    #1 - Member (joined Jan 2008, 32 posts)

    Problem with Win32.Trojandownloader.Zlob

    OK, so my Ad-Aware (free version) kept detecting this, and no matter how many times it deleted it, it kept coming back, so I couldn't get rid of it. I came on here and followed instructions from other threads related to this same trojan to try to clear my computer of all this crap.
    I downloaded VundoFix and ran that, and removed what it found. I ran it until it said no infections found. Next I downloaded SUPERAntiSpyware free edition and ran a full system scan. I had it quarantine and terminate the stuff it found, and lastly I downloaded ComboFix and ran that. I really didn't know what I was doing at that point. Stupid choice on my part. Anyway, I'm kind of stuck now and don't know where to go with this. I have no clue how to read my logs to see if my computer is clean or not. Anyone willing to help here? Should I post the log ComboFix came up with?

    #2 - steamwiz, Member (joined Sep 2003, Yorkshire U.K., 14,022 posts)

    Hi

    Yes ... post the combofix log

    & the VundoFix log

    & the SUPERAntiSpyware log

    & ...

    Download ...

    HiJackThis log - Trend Micro HijackThis 2.0.2
    Click here to download HJTInstall.exe
    • Save HJTInstall.exe to your desktop.
    • Doubleclick on the HJTInstall.exe icon on your desktop.
    • By default it will install to C:\Program Files\Trend Micro\HijackThis .
    • Click on Install.
    • It will create a HijackThis icon on the desktop.
    • Once installed, it will launch Hijackthis.
    • Click on the Do a system scan and save a logfile button. It will scan and the log should open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" and Paste the entire contents of the log (no attachments) into your next post.

    DO NOT use the AnalyseThis button; its findings are dangerous if misinterpreted.
    DO NOT have HijackThis fix anything yet. Most of what HJT lists will be harmless or even required by your operating system; a spyware fighter will guide you.
    Look here for Ways to keep your computer safe
    M'SOFT MVP - Windows Security 2004/8. Member ASAP.

    #3 - Member (joined Jan 2008, 32 posts)

    Before I post any of the logs, I'd like to add that on startup I get an error message saying "Error Loading C:/WINDOWS/system32/Ibepybac.dll. The specified module could not be found." Also, Norton AntiVirus keeps detecting and deleting a virus, Downloader.MisleadApp, on every startup: C:\WINDOWS\PerfInfo\t9qKF4k50psg.exe

    With that said, here is the HijackThis log:


    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 4:08:50 PM, on 1/14/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16574)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    C:\WINDOWS\System32\WLTRYSVC.EXE
    C:\WINDOWS\System32\bcmwltry.exe
    C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    C:\Program Files\Dell Network Assistant\hnm_svc.exe
    C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\HPZipm12.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\WINDOWS\system32\PnkBstrB.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\WINDOWS\system32\RunDLL32.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\WINDOWS\stsystra.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe
    C:\Program Files\Dell\MediaDirect\PCMService .exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Digital Line Detect\DLG.exe
    C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware .exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\CPSHelpRunner.exe
    C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://partnerpage.google.com/smallb...mb&ibd=1070827
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Page_URL = partnerpage.google.com/smallbiz.dell.com/en_us?hl=en&client=dell-usuk&channel=us-smb&ibd=1070827
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://127.0.0.1:4664/&s=rMeKUP9CMA2l1gU741McqSoJGnI
    F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayx.exe
    O3 - Toolbar: Norton Internet Security 2006 - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
    O3 - Toolbar: Norton AntiVirus - {C4069E3A-68F1-403E-B40E-20066696354B} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
    O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [nwiz] nwiz.exe /installquiet
    O4 - HKLM\..\Run: [NVHotkey] rundll32.exe nvHotkey.dll,Start
    O4 - HKLM\..\Run: [NvMediaCenter] RunDLL32.exe NvMCTray.dll,NvTaskbarInit
    O4 - HKLM\..\Run: [OEM02Mon.exe] C:\WINDOWS\OEM02Mon.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
    O4 - HKLM\..\Run: [Broadcom Wireless Manager UI] C:\WINDOWS\system32\WLTRAY.exe
    O4 - HKLM\..\Run: [SigmatelSysTrayApp] stsystra.exe
    O4 - HKLM\..\Run: [KADxMain] C:\WINDOWS\system32\KADxMain.exe
    O4 - HKLM\..\Run: [ISUSPM Startup] C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe -startup
    O4 - HKLM\..\Run: [ISUSScheduler] "C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" -start
    O4 - HKLM\..\Run: [RoxWatchTray] "C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe"
    O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe"
    O4 - HKLM\..\Run: [PCMService] "C:\Program Files\Dell\MediaDirect\PCMService.exe"
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
    O4 - HKLM\..\Run: [Symantec PIF AlertEng] "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" /a /m "C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\AlertEng.dll"
    O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe .exe
    O4 - HKLM\..\Run: [bc53195c] rundll32.exe "C:\WINDOWS\system32\lbepybac.dll",b
    O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [AntiSpyware] C:\Program Files\AntiSpywareApp\AntiSpyware.exe -boot
    O4 - HKCU\..\Run: [SUPERAntiSpyware] C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe
    O4 - HKLM\..\Policies\Explorer\Run: [t9qKF4k50_] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrXs.dll",DllCleanServer
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
    O4 - Global Startup: Digital Line Detect.lnk = C:\Program Files\Digital Line Detect\DLG.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
    O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Internet Security Password Validation (ccISPwdSvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\ccPwdSvc.exe
    O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: COM Host (comHost) - Symantec Corporation - C:\Program Files\Norton Internet Security\comHost.exe
    O23 - Service: Advanced Networking Service (hnmsvc) - SingleClick Systems - C:\Program Files\Dell Network Assistant\hnm_svc.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
    O23 - Service: LiveUpdate Notice Service - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe
    O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
    O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
    O23 - Service: Norton Protection Center Service (NSCService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Console\NSCSRVCE.EXE
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: PnkBstrB - Unknown owner - C:\WINDOWS\system32\PnkBstrB.exe
    O23 - Service: RoxMediaDB9 - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxMediaDB9.exe
    O23 - Service: Roxio Hard Drive Watcher 9 (RoxWatch9) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatch9.exe
    O23 - Service: Symantec AVScan (SAVScan) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: stllssvr - MicroVision Development, Inc. - C:\Program Files\Common Files\SureThing Shared\stllssvr.exe
    O23 - Service: Symantec Core LC - Unknown owner - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
    O23 - Service: Dell Wireless WLAN Tray Service (wltrysvc) - Unknown owner - C:\WINDOWS\System32\WLTRYSVC.EXE

    --
    End of file - 10631 bytes

    SUPERAntiSpyware log



    SUPERAntiSpyware Scan Log
    http://www.superantispyware.com

    Generated 01/14/2008 at 02:16 PM

    Application Version : 3.9.1008

    Core Rules Database Version : 3259
    Trace Rules Database Version: 1270

    Scan type : Complete Scan
    Total Scan Time : 02:43:07

    Memory items scanned : 172
    Memory threats detected : 0
    Registry items scanned : 6573
    Registry threats detected : 19
    File items scanned : 53305
    File threats detected : 15

    Adware.Vundo Variant
    HKLM\Software\Classes\CLSID\{F0811D48-37DE-4541-A15E-E918BA808D60}
    HKCR\CLSID\{F0811D48-37DE-4541-A15E-E918BA808D60}
    HKCR\CLSID\{F0811D48-37DE-4541-A15E-E918BA808D60}\InprocServer32
    HKCR\CLSID\{F0811D48-37DE-4541-A15E-E918BA808D60}\InprocServer32#ThreadingModel
    C:\WINDOWS\SYSTEM32\DDAYX.DLL
    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{F0811D48-37DE-4541-A15E-E918BA808D60}

    Adware.Tracking Cookie
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@enhance[1].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@nextag[1].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@daron.nosubid.clickshield[1].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@ad.yieldmanager[2].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@adrevolver[3].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@apmebf[1].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@doubleclick[1].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@statcounter[1].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@tribalfusion[1].txt
    C:\Documents and Settings\Gonzalez\Cookies\gonzalez@windowsmedia[1].txt

    Trojan.Unknown Origin
    HKLM\SOFTWARE\Microsoft\MSSMGR
    HKLM\SOFTWARE\Microsoft\MSSMGR#Brnd
    HKLM\SOFTWARE\Microsoft\MSSMGR#BPTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#LSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#PSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#BSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#SSTV
    HKLM\SOFTWARE\Microsoft\MSSMGR#SCLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#SSLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#Data
    HKLM\SOFTWARE\Microsoft\MSSMGR#MSLIST
    HKLM\SOFTWARE\Microsoft\MSSMGR#PID
    HKLM\SOFTWARE\Microsoft\MSSMGR#Rid

    Trojan.Downloader-DRVSAM
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run#CTDrive [ rundll32.exe C:\WINDOWS\system32\drvbud.dll,startup ]

    Trojan.Downloader-Gen/AVP
    C:\DOCUMENTS AND SETTINGS\GONZALEZ\LOCAL SETTINGS\TEMP\TMP68.TMP
    C:\DOCUMENTS AND SETTINGS\GONZALEZ\LOCAL SETTINGS\TEMP\TMP900.TMP
    C:\DOCUMENTS AND SETTINGS\GONZALEZ\LOCAL SETTINGS\TEMP\TMP956.TMP
    C:\DOCUMENTS AND SETTINGS\GONZALEZ\LOCAL SETTINGS\TEMP\TMPBAA.TMP
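
An added example, not part of this thread or of Trend Micro's HijackThis: a small Python triage script for the O4 (autostart), O23 (service) and F3 (win.ini) line formats that appear in the HijackThis log posted above. It flags the patterns in that log a reviewer would look at first: a space before the file extension ("Quickset .exe", the renamed-copy trick that also shows up in the running-process list), a bare hex value name ("bc53195c"), an autostart under Policies\Explorer\Run, a binary name one character away from a Windows one ("ctfmona" beside "ctfmon"), any win.ini load= entry, and a service whose file is missing. The sample lines are constructed from entries in the posted log (the long Quickset line is shortened); the known-binary list and the check names are this example's own choices.

```python
"""Triage of HijackThis 2.x log lines.

Added example for this thread; it is not part of the posts above or of
HijackThis itself. The sample lines are constructed from entries in the
posted log (the long Quickset line is shortened).
"""
from __future__ import annotations

import re
from dataclasses import dataclass

SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SynTPEnh] C:\Program Files\Synaptics\SynTP\SynTPEnh.exe
O4 - HKLM\..\Run: [Dell QuickSet] C:\Program Files\Dell\QuickSet\Quickset .exe .exe .exe
O4 - HKLM\..\Run: [bc53195c] rundll32.exe "C:\WINDOWS\system32\lbepybac.dll",b
O4 - HKLM\..\Run: [ctfmona] C:\WINDOWS\system32\ctfmona.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKLM\..\Policies\Explorer\Run: [t9qKF4k50_] rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrXs.dll",DllCleanServer
F3 - REG:win.ini: load=C:\WINDOWS\system32\ddayx.exe
O23 - Service: Microsoft cache control (MSControlService) - Unknown owner - C:\WINDOWS\system32\windows (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
"""

HJT_O4 = re.compile(r"^O4 - (?P<hive>\S+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
HJT_O23 = re.compile(r"^O23 - Service: (?P<svc>.*?) - (?P<owner>.*?) - (?P<path>.*)$")
HJT_F3 = re.compile(r"^F3 - REG:win\.ini: (?P<key>load|run)=(?P<cmd>.*)$")

# Windows binaries whose names this malware family imitated (ctfmona vs ctfmon).
KNOWN_WINDOWS_BINARIES = {"ctfmon", "svchost", "rundll32", "explorer", "lsass",
                          "services", "winlogon", "smss", "spoolsv"}
SPACE_BEFORE_EXT = re.compile(r"\S \.(exe|dll)\b", re.I)   # "Quickset .exe"
HEXLIKE_NAME = re.compile(r"^[0-9a-f]{6,}$", re.I)         # "[bc53195c]"


@dataclass
class Entry:
    kind: str       # "O4", "O23" or "F3"
    label: str      # autostart value name, service display name, or win.ini key
    command: str    # command line or binary path
    owner: str      # O23 only: the file's company string, else ""
    raw: str


def parse_hjt(text: str) -> list[Entry]:
    """Turn the supported HJT line types into Entry objects; other lines are skipped."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        if m := HJT_O4.match(raw):
            entries.append(Entry("O4", m["name"], m["cmd"], "", raw))
        elif m := HJT_O23.match(raw):
            entries.append(Entry("O23", m["svc"], m["path"], m["owner"], raw))
        elif m := HJT_F3.match(raw):
            entries.append(Entry("F3", m["key"], m["cmd"], "", raw))
    return entries


def executable_stem(command: str) -> str:
    """Base name (no directory, no extension) of the program a command line starts."""
    m = re.match(r'"?(?P<exe>.*?\.exe)\b', command, re.I)
    path = m["exe"] if m else (command.split() or [""])[0]
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].strip().lower()


def is_lookalike(stem: str) -> bool:
    """True for a name one or two characters longer/shorter than a known Windows binary."""
    return bool(stem) and any(
        stem != k and (stem.startswith(k) or k.startswith(stem)) and abs(len(stem) - len(k)) <= 2
        for k in KNOWN_WINDOWS_BINARIES
    )


def triage(entries: list[Entry]) -> list[tuple[str, list[str]]]:
    """Return (label, reasons) for every entry that matches at least one check."""
    findings = []
    for e in entries:
        reasons = []
        if SPACE_BEFORE_EXT.search(e.command):
            reasons.append("space before the file extension: a copy sitting beside the real binary")
        if e.kind == "O4" and HEXLIKE_NAME.match(e.label):
            reasons.append("autostart value name is a bare hex string")
        if e.kind == "O4" and "Policies\\Explorer\\Run" in e.raw:
            reasons.append("autostart via Policies\\Explorer\\Run, rarely used by consumer software")
        if e.kind == "O4" and is_lookalike(executable_stem(e.command)):
            reasons.append("executable name imitates a Windows binary")
        if e.kind == "F3":
            reasons.append("win.ini load=/run= is a legacy autostart that modern software does not use")
        if e.kind == "O23" and "(file missing)" in e.command:
            reasons.append("service binary is missing on disk")
        if e.kind == "O23" and e.owner == "Unknown owner":
            reasons.append("service binary has no company string (also true of some legitimate tools)")
        if reasons:
            findings.append((e.label, reasons))
    return findings


if __name__ == "__main__":
    for label, reasons in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{label}]")
        for r in reasons:
            print(f"    - {r}")
```

Run against the sample, the script flags six of the nine lines and leaves the Synaptics, NVIDIA and genuine ctfmon.exe entries alone. The "Unknown owner" check is deliberately the weakest: PunkBuster's PnkBstrA/PnkBstrB services in the posted log carry it too, which is why steamwiz's advice not to let HJT fix anything before a reviewer has looked applies to this script's output as well.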

    #4 - Member (joined Jan 2008, 32 posts)

    I appreciate the help

    VundoFix Log

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 8:07:02 PM 1/13/2008

    Listing files found while scanning....

    C:\WINDOWS\system32\awtssqp.dll
    C:\WINDOWS\system32\cabypebl.ini
    C:\WINDOWS\system32\ccsgnike.dll
    C:\WINDOWS\system32\cymxdfmo.dll
    C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\ekingscc.ini
    C:\WINDOWS\system32\exqyfthv.dll
    C:\WINDOWS\system32\grghqtjn.dll
    C:\WINDOWS\system32\iifedcy.dll
    C:\WINDOWS\system32\jkkllkl.dll
    C:\WINDOWS\system32\KADxMain.exe
    C:\WINDOWS\system32\lbepybac.dll
    C:\WINDOWS\system32\ssqoolk.dll
    C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini2
    C:\WINDOWS\system32\yfjukcqo.dll
    C:\windows\system32\yfjukcqo.dllbox

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\awtssqp.dll
    C:\WINDOWS\system32\awtssqp.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cabypebl.ini
    C:\WINDOWS\system32\cabypebl.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ccsgnike.dll
    C:\WINDOWS\system32\ccsgnike.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\cymxdfmo.dll
    C:\WINDOWS\system32\cymxdfmo.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\ddayx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\ddayx.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ekingscc.ini
    C:\WINDOWS\system32\ekingscc.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\exqyfthv.dll
    C:\WINDOWS\system32\exqyfthv.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\grghqtjn.dll
    C:\WINDOWS\system32\grghqtjn.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\iifedcy.dll
    C:\WINDOWS\system32\iifedcy.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\jkkllkl.dll
    C:\WINDOWS\system32\jkkllkl.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\KADxMain.exe
    C:\WINDOWS\system32\KADxMain.exe Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\lbepybac.dll
    C:\WINDOWS\system32\lbepybac.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\ssqoolk.dll
    C:\WINDOWS\system32\ssqoolk.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini2
    C:\WINDOWS\system32\xyadd.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yfjukcqo.dll
    C:\WINDOWS\system32\yfjukcqo.dll Has been deleted!

    Attempting to delete C:\windows\system32\yfjukcqo.dllbox
    C:\windows\system32\yfjukcqo.dllbox Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\KADxMain.exe
    C:\WINDOWS\system32\KADxMain.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\lbepybac.dll
    C:\WINDOWS\system32\lbepybac.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 8:26:11 PM 1/13/2008

    Listing files found while scanning....

    C:\windows\system32\ddayx.dll
    C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini2

    Beginning removal...

    Attempting to delete C:\windows\system32\ddayx.dll
    C:\windows\system32\ddayx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\ddayx.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini2
    C:\WINDOWS\system32\xyadd.ini2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\windows\system32\ddayx.dll
    C:\windows\system32\ddayx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\ddayx.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini2
    C:\WINDOWS\system32\xyadd.ini2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 11:50:53 PM 1/13/2008

    Listing files found while scanning....

    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\winbjt32.dll
    C:\WINDOWS\system32\xxywtqr.dll
    C:\windows\system32\xyadd.ini
    C:\windows\system32\xyadd.ini2
    C:\WINDOWS\system32\yrdwosgg.dll
    C:\WINDOWS\Temp\win8B4 .exe
    C:\WINDOWS\Temp\win8B4.exe
    C:\WINDOWS\Temp\winBDB .exe
    C:\WINDOWS\Temp\winBDB .exe
    C:\WINDOWS\Temp\winBDB.exe

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\ctfmon.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\ddayx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\ddayx.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\winbjt32.dll
    C:\WINDOWS\system32\winbjt32.dll Could not be deleted.

    Attempting to delete C:\WINDOWS\system32\xxywtqr.dll
    C:\WINDOWS\system32\xxywtqr.dll Has been deleted!

    Attempting to delete C:\windows\system32\xyadd.ini
    C:\windows\system32\xyadd.ini Has been deleted!

    Attempting to delete C:\windows\system32\xyadd.ini2
    C:\windows\system32\xyadd.ini2 Has been deleted!

    Attempting to delete C:\WINDOWS\system32\yrdwosgg.dll
    C:\WINDOWS\system32\yrdwosgg.dll Has been deleted!

    Attempting to delete C:\WINDOWS\Temp\win8B4 .exe
    C:\WINDOWS\Temp\win8B4 .exe Has been deleted!

    Attempting to delete C:\WINDOWS\Temp\win8B4.exe
    C:\WINDOWS\Temp\win8B4.exe Has been deleted!

    Attempting to delete C:\WINDOWS\Temp\winBDB .exe
    C:\WINDOWS\Temp\winBDB .exe Has been deleted!

    Attempting to delete C:\WINDOWS\Temp\winBDB .exe
    C:\WINDOWS\Temp\winBDB .exe Has been deleted!

    Attempting to delete C:\WINDOWS\Temp\winBDB.exe
    C:\WINDOWS\Temp\winBDB.exe Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\ddayx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\winbjt32.dll
    C:\WINDOWS\system32\winbjt32.dll Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 12:26:31 AM 1/14/2008

    Listing files found while scanning....

    C:\windows\system32\ddayx.dll
    C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini2

    Beginning removal...

    Attempting to delete C:\windows\system32\ddayx.dll
    C:\windows\system32\ddayx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\ddayx.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini2
    C:\WINDOWS\system32\xyadd.ini2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    Beginning removal...

    Attempting to delete C:\windows\system32\ddayx.dll
    C:\windows\system32\ddayx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\ddayx.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini2
    C:\WINDOWS\system32\xyadd.ini2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 8:19:50 AM 1/14/2008

    Listing files found while scanning....

    C:\windows\system32\ddayx.dll
    C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini2

    Beginning removal...

    Attempting to delete C:\windows\system32\ddayx.dll
    C:\windows\system32\ddayx.dll Has been deleted!

    Attempting to delete C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\ddayx.exe Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini
    C:\WINDOWS\system32\xyadd.ini Has been deleted!

    Attempting to delete C:\WINDOWS\system32\xyadd.ini2
    C:\WINDOWS\system32\xyadd.ini2 Has been deleted!

    Performing Repairs to the registry.
    Done!

    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 11:00:32 AM 1/14/2008

    Listing files found while scanning....

    No infected files were found.


    VundoFix V6.7.7

    Checking Java version...

    Java version is 1.5.0.6
    Old versions of java are exploitable and should be removed.

    Scan started at 1:25:27 PM 1/14/2008

    Listing files found while scanning....

    No infected files were found.

    ComboFix Log


    ComboFix 08-01-09.2 - Gonzalez 2008-01-14 15:00:00.1 - NTFSx86 MINIMAL
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.728 [GMT -6:00]
    Running from: C:\Documents and Settings\Gonzalez\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Application Data.\cpqrefmd.dll
    C:\Documents and Settings\All Users\Application Data.\evejgnit.dll
    C:\Documents and Settings\All Users\Application Data.\wfghydqb.dll
    C:\Documents and Settings\All Users\Application Data.\wnelireh.dll
    C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe
    C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\Program Files\Dell\MediaDirect\PCMService.exe
    C:\Program Files\DELL\QuickSet\Quickset .exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
    C:\Program Files\Messenger\msmsgs .exe
    C:\Program Files\Norton Internet Security\UrlLstCk.exe
    C:\RECYCLER\S-1-5-21-1825433793-1827928747-2287314675-1006\Dc5833\AntiSpyware .exe
    C:\WINDOWS\cookies.ini
    C:\WINDOWS\mgrs.exe
    C:\WINDOWS\PerfInfo
    C:\WINDOWS\ppqvmpqr
    C:\WINDOWS\ppqvmpqr\1.png
    C:\WINDOWS\ppqvmpqr\2.png
    C:\WINDOWS\ppqvmpqr\3.png
    C:\WINDOWS\ppqvmpqr\4.png
    C:\WINDOWS\ppqvmpqr\5.png
    C:\WINDOWS\ppqvmpqr\6.png
    C:\WINDOWS\ppqvmpqr\bottom-rc.gif
    C:\WINDOWS\ppqvmpqr\content.png
    C:\WINDOWS\ppqvmpqr\download.gif
    C:\WINDOWS\ppqvmpqr\frame-bottom-left.gif
    C:\WINDOWS\ppqvmpqr\frame-h1bg.gif
    C:\WINDOWS\ppqvmpqr\head.png
    C:\WINDOWS\ppqvmpqr\indexuc.html
    C:\WINDOWS\ppqvmpqr\indexud.html
    C:\WINDOWS\ppqvmpqr\main.css
    C:\WINDOWS\ppqvmpqr\net.png
    C:\WINDOWS\ppqvmpqr\pc-mag.gif
    C:\WINDOWS\ppqvmpqr\pc.gif
    C:\WINDOWS\ppqvmpqr\poloska1.png
    C:\WINDOWS\ppqvmpqr\poloska2.png
    C:\WINDOWS\ppqvmpqr\poloska3.png
    C:\WINDOWS\ppqvmpqr\promouc1.html
    C:\WINDOWS\ppqvmpqr\promouc2.html
    C:\WINDOWS\ppqvmpqr\promouc3.html
    C:\WINDOWS\ppqvmpqr\promouc4.html
    C:\WINDOWS\ppqvmpqr\promouc5.html
    C:\WINDOWS\ppqvmpqr\promoud1.html
    C:\WINDOWS\ppqvmpqr\promoud2.html
    C:\WINDOWS\ppqvmpqr\promoud3.html
    C:\WINDOWS\ppqvmpqr\promoud4.html
    C:\WINDOWS\ppqvmpqr\promoud5.html
    C:\WINDOWS\ppqvmpqr\reg.png
    C:\WINDOWS\ppqvmpqr\repair.png
    C:\WINDOWS\ppqvmpqr\scr-1.png
    C:\WINDOWS\ppqvmpqr\scr-2.png
    C:\WINDOWS\ppqvmpqr\styles.css
    C:\WINDOWS\ppqvmpqr\top-rc.gif
    C:\WINDOWS\ppqvmpqr\vline.gif
    C:\WINDOWS\system32\_000006_.tmp.dll
    C:\WINDOWS\system32\_000007_.tmp.dll
    C:\WINDOWS\system32\_000008_.tmp.dll
    C:\WINDOWS\system32\_000009_.tmp.dll
    C:\WINDOWS\system32\ceofhpmu.ini
    C:\WINDOWS\system32\ctfmon.exe.tmp
    C:\WINDOWS\system32\ddccbya.dll
    C:\WINDOWS\system32\mcrh.tmp
    C:\WINDOWS\system32\ndaTqsVqrX.dll
    C:\WINDOWS\system32\windows

    C:\Program Files\Common Files\InstallShield\UpdateService\issch .exe ---> issch.exe
    C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9 .exe ---> RoxWatchTray9.exe
    C:\Program Files\Common Files\Symantec Shared\ccApp .exe ---> ccApp.exe
    C:\Program Files\DELL\MediaDirect\PCMService .exe ---> PCMService.exe
    C:\Program Files\DELL\QuickSet\Quickset .exe ---> Quickset.exe
    C:\Program Files\Java\jre1.6.0_02\bin\jusched .exe ---> jusched.exe
    C:\Program Files\Messenger\msmsgs .exe ---> QooBox
    C:\RECYCLER\S-1-5-21-1825433793-1827928747-2287314675-1006\Dc5833\AntiSpyware .exe ---> QooBox
    .
    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

    .
    -------\LEGACY_DOMAINSERVICE
    -------\DomainService


    ((((((((((((((((((((((((( Files Created from 2007-12-14 to 2008-01-14 )))))))))))))))))))))))))))))))
    .

    2008-01-14 15:09 . 2008-01-14 15:09 344,576 --a------ C:\WINDOWS\system32\ddayx.dll
    2008-01-14 14:58 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\NirCmd.exe
    2008-01-14 08:37 . 2008-01-14 08:37 d-------- C:\Documents and Settings\All Users\Application Data\SUPERAntiSpyware.com
    2008-01-14 08:36 . 2008-01-14 11:29 d-------- C:\Program Files\SUPERAntiSpyware
    2008-01-14 08:36 . 2008-01-14 08:36 d-------- C:\Documents and Settings\Gonzalez\Application Data\SUPERAntiSpyware.com
    2008-01-13 20:07 . 2008-01-14 11:00 d-------- C:\VundoFix Backups
    2008-01-13 19:47 . 2008-01-14 03:00 d-------- C:\Documents and Settings\Gonzalez\Application Data\AntiSpyware
    2008-01-13 19:42 . 2008-01-13 19:49 d-------- C:\Program Files\Spyware Doctor
    2008-01-13 19:42 . 2008-01-13 19:42 d-------- C:\Documents and Settings\Gonzalez\Application Data\PC Tools
    2008-01-13 17:35 . 2008-01-13 17:35 348,160 --a------ C:\WINDOWS\system32\RCXB37.tmp
    2008-01-12 13:37 . 2008-01-13 22:23 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
    2008-01-12 03:51 . 2008-01-12 03:51 103,424 --a------ C:\WINDOWS\system32\drvbud.dll
    2008-01-10 11:39 . 2008-01-13 19:45 d-------- C:\WINDOWS\gtvupprv
    2008-01-10 11:39 . 2008-01-10 11:39 204,800 --a------ C:\WINDOWS\system32\ndaTqsVqrXs.dll
    2008-01-01 00:46 . 2008-01-01 00:46 d-------- C:\Program Files\Xvid
    2008-01-01 00:46 . 2007-06-28 18:52 765,952 --a------ C:\WINDOWS\system32\xvidcore.dll
    2008-01-01 00:46 . 2007-06-28 18:54 180,224 --a------ C:\WINDOWS\system32\xvidvfw.dll
    2008-01-01 00:46 . 2007-06-28 18:55 77,824 --a------ C:\WINDOWS\system32\xvid.ax
    2007-12-28 15:39 . 2007-12-28 15:39 dr-h----- C:\Documents and Settings\Gonzalez\Application Data\SecuROM
    2007-12-28 15:12 . 2007-12-28 15:12 d-------- C:\Program Files\EA GAMES
    2007-12-28 15:12 . 2007-08-06 18:28 442,368 -ra------ C:\WINDOWS\system32\vp6vfw.dll
    2007-12-28 14:50 . 2007-12-28 14:50 104,448 --a------ C:\WINDOWS\system32\drvpak.dll
    2007-12-28 14:33 . 2007-12-28 14:33 104,448 --a------ C:\WINDOWS\system32\drvleg.dll
    2007-12-28 13:58 . 2007-12-28 13:58 d-------- C:\Program Files\Lavasoft
    2007-12-28 13:58 . 2007-12-28 13:58 d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
    2007-12-28 13:57 . 2008-01-14 08:36 d-------- C:\Program Files\Common Files\Wise Installation Wizard
    2007-12-27 02:50 . 2008-01-11 01:57 1,392,640 --a------ C:\WINDOWS\system32\WLTRAY .exe
    2007-12-27 02:50 . 2008-01-13 20:03 282,624 --a------ C:\WINDOWS\system32\KADxMain .exe
    2007-12-27 02:50 . 2008-01-11 11:53 36,864 --a------ C:\WINDOWS\OEM02Mon .exe
    2007-12-26 19:13 . 2007-12-26 19:13 4,128 --a------ C:\INFCACHE.1
    2007-12-26 18:59 . 2007-12-26 18:59 104,448 --a------ C:\WINDOWS\system32\drvkah.dll
    2007-12-24 13:44 . 2007-08-13 18:54 33,792 --a------ C:\WINDOWS\system32\dllcache\custsat.dll

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-01-14 21:09 --------- d-----w C:\Program Files\Common Files\Symantec Shared
    2008-01-14 21:04 --------- d-----w C:\Program Files\Norton Internet Security
    2008-01-13 17:28 --------- d-----w C:\Program Files\Microsoft Bootvis
    2007-12-24 20:16 --------- d-----w C:\Documents and Settings\Gonzalez\Application Data\LimeWire
    2007-12-14 01:38 --------- d-----w C:\Program Files\LimeWire
    2007-12-07 05:08 2,840 ----a-w C:\Documents and Settings\Gonzalez\Application Data\wklnhst.dat
    2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
    2007-11-07 09:26 721,920 ------w C:\WINDOWS\system32\dllcache\lsasrv.dll
    2007-11-02 14:35 60,800 ----a-w C:\WINDOWS\system32\S32EVNT1.DLL
    2007-10-31 11:12 3,590,656 ------w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-10-30 17:20 360,064 ------w C:\WINDOWS\system32\dllcache\tcpip.sys
    2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
    2007-10-29 22:43 1,287,680 ------w C:\WINDOWS\system32\dllcache\quartz.dll
    2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
    2007-10-27 23:40 227,328 ----a-w C:\WINDOWS\system32\dllcache\wmasf.dll
    2007-10-26 03:34 8,460,288 ----a-w C:\WINDOWS\system32\dllcache\shell32.dll
    2007-09-13 12:39 22,328 ----a-w C:\Documents and Settings\Gonzalez\Application Data\PnkBstrK.sys
    2007-08-27 05:36 76 --sh--r C:\WINDOWS\CT4CET.bin
    .
    Code:
    ----a-w           221,184 2008-01-14 14:19:00  C:\Program Files\Common Files\InstallShield\UpdateService\ISUSPM .exe
    ----a-w         1,116,920 2008-01-11 17:54:11  C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc .exe
    ----a-w           851,968 2008-01-11 07:57:39  C:\Program Files\Synaptics\SynTP\SynTPEnh .exe
    ----a-w            36,864 2008-01-11 17:53:47  C:\WINDOWS\OEM02Mon .exe
    ----a-w            15,360 2008-01-14 04:23:39  C:\WINDOWS\system32\ctfmon .exe
    ----a-w           282,624 2008-01-14 02:03:56  C:\WINDOWS\system32\KADxMain .exe
    ----a-w         1,392,640 2008-01-11 07:57:59  C:\WINDOWS\system32\WLTRAY .exe

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D30C764-7B3C-449C-AB75-9E3860C6B1E3}]
    2008-01-14 15:09 344576 --a------ C:\WINDOWS\system32\ddayx.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BAD0253-E6F1-0EB1-50C6-08D1DF0D4119}]
    C:\Program Files\Ghrgipoo\zqgkzuyt.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9a689ed3-b084-4e5e-a282-206332a5cbac}]
    C:\WINDOWS\system32\grghqtjn.dll

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [ ]
    "AntiSpyware"="C:\Program Files\AntiSpywareApp\AntiSpyware.exe" [ ]
    "SUPERAntiSpyware"="C:\Program Files\SUPERAntiSpyware\SUPERAntiSpyware.exe" [2008-01-14 15:10 1780736]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SynTPEnh"="C:\Program Files\Synaptics\SynTP\SynTPEnh.exe" [ ]
    "NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-06 14:39 8429568]
    "nwiz"="nwiz.exe" [2007-06-06 14:40 1626112 C:\WINDOWS\system32\nwiz.exe]
    "NVHotkey"="nvHotkey.dll" [2007-06-06 14:39 67584 C:\WINDOWS\system32\nvhotkey.dll]
    "NvMediaCenter"="NvMCTray.dll" [2007-06-06 14:39 81920 C:\WINDOWS\system32\nvmctray.dll]
    "OEM02Mon.exe"="C:\WINDOWS\OEM02Mon.exe" [ ]
    "SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe" [2008-01-14 15:10 484864]
    "Broadcom Wireless Manager UI"="C:\WINDOWS\system32\WLTRAY.exe" [ ]
    "SigmatelSysTrayApp"="stsystra.exe" [2007-06-06 14:28 405504 C:\WINDOWS\stsystra.exe]
    "KADxMain"="C:\WINDOWS\system32\KADxMain.exe" [ ]
    "ISUSPM Startup"="C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\ISUSPM.exe" [ ]
    "ISUSScheduler"="C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe" [2008-01-14 15:10 432640]
    "RoxWatchTray"="C:\Program Files\Common Files\Roxio Shared\9.0\SharedCOM\RoxWatchTray9.exe" [2008-01-14 15:10 620544]
    "RoxioDragToDisc"="C:\Program Files\Roxio\Drag-to-Disc\DrgToDsc.exe" [ ]
    "PCMService"="C:\Program Files\Dell\MediaDirect\PCMService.exe" [2008-01-14 15:10 554496]
    "ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-14 08:19 52840]
    "URLLSTCK.exe"="C:\Program Files\Norton Internet Security\UrlLstCk.exe" [ ]
    "Symantec PIF AlertEng"="C:\Program Files\Common Files\Symantec Shared\PIF\{B8E1DD85-8582-4c61-B58F-2F227FCA9A08}\PIFSvc.exe" [2008-01-13 23:40 1223168]
    "Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset .exe" [ ]
    "bc53195c"="C:\WINDOWS\system32\lbepybac.dll" [ ]
    "ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]

    C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
    Adobe Reader Speed Launch.lnk - C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe [2005-09-23 21:05:26]
    Digital Line Detect.lnk - C:\Program Files\Digital Line Detect\DLG.exe [2007-08-26 23:37:51]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
    "t9qKF4k50_"= rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrXs.dll",DllCleanServer

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
    C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
    "load"=C:\WINDOWS\system32\ddayx.exe

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddayx

    R1 DLARTL_M;DLARTL_M;C:\WINDOWS\system32\Drivers\DLARTL_M.SYS [2006-08-11 09:35]
    R3 DXEC02;DXEC02;C:\WINDOWS\system32\drivers\dxec02.sys [2006-11-02 11:31]
    R3 OEM02Dev;Creative Camera OEM002 Driver;C:\WINDOWS\system32\DRIVERS\OEM02Dev.sys [2007-05-09 09:01]
    R3 OEM02Vfx;Creative Camera OEM002 Video VFX Driver;C:\WINDOWS\system32\DRIVERS\OEM02Vfx.sys [2007-03-05 02:45]
    S3 MSControlService;Microsoft cache control;C:\WINDOWS\system32\windows []

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e0864b85-88b7-11dc-aba9-001c2630bed4}]
    \Shell\AutoRun\command - E:\Installer.exe

    *Newly Created Service* - COMHOST
    .
    Contents of the 'Scheduled Tasks' folder
    "2008-01-14 14:21:50 C:\WINDOWS\Tasks\AntiSpyware Scheduled Scan.job"
    - C:\Program Files\AntiSpywareApp\AntiSpyware .ex
    - C:\Program Files\AntiSpywareApp
    "2007-08-31 23:12:16 C:\WINDOWS\Tasks\Norton AntiVirus - Run Full System Scan - Gonzalez.job"
    - C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exeh/TASK:
    .
    **************************************************************************

    catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-01-14 15:09:50
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    C:\WINDOWS\system32\xyadd.ini 319 bytes
    C:\WINDOWS\system32\xyadd.ini2 319 bytes
    C:\WINDOWS\system32\ddayx.exe 348160 bytes executable

    scan completed successfully
    hidden files: 3

    **************************************************************************
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
    -> C:\WINDOWS\system32\ndaTqsVqrXs.dll
    -> C:\WINDOWS\system32\ddayx.dll
    .
    Completion time: 2008-01-14 15:13:47 - machine was rebooted
    ComboFix-quarantined-files.txt 2008-01-14 21:13:42
    .
    2008-01-10 19:04:26 --- E O F ---
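
The "Reg Loading Points" block of the log above is where a helper looks for persistence: Browser Helper Objects, the Run keys, the policies\Explorer\Run key, the Winlogon-era "load" value and the LSA Authentication Packages list. The Python below is an added example, not part of the original post and not ComboFix's own logic. It parses a copy of those lines and flags the structural signals a reader would circle by hand: autostart values whose target ComboFix printed with empty metadata (`[ ]`, read here as "could not stat the file"), file names with a space before the extension, anything launched from policies\Explorer\Run or the "load" value, and any LSA authentication package other than msv1_0. Which keys to watch, what `[ ]` means and the wording of each finding are this example's assumptions.

```python
"""Triage the 'Reg Loading Points' part of a ComboFix log.

Added example, not part of the original post and not ComboFix's own logic.
The checks encode structural signals a helper reads for; their wording and
the list of keys watched are this example's assumptions.
"""
import re

# Lines copied from the log posted above, trimmed to the entries the
# checks below act on.
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D30C764-7B3C-449C-AB75-9E3860C6B1E3}]
2008-01-14 15:09 344576 --a------ C:\WINDOWS\system32\ddayx.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BAD0253-E6F1-0EB1-50C6-08D1DF0D4119}]
C:\Program Files\Ghrgipoo\zqgkzuyt.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [2007-06-06 14:39 8429568]
"Dell QuickSet"="C:\Program Files\Dell\QuickSet\Quickset .exe" [ ]
"bc53195c"="C:\WINDOWS\system32\lbepybac.dll" [ ]
"ctfmona"="C:\WINDOWS\system32\ctfmona.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"t9qKF4k50_"= rundll32.exe "C:\WINDOWS\system32\ndaTqsVqrXs.dll",DllCleanServer

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\ddayx.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\ddayx
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]*)"\s*=\s*(?P<data>.*?)\s*(?:\[(?P<meta>[^\]]*)\])?$')
PATH_RE = re.compile(r'[A-Za-z]:\\[^",]*')
META_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} ")


def triage(log_text):
    """Return findings as dicts with key, name, target and reason."""
    findings, key = [], None

    def flag(name, target, reason):
        findings.append({"key": key, "name": name, "target": target, "reason": reason})

    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            key = m.group("key")
            continue
        if key is None:
            continue
        k = key.lower()
        if "browser helper objects" in k:
            # ComboFix prints "date time size attrs path" when it could stat the
            # BHO DLL and only the path when it could not.
            pm = PATH_RE.search(line)
            if pm and not META_RE.match(line):
                flag("(BHO)", pm.group(0), "BHO DLL with no file metadata")
            continue
        if "control\\lsa" in k and line.startswith("Authentication Packages"):
            # LSASS loads every package listed here at boot; msv1_0 is the only
            # one expected. Whitespace split is enough for this log's paths.
            for pkg in line.split("REG_MULTI_SZ", 1)[1].split():
                if pkg.lower() != "msv1_0":
                    flag("Authentication Packages", pkg, "extra LSA authentication package")
            continue
        m = VALUE_RE.match(line)
        if not m:
            continue
        name, data, meta = m.group("name"), m.group("data"), m.group("meta")
        pm = PATH_RE.search(data)
        target = pm.group(0) if pm else data.strip()
        if meta is not None and not meta.strip():
            flag(name, target, "no file metadata: ComboFix could not stat the target")
        if re.search(r" \.[A-Za-z0-9]+$", target):
            flag(name, target, "space before the extension in the file name")
        if "policies\\explorer\\run" in k:
            flag(name, target, "policies\\Explorer\\Run autostart, rarely used legitimately")
        if k.endswith("currentversion\\windows") and name.lower() == "load" and data.strip():
            flag(name, target, "'load' value set (Win.ini-style autostart)")
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f['reason']}: {f['name']} -> {f['target']}")
```

Run as a script it prints eight findings and stays silent on NvCplDaemon, the one Run entry in the sample that ComboFix could stat. The "no file metadata" rule is deliberately dumb: it also fires on the renamed OEM tools such as "Quickset .exe", which is the point, since those renames are part of what went wrong on this machine and a helper wants to see them next to the malware entries.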

  5. #5
    Member
    Join Date
    Jan 2008
    Posts
    32
    Points
    0

    Default

    Norton AntiVirus seemed to stop detecting the virus on startup, but I'm still getting the error messages.

  6. #6
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    Open notepad and copy/paste the text in the code box below into it:
    NOTE: make sure to highlight and copy only what is inside the code box, nothing outside of it.
    Also ..

    Pay particular attention to this :-

    Make sure the word File:: is on the first line of the text file you save (no blank line above it, & no space in front of it)
    Code:
    File::
    C:\WINDOWS\system32\ddayx.dll
    C:\WINDOWS\system32\RCXB37.tmp 
    C:\WINDOWS\system32\drvkah.dll
    C:\WINDOWS\system32\drvpak.dll 
    C:\WINDOWS\system32\drvleg.dll
    C:\WINDOWS\system32\drvbud.dll 
    C:\WINDOWS\system32\ndaTqsVqrXs.dll 
    C:\WINDOWS\system32\ctfmona.exe 
    C:\WINDOWS\system32\xyadd.in
    C:\WINDOWS\system32\xyadd.ini2
    C:\WINDOWS\system32\ddayx.exe
    C:\WINDOWS\system32\grghqtjn.dll
    
    Folder::
    C:\WINDOWS\gtvupprv
    C:\Program Files\Ghrgipoo
    
    Registry::
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D30C764-7B3C-449C-AB75-9E3860C6B1E3}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BAD0253-E6F1-0EB1-50C6-08D1DF0D4119}] 
    [-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9a689ed3-b084-4e5e-a282-206332a5cbac}] 
     
    
    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] 
    "bc53195c"=- 
    "ctfmona"=-
    
    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run] 
    "t9qKF4k50_"=-
    
    [HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows] 
    "load"=""
    Save this as "CFScript.txt"

    Then drag the CFScript.txt into ComboFix.exe as you see in the screenshot below.


    This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
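
Before a CFScript like the one above is dragged onto ComboFix.exe it is worth checking it mechanically. The Python below is an added example, not part of the post and not ComboFix's own code. It enforces the layout rules steamwiz gives (File:: on the first line, no blank line above it, no space in front of it), splits the script into its File::, Folder:: and Registry:: sections, and checks that every File:: path occurs as a whole path in the log the script was written from, because a mistyped path cannot remove anything. Run over the posted script and the paths from the log above it reports `C:\WINDOWS\system32\xyadd.in`, which does not match the `xyadd.ini` that catchme listed. The three section names, the whole-path match and the wording of the problems are this example's assumptions about what is worth checking, not documented ComboFix behaviour.

```python
"""Check a ComboFix CFScript before dragging it onto ComboFix.exe.

Added example, not part of the original post and not ComboFix's own code.
It enforces the layout rules given above (File:: on line 1, no blank line
above it, no leading space), splits the script into sections, and checks
every File:: path against the log it was written from, since a mistyped
path cannot remove anything.
"""
import re

KNOWN_SECTIONS = ("File::", "Folder::", "Registry::")

# The script from the post above, as posted.
CFSCRIPT = r"""File::
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\RCXB37.tmp
C:\WINDOWS\system32\drvkah.dll
C:\WINDOWS\system32\drvpak.dll
C:\WINDOWS\system32\drvleg.dll
C:\WINDOWS\system32\drvbud.dll
C:\WINDOWS\system32\ndaTqsVqrXs.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\xyadd.in
C:\WINDOWS\system32\xyadd.ini2
C:\WINDOWS\system32\ddayx.exe
C:\WINDOWS\system32\grghqtjn.dll

Folder::
C:\WINDOWS\gtvupprv
C:\Program Files\Ghrgipoo

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1D30C764-7B3C-449C-AB75-9E3860C6B1E3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2BAD0253-E6F1-0EB1-50C6-08D1DF0D4119}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9a689ed3-b084-4e5e-a282-206332a5cbac}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"bc53195c"=-
"ctfmona"=-
[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\run]
"t9qKF4k50_"=-
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=""
"""

# Paths copied from the log posted above, one per line, standing in for
# the full log text.
LOG_EXCERPT = r"""
C:\WINDOWS\system32\ddayx.dll
C:\WINDOWS\system32\RCXB37.tmp
C:\WINDOWS\system32\drvkah.dll
C:\WINDOWS\system32\drvpak.dll
C:\WINDOWS\system32\drvleg.dll
C:\WINDOWS\system32\drvbud.dll
C:\WINDOWS\system32\ndaTqsVqrXs.dll
C:\WINDOWS\system32\ctfmona.exe
C:\WINDOWS\system32\xyadd.ini
C:\WINDOWS\system32\xyadd.ini2
C:\WINDOWS\system32\ddayx.exe
C:\WINDOWS\system32\grghqtjn.dll
"""


def parse_cfscript(text):
    """Return (sections, problems); sections maps header -> entries."""
    lines, problems, sections, current = text.splitlines(), [], {}, None
    if not lines or lines[0].strip() != "File::":
        problems.append("first line must be File:: (no blank line above it)")
    elif lines[0] != "File::":
        problems.append("File:: must have no whitespace in front of it")
    for n, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line:
            continue
        if line.endswith("::"):  # section header
            if line not in KNOWN_SECTIONS:
                problems.append(f"line {n}: unknown section {line!r}")
            current = sections.setdefault(line, [])
            continue
        if current is None:
            problems.append(f"line {n}: entry before any section header")
        else:
            current.append(line)
    return sections, problems


def missing_from_log(sections, log_text):
    """File:: entries that never occur as a whole path in the log."""
    # The lookahead stops xyadd.in from passing on the strength of xyadd.ini.
    return [p for p in sections.get("File::", [])
            if not re.search(re.escape(p) + r"(?![\w.])", log_text, re.I)]


if __name__ == "__main__":
    sections, problems = parse_cfscript(CFSCRIPT)
    for p in problems:
        print("PROBLEM:", p)
    for header, entries in sections.items():
        print(f"{header} {len(entries)} entries")
    for path in missing_from_log(sections, LOG_EXCERPT):
        print("not in log, will be ignored:", path)
```

The substring test alone would not catch the mismatch, since `xyadd.in` is a prefix of `xyadd.ini`; the negative lookahead after the escaped path is what makes the match whole-path. Save the real script with Notepad rather than a word processor so that no byte-order mark or smart quote lands in front of File::, which is the same failure the first-line check is looking for.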

  7. #7
    Member
    Join Date
    Jan 2008
    Posts
    32
    Points
    0

    Default

    This doesn't work. I got: Access violation at address 7C9111DE in module 'ntdll.dll'
    Read of address 00200064

  8. #8
    Member
    Join Date
    Jan 2008
    Posts
    32
    Points
    0

    Default

    OK, something very bad has happened. I rebooted my computer and it took a ridiculously long time loading up. explorer.exe wasn't even loading up. My laptop is now running very sluggishly again, and I have new icons on my desktop, the old ones that lead me to advertisements to buy stuff (basically malware, I guess). I'm afraid I might have the Trojan back or something. I don't know what I did, though. I haven't even been on the internet.

  9. #9
    Member
    Join Date
    Jan 2008
    Posts
    32
    Points
    0

    Default

    The computer is running very sluggishly again. When I boot it up, I have to start Task Manager and manually start explorer.exe; it doesn't seem to do it on its own or something. The My Documents folder is loaded with 1500 useless pos TMP files, and in My Computer I have 2206 of these files just there.

    I think the best solution is starting all over in trying to fix this. Any suggestions? Should I just start all over and begin by posting a HijackThis log?

  10. #10
    Member steamwiz's Avatar
    Join Date
    Sep 2003
    Location
    Yorkshire U.K.
    Posts
    14,022
    Points
    2335

    Default

    Hi

    The Access violation in module 'ntdll.dll' is a very common error & could have thousands of causes ... Malware reacts differently on each machine, & there is no way of knowing what it may have done in the background to your system. If you have anything on the computer which you cannot afford to lose, it would be a good idea to back it up to removable media now (CDs, DVDs, flash drive, etc.).

    I suggest you try to perform a system restore, then we'll take it from there ...

    steam
    Look here for Ways to keep your computer safe
    M'SOFT MVP -Windows Security 2004/8 .member ASAP -
