Full Version: Help win32.trojandownloader.zlob
Lavasoft Support Forums > Archived Topics > Archives: Resolved/Inactive Topics > Resolved/Inactive HijackThis Logs
jakdred
Hi all,
I need help to remove this win32.trojandownloader.zlob.
With the help of HijackThis I managed to remove most of the malware, but Avast still detects the following infected file and puts it in quarantine.

Win32.Trojandownloader.Zlob (Malware)


Here is a HijackThis log so that someone with more knowledge can have a look at it.

Please help me if you know what I should do from here.

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\Fonts\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\Fonts\svchost.exe
C:\Program Files\BeInSync\BeInSync.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\BeInSync\BEINSYNCSERVER.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Java\jre1.6.0_02\bin\jucheck.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\Ad-Aware2007.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.si/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
R3 - URLSearchHook: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O3 - Toolbar: SweetIM For Internet Explorer - {BC4FFE41-DE9F-46fa-B455-AAD49B9F9938} - C:\Program Files\Macrogaming\SweetIMBarForIE\toolbar.dll (file missing)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\njjoetbi.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_02\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Host Process] C:\WINDOWS\Fonts\svchost.exe
O4 - HKLM\..\Run: [58eaed39] rundll32.exe "C:\WINDOWS\system32\cmgtujgq.dll",b
O4 - HKCU\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [BeInSync] "C:\Program Files\BeInSync\BeInSync.exe" /NOGUI
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_02\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6A18514-CB1E-4F18-AB4F-4715EC0061E2}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O21 - SSODL: sysdx - {976CD2F4-2F39-4602-A685-DBC91E010FEC} - C:\WINDOWS\sysdx.dll (file missing)
O21 - SSODL: msmhost - {FEA5EFE3-6036-4B3A-AB89-A838E01CD273} - C:\WINDOWS\msmhost.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe


Thanks
noahdfear
Welcome to the Lavasoft Support Forums, jakdred

Download Deckard's System Scanner (dss.exe) and save it to your desktop.

Download VundoFix by Atribune, saving it to your desktop.
  • Double-click VundoFix.exe to run it.
  • Click the Scan for Vundo button.
  • Once it's done scanning, click the Remove Vundo button.
  • You will receive a prompt asking if you want to remove the files, click YES
  • Once you click yes, your desktop will go blank as it starts removing Vundo.
  • When completed, it will prompt that it will reboot your computer, click OK.
Note: It is possible that VundoFix encounters a file it could not remove. In this case, VundoFix will run on reboot. If that happens, follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.

  • Close all applications and windows.
  • Double click on dss.exe to run it and follow the prompts.
  • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
Post the contents of main.txt and C:\VundoFix.txt
jakdred
Hi Dave,

Thank you very much for your reply. I've attached the two files you specified.
Thanks

Marko

QUOTE(noahdfear @ Nov 21 2007, 06:39 AM)
noahdfear
Please run dss again and post the main.txt file. It will be very late before I get a chance to look it over... hang in there!

PS. Please copy and paste the contents of the log rather than attaching. Thanks!
jakdred
Hello,

Here is the post of the log file:

Deckard's System Scanner v20071014.68
Run by amdx2 on 2007-11-22 18:58:31
Computer is in Normal Mode.
--------------------------------------------------------------------------------



-- HijackThis (run as amdx2.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:58:32, on 22.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\ckpgehyu.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BeInSync\BeInSync.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\BeInSync\BEINSYNCSERVER.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\notepad.exe
C:\Documents and Settings\amdx2\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\amdx2.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.si/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {0D24B858-0E63-439A-8D20-86D0C353F9C6} - C:\WINDOWS\system32\mljji.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: {97c0de61-d7bd-0a78-f324-fc66c0e8e214} - {412e8e0c-66cf-423f-87a0-db7d16ed0c79} - C:\WINDOWS\system32\elbaaivq.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: MSVPS System - {88418AA3-16F5-4FC2-A9D8-90B1266DF841} - C:\WINDOWS\nsduo.dll (file missing)
O2 - BHO: Windows Live - Pomoc pri vpisu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A2ED5293-0123-46D1-B554-FB8B3E4250D9} - C:\WINDOWS\system32\mljji.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\wvgwurpd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\mljhedd.dll
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wvgwurpd.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [BeInSync] "C:\Program Files\BeInSync\BeInSync.exe" /NOGUI
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6A18514-CB1E-4F18-AB4F-4715EC0061E2}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mljhedd - C:\WINDOWS\SYSTEM32\mljhedd.dll
O20 - Winlogon Notify: wvgwurpd - C:\WINDOWS\SYSTEM32\wvgwurpd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\ckpgehyu.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9519 bytes

-- Files created between 2007-10-22 and 2007-11-22 -----------------------------

2007-11-22 18:58:23 85056 --a------ C:\WINDOWS\system32\jfjdqgtv.dll
2007-11-22 18:50:41 84544 --a------ C:\WINDOWS\system32\elbaaivq.dll
2007-11-22 18:48:00 71232 --a------ C:\WINDOWS\system32\petpiiyp.exe <Not Verified; ; DDC>
2007-11-21 10:40:02 84544 --a------ C:\WINDOWS\system32\aanxeium.dll
2007-11-21 10:37:02 85056 -----n--- C:\WINDOWS\system32\axfclbhq.dll
2007-11-21 10:31:02 71232 --a------ C:\WINDOWS\system32\ckpgehyu.exe <Not Verified; ; DDC>
2007-11-21 09:49:37 145984 --a------ C:\WINDOWS\system32\wvgwurpd.dll
2007-11-21 09:49:15 145984 --a------ C:\WINDOWS\system32\udbpaxny.dll
2007-11-21 09:25:05 0 d-------- C:\VundoFix Backups
2007-11-20 18:16:14 0 d-------- C:\WINDOWS\CSC
2007-11-20 10:28:25 85056 --a------ C:\WINDOWS\system32\mhuvqivk.dll
2007-11-20 10:28:24 84544 --a------ C:\WINDOWS\system32\wncxcrca.dll
2007-11-20 09:05:31 0 --a------ C:\x.dat
2007-11-20 09:05:16 0 --a------ C:\z.dat
2007-11-20 09:05:03 37376 --a------ C:\WINDOWS\system32\efcdefe.dll
2007-11-19 18:29:17 0 d-------- C:\!KillBox
2007-11-19 17:44:33 0 d-------- C:\Program Files\Trend Micro
2007-11-19 16:14:05 0 d-------- C:\Program Files\Lavasoft
2007-11-19 16:13:40 0 d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 11:43:30 0 d--h----- C:\WINDOWS\system32\GroupPolicy
2007-11-19 11:14:51 0 d--h----- C:\Documents and Settings\Administrator\Templates
2007-11-19 11:14:51 0 dr------- C:\Documents and Settings\Administrator\Start Menu
2007-11-19 11:14:51 0 dr-h----- C:\Documents and Settings\Administrator\SendTo
2007-11-19 11:14:51 0 d--h----- C:\Documents and Settings\Administrator\Recent
2007-11-19 11:14:51 0 d--h----- C:\Documents and Settings\Administrator\PrintHood
2007-11-19 11:14:51 786432 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT
2007-11-19 11:14:51 0 d--h----- C:\Documents and Settings\Administrator\NetHood
2007-11-19 11:14:51 0 d-------- C:\Documents and Settings\Administrator\My Documents
2007-11-19 11:14:51 0 d--h----- C:\Documents and Settings\Administrator\Local Settings
2007-11-19 11:14:51 0 d-------- C:\Documents and Settings\Administrator\Favorites
2007-11-19 11:14:51 0 d-------- C:\Documents and Settings\Administrator\Desktop
2007-11-19 11:14:51 0 d--hs---- C:\Documents and Settings\Administrator\Cookies
2007-11-19 11:14:51 0 dr-h----- C:\Documents and Settings\Administrator\Application Data
2007-11-19 11:14:51 0 d---s---- C:\Documents and Settings\Administrator\Application Data\Microsoft
2007-11-19 10:27:10 83008 --a------ C:\WINDOWS\system32\iypqadjn.dll
2007-11-19 08:40:33 0 --a------ C:\Documents and Settings\amdx2\x.dat
2007-11-19 08:40:17 256 --a------ C:\Documents and Settings\amdx2\z.dat
2007-11-19 08:40:09 36352 --a------ C:\WINDOWS\system32\wvutrqp.dll
2007-11-18 22:25:35 108043 --ahs---- C:\WINDOWS\system32\ijjlm.ini2
2007-11-18 22:25:31 320608 --a------ C:\WINDOWS\system32\mljji.dll
2007-11-18 22:24:09 147456 --a------ C:\WINDOWS\system32\vbzip10.dll <Not Verified; Info-ZIP; Info-ZIP's WiZ>
2007-11-18 22:24:06 0 d-------- C:\Program Files\Temporary
2007-11-18 22:21:16 120 --a------ C:\n.bat
2007-11-18 22:20:42 36352 --a------ C:\WINDOWS\system32\qommnlm.dll
2007-11-18 22:20:35 35840 --a------ C:\WINDOWS\mrofinu1188.exe
2007-11-18 22:20:28 36352 --a------ C:\WINDOWS\system32\mljhedd.dll
2007-11-18 22:19:06 0 d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 22:05:53 0 d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-16 13:27:51 0 d-------- C:\Program Files\iPod
2007-11-16 13:27:35 0 d-------- C:\Program Files\iTunes
2007-11-15 15:07:09 0 d-------- C:\Program Files\AVIConverter
2007-11-12 22:25:06 0 d--hs--c- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-12 22:24:54 0 d-------- C:\Program Files\Windows Live
2007-11-12 22:24:47 0 d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-09 16:42:16 335872 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll <Not Verified; NCT Company Ltd.; NCTAudioVisualization2 ActiveX DLL>
2007-11-09 16:42:16 311296 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll <Not Verified; NCT Company Ltd.; NCTAudioRecord2 ActiveX DLL>
2007-11-09 16:42:15 1843200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll <Not Verified; NCT Company Ltd.; NCTAudioFile2 ActiveX DLL>
2007-11-09 16:42:15 0 d-------- C:\Program Files\Free MP3 Sound Recorder
2007-11-09 10:28:06 0 d-------- C:\Documents and Settings\amdx2\Application Data\ivivo
2007-11-09 10:21:17 0 d-------- C:\Program Files\iViVo
2007-11-09 10:09:14 0 d-------- C:\Program Files\freebird
2007-11-09 09:57:12 0 d-------- C:\Program Files\Freecorder
2007-11-09 09:57:05 0 d-------- C:\WINDOWS\Freecorder Toolbar
2007-11-07 22:27:56 0 d-------- C:\boca cicha 2007
2007-11-06 16:12:57 0 d-------- C:\Documents and Settings\Marko\Application Data\Leadertech
2007-11-05 12:50:48 0 d-------- C:\Documents and Settings\amdx2\Application Data\Apple Computer
2007-11-05 12:49:58 0 d-------- C:\Program Files\Common Files\Apple
2007-11-05 12:39:57 0 d-------- C:\Program Files\Apple Software Update
2007-11-05 12:39:57 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 22:43:07 0 d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-31 14:03:14 0 d-------- C:\Documents and Settings\Guest\Application Data\Nokia
2007-10-31 14:03:03 0 d-------- C:\Documents and Settings\Guest\Application Data\PC Suite


-- Find3M Report ---------------------------------------------------------------

2007-11-22 18:48:29 0 dr------- C:\Documents and Settings\amdx2\Application Data\BeInSync Settings
2007-11-20 09:31:40 0 d-------- C:\Program Files\Java
2007-11-19 16:13:40 0 d-------- C:\Program Files\Common Files
2007-11-19 12:22:03 0 d-------- C:\Program Files\GfedEuroen86F
2007-11-19 10:56:34 0 d-------- C:\Program Files\Common Files\Adobe
2007-11-19 10:55:13 0 d-------- C:\Documents and Settings\amdx2\Application Data\Adobe
2007-11-19 10:47:40 0 d-------- C:\Program Files\LimeWire
2007-11-18 21:13:20 0 d-------- C:\Documents and Settings\amdx2\Application Data\Skype
2007-11-18 19:18:45 0 d-------- C:\Documents and Settings\amdx2\Application Data\Corel
2007-11-16 13:26:33 0 d-------- C:\Program Files\QuickTime
2007-11-14 15:28:34 0 d-------- C:\Program Files\eMule
2007-11-13 09:19:39 0 d-------- C:\Program Files\MSN Messenger
2007-10-03 11:44:30 258048 --a------ C:\WINDOWS\msvb.dll <Not Verified; ; msvb>
2007-10-03 11:44:30 270336 --a------ C:\WINDOWS\afxp.dll <Not Verified; ; afxp>
2007-10-03 02:00:16 0 d-------- C:\Program Files\MSXML 4.0
2007-10-01 12:35:51 44407 --a------ C:\Documents and Settings\amdx2\Application Data\NMM-MetaData.db
2007-10-01 12:35:04 79872 --a------ C:\WINDOWS\advpn.dll <Not Verified; ; advpn Module>
2007-10-01 12:34:44 270336 --a------ C:\WINDOWS\div32.dll <Not Verified; ; div32>
2007-10-01 12:34:30 249856 --a------ C:\WINDOWS\mssql.dll <Not Verified; ; mssql>
2007-10-01 12:15:06 0 d-------- C:\Documents and Settings\amdx2\Application Data\Nokia
2007-10-01 12:06:56 0 d-------- C:\Documents and Settings\amdx2\Application Data\PC Suite
2007-10-01 12:06:23 0 d-------- C:\Program Files\Nokia
2007-10-01 12:06:06 0 d-------- C:\Program Files\Common Files\PCSuite
2007-10-01 12:06:00 0 d-------- C:\Program Files\DIFX
2007-10-01 12:05:53 0 d-------- C:\Program Files\PC Connectivity Solution
2007-09-27 18:52:06 10 --a------ C:\WINDOWS\popcinfo.dat
2007-09-24 20:00:50 0 d-------- C:\Program Files\ABC Amber BlackBerry Converter
2007-09-24 19:17:55 0 d-------- C:\Documents and Settings\amdx2\Application Data\Research In Motion
2007-09-24 19:17:04 0 d-------- C:\Program Files\Common Files\Research In Motion
2007-09-24 19:16:48 0 d-------- C:\Program Files\Research In Motion
2007-09-24 19:15:10 0 d-------- C:\Program Files\Common Files\InstallShield


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D24B858-0E63-439A-8D20-86D0C353F9C6}]
18.11.2007 22:25 320608 --a------ C:\WINDOWS\system32\mljji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{412e8e0c-66cf-423f-87a0-db7d16ed0c79}]
22.11.2007 18:50 84544 --a------ C:\WINDOWS\system32\elbaaivq.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}]
C:\WINDOWS\nsduo.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2ED5293-0123-46D1-B554-FB8B3E4250D9}]
18.11.2007 22:25 320608 --a------ C:\WINDOWS\system32\mljji.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
21.11.2007 09:49 145984 --a------ C:\WINDOWS\system32\wvgwurpd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
18.11.2007 22:20 36352 --a------ C:\WINDOWS\system32\mljhedd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [20.12.2004 17:12]
"NvCplDaemon"="C:\WINDOWS\system32\NvCpl.dll" [22.10.2006 12:22]
"nwiz"="nwiz.exe" [22.10.2006 12:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [06.09.2007 11:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [12.01.2006 16:40]
"NvMediaCenter"="C:\WINDOWS\system32\NvMcTray.dll" [22.10.2006 12:22]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [25.09.2007 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [21.01.2007 23:37]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [27.12.2006 16:53]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [11.05.2007 02:06]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [07.07.2005 17:41]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [07.03.2007 09:58]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [19.10.2007 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [02.11.2007 18:36]
"58eaed39"="C:\WINDOWS\system32\jfjdqgtv.dll" [22.11.2007 18:58]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [09.10.2006 11:28]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [18.10.2007 11:34]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" []
"BeInSync"="C:\Program Files\BeInSync\BeInSync.exe" [14.12.2006 09:55]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [27.12.2006 16:53]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [13.08.2007 08:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [03.08.2004 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{561F5138-43B1-45D9-AEC9-478C51C1BD09}"= C:\PROGRA~1\BeInSync\BISShellEx.dll [14.12.2006 09:58 134656]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\mljhedd.dll [18.11.2007 22:20 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhedd]
mljhedd.dll 18.11.2007 22:20 36352 C:\WINDOWS\system32\mljhedd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvgwurpd]
wvgwurpd.dll 21.11.2007 09:49 145984 C:\WINDOWS\system32\wvgwurpd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljji.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\aawservice]
@="Service"




-- End of Deckard's System Scanner: finished at 2007-11-22 18:58:52 ------------

noahdfear
Download ComboFix by sUBs from here or here, saving the file to your desktop.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

CODE
File::
C:\WINDOWS\system32\jfjdqgtv.dll
C:\WINDOWS\system32\elbaaivq.dll
C:\WINDOWS\system32\petpiiyp.exe
C:\WINDOWS\system32\aanxeium.dll
C:\WINDOWS\system32\axfclbhq.dll
C:\WINDOWS\system32\ckpgehyu.exe
C:\WINDOWS\system32\wvgwurpd.dll
C:\WINDOWS\system32\udbpaxny.dll
C:\WINDOWS\system32\mhuvqivk.dll
C:\WINDOWS\system32\wncxcrca.dll
C:\WINDOWS\system32\efcdefe.dll
C:\WINDOWS\system32\iypqadjn.dll
C:\WINDOWS\system32\wvutrqp.dll
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\vbzip10.dll
C:\n.bat
C:\WINDOWS\system32\qommnlm.dll
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\system32\mljhedd.dll
DirLook::
C:\Program Files\Temporary
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0D24B858-0E63-439A-8D20-86D0C353F9C6}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{412e8e0c-66cf-423f-87a0-db7d16ed0c79}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{88418AA3-16F5-4FC2-A9D8-90B1266DF841}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A2ED5293-0123-46D1-B554-FB8B3E4250D9}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"58eaed39"=-
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhedd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvgwurpd]


Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log along with a fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
jakdred
Hello, here are the files. Thanks



ComboFix 07-11-19.4 - amdx2 2007-11-27 12:01:10.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.144 [GMT 1:00]
Running from: C:\Documents and Settings\amdx2\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Administrator\Desktop\Live Safety Center.lnk
C:\Documents and Settings\Administrator\Desktop\Online Security Guide.lnk
C:\Documents and Settings\Administrator\Favorites\Online Security Guide.lnk
C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\amdx2\Favorites\Online Security Guide.lnk
C:\Documents and Settings\Marko\Application Data\macromedia\Flash Player\#SharedObjects\F224FSYF\www.broadcaster.com
C:\Documents and Settings\Marko\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com
C:\Documents and Settings\Marko\Application Data\macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.broadcaster.com\settings.sol
C:\Program Files\Temporary
C:\WINDOWS\advpn.dll
C:\WINDOWS\afxp.dll
C:\WINDOWS\cookies.ini
C:\WINDOWS\div32.dll
C:\WINDOWS\mrofinu1188.exe
C:\WINDOWS\mssql.dll
C:\WINDOWS\msvb.dll
C:\WINDOWS\system32\ijjlm.ini
C:\WINDOWS\system32\ijjlm.ini2
C:\WINDOWS\system32\mljji.dll
C:\WINDOWS\system32\wvgwurpd.dllbox

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-27 to 2007-11-27 )))))))))))))))))))))))))))))))
.

2007-11-27 11:09 85,056 --a------ C:\WINDOWS\system32\lsqxocmq.dll
2007-11-27 11:09 84,544 --a------ C:\WINDOWS\system32\joqqfleb.dll
2007-11-27 11:09 886 --ahs---- C:\WINDOWS\system32\qmcoxqsl.ini
2007-11-27 11:06 71,232 --a------ C:\WINDOWS\system32\nnxqotev.exe
2007-11-27 11:04 71,232 --a------ C:\WINDOWS\system32\rdcscdqy.exe
2007-11-23 19:00 826 --ahs---- C:\WINDOWS\system32\vfsclgkp.ini
2007-11-23 18:51 84,544 --a------ C:\WINDOWS\system32\noulvacq.dll
2007-11-23 18:48 71,232 --a------ C:\WINDOWS\system32\oejcbbbp.exe
2007-11-22 18:50 84,544 --a------ C:\WINDOWS\system32\elbaaivq.dll
2007-11-22 18:48 71,232 --a------ C:\WINDOWS\system32\petpiiyp.exe
2007-11-21 10:37 414 --ahs---- C:\WINDOWS\system32\qhblcfxa.ini
2007-11-21 09:49 145,984 --a------ C:\WINDOWS\system32\udbpaxny.dll
2007-11-21 09:33 <DIR> d-------- C:\Deckard
2007-11-21 09:25 <DIR> d-------- C:\VundoFix Backups
2007-11-20 10:28 688,780 --ahs---- C:\WINDOWS\system32\kviqvuhm.ini
2007-11-20 10:28 85,056 --a------ C:\WINDOWS\system32\mhuvqivk.dll
2007-11-20 09:05 37,376 --a------ C:\WINDOWS\system32\efcdefe.dll
2007-11-19 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 16:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-19 16:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 10:27 688,720 --ahs---- C:\WINDOWS\system32\qgjutgmc.ini
2007-11-19 10:27 83,008 --a------ C:\WINDOWS\system32\iypqadjn.dll
2007-11-19 08:40 256 --a------ C:\Documents and Settings\amdx2\z.dat
2007-11-19 08:40 0 --a------ C:\Documents and Settings\amdx2\x.dat
2007-11-18 22:24 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-11-18 22:20 36,352 --a------ C:\WINDOWS\system32\qommnlm.dll
2007-11-18 22:20 36,352 --a------ C:\WINDOWS\system32\mljhedd.dll
2007-11-18 22:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 22:05 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-16 13:27 <DIR> d-------- C:\Program Files\iTunes
2007-11-16 13:27 <DIR> d-------- C:\Program Files\iPod
2007-11-15 15:07 <DIR> d-------- C:\Program Files\AVIConverter
2007-11-13 06:06 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-13 06:06 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-11-13 06:06 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-12 22:25 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-12 22:24 <DIR> d-------- C:\Program Files\Windows Live
2007-11-12 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-09 16:42 <DIR> d-------- C:\Program Files\Free MP3 Sound Recorder
2007-11-09 16:42 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2007-11-09 16:42 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-11-09 16:42 335,872 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2007-11-09 16:42 311,296 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll
2007-11-09 10:28 <DIR> d-------- C:\Documents and Settings\amdx2\Application Data\ivivo
2007-11-09 10:21 <DIR> d-------- C:\Program Files\iViVo
2007-11-09 10:09 <DIR> d-------- C:\Program Files\freebird
2007-11-09 09:57 <DIR> d-------- C:\Program Files\Freecorder
2007-11-06 16:12 <DIR> d-------- C:\Documents and Settings\Marko\Application Data\Leadertech
2007-11-05 12:50 <DIR> d-------- C:\Documents and Settings\amdx2\Application Data\Apple Computer
2007-11-05 12:49 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-05 12:39 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-05 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-31 14:03 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2007-10-31 14:03 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Nokia
2007-10-29 19:55 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2007-10-29 19:55 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2007-10-29 19:55 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2007-10-29 19:55 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys
2007-10-29 19:55 16,384 --a------ C:\WINDOWS\system32\ipsink.ax

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-27 10:04 --------- d-----r C:\Documents and Settings\amdx2\Application Data\BeInSync Settings
2007-11-20 08:31 --------- d-----w C:\Program Files\Java
2007-11-20 08:05 120 ----a-w C:\n.bat
2007-11-20 08:05 0 ----a-w C:\z.dat
2007-11-20 08:05 0 ----a-w C:\x.dat
2007-11-19 11:22 --------- d-----w C:\Program Files\GfedEuroen86F
2007-11-19 09:56 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-19 09:47 --------- d-----w C:\Program Files\LimeWire
2007-11-18 20:13 --------- d-----w C:\Documents and Settings\amdx2\Application Data\Skype
2007-11-18 18:18 --------- d-----w C:\Documents and Settings\amdx2\Application Data\Corel
2007-11-16 12:26 --------- d-----w C:\Program Files\QuickTime
2007-11-14 14:28 --------- d-----w C:\Program Files\eMule
2007-11-13 08:19 --------- d-----w C:\Program Files\MSN Messenger
2007-10-29 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-03 01:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-02 17:53 --------- d-----w C:\Documents and Settings\Marko\Application Data\Skype
2007-10-01 11:16 --------- d-----w C:\Documents and Settings\Marko\Application Data\PC Suite
2007-10-01 11:16 --------- d-----w C:\Documents and Settings\Marko\Application Data\Nokia
2007-10-01 11:15 --------- d-----w C:\Documents and Settings\amdx2\Application Data\Nokia
2007-10-01 11:06 --------- d-----w C:\Program Files\Nokia
2007-10-01 11:06 --------- d-----w C:\Program Files\DIFX
2007-10-01 11:06 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-10-01 11:06 --------- d-----w C:\Documents and Settings\amdx2\Application Data\PC Suite
2007-10-01 11:05 --------- d-----w C:\Program Files\PC Connectivity Solution
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a8a7957e-8c2a-4b51-80ac-e5a0b3a3729f}]
2007-11-27 11:09 84544 --a------ C:\WINDOWS\system32\joqqfleb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-21 09:49 145984 --a------ C:\WINDOWS\system32\wvgwurpd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
2007-11-18 22:20 36352 --a------ C:\WINDOWS\system32\mljhedd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\wvgwurpd.dll [2007-11-21 09:49 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" []
"BeInSync"="C:\Program Files\BeInSync\BeInSync.exe" [2006-12-14 09:55]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 08:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-21 23:37]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 17:41]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-03-07 09:58]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]
"58eaed39"="C:\WINDOWS\system32\lsqxocmq.dll" [2007-11-27 11:09]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{561F5138-43B1-45D9-AEC9-478C51C1BD09}"= C:\PROGRA~1\BeInSync\BISShellEx.dll [2006-12-14 09:58 134656]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"= C:\WINDOWS\system32\mljhedd.dll [2007-11-18 22:20 36352]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhedd]
mljhedd.dll 2007-11-18 22:20 36352 C:\WINDOWS\system32\mljhedd.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvgwurpd]
wvgwurpd.dll 2007-11-21 09:49 145984 C:\WINDOWS\system32\wvgwurpd.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\mljji.dll

R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 14:29:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-27 12:13:25
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-27 12:14:24 - machine was rebooted
.
--- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 12:40:47, on 27.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\BeInSync\BeInSync.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\BeInSync\BEINSYNCSERVER.EXE
C:\WINDOWS\System32\rundll32.exe
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.si/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live - Pomoc pri vpisu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: {f9273a3b-0a5e-ca08-15b4-a2c8e7597a8a} - {a8a7957e-8c2a-4b51-80ac-e5a0b3a3729f} - C:\WINDOWS\system32\joqqfleb.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\wvgwurpd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {BBB05D9E-0297-404D-A6BF-D8F2876B84A6} - C:\WINDOWS\system32\mljhedd.dll
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wvgwurpd.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [58eaed39] rundll32.exe "C:\WINDOWS\system32\lsqxocmq.dll",b
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] ~"C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [BeInSync] "C:\Program Files\BeInSync\BeInSync.exe" /NOGUI
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6A18514-CB1E-4F18-AB4F-4715EC0061E2}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: mljhedd - C:\WINDOWS\SYSTEM32\mljhedd.dll
O20 - Winlogon Notify: wvgwurpd - C:\WINDOWS\SYSTEM32\wvgwurpd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 9228 bytes

noahdfear
Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

CODE
File::
C:\WINDOWS\system32\lsqxocmq.dll
C:\WINDOWS\system32\joqqfleb.dll
C:\WINDOWS\system32\qmcoxqsl.ini
C:\WINDOWS\system32\nnxqotev.exe
C:\WINDOWS\system32\rdcscdqy.exe
C:\WINDOWS\system32\vfsclgkp.ini
C:\WINDOWS\system32\noulvacq.dll
C:\WINDOWS\system32\oejcbbbp.exe
C:\WINDOWS\system32\elbaaivq.dll
C:\WINDOWS\system32\petpiiyp.exe
C:\WINDOWS\system32\qhblcfxa.ini
C:\WINDOWS\system32\udbpaxny.dll
C:\WINDOWS\system32\kviqvuhm.ini
C:\WINDOWS\system32\mhuvqivk.dll
C:\WINDOWS\system32\efcdefe.dll
C:\WINDOWS\system32\qgjutgmc.ini
C:\WINDOWS\system32\iypqadjn.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\qommnlm.dll
C:\WINDOWS\system32\mljhedd.dll
C:\n.bat
DirLook::
C:\Program Files\GfedEuroen86F
REGISTRY::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{a8a7957e-8c2a-4b51-80ac-e5a0b3a3729f}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"58eaed39"=-
[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{BBB05D9E-0297-404D-A6BF-D8F2876B84A6}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\mljhedd]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvgwurpd]


Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log and a fresh HijackThis log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.


Rename the following 4 .dat files to x.dat.txt and z.dat.txt, then open them with notepad. You may find passwords listed. If so, change those passwords for the appropriate login. If any are for banking or credit card purposes, be sure to change PIN numbers and keep a close eye on those accounts.

C:\Documents and Settings\amdx2\z.dat
C:\Documents and Settings\amdx2\x.dat
C:\z.dat
C:\x.dat
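As an added example for the procedure in the two replies above (it is not part of this thread and not a HijackThis or ComboFix feature), the Python below parses the kinds of HijackThis O2/O3/O4/O20 lines and ComboFix "Files Created" lines posted here, flags the load points the replies picked out by hand, and drafts a CFScript in the same File:: / Registry:: layout. Every rule in it is this example's own assumption: 7-9 letter lowercase file stems under system32, hidden .ini files whose stem is a .dll stem spelled backwards (qmcoxqsl.ini next to lsqxocmq.dll, kviqvuhm.ini next to mhuvqivk.dll in the ComboFix log), rundll32 called with a one-letter export, and hex-named Run values. The sample lines are copied from the logs in this thread.

```python
"""Triage HijackThis / ComboFix log lines for Vundo-style persistence and
draft the matching CFScript.  Added example for this thread, not a HijackThis
or ComboFix feature; every rule is an assumption and the output is a list of
candidates for a person to verify, not a verdict."""
import re

RANDOM_STEM = re.compile(r"^[a-z]{7,9}$")          # lsqxocmq, mljhedd, ...
HEX_NAME = re.compile(r"^[0-9a-f]{6,}$")           # Run value names like 58eaed39
HJT_COM = re.compile(r"^(O2|O3) - (?:BHO|Toolbar): (.*?) - (\{[0-9A-Fa-f-]{36}\}) - (.*)$")
HJT_RUN = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[(.*?)\] (.*)$")
HJT_O20 = re.compile(r"^O20 - Winlogon Notify: (\S+) - (.*)$")
RUNDLL = re.compile(r'^rundll32(?:\.exe)?\s+"?([^",]+\.dll)"?,(\S+)$', re.I)
# ComboFix "Files Created" line: date time size attrs path (<DIR> lines do not match)
CF_CREATED = re.compile(r"^\d{4}-\d\d-\d\d \d\d:\d\d\s+[\d,]+\s+\S{9}\s+(.*)$")

BHO_KEY = "HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects"   # ComboFix shorthand, as in the thread
TOOLBAR_KEY = "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\Toolbar]"
RUN_KEY = "[HKEY_%s\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]"
NOTIFY_KEY = "[-HKEY_LOCAL_MACHINE\\software\\microsoft\\windows nt\\currentversion\\winlogon\\notify\\%s]"

def stem(path):
    return path.rsplit("\\", 1)[-1].rsplit(".", 1)[0].lower()

def reversed_pairs(paths):
    """Map each .dll/.exe to the .ini whose stem is that stem spelled backwards
    (qmcoxqsl.ini <-> lsqxocmq.dll), the hidden-config pairing visible in this log."""
    by_stem = {stem(p): p for p in paths}
    return {by_stem[stem(p)[::-1]]: p for p in paths
            if p.lower().endswith(".ini") and stem(p)[::-1] in by_stem}

def triage(hjt_lines, created_lines):
    """Return (reason, registry_fix_or_None, file_path_or_None) tuples."""
    created = [m.group(1) for m in map(CF_CREATED.match, created_lines) if m]
    pairs = reversed_pairs(created)
    out = []
    for line in hjt_lines:
        if m := HJT_COM.match(line):                       # O2 BHO / O3 toolbar
            kind, name, guid, path = m.groups()
            nameless = name == "(no name)" or name.startswith("{")
            if nameless or ("\\system32\\" in path.lower() and RANDOM_STEM.match(stem(path))):
                reg = (f"[-{BHO_KEY}\\{guid}]" if kind == "O2"
                       else f'{TOOLBAR_KEY}\n"{guid}"=-')
                out.append((f"{kind} {name}", reg, None if path == "(no file)" else path))
        elif m := HJT_RUN.match(line):                     # O4 Run value
            hive, name, cmd = m.groups()
            r = RUNDLL.match(cmd)
            if HEX_NAME.match(name) or (r and len(r.group(2)) == 1):
                key = RUN_KEY % ("LOCAL_MACHINE" if hive == "HKLM" else "CURRENT_USER")
                out.append((f"O4 {name}", f'{key}\n"{name}"=-', r.group(1) if r else None))
        elif m := HJT_O20.match(line):                     # O20 Winlogon Notify package
            name, path = m.groups()
            if RANDOM_STEM.match(stem(path)):
                out.append((f"O20 {name}", NOTIFY_KEY % name, path))
    for p in created:  # dropped binaries that never reached a load point still have to go
        if p in pairs or ("\\system32\\" in p.lower() and RANDOM_STEM.match(stem(p))
                          and p.lower().endswith((".dll", ".exe"))):
            out.append(("created", None, p))
            if p in pairs:
                out.append(("reversed-name ini", None, pairs[p]))
    return out

def build_cfscript(findings):
    """Render findings in the File:: / Registry:: layout the replies use."""
    files = sorted({f for _, _, f in findings if f}, key=str.lower)
    regs = []
    for _, r, _ in findings:
        if r and r not in regs:
            regs.append(r)
    lines = ["File::", *files]
    if regs:
        lines += ["Registry::", *regs]
    return "\n".join(lines) + "\n"

# Sample input copied from the logs posted in this thread (an excerpt, not the full logs).
HJT_SAMPLE = r"""
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: {f9273a3b-0a5e-ca08-15b4-a2c8e7597a8a} - {a8a7957e-8c2a-4b51-80ac-e5a0b3a3729f} - C:\WINDOWS\system32\joqqfleb.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\wvgwurpd.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wvgwurpd.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [58eaed39] rundll32.exe "C:\WINDOWS\system32\lsqxocmq.dll",b
O20 - Winlogon Notify: mljhedd - C:\WINDOWS\SYSTEM32\mljhedd.dll
""".strip().splitlines()

CF_SAMPLE = r"""
2007-11-27 11:09 85,056 --a------ C:\WINDOWS\system32\lsqxocmq.dll
2007-11-27 11:09 84,544 --a------ C:\WINDOWS\system32\joqqfleb.dll
2007-11-27 11:09 886 --ahs---- C:\WINDOWS\system32\qmcoxqsl.ini
2007-11-27 11:06 71,232 --a------ C:\WINDOWS\system32\nnxqotev.exe
2007-11-23 19:00 826 --ahs---- C:\WINDOWS\system32\vfsclgkp.ini
2007-11-21 09:33 <DIR> d-------- C:\Deckard
2007-11-20 10:28 688,780 --ahs---- C:\WINDOWS\system32\kviqvuhm.ini
2007-11-20 10:28 85,056 --a------ C:\WINDOWS\system32\mhuvqivk.dll
2007-11-13 06:06 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
""".strip().splitlines()

if __name__ == "__main__":
    print(build_cfscript(triage(HJT_SAMPLE, CF_SAMPLE)))
```

Run as-is it prints a draft that lists the same DLLs, BHO CLSIDs, the "58eaed39" Run value and the mljhedd Winlogon Notify key that the reply above removes. Two things in the output show why it is only a draft: the stem rule also flags mucltui.dll, which is a Microsoft Update client component created the same fortnight, and the pairing rule misses the orphan vfsclgkp.ini that the reply deletes by hand. The reply's script also removes the toolbar's HKEY_CLASSES_ROOT\clsid registration and uses DirLook:: on a suspect folder; both are left to the person reviewing the log.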
jakdred
Hello,

I tried to open the renamed txt files, but nothing is in there. Here are the logs.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 13:48:45, on 28.11.2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe
C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe
C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Windows Live\Messenger\msnmsgr.exe
C:\Program Files\BeInSync\BeInSync.exe
C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\PROGRA~1\BeInSync\BEINSYNCSERVER.EXE
C:\Program Files\PC Connectivity Solution\ServiceLayer.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.si/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://home.sweetim.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = :
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: SWEETIE - {1A0AADCD-3A72-4b5f-900F-E3BB5A838E2A} - C:\PROGRA~1\MACROG~1\SWEETI~1\toolbar.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live - Pomoc pri vpisu - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\wvgwurpd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O3 - Toolbar: BeInSync - {4F2530BA-8C1D-4A6A-8BA0-74E93ADC9B12} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wvgwurpd.dll
O4 - HKLM\..\Run: [NVMixerTray] "C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe"
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\system32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [Adobe Photo Downloader] "C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe"
O4 - HKLM\..\Run: [NSLauncher] C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe /startup
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [updateMgr] C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe AcPro7_0_0
O4 - HKCU\..\Run: [BeInSync] "C:\Program Files\BeInSync\BeInSync.exe" /NOGUI
O4 - HKCU\..\Run: [SweetIM] C:\Program Files\Macrogaming\SweetIM\SweetIM.exe
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'NETWORK SERVICE')
O8 - Extra context menu item: I&zvoz v Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Raziskovanje - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O9 - Extra 'Tools' menuitem: BeInSync - {EE84A04D-8992-4b19-970F-6EA7A01F7331} - C:\PROGRA~1\BeInSync\BISShellEx.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} (QuickTime Object) - http://a1540.g.akamai.net/7/1540/52/200707...ex/qtplugin.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{F6A18514-CB1E-4F18-AB4F-4715EC0061E2}: NameServer = 192.168.0.1
O18 - Protocol: skype4com - {FFC8B962-9B40-4DFF-9458-1830C7DD7F5D} - C:\PROGRA~1\COMMON~1\Skype\SKYPE4~1.DLL
O20 - Winlogon Notify: wvgwurpd - C:\WINDOWS\SYSTEM32\wvgwurpd.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
O23 - Service: ServiceLayer - Nokia. - C:\Program Files\PC Connectivity Solution\ServiceLayer.exe

--
End of file - 8868 bytes



ComboFix 07-11-19.4 - amdx2 2007-11-28 13:42:56.3 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1250.1.1033.18.214 [GMT 1:00]
Running from: C:\Documents and Settings\amdx2\Desktop\ComboFix.exe
Command switches used :: H:\CFScript.txt
* Created a new restore point

FILE
C:\n.bat
C:\WINDOWS\system32\efcdefe.dll
C:\WINDOWS\system32\elbaaivq.dll
C:\WINDOWS\system32\iypqadjn.dll
C:\WINDOWS\system32\joqqfleb.dll
C:\WINDOWS\system32\kviqvuhm.ini
C:\WINDOWS\system32\lsqxocmq.dll
C:\WINDOWS\system32\mhuvqivk.dll
C:\WINDOWS\system32\mljhedd.dll
C:\WINDOWS\system32\nnxqotev.exe
C:\WINDOWS\system32\noulvacq.dll
C:\WINDOWS\system32\oejcbbbp.exe
C:\WINDOWS\system32\petpiiyp.exe
C:\WINDOWS\system32\qgjutgmc.ini
C:\WINDOWS\system32\qhblcfxa.ini
C:\WINDOWS\system32\qmcoxqsl.ini
C:\WINDOWS\system32\qommnlm.dll
C:\WINDOWS\system32\rdcscdqy.exe
C:\WINDOWS\system32\udbpaxny.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vfsclgkp.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\wvgwurpd.dllbox
.
---- Previous Run -------
.
C:\n.bat
C:\WINDOWS\system32\efcdefe.dll
C:\WINDOWS\system32\elbaaivq.dll
C:\WINDOWS\system32\iypqadjn.dll
C:\WINDOWS\system32\joqqfleb.dll
C:\WINDOWS\system32\kviqvuhm.ini
C:\WINDOWS\system32\lsqxocmq.dll
C:\WINDOWS\system32\mhuvqivk.dll
C:\WINDOWS\system32\mljhedd.dll
C:\WINDOWS\system32\nnxqotev.exe
C:\WINDOWS\system32\noulvacq.dll
C:\WINDOWS\system32\oejcbbbp.exe
C:\WINDOWS\system32\petpiiyp.exe
C:\WINDOWS\system32\qgjutgmc.ini
C:\WINDOWS\system32\qhblcfxa.ini
C:\WINDOWS\system32\qmcoxqsl.ini
C:\WINDOWS\system32\qommnlm.dll
C:\WINDOWS\system32\rdcscdqy.exe
C:\WINDOWS\system32\udbpaxny.dll
C:\WINDOWS\system32\vbzip10.dll
C:\WINDOWS\system32\vfsclgkp.ini
C:\WINDOWS\system32\wvgwurpd.dllbox

.
((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-28 )))))))))))))))))))))))))))))))
.

2007-11-20 09:05 0 --a------ C:\z.dat
2007-11-20 09:05 0 --a------ C:\x.dat
2007-11-19 17:44 <DIR> d-------- C:\Program Files\Trend Micro
2007-11-19 16:14 <DIR> d-------- C:\Program Files\Lavasoft
2007-11-19 16:13 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-11-19 08:40 256 --a------ C:\Documents and Settings\amdx2\z.dat
2007-11-19 08:40 0 --a------ C:\Documents and Settings\amdx2\x.dat
2007-11-18 22:19 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2007-11-18 22:05 <DIR> d-------- C:\Program Files\Common Files\Adobe Systems Shared
2007-11-16 13:27 <DIR> d-------- C:\Program Files\iTunes
2007-11-16 13:27 <DIR> d-------- C:\Program Files\iPod
2007-11-15 15:07 <DIR> d-------- C:\Program Files\AVIConverter
2007-11-13 06:06 271,224 --a------ C:\WINDOWS\system32\mucltui.dll
2007-11-13 06:06 207,736 --a------ C:\WINDOWS\system32\muweb.dll
2007-11-13 06:06 30,072 --a------ C:\WINDOWS\system32\mucltui.dll.mui
2007-11-12 22:25 <DIR> d--hsc--- C:\Program Files\Common Files\WindowsLiveInstaller
2007-11-12 22:24 <DIR> d-------- C:\Program Files\Windows Live
2007-11-12 22:24 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\WLInstaller
2007-11-09 16:42 <DIR> d-------- C:\Program Files\Free MP3 Sound Recorder
2007-11-09 16:42 1,843,200 --a------ C:\WINDOWS\system32\NCTAudioFile2.dll
2007-11-09 16:42 344,064 --a------ C:\WINDOWS\system32\msvcr70.dll
2007-11-09 16:42 335,872 --a------ C:\WINDOWS\system32\NCTAudioVisualization2.dll
2007-11-09 16:42 311,296 --a------ C:\WINDOWS\system32\NCTAudioRecord2.dll
2007-11-09 10:28 <DIR> d-------- C:\Documents and Settings\amdx2\Application Data\ivivo
2007-11-09 10:21 <DIR> d-------- C:\Program Files\iViVo
2007-11-09 10:09 <DIR> d-------- C:\Program Files\freebird
2007-11-09 09:57 <DIR> d-------- C:\WINDOWS\Freecorder Toolbar
2007-11-09 09:57 <DIR> d-------- C:\Program Files\Freecorder
2007-11-07 22:27 <DIR> d-------- C:\boca cicha 2007
2007-11-06 16:12 <DIR> d-------- C:\Documents and Settings\Marko\Application Data\Leadertech
2007-11-05 12:50 <DIR> d-------- C:\Documents and Settings\amdx2\Application Data\Apple Computer
2007-11-05 12:49 <DIR> d-------- C:\Program Files\Common Files\Apple
2007-11-05 12:39 <DIR> d-------- C:\Program Files\Apple Software Update
2007-11-05 12:39 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple
2007-11-04 22:43 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-10-31 14:03 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\PC Suite
2007-10-31 14:03 <DIR> d-------- C:\Documents and Settings\Guest\Application Data\Nokia
2007-10-29 19:55 90,624 --a------ C:\WINDOWS\system32\kswdmcap.ax
2007-10-29 19:55 61,952 --a------ C:\WINDOWS\system32\kstvtune.ax
2007-10-29 19:55 43,008 --a------ C:\WINDOWS\system32\ksxbar.ax
2007-10-29 19:55 17,024 --a------ C:\WINDOWS\system32\drivers\CCDECODE.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-28 12:40 --------- d-----r C:\Documents and Settings\amdx2\Application Data\BeInSync Settings
2007-11-20 08:31 --------- d-----w C:\Program Files\Java
2007-11-19 11:22 --------- d-----w C:\Program Files\GfedEuroen86F
2007-11-19 09:56 --------- d-----w C:\Program Files\Common Files\Adobe
2007-11-19 09:47 --------- d-----w C:\Program Files\LimeWire
2007-11-18 20:13 --------- d-----w C:\Documents and Settings\amdx2\Application Data\Skype
2007-11-18 18:18 --------- d-----w C:\Documents and Settings\amdx2\Application Data\Corel
2007-11-16 12:26 --------- d-----w C:\Program Files\QuickTime
2007-11-14 14:28 --------- d-----w C:\Program Files\eMule
2007-11-13 08:19 --------- d-----w C:\Program Files\MSN Messenger
2007-10-29 09:52 --------- d-----w C:\Documents and Settings\All Users\Application Data\PC Suite
2007-10-03 01:00 --------- d-----w C:\Program Files\MSXML 4.0
2007-10-02 17:53 --------- d-----w C:\Documents and Settings\Marko\Application Data\Skype
2007-10-01 11:16 --------- d-----w C:\Documents and Settings\Marko\Application Data\PC Suite
2007-10-01 11:16 --------- d-----w C:\Documents and Settings\Marko\Application Data\Nokia
2007-10-01 11:15 839,690 ----a-w C:\WINDOWS\Fonts\Crack.exe
2007-10-01 11:15 839,689 --sh--w C:\WINDOWS\Fonts\svchost.exe
2007-10-01 11:15 --------- d-----w C:\Documents and Settings\amdx2\Application Data\Nokia
2007-10-01 11:06 --------- d-----w C:\Program Files\Nokia
2007-10-01 11:06 --------- d-----w C:\Program Files\DIFX
2007-10-01 11:06 --------- d-----w C:\Program Files\Common Files\PCSuite
2007-10-01 11:06 --------- d-----w C:\Documents and Settings\amdx2\Application Data\PC Suite
2007-10-01 11:05 --------- d-----w C:\Program Files\PC Connectivity Solution
.

(((((((((((((((((((((((((((((((((((((((((((( Look )))))))))))))))))))))))))))))))))))))))))))))))))))))))))
.

---- Directory of C:\Program Files\GfedEuroen86F ----



((((((((((((((((((((((((((((( snapshot@2007-11-28_13.40.34.51 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-11-28 12:45:09 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_45c.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
2007-11-21 09:49 145984 --a------ C:\WINDOWS\system32\wvgwurpd.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"= C:\WINDOWS\system32\wvgwurpd.dll [2007-11-21 09:49 145984]

[HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-10-09 11:28]
"MsnMsgr"="C:\Program Files\Windows Live\Messenger\msnmsgr.exe" [2007-10-18 11:34]
"updateMgr"="C:\Program Files\Adobe\Acrobat 7.0\Acrobat\AdobeUpdateManager.exe" []
"BeInSync"="C:\Program Files\BeInSync\BeInSync.exe" [2006-12-14 09:55]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53]
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-08-13 08:45]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 23:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NVMixerTray"="C:\Program Files\NVIDIA Corporation\NvMixer\NVMixerTray.exe" [2004-12-20 17:12]
"NvCplDaemon"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"nwiz"="nwiz.exe" [2006-10-22 12:22 C:\WINDOWS\system32\nwiz.exe]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-09-06 11:06]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2006-01-12 16:40]
"NvMediaCenter"="RUNDLL32.exe" [2004-08-03 23:56 C:\WINDOWS\system32\rundll32.exe]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 01:11]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2007-01-21 23:37]
"SweetIM"="C:\Program Files\Macrogaming\SweetIM\SweetIM.exe" [2006-12-27 16:53]
"Adobe Reader Speed Launcher"="C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe" [2007-05-11 02:06]
"Adobe Photo Downloader"="C:\Program Files\Adobe\Photoshop Album Starter Edition\3.0\Apps\apdproxy.exe" [2005-07-07 17:41]
"NSLauncher"="C:\Program Files\Nokia\Nokia Software Launcher\NSLauncher.exe" [2007-03-07 09:58]
"QuickTime Task"="C:\Program Files\QuickTime\QTTask.exe" [2007-10-19 20:16]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2007-11-02 18:36]

[hklm\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{561F5138-43B1-45D9-AEC9-478C51C1BD09}"= C:\PROGRA~1\BeInSync\BISShellEx.dll [2006-12-14 09:58 134656]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvgwurpd]
wvgwurpd.dll 2007-11-21 09:49 145984 C:\WINDOWS\system32\wvgwurpd.dll

R1 BIOS;BIOS;\??\C:\WINDOWS\system32\drivers\BIOS.sys
R3 RimSerPort;RIM Virtual Serial Port;C:\WINDOWS\system32\DRIVERS\RimSerial.sys

.
Contents of the 'Scheduled Tasks' folder
"2007-11-17 14:29:03 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-28 13:45:43
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-28 13:47:40 - machine was rebooted
C:\ComboFix2.txt ... 2007-11-27 12:14
.
--- E O F ---
noahdfear
Looking much better. One of the .dat files appears to have something in it. The following will open it for you.

Highlight and copy the contents of the quote box below to a blank notepad. Save it to the desktop as;

Filename: z.bat
Save as type: All Files (*.*)

QUOTE
@echo off
ren "C:\Documents and Settings\amdx2\z.dat" z.txt
move "C:\Documents and Settings\amdx2\z.txt" "%userprofile%\desktop"
start notepad "%userprofile%\desktop\z.txt"

Double click z.bat to run it. It will rename z.bat to z.txt, move it to your desktop, then open z.txt when it completes. If there are passwords listed, those are the ones you need to change.


Close that for now. Please delete the ComboFix.exe file you currently have and download a fresh copy from here, saving it to your desktop.

Highlight and copy the contents of the code box below and paste it into a blank notepad, then save it to your desktop as;

Filename: CFScript.txt
Save As Type: All Files (*.*)

CODE
File::
C:\z.dat
C:\x.dat
C:\Documents and Settings\amdx2\x.dat
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7E853D72-626A-48EC-A868-BA8D5E23E045}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A95B2816-1D7E-4561-A202-68C0DE02353A}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
"{11A69AE4-FBED-4832-A2BF-45AF82825583}"=-
[-HKEY_CLASSES_ROOT\clsid\{11a69ae4-fbed-4832-a2bf-45af82825583}]
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\wvgwurpd]


Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. ComboFix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.

Note - Your internet connection will be terminated while ComboFix runs. Should ComboFix terminate prematurely, restart the computer to restore connectivity.
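How the Registry:: section of that CFScript follows from the HijackThis lines it targets, as an added Python example that is not part of the thread and is not a tool from HijackThis or ComboFix: it parses the O2/O3/O20 lines, applies two rules that reproduce the choices in the script above, and drafts the same deletion entries. The sample lines are constructed from the log posted earlier; the CFScript syntax is taken from the script above, and the two rules are this example's own reading of why those entries were chosen.

```python
"""Cross-reference HijackThis O2/O3/O20 lines by DLL and draft a CFScript Registry:: section.
Added example for this thread; not a tool from the original post, HijackThis or ComboFix."""
import re

# Constructed sample: a few lines in the shape of the log posted above.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: (no name) - {A95B2816-1D7E-4561-A202-68C0DE02353A} - C:\WINDOWS\system32\wvgwurpd.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O3 - Toolbar: Security Toolbar - {11A69AE4-FBED-4832-A2BF-45AF82825583} - C:\WINDOWS\system32\wvgwurpd.dll
O20 - Winlogon Notify: wvgwurpd - C:\WINDOWS\SYSTEM32\wvgwurpd.dll
"""

# O2 (BHO) and O3 (toolbar) lines share one shape; O20 (Winlogon Notify) has its own.
ENTRY_RE = re.compile(r"^(?P<kind>O2|O3) - (?:BHO|Toolbar): (?P<name>.*?) - "
                      r"\{(?P<clsid>[0-9A-Fa-f-]{36})\} - (?P<path>.*)$")
NOTIFY_RE = re.compile(r"^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$")

def parse(log):
    """One dict per recognised line; paths lower-cased, since the log writes the same DLL in mixed case."""
    entries = []
    for line in log.splitlines():
        m = ENTRY_RE.match(line) or NOTIFY_RE.match(line)
        if m:
            d = m.groupdict()
            d.setdefault("kind", "O20")
            d["path"] = d["path"].strip().lower()
            entries.append(d)
    return entries

def suspicious(entries):
    """Two rules that reproduce the choices in the CFScript above: (1) an unnamed BHO whose
    file is gone is an orphan registration; (2) a DLL that hooks Winlogon (O20) and also loads
    into IE as a BHO/toolbar is not add-on behaviour, so every entry pointing at it goes.
    A DLL seen only in O2/O3 (the Google toolbar here) is left alone."""
    hooked = {e["path"] for e in entries if e["kind"] == "O20"}
    return [e for e in entries
            if (e["kind"] == "O2" and e["name"] == "(no name)" and e["path"] == "(no file)")
            or e["path"] in hooked]

def cfscript_registry(flagged):
    """Registry:: lines in the syntax of the script above: [-key] removes a key, "value"=-
    removes one value, and \\~\\ is ComboFix's shorthand for the Browser Helper Objects key."""
    bhos = [e["clsid"] for e in flagged if e["kind"] == "O2"]
    toolbars = [e["clsid"] for e in flagged if e["kind"] == "O3"]
    hooks = [e["key"] for e in flagged if e["kind"] == "O20"]
    lines = ["Registry::"]
    lines += [r"[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{%s}]" % c for c in bhos]
    if toolbars:  # the toolbar list holds one value per CLSID, plus the COM class itself
        lines.append(r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]")
        lines += ['"{%s}"=-' % c for c in toolbars]
        lines += [r"[-HKEY_CLASSES_ROOT\clsid\{%s}]" % c.lower() for c in toolbars]
    lines += [r"[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion"
              r"\winlogon\notify\%s]" % k for k in hooks]
    return lines

if __name__ == "__main__":
    print("\n".join(cfscript_registry(suspicious(parse(SAMPLE_LOG)))))
```

Run over the full log posted earlier it yields the same Registry:: block as the script above; the File:: lines for the .dat files remain the analyst's own call.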