-----w C:\Program Files\MSXML 6.0
2008-04-23 05:57 --------- d-----w C:\Program Files\MSXML 4.0
2008-04-23 05:31 --------- d-----w C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 05:17 --------- d-----w C:\Program Files\Lavasoft
2008-04-23 05:09 --------- d-----w C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-23 05:08 --------- d-----w C:\Program Files\Common Files\Ahead
2008-04-23 05:07 --------- d-----w C:\Program Files\7-Zip
2008-04-23 05:05 --------- d-----w C:\Program Files\Nero
2008-04-23 05:05 --------- d-----w C:\Documents and Settings\All Users\Application Data\Nero
2008-04-23 04:58 --------- d-----w C:\Program Files\DNA
2008-04-23 04:58 --------- d-----w C:\Program Files\BitTorrent
2008-04-23 04:43 --------- d-----w C:\Program Files\MSBuild
2008-04-23 04:36 --------- d-----w C:\Program Files\Reference Assemblies
2008-04-23 04:30 --------- d-----w C:\Program Files\CONEXANT
2008-04-23 03:45 --------- d-----w C:\Program Files\Windows Media Connect 2
2008-04-23 03:36 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-23 03:36 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-04-23 03:36 --------- d-----w C:\Program Files\Realtek
2008-04-23 03:36 --------- d-----w C:\Program Files\Common Files\InstallShield
2008-04-23 03:15 --------- d-----w C:\Program Files\Belarc
2008-04-22 10:13 --------- d-----w C:\Program Files\Logitech
2008-04-22 10:13 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-22 09:52 --------- d-----w C:\Program Files\iTunes
2008-04-22 09:52 --------- d-----w C:\Program Files\iPod
2008-04-22 09:52 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\Apple Computer
2008-04-22 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-22 09:51 --------- d-----w C:\Program Files\QuickTime
2008-04-22 09:51 --------- d-----w C:\Program Files\Bonjour
2008-04-22 09:50 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 09:49 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-22 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-22 09:13 --------- d-----w C:\Program Files\Alwil Software
2008-04-22 09:05 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-17 21:33 4,707,328 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-04-10 21:52 16,861,184 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-04-02 14:27 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-05 23:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
.

((((((((((((((((((((((((((((( [email protected]_15.49.46.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 20:44:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-29 03:31:50 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-28 06:23:16 30,240 ----a-r C:\WINDOWS\Installer\{6AF5CAB9-FD0A-494F-8AA6-784D4B5D06C5}\mbsa.exe
+ 2008-05-29 02:15:51 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2007-07-31 00:18:34 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2008-05-29 03:32:04 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_648.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CA4A69A6-827C-4D45-80AD-3A23412A7974}]
C:\WINDOWS\system32\mlJAPhFy.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-25 16:28 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 21:17 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 16861184 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 08:47 1057064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"aswAhAScr.dll"="C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.exe" [2003-09-16 05:27 22016]
"GrpConv"="grpconv -o" []

C:\Documents and Settings\Dr.Moo\Start Menu\Programs\Startup\
avast! On access scanner.lnk - C:\Program Files\Alwil Software\Avast4\ashDisp.exe [2008-04-22 04:13:08 79224]
Secunia PSI (RC2).lnk - C:\Program Files\Secunia\PSI (RC2)\psi.exe [2008-05-26 03:49:10 667648]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\byXNddda]
byXNddda.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\yayyATjJ]
yayyATjJ.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
R3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-04-23 06:56]

*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 09:50:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-29 04:10:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-29 4:11:10
ComboFix-quarantined-files.txt 2008-05-29 09:11:02
ComboFix2.txt 2008-05-27 20:51:46

Pre-Run: 75,011,637,248 bytes free
Post-Run: 75,026,378,752 bytes free

182 --- E O F --- 2008-05-27 20:28:16


----------



## Dr.Moo (May 27, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:12:24 AM, on 5/29/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Secunia\PSI (RC2)\psi.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O2 - BHO: (no name) - {CA4A69A6-827C-4D45-80AD-3A23412A7974} - C:\WINDOWS\system32\mlJAPhFy.dll (file missing)
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: avast! On access scanner.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Startup: Secunia PSI (RC2).lnk = C:\Program Files\Secunia\PSI (RC2)\psi.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1208925991578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1211956558796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNddda - byXNddda.dll (file missing)
O20 - Winlogon Notify: yayyATjJ - yayyATjJ.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 7063 bytes

There is my ComboFix log and HJT log. My computer is running SO MUCH BETTER now.


----------



## Dr.Moo (May 27, 2008)

OK, also I have ONE MAJOR problem, well for me.... I have Windows XP installed on one partition and Ubuntu 7.10 (Linux) installed on another partition..... When I installed the recovery console from my disk when I installed ComboFix.... my MBR changed; I no longer see

grub loading stage 2...

Please Select One

Ubuntu 7.10
Ubuntu 7.10 Generic
Ubuntu 7.10 Recovery
Other Operating Systems:
Windows XP

i just see

Select One

Windows XP
Recovery Console


Umm.... what do I do to get my "grub" back so I can either boot into Ubuntu, Windows XP, and the Recovery Console???

Also, what do you recommend for making Linux "safer", like anti-virus/spyware and stuff like that...

And one other question....

Should I install SP3 when I get the "All Clean"? Or should I wait?


----------



## Dr.Moo (May 27, 2008)

Also my SpywareGuard will not open... I don't know what's wrong with it. Should I re-install it?


----------



## dvk01 (Dec 14, 2002)

Run HijackThis, put a tick in the box beside these entries listed below and *ONLY these entries*, double check to make sure, then make sure all browser & email windows are closed and press fix checked.

O2 - BHO: (no name) - {CA4A69A6-827C-4D45-80AD-3A23412A7974} - C:\WINDOWS\system32\mlJAPhFy.dll (file missing)
O20 - Winlogon Notify: byXNddda - byXNddda.dll (file missing)
O20 - Winlogon Notify: yayyATjJ - yayyATjJ.dll (file missing)

Reinstall SpywareGuard, as that was probably damaged by the malware.

I have not previously known installing the RC to remove the grub bootloader, but I haven't tried a dual boot with Ubuntu & Windows & RC.

This looks like how to fix it:

http://www.howtogeek.com/howto/ubuntu/reinstall-ubuntu-grub-bootloader-after-windows-wipes-it-out/

Ask in the Linux forum about protection for Linux, as I know almost nothing about that.

Let me know how you get on.
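As an added example (not HijackThis code and not anything posted in this thread), a small Python triage script for the HJT log format used above: it parses the O2/O4/O20 lines, lists the "(file missing)" hooks that belong on a "fix checked" list like the one just given, and diffs two logs the way a "run it again and post the new log" round is checked. The sample lines are excerpts of the logs posted in this thread.

```python
"""Triage helper for HijackThis (HJT) logs.

Added example for this thread; it is not HijackThis or forum code.  It parses
the O2 (browser helper object), O4 (Run/RunOnce autostart) and O20 (Winlogon
Notify) lines of an HJT log, picks out the autostart hooks whose DLL is gone
("(file missing)", i.e. the registry residue left after the Vundo DLLs were
deleted) and diffs two logs so the "anything left?" question can be answered
mechanically.
"""
import re
from dataclasses import dataclass

FILE_MISSING = "(file missing)"

O2_RE = re.compile(r"^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<target>.+)$")
O4_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run|RunOnce): \[(?P<name>[^\]]+)\] (?P<target>.+)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<target>.+)$")
SECTION_PATTERNS = (("O2", O2_RE), ("O4", O4_RE), ("O20", O20_RE))


@dataclass(frozen=True)
class HjtEntry:
    section: str        # "O2", "O4" or "O20"
    name: str           # BHO display name, Run value name or Notify subkey
    target: str         # file the entry points at, without the "(file missing)" tag
    file_missing: bool  # True when HJT could not find the target on disk
    raw: str            # the original log line, for pasting back into a reply


def parse_hjt(text):
    """Return the O2/O4/O20 entries of an HJT log in file order."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        for section, pattern in SECTION_PATTERNS:
            m = pattern.match(line)
            if m is None:
                continue
            target = m.group("target").strip()
            missing = target.endswith(FILE_MISSING)
            if missing:
                target = target[: -len(FILE_MISSING)].rstrip()
            entries.append(HjtEntry(section, m.group("name"), target, missing, line))
            break
    return entries


def orphaned_hooks(entries):
    """BHO and Winlogon Notify entries whose DLL no longer exists.

    Once the malicious DLL has been deleted these keys load nothing, but IE and
    winlogon still try them at every start; a legitimate component would have
    its file present, so a "(file missing)" hook is safe to fix.
    """
    return [e for e in entries if e.file_missing and e.section in ("O2", "O20")]


def fix_list(text):
    """Raw HJT lines to tick under 'fix checked', in the order they appear."""
    return [e.raw for e in orphaned_hooks(parse_hjt(text))]


def diff_logs(before_text, after_text):
    """(removed, added) entries between two HJT logs, keyed on section/name/target."""
    def key(e):
        return (e.section, e.name, e.target)
    before = {key(e): e for e in parse_hjt(before_text)}
    after = {key(e): e for e in parse_hjt(after_text)}
    removed = [e for k, e in before.items() if k not in after]
    added = [e for k, e in after.items() if k not in before]
    return removed, added


# Excerpts of the two HijackThis logs posted in this thread (the Vundo DLL
# names and the runner1 value are the ones that appear in those logs).
LOG_BEFORE = r"""
O4 - HKLM\..\Run: [runner1] C:\WINDOWS\mrofinu1535.exe 61A847B5BBF7281337983D466188719AB689201522886B092CBD44BD8689220221DD3257
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O20 - Winlogon Notify: byXNddda - byXNddda.dll (file missing)
O20 - Winlogon Notify: yayyATjJ - yayyATjJ.dll (file missing)
"""

LOG_AFTER = r"""
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {CA4A69A6-827C-4D45-80AD-3A23412A7974} - C:\WINDOWS\system32\mlJAPhFy.dll (file missing)
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: byXNddda - byXNddda.dll (file missing)
O20 - Winlogon Notify: yayyATjJ - yayyATjJ.dll (file missing)
"""

if __name__ == "__main__":
    for line in fix_list(LOG_AFTER):
        print(line)
    removed, added = diff_logs(LOG_BEFORE, LOG_AFTER)
    print("gone since last log:", [e.name for e in removed])
    print("new since last log :", [e.name for e in added])
```

The fix list produced for LOG_AFTER is exactly the three entries listed in the reply above; the diff shows the runner1 value gone after the Malwarebytes run and only the user's newly installed tools added.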


----------



## Dr.Moo (May 27, 2008)

ComboFix 08-05-26.2 - Dr.Moo 2008-05-30 5:45:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.393 [GMT -5:00]
Running from: C:\Documents and Settings\Dr.Moo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))
.

2008-05-30 01:24 . 2008-05-30 01:24 d-------- C:\Program Files\prjMegaTrain
2008-05-30 01:17 . 2008-05-30 01:23 286,720 --------- C:\WINDOWS\Setup1.exe
2008-05-30 01:16 . 2008-05-30 01:23 73,216 --a------ C:\WINDOWS\ST6UNST.EXE
2008-05-30 00:24 . 2008-05-30 00:24 d-------- C:\Program Files\Activision Value
2008-05-30 00:21 . 2008-05-30 00:21 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-05-30 00:21 . 2008-05-30 00:21 1,409 --a------ C:\WINDOWS\QTFont.for
2008-05-30 00:13 . 2008-05-30 00:13 d--h----- C:\WINDOWS\PIF
2008-05-29 23:14 . 2008-05-29 23:14 d-------- C:\Program Files\Symantec
2008-05-29 21:41 . 2008-05-29 21:41 d-------- C:\Program Files\IcoFX 1.6
2008-05-29 21:41 . 2008-05-29 21:44 d-------- C:\Documents and Settings\Dr.Moo\Application Data\IcoFX
2008-05-29 03:13 . 2008-05-29 03:13 d-------- C:\Program Files\Common Files\DirectX
2008-05-28 21:16 . 2008-05-28 21:16 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
2008-05-28 21:15 . 2008-05-28 21:21 d-------- C:\Program Files\SUPERAntiSpyware
2008-05-28 21:15 . 2008-05-28 21:15 d-------- C:\Documents and Settings\Dr.Moo\Application Data\SUPERAntiSpyware.com
2008-05-28 15:18 . 2008-05-05 20:46 27,048 --a------ C:\WINDOWS\system32\drivers\mbamcatchme.sys
2008-05-28 15:18 . 2008-05-05 20:46 15,864 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-05-28 15:17 . 2008-05-28 15:18 d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-05-28 15:13 . 2008-05-28 15:13 d-------- C:\Documents and Settings\Administrator
2008-05-28 15:10 . 2008-05-28 15:10 d-------- C:\Documents and Settings\Dr.Moo\Application Data\Malwarebytes
2008-05-28 15:10 . 2008-05-28 15:10 d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-05-28 15:03 . 2007-07-30 19:19 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2008-05-28 15:03 . 2007-07-30 19:19 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2008-05-28 01:23 . 2008-05-30 00:13 d-------- C:\Documents and Settings\Dr.Moo\SecurityScans
2008-05-28 01:22 . 2008-05-28 01:22 d-------- C:\Program Files\Microsoft Baseline Security Analyzer 2
2008-05-28 00:49 . 2008-05-28 00:49 d-------- C:\Program Files\Common Files\Adobe
2008-05-28 00:44 . 2008-05-28 00:44 151 --a------ C:\WINDOWS\PhotoSnapViewer.INI
2008-05-27 22:58 . 2008-05-27 22:59 d-------- C:\Program Files\MagicDVDRipper
2008-05-27 22:56 . 2008-05-29 03:15 d-------- C:\Need for Speed Underground 2
2008-05-27 15:37 . 2008-05-27 15:37 d-------- C:\Program Files\Trend Micro
2008-05-27 02:56 . 2008-05-27 02:56 d-------- C:\Program Files\Secunia
2008-05-27 02:50 . 2008-05-27 02:50 d-------- C:\WINDOWS\Sun
2008-05-27 02:30 . 2008-03-25 02:37 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-05-27 02:28 . 2008-05-27 02:30 d-------- C:\Program Files\Java
2008-05-27 02:28 . 2008-05-27 02:28 d-------- C:\Program Files\Common Files\Java
2008-05-27 01:50 . 2008-05-30 05:36 d-------- C:\Documents and Settings\Dr.Moo\Application Data\SiteAdvisor
2008-05-27 01:50 . 2008-05-27 01:50 d-------- C:\Documents and Settings\All Users\Application Data\SiteAdvisor
2008-05-27 01:50 . 2008-05-27 01:50 d-------- C:\Documents and Settings\All Users\Application Data\McAfee
2008-05-27 01:35 . 2008-05-29 04:50 d-------- C:\Program Files\SpywareGuard
2008-05-27 01:06 . 2008-05-29 04:49 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-05-27 01:05 . 2008-05-27 01:21 d-------- C:\Program Files\SpywareBlaster
2008-05-27 01:05 . 2005-04-15 19:58 1,071,088 --a------ C:\WINDOWS\system32\MSCOMCTL.OCX
2008-05-27 01:05 . 2005-08-25 18:18 118,784 --a------ C:\WINDOWS\system32\MSSTDFMT.DLL
2008-05-27 01:05 . 2005-08-25 18:19 115,920 --a------ C:\WINDOWS\system32\MSINET.OCX
2008-05-26 21:17 . 2008-05-26 23:14 d-------- C:\VundoFix Backups
2008-05-26 03:13 . 2008-05-26 03:13 d-------- C:\Program Files\AliveMedia
2008-05-26 02:55 . 2008-05-26 02:55 d-------- C:\Program Files\OJOsoft
2008-05-26 02:44 . 2008-05-26 02:50 d-------- C:\Program Files\MediaCoder
2008-05-25 22:52 . 2008-05-25 22:52 d-------- C:\Program Files\sMooVePoD
2008-05-25 20:39 . 2008-05-25 20:40 d-------- C:\DVDVideoSoft
2008-05-25 20:38 . 2008-05-25 20:38 d-------- C:\Program Files\DVDVideoSoft
2008-05-25 20:38 . 2008-05-25 20:38 d-------- C:\Program Files\Common Files\DVDVideoSoft
2008-05-25 20:38 . 2002-01-05 15:37 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2008-05-25 16:02 . 2008-05-25 16:02 127 --a------ C:\WINDOWS\system32\MRT.INI
2008-05-24 23:26 . 2008-05-26 01:02 d-------- C:\Program Files\iPod Linux-Installer-2.2
2008-05-24 23:19 . 2008-05-24 23:19 0 --a------ C:\_short_deepsleep
2008-05-24 23:16 . 2008-05-26 01:02 d-------- C:\Program Files\iPod Wizard 1.3
2008-04-29 21:45 . 2008-04-25 05:00 719,872 --a------ C:\WINDOWS\system32\devil.dll
2008-04-29 21:45 . 2008-04-25 05:00 349,184 --a------ C:\WINDOWS\system32\avisynth.dll
2008-04-24 16:23 . 2008-04-24 16:24 153 --a------ C:\WINDOWS\wininit.ini
2008-04-24 10:52 . 2008-04-24 10:52 d-------- C:\Program Files\Spybot - Search & Destroy
2008-04-24 10:52 . 2008-04-24 10:56 d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-23 23:48 . 2008-05-30 05:41 69 --a------ C:\WINDOWS\NeroDigital.ini
2008-04-23 06:56 . 2008-04-23 06:56 7,808 --a------ C:\WINDOWS\system32\drivers\psi_mf.sys
2008-04-23 01:51 . 2008-04-23 02:26 d-------- C:\Rockstar Games
2008-04-23 01:00 . 2008-04-23 01:00 d-------- C:\Program Files\MSXML 6.0
2008-04-23 00:57 . 2008-04-23 00:57 d-------- C:\Program Files\MSXML 4.0
2008-04-23 00:17 . 2008-04-23 00:17 d-------- C:\Program Files\Lavasoft
2008-04-23 00:17 . 2008-04-23 00:31 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-04-23 00:10 . 2008-05-29 21:16 d-------- C:\Documents and Settings\Dr.Moo\Application Data\Ahead
2008-04-23 00:09 . 2008-04-23 00:09 d-------- C:\Documents and Settings\All Users\Application Data\Ahead
2008-04-23 00:07 . 2008-05-28 21:15 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2008-04-23 00:06 . 2008-04-23 00:07 d-------- C:\Program Files\7-Zip
2008-04-23 00:05 . 2008-04-23 00:05 d-------- C:\Program Files\Nero
2008-04-23 00:05 . 2008-04-23 00:08 d-------- C:\Program Files\Common Files\Ahead
2008-04-23 00:05 . 2008-04-23 00:05 d-------- C:\Documents and Settings\All Users\Application Data\Nero
2008-04-22 23:58 . 2008-04-22 23:58 d-------- C:\Program Files\DNA
2008-04-22 23:58 . 2008-04-22 23:58 d-------- C:\Program Files\BitTorrent
2008-04-22 23:58 . 2008-05-30 05:42 d-------- C:\Documents and Settings\Dr.Moo\Application Data\DNA
2008-04-22 23:58 . 2008-05-28 18:06 d-------- C:\Documents and Settings\Dr.Moo\Application Data\BitTorrent
2008-04-22 23:45 . 2008-04-22 23:45 0 --a------ C:\WINDOWS\ativpsrm.bin
2008-04-22 23:43 . 2008-04-22 23:43 d-------- C:\Program Files\MSBuild
2008-04-22 23:37 . 2008-04-23 16:13 d-------- C:\WINDOWS\system32\XPSViewer
2008-04-22 23:36 . 2008-04-22 23:36 d-------- C:\Program Files\Reference Assemblies
2008-04-22 23:35 . 2008-04-22 23:35 d-------- C:\e53e444ffe805bb699fd9050d3f7
2008-04-22 23:35 . 2006-06-29 13:07 14,048 --a------ C:\WINDOWS\system32\spmsg2.dll
2008-04-22 23:30 . 2008-04-22 23:30 d-------- C:\Program Files\CONEXANT
2008-04-22 23:29 . 2008-04-22 23:29 d-------- C:\WINDOWS\system32\URTTemp
2008-04-22 23:25 . 2006-11-13 01:02 288,768 --a------ C:\WINDOWS\system32\rhttpaa.dll
2008-04-22 23:25 . 2006-11-13 01:02 116,736 --a------ C:\WINDOWS\system32\aaclient.dll
2008-04-22 23:25 . 2006-11-13 01:02 36,352 --a------ C:\WINDOWS\system32\tsgqec.dll
2008-04-22 22:45 . 2008-04-22 22:45 d-------- C:\Program Files\Windows Media Connect 2
2008-04-22 22:44 . 2008-04-22 22:44 d-------- C:\WINDOWS\system32\LogFiles
2008-04-22 22:44 . 2008-04-22 22:44 d-------- C:\WINDOWS\system32\drivers\UMDF
2008-04-22 22:39 . 2008-04-22 22:39 d-------- C:\WINDOWS\system32\Lang
2008-04-22 22:36 . 2008-04-22 22:36 d-------- C:\Program Files\Realtek
2008-04-22 22:36 . 2008-05-29 23:15 d--h----- C:\Program Files\InstallShield Installation Information
2008-04-22 22:36 . 2008-05-29 23:12 d-------- C:\Program Files\Common Files\InstallShield
2008-04-22 22:35 . 2008-04-22 22:35 d-------- C:\Documents and Settings\Dr~Moo\LOCALS~1
2008-04-22 22:35 . 2008-04-22 22:35 d-------- C:\Documents and Settings\Dr~Moo
2008-04-22 22:15 . 2008-04-22 22:15 d-------- C:\Program Files\Belarc
2008-04-22 22:15 . 2008-02-27 13:49 3,840 --a------ C:\WINDOWS\system32\drivers\BANTExt.sys
2008-04-22 22:14 . 2008-04-22 22:14 0 --a------ C:\WINDOWS\nsreg.dat
2008-04-22 05:13 . 2008-04-22 05:13 d-------- C:\Program Files\Logitech
2008-04-22 05:13 . 2008-04-22 05:13 d-------- C:\Documents and Settings\All Users\Application Data\Logitech
2008-04-22 05:13 . 2008-03-01 08:06 6,066,176 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll
2008-04-22 05:13 . 2007-06-30 22:31 2,455,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dat
2008-04-22 05:13 . 2007-06-30 22:36 991,232 -----c--- C:\WINDOWS\system32\dllcache\ieframe.dll.mui
2008-04-22 05:13 . 2008-03-01 08:06 459,264 -----c--- C:\WINDOWS\system32\dllcache\msfeeds.dll
2008-04-22 05:13 . 2008-03-01 08:06 383,488 -----c--- C:\WINDOWS\system32\dllcache\ieapfltr.dll
2008-04-22 05:13 . 2008-03-01 08:06 267,776 -----c--- C:\WINDOWS\system32\dllcache\iertutil.dll
2008-04-22 05:13 . 2008-03-01 08:06 63,488 -----c--- C:\WINDOWS\system32\dllcache\icardie.dll
2008-04-22 05:13 . 2008-03-01 08:06 52,224 -----c--- C:\WINDOWS\system32\dllcache\msfeedsbs.dll
2008-04-22 05:13 . 2008-02-22 05:00 13,824 -----c--- C:\WINDOWS\system32\dllcache\ieudinit.exe

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-04-23 03:36 315,392 ----a-w C:\WINDOWS\HideWin.exe
2008-04-22 09:52 --------- d-----w C:\Program Files\iTunes
2008-04-22 09:52 --------- d-----w C:\Program Files\iPod
2008-04-22 09:52 --------- d-----w C:\Documents and Settings\Dr.Moo\Application Data\Apple Computer
2008-04-22 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2008-04-22 09:51 --------- d-----w C:\Program Files\QuickTime
2008-04-22 09:51 --------- d-----w C:\Program Files\Bonjour
2008-04-22 09:50 --------- d-----w C:\Program Files\Apple Software Update
2008-04-22 09:49 --------- d-----w C:\Program Files\Common Files\Apple
2008-04-22 09:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple
2008-04-22 09:13 --------- d-----w C:\Program Files\Alwil Software
2008-04-22 09:05 --------- d-----w C:\Program Files\microsoft frontpage
2008-04-17 21:33 4,707,328 ----a-w C:\WINDOWS\system32\drivers\RtkHDAud.sys
2008-04-10 21:52 16,861,184 ----a-w C:\WINDOWS\RTHDCPL.exe
2008-04-02 14:27 1,196,032 ----a-w C:\WINDOWS\RtlUpd.exe
2008-03-27 08:12 151,583 ----a-w C:\WINDOWS\system32\msjint40.dll
2008-03-19 09:47 1,845,248 ----a-w C:\WINDOWS\system32\win32k.sys
2008-03-12 18:10 633,344 ----a-w C:\WINDOWS\system32\gpprefcl.dll
2008-03-05 23:07 520,192 ----a-w C:\WINDOWS\RtlExUpd.dll
2008-03-01 13:06 826,368 ----a-w C:\WINDOWS\system32\wininet.dll
2008-02-26 11:59 294,912 ----a-w C:\WINDOWS\system32\msctf.dll
2008-02-20 06:51 282,624 ----a-w C:\WINDOWS\system32\gdi32.dll
2008-02-20 05:32 45,568 ----a-w C:\WINDOWS\system32\dnsrslvr.dll
.

((((((((((((((((((((((((((((( [email protected]_15.49.46.59 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-05-27 20:44:47 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 04:21:46 2,048 --s-a-w C:\WINDOWS\bootstat.dat
+ 2008-05-30 04:14:40 22,486 ----a-r C:\WINDOWS\Installer\{21DBBDD6-93A5-4326-9A04-C9A5C9148502}\ARPPRODUCTICON.exe
+ 2008-05-28 06:23:16 30,240 ----a-r C:\WINDOWS\Installer\{6AF5CAB9-FD0A-494F-8AA6-784D4B5D06C5}\mbsa.exe
+ 2008-05-29 02:15:51 34,304 ----a-r C:\WINDOWS\Installer\{CDDCBBF1-2703-46BC-938B-BCC81A1EEAAA}\IconCDDCBBF1.exe
+ 2004-05-06 02:48:40 4,228 ----a-w C:\WINDOWS\system32\drivers\PQNTDRV.sys
+ 2007-07-31 00:18:34 207,736 ----a-w C:\WINDOWS\system32\muweb.dll
+ 2001-06-18 06:00:00 101,888 ----a-w C:\WINDOWS\system32\VB6STKIT.DLL
+ 2004-05-06 02:52:10 1,359,420 ----a-w C:\WINDOWS\system32\XMNT2002.exe
+ 2008-05-30 04:22:00 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_638.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown 
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]
"BitTorrent DNA"="C:\Program Files\DNA\btdna.exe" [2008-05-25 16:28 289088]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2007-06-27 19:03 152872]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 11:43 2097488]
"SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-05-28 21:17 1510640]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"RTHDCPL"="RTHDCPL.EXE" [2008-04-10 16:52 16861184 C:\WINDOWS\RTHDCPL.exe]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2007-03-01 15:57 153136]
"SecurDisc"="C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe" [2007-06-25 08:47 1629480]
"InCD"="C:\Program Files\Nero\Nero 7\InCD\InCD.exe" [2007-06-25 08:47 1057064]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe" [2008-03-25 04:28 144784]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce]
"aswAhAScr.dll"="C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.exe" [2003-09-16 05:27 22016]
"GrpConv"="grpconv -o" []

C:\Documents and Settings\Dr.Moo\Start Menu\Programs\Startup\
avast! On access scanner.lnk - C:\Program Files\Alwil Software\Avast4\ashDisp.exe [2008-04-22 04:13:08 79224]
Secunia PSI (RC2).lnk - C:\Program Files\Secunia\PSI (RC2)\psi.exe [2008-05-26 03:49:10 667648]
SpywareGuard.lnk - C:\Program Files\SpywareGuard\sgmain.exe [2003-08-29 19:05:35 360448]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2008-05-13 10:13 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"=
"C:\\Program Files\\Bonjour\\mDNSResponder.exe"=
"C:\\Program Files\\iTunes\\iTunes.exe"=
"%windir%\\Network Diagnostic\\xpnetdiag.exe"=
"C:\\Program Files\\DNA\\btdna.exe"=
"C:\\Program Files\\BitTorrent\\bittorrent.exe"=

R1 aswSP;avast! Self Protection;C:\WINDOWS\system32\drivers\aswSP.sys [2008-05-15 18:20]
R2 aswFsBlk;aswFsBlk;C:\WINDOWS\system32\DRIVERS\aswFsBlk.sys [2008-05-15 18:16]
R3 PSI;PSI;C:\WINDOWS\system32\DRIVERS\psi_mf.sys [2008-04-23 06:56]

*Newly Created Service* - PQNTDRV
.
Contents of the 'Scheduled Tasks' folder
"2008-04-22 09:50:27 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-30 05:46:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

C:\WINDOWS\explorer.exe [860] 0x8491E398

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-05-30 5:47:21
ComboFix-quarantined-files.txt 2008-05-30 10:47:15
ComboFix2.txt 2008-05-29 09:11:11
ComboFix3.txt 2008-05-27 20:51:46

Pre-Run: 51,542,253,568 bytes free
Post-Run: 51,549,777,920 bytes free

221 --- E O F --- 2008-05-27 20:28:16


----------



## Dr.Moo (May 27, 2008)

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 5:49:17 AM, on 5/30/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
C:\WINDOWS\RTHDCPL.EXE
C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
C:\Program Files\Nero\Nero 7\InCD\InCD.exe
C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\DNA\btdna.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
C:\Program Files\Alwil Software\Avast4\ashDisp.exe
C:\Program Files\Secunia\PSI (RC2)\psi.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\SpywareGuard\sgmain.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\SpywareGuard\sgbhp.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = www.google.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: SpywareGuard Download Protection - {4A368E80-174F-4872-96B5-0B27DDD11DB2} - C:\Program Files\SpywareGuard\dlprotect.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: avast! On access scanner.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Startup: Secunia PSI (RC2).lnk = C:\Program Files\Secunia\PSI (RC2)\psi.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_06\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5AE58FCF-6F6A-49B2-B064-02492C66E3F4} (MUCatalogWebControl Class) - http://catalog.update.microsoft.com.../en/x86/MuCatalogWebControl.cab?1208925991578
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1211956558796
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Nero\Nero 7\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe

--
End of file - 6792 bytes


----------



## Dr.Moo (May 27, 2008)

Malwarebytes' Anti-Malware 1.12
Database version: 795

Scan type: Full Scan (C:\|E:\|)
Objects scanned: 76424
Time elapsed: 24 minute(s), 25 second(s)

Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0

Memory Processes Infected:
(No malicious items detected)

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
(No malicious items detected)

Registry Data Items Infected:
(No malicious items detected)

Folders Infected:
(No malicious items detected)

Files Infected:
(No malicious items detected)
___________

Should I plug my PSP/USB HDD/iPod in and run the scans again to make sure they aren't infected? (The "E" drive is my OS-share partition for my Win/Lin partitions, and I got my GRUB back.) Thank you for all your help.


----------



## Dr.Moo (May 27, 2008)

ComboFix 08-05-26.2 - Dr.Moo 2008-05-30 5:45:11.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.393 [GMT -5:00]
Running from: C:\Documents and Settings\Dr.Moo\Desktop\ComboFix.exe
.

((((((((((((((((((((((((( Files Created from 2008-04-28 to 2008-05-30 )))))))))))))))))))))))))))))))

*** 2008-05-29 23:14 . 2008-05-29 23:14 d-------- C:\Program Files\Symantec was actually on my USB HDD; it doesn't exist on my C drive.


----------



## dvk01 (Dec 14, 2002)

Please disable SpybotSD TeaTimer, as it may hinder the removal of the infection. You can enable it again after you're clean.
To disable SpybotSD TeaTimer:

Open Spybot, click on Mode and check Advanced Mode.
Click Yes in the next window.
Click on Tools in the bottom left-hand corner.
Click on the System Startup icon.
Uncheck the TeaTimer box.
Click the Allow Change box.

You can follow this link if you need help: http://russelltexas.com/malware/teatimer.htm
_ _ _ _

Run HijackThis, put a tick in the box beside the entries listed below and *ONLY these entries*, double-check to make sure, then make sure all browser & email windows are closed and press Fix checked.

O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o

reboot &

*Follow these steps to uninstall Combofix and tools used in the removal of malware*
* Click *START* then *RUN*
* Now type *Combofix /u* in the run box and click *OK*. Note the *space* between the *X* and the *U*; it needs to be there.

Please *download* the *OTMoveIt by OldTimer*.

* *Save* it to your *desktop*.
* Please double-click *OTMoveIt.exe* to run it.
* Press Cleanup. It will download a list, then search for the tools we have used; when you say Yes to the pop-up prompt it will delete/uninstall all of those tools and their backup folders, and then delete itself when you next reboot.

Then
turn off System Restore by following the instructions here:
for XP http://www.thespykiller.co.uk/index.php?page=8
or for Vista http://www.bleepingcomputer.com/tutorials/tutorial143.html

That will purge the restore folder and clear any malware that has been put in there. Then reboot, re-enable System Restore and create a new restore point. Now empty the Recycle Bin on the desktop.

Go here *http://www.thespykiller.co.uk/index.php?page=3* for info on how to tighten your security settings and how to help prevent future attacks.

and scan here *http://secunia.com/software_inspector/* for out-of-date & vulnerable common applications on your computer.

Then pay an urgent visit to Windows Update & make sure you are fully updated; that will help to plug the security holes that let these pests in in the first place.

I see no reason why you shouldn't install SP3 now if it is offered to you by Windows Update.


----------
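The two O4 RunOnce entries dvk01 has the reader fix above, and why they keep reappearing, as an added example that is not part of the original thread (a small parser written for this page; it is neither HijackThis nor Spybot code). It assumes the HijackThis 2.0.2 O4 line grammar exactly as it appears in the posted log, and uses that log's O4 lines as its sample input:

```python
"""Parse HijackThis O4 autostart lines and single out RunOnce entries.

Added example, not code from the original thread, Trend Micro or Safer
Networking. SAMPLE_LOG is the O4 block of the HijackThis log posted in
the thread; the two regexes are an assumption about the HijackThis 2.0.2
line format for registry-backed and Startup-folder autostarts.
"""
import re
from dataclasses import dataclass

# Registry-backed entries:  O4 - HKLM\..\RunOnce: [value name] command line
O4_REG = re.compile(
    r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): \[(?P<name>[^\]]+)\] (?P<cmd>.*)$'
)
# Startup-folder entries:   O4 - Startup: shortcut.lnk = target
O4_FOLDER = re.compile(
    r'^O4 - (?P<folder>Startup|Global Startup): (?P<name>.+?) = (?P<cmd>.*)$'
)

# Sample input: the O4 lines from the log above, verbatim.
SAMPLE_LOG = r'''
O4 - HKLM\..\Run: [RTHDCPL] RTHDCPL.EXE
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [SecurDisc] C:\Program Files\Nero\Nero 7\InCD\NBHGui.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Nero\Nero 7\InCD\InCD.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_06\bin\jusched.exe"
O4 - HKLM\..\RunOnce: [aswAhAScr.dll] C:\PROGRA~1\ALWILS~1\Avast4\ASWREG~1.EXE "C:\Program Files\Alwil Software\Avast4\AhAScr.dll"
O4 - HKLM\..\RunOnce: [GrpConv] grpconv -o
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BitTorrent DNA] "C:\Program Files\DNA\btdna.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
O4 - Startup: avast! On access scanner.lnk = C:\Program Files\Alwil Software\Avast4\ashDisp.exe
O4 - Startup: Secunia PSI (RC2).lnk = C:\Program Files\Secunia\PSI (RC2)\psi.exe
O4 - Startup: SpywareGuard.lnk = C:\Program Files\SpywareGuard\sgmain.exe
'''


@dataclass
class Autostart:
    source: str      # "HKLM\\RunOnce", "HKCU\\Run", "Startup", ...
    name: str        # registry value name or shortcut name
    command: str     # command line exactly as HijackThis printed it
    transient: bool  # True for RunOnce: Windows deletes the value after it runs


def parse_o4(lines):
    """Turn the O4 lines of a HijackThis log into Autostart records; other lines are ignored."""
    entries = []
    for raw in lines:
        line = raw.strip()
        m = O4_REG.match(line)
        if m:
            key = m['key']
            entries.append(Autostart(f"{m['hive']}\\{key}", m['name'], m['cmd'],
                                     key.lower().startswith('runonce')))
            continue
        m = O4_FOLDER.match(line)
        if m:
            entries.append(Autostart(m['folder'], m['name'], m['cmd'], False))
    return entries


def executable_path(command):
    """First token of a command line: the quoted path if quoted, else text up to the first space."""
    command = command.strip()
    if command.startswith('"'):
        close = command.find('"', 1)
        return command[1:close] if close > 0 else command[1:]
    return command.split(' ', 1)[0]


def persistent_runonce(entries):
    """RunOnce values are consumed (deleted) by Windows the first time they execute.
    A value still present in a fresh log after several reboots is either being
    re-created or its deletion is being blocked by a resident protection tool,
    which then reports a "deleted" event on every boot. Deleting the value
    (HijackThis "Fix checked") is what ends that loop."""
    return [e for e in entries if e.transient]


def report(log_text):
    """Return (total autostart entries, ["name -> executable" for each lingering RunOnce])."""
    entries = parse_o4(log_text.splitlines())
    stale = persistent_runonce(entries)
    return len(entries), [f"{e.name} -> {executable_path(e.command)}" for e in stale]


if __name__ == '__main__':
    total, stale = report(SAMPLE_LOG)
    print(f"{total} autostart entries, {len(stale)} RunOnce value(s) still present:")
    for line in stale:
        print("  " + line)
```

Run against the posted log it lists exactly the two RunOnce values (aswAhAScr.dll and GrpConv) together with the executable each launches; the first points at avast!'s own ASWREG~1.EXE under Alwil Software\Avast4, a leftover registration step rather than the Vundo infection, which is why dvk01 simply has it removed rather than treating it as a detection.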



## Dr.Moo (May 27, 2008)

" go here* http://www.thespykiller.co.uk/index.php?page=3 *for info on how to tighten your security settings and how to help prevent future attacks.

and scan here* http://secunia.com/software_inspector/ * for out of date & vulnerable common applications on your computer "

LOL, already did that.

I'm going to go update to SP3 in a little bit; I just want to make sure I'm clean.


----------



## dvk01 (Dec 14, 2002)

You should be fine now.


----------



## Dr.Moo (May 27, 2008)

So go update and mark as solved?


----------



## dvk01 (Dec 14, 2002)

Yes.


----------



## Dr.Moo (May 27, 2008)

WOW, thank you so much!!!! I wish I could donate :'(


----------

