I have this virus called Trojan.Vundo and can't remove it. I've tried Norton's removal options, downloaded software to remove it etc. and nothing worked. Can someone who had this same problem with Trojan.Vundo help me to remove it? I'm a novice on a computer (programming) so the easiest way would help. Thanks and I'd appreciate it. Also I tried downloading removals from MajorGeeks and they didn't work either. Thanks again!

... have you tried this?:
http://www.computing.net/answers/se...
Grrrr
wat do I know?
... got brain freeze

Thanks Mavis. I tried that also but here's the problem now. It says that there is no Trojan.Vundo virus found but when I turn on or restart my computer Norton always opens with a message overlapping the screen saying my computer is infected with a virus (Trojan.Vundo). So now I don't know what's going on. It says there's no virus and it also says it's there. If it is no virus how do I keep that from popping up each time Norton runs? Thanks again!

Try VundoFix from Atribune.org
In your first post you did not say it was Vundo. You probably got your trojan from the same place your brother got his.
However, if your Java is not up to date you are still vulnerable; 1.6.7 is the current version.
Good luck
A reply can be helpful to others

Thanks Jack. I ran the program and it says the same "no virus found" message. As mentioned above when Norton opens it says "High Risk your computer is infected." And it says it's Trojan.Vundo. Also, now when I go from one website to the next using IE or Aol the toolbar and my desktop completely disappears. I don't even see Start. All I can do is continue online or use Ctrl, Alt and Del to use Task Manager to restart my computer. Any help would be appreciated. Thanks!

Try System restore
start>run>msconfig system restore
this should bring your system back to what it was,
to see if you are really infected get a second opinion at
http://www.bitdefender.com/scan8/ie...
it may be a false positive. You see, Atribune.org are the best people I know to deal with Vundo & if they say it's not Vundo then it may well not be. I don't/won't use Norton myself so I cannot say how frequent false positives are. The person best to deal with Vundo no longer seems to post here, alas.
as ever good luck
A reply can be helpful to others

If you haven't run "system restore" yet I may be able to help you. We will need to run a few scans.
Please download and install the latest version of HijackThis v2.0.2:
Download the "HijackThis" Installer from this link:
Hijack This
1. Save "HJTInstall.exe" to your desktop.
2. Double click on HJTInstall.exe to run the program.
3. By default it will install to C:\Program Files\Trend Micro\HijackThis.
4. Accept the license agreement by clicking the "I Accept" button.
5. Click on the "Do a system scan and save a log file" button. It will scan and then ask you to save the log.
6. Click "Save log" to save the log file and then the log will open in Notepad.
7. Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
8. Paste the log in your next reply.
9. Do NOT have HijackThis fix anything yet! Most of what it finds will be harmless or even required.

I've tried Malwarebytes and after running it the same thing pops up and nothing has changed. This is the object name and again the virus name that can't be removed
Object Name c:\WINDOWS\system32\tuvWnLDv.ll
Virus Name Trojan.Vundo
I'm still trying the other suggestions but wanted to add the object name if it'll help. Thanks again!!!

To remove Vundo we need the Hijack This scan then another scan or two to help find the baddies. Depending on the version other tools may be needed.
There is usually no one quick method to get rid of it, but there has been a single tool in a few variants that worked alone to remove Vundo.

hello THE DAY
If you look at the last post (post 5), I mentioned that the best person to deal with Vundo has not posted for some time. Well, he has now; the poster is "JABUCK", so you are now in good hands. Regards (luck may not be needed)
A reply can be helpful to others

Here's the log. Thanks and hope it helps!
Logfile
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\Rundll32.exe
C:\Program Files\AWS\WeatherBug\Weather.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = About:Blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = About:Blank
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon-online.aol.com/
R3 - URLSearchHook: AOLTBSearch Class - {EA756889-2338-43DB-8F07-D1CA6FB9C90D} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [DesktopSnooper] C:\Program Files\MTI\Desktop Snooper\MSDesksn.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_03\bin\jusched.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [PC-Checkup] "C:\Program Files\Speeditup Free\PCCheckUp\PCCheckUp.exe" -mini
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [ScanSoft PaperPort 7 Registration Reminder] "C:\Program Files\ScanSoft\PaperPort\NAVBrowser.exe" /r /i "C:\Program Files\ScanSoft\PaperPort\NavLoad.ini"
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [a220afcf] rundll32.exe "C:\WINDOWS\system32\crakduln.dll",b
O4 - HKLM\..\Run: [BMa1139c53] Rundll32.exe "C:\WINDOWS\system32\qcacegou.dll",s
O4 - HKCU\..\Run: [SpeedItUpEX] C:\Program Files\Speeditup Free\SpeedItUp.exe -MINI
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.exe" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/in...
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/...
O20 - AppInit_DLLs: xaninr.dll jpphpg.dll hpxgmt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10804 bytes
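
A triage pass over the HijackThis log above, written in Python as an added example; it is not part of the original thread and not HijackThis's own logic. It flags for review the Run values that launch rundll32 against a DLL in system32, any DLL listed under AppInit_DLLs, and entries whose file is gone; the rule names and the `triage` function are assumptions made for illustration, and the sample lines are copied from the posted log.

```python
import ntpath
import re
from typing import List, NamedTuple

# Subset of the HijackThis log posted in this thread, copied verbatim.
SAMPLE_LOG = r'''
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [a220afcf] rundll32.exe "C:\WINDOWS\system32\crakduln.dll",b
O4 - HKLM\..\Run: [BMa1139c53] Rundll32.exe "C:\WINDOWS\system32\qcacegou.dll",s
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: xaninr.dll jpphpg.dll hpxgmt.dll
O23 - Service: Lavasoft Ad-Aware Service (aawservice) - Lavasoft - C:\Program Files\Lavasoft\Ad-Aware\aawservice.exe
'''


class Finding(NamedTuple):
    section: str  # HijackThis section code, e.g. "O4"
    rule: str     # heuristic that fired (names invented for this example)
    target: str   # file or entry a reviewer should look at


# "<section> - <payload>", e.g. "O4 - HKLM\..\Run: [name] command"
ENTRY = re.compile(r'^([A-Z]\d+) - (.+)$')
# O4 registry autoruns: hive, key, value name, command line
RUN_VALUE = re.compile(r'^(HK\w+)\\\.\.\\(\w+): \[(.+?)\] (.+)$')
# rundll32 followed by the DLL it is asked to load (export name dropped)
RUNDLL = re.compile(r'rundll32(?:\.exe)?"?\s+"?([^",]+\.dll)', re.I)
# HijackThis marks entries whose target file no longer exists
ORPHAN = re.compile(r'\((?:no file|file missing)\)\s*$')


def triage(log_text: str) -> List[Finding]:
    """Return the log entries worth a closer look, in log order."""
    findings = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # header, running-process list or blank line
        section, payload = m.groups()

        if section == "O4":
            # A Run value that starts rundll32 on a DLL sitting directly in
            # system32 runs that DLL at every logon without its own .exe.
            run = RUN_VALUE.match(payload)
            dll = RUNDLL.search(run.group(4)) if run else None
            if dll:
                folder = ntpath.basename(ntpath.dirname(dll.group(1)))
                if folder.lower() == "system32":
                    findings.append(
                        Finding(section, "run-rundll32-system32", dll.group(1)))
        elif section == "O20" and payload.startswith("AppInit_DLLs:"):
            # DLLs named here are loaded into every process that loads
            # user32.dll, so each name needs an owner the user recognises.
            names = payload.split(":", 1)[1].strip()
            for name in re.split(r'[\s,]+', names):
                if name:
                    findings.append(Finding(section, "appinit-dll", name))

        if ORPHAN.search(payload):
            findings.append(Finding(section, "orphaned-entry", payload))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.section:<4}{f.rule:<24}{f.target}")
```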

Your java is out of date and has been exploited.
Download the latest version of java from this link Java
Click on the JRE 6 Update 7 download button.
Check the box that says: "Accept License Agreement". The page will refresh.
Click on the link to download Windows Offline Installation with or without Multi-language and save to your desktop.
Close any programs you may have running - especially your web browser.
Go to Start > Control Panel, double-click on Add/Remove Programs and remove all older versions of Java. Check any item with Java Runtime Environment (JRE or J2SE) in the name. It should have the "coffee cup" icon next to it.
Click the Remove or Change/Remove button. Repeat as many times as necessary to remove each Java version.
Reboot your computer once all Java components are removed.
Then from your desktop double-click on jre-6u7-windows-i586-p.exe to install the newest version.
Then we need to temporarily turn off Norton's "script blocking" and any real time protection that you have as it will interfere with the fix and reinstall the bad files.
1 Start Norton AntiVirus.
If Norton AntiVirus is installed as part of Norton SystemWorks or Norton Internet Security, then start that program.
2 Click Options.
If you see a menu, click Norton AntiVirus.
3 In the left pane, click Script Blocking.
4 In the right pane, uncheck Enable Script Blocking (recommended).
5 Click OK.
Go to this link:
Follow their directions to disable any realtime protection that you have.
Next, the following tool is dangerous in the wrong hands so follow the instructions exactly. Please download ComboFix to the desktop from one of the following links:
Link 3
Double-click combofix.exe
Follow the prompts.
(Don't click on the window while the program is running or move the mouse, it will cause your system to hang.)
Please post the log it produces.

Here's the log that appeared
ComboFix 08-08-04.01 - 2008-08-04 21:33:20.1 - NTFSx86
Running from: C:\Documents and Settings\Desktop\ComboFix.exe
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.
C:\Temp\1cb
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\BMa1139c53.txt
C:\WINDOWS\BMa1139c53.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\hewkmqel.ini
C:\WINDOWS\system32\jjmeedwu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlauibjo.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nludkarc.ini
C:\WINDOWS\system32\oleortvl.ini
C:\WINDOWS\system32\quogaoys.ini
C:\WINDOWS\system32\rYFLUvut.ini
C:\WINDOWS\system32\rYFLUvut.ini2
C:\WINDOWS\system32\tsgeyusk.ini
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-04 20:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-04 20:34 . 2008-08-04 20:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-04 15:00 . 2008-08-04 15:00 2,048 --a------ C:\WINDOWS\system32\efolubqx.exe
2008-08-04 14:57 . 2008-08-04 14:57 83,456 --a------ C:\WINDOWS\system32\ksuyegst.dll
2008-08-04 14:54 . 2008-08-04 14:54 105,472 --a------ C:\WINDOWS\system32\ylfbsa.dll
2008-08-04 14:54 . 2008-08-04 14:54 105,472 --a------ C:\WINDOWS\system32\sixqelpp.dll
2008-08-04 14:48 . 2008-08-04 14:48 91,648 --a------ C:\WINDOWS\system32\ndcddwir.dll
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Vuze
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-04 12:41 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\McAfee
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\HP RecordNow
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\HP CD-DVD
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\Ares
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\Absolute Poker
2008-08-03 20:59 . 2008-08-03 20:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-03 20:59 . 2008-08-04 13:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 14:56 . 2008-08-03 14:56 114,176 --a------ C:\WINDOWS\system32\hpxgmt.dll
2008-08-03 14:56 . 2008-08-03 14:56 114,176 --a------ C:\WINDOWS\system32\gjluongh.dll
2008-08-03 14:47 . 2008-08-03 14:47 91,648 --a------ C:\WINDOWS\system32\qcacegou.dll
2008-08-02 19:43 . 2008-08-02 19:43 <DIR> d-------- C:\Documents and Settings\Application Data\Malwarebytes
2008-08-02 19:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 19:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 19:40 . 2008-08-02 19:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 19:40 . 2008-08-02 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 14:50 . 2008-08-02 14:50 114,176 --a------ C:\WINDOWS\system32\jpphpg.dll
2008-08-02 14:38 . 2008-08-02 14:45 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-02 11:04 . 2008-08-02 11:04 <DIR> d-------- C:\VundoFix Backups
2008-08-01 14:51 . 2008-08-01 14:51 114,176 --a------ C:\WINDOWS\system32\xaninr.dll
2008-08-01 14:51 . 2008-08-01 14:51 114,176 --a------ C:\WINDOWS\system32\wtgyvdye.dll
2008-08-01 14:45 . 2008-08-01 14:45 91,648 --a------ C:\WINDOWS\system32\fukyhxvi.dll
2008-08-01 00:34 . 2008-08-01 00:34 <DIR> d-------- C:\Program Files\CCleaner
2008-07-31 21:36 . 2008-07-31 21:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-31 12:03 . 2008-07-31 12:03 105,472 --a------ C:\WINDOWS\system32\iiwtzl.dll
2008-07-31 12:02 . 2008-07-31 12:03 105,472 --a------ C:\WINDOWS\system32\rhflqyim.dll
2008-07-31 11:57 . 2008-07-31 11:57 91,648 --a------ C:\WINDOWS\system32\iddtrtdv.dll
2008-07-31 02:28 . 2008-07-31 02:29 <DIR> d-------- C:\WINDOWS\_VXUInst
2008-07-31 00:39 . 2008-07-31 02:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 11:57 . 2008-07-30 11:57 105,472 --a------ C:\WINDOWS\system32\tojqbg.dll
2008-07-30 11:57 . 2008-07-30 11:57 105,472 --a------ C:\WINDOWS\system32\pjerxlyl.dll
2008-07-30 11:55 . 2008-07-30 11:55 91,648 --a------ C:\WINDOWS\system32\kieplvxx.dll
2008-07-28 23:00 . 2008-07-28 23:00 105,472 --a------ C:\WINDOWS\system32\oiarhppn.dll
2008-07-28 23:00 . 2008-07-28 23:00 105,472 --a------ C:\WINDOWS\system32\hrpxmd.dll
2008-07-28 22:51 . 2008-07-28 22:51 91,648 --a------ C:\WINDOWS\system32\uiecgpba.dll
2008-07-28 00:59 . 2008-07-28 00:59 314,880 --a------ C:\WINDOWS\system32\tuvULFYr.dll
2008-07-28 00:54 . 2008-07-28 00:54 <DIR> d-------- C:\Temp\epr1
2008-07-28 00:54 . 2008-07-28 00:54 26,112 --a------ C:\WINDOWS\system32\tuvWnLDv.dll
2008-07-27 23:10 . 2008-07-29 00:21 <DIR> d-------- C:\Documents and Settings\Application Data\Azureus
2008-07-27 23:10 . 2008-07-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-13 23:42 . 2008-07-13 23:42 <DIR> d-------- C:\Program Files\Steinberg
2008-07-13 23:29 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-13 23:29 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-13 23:28 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-13 23:28 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-08 02:57 . 2002-01-01 03:28 860,211 --a-s---- C:\WINDOWS\system32\XSIFtk-3.6.2.1.dll
2008-07-05 02:39 . 2008-07-05 02:39 <DIR> d-------- C:\Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 00:45 --------- d-----w C:\Program Files\Java
2008-08-04 23:24 --------- d-----w C:\Program Files\PokerStars
2008-08-02 05:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-01 02:35 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-31 03:51 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-27 08:49 --------- d-----w C:\Program Files\UltimateBet
2008-07-27 08:49 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-23 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-21 12:13 --------- d-----w C:\Program Files\LimeWire
2008-06-22 02:38 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-06-22 02:34 --------- d-----w C:\Program Files\Logitech
2008-06-22 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-06-22 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-22 02:15 --------- d-----w C:\Program Files\Common Files\Logitech
2008-06-14 04:36 --------- d--h--r C:\Documents and Settings\Application Data\yahoo!
2008-06-14 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-05 04:35 --------- d-----w C:\Documents and Settings\Application Data\ArcSoft
2005-03-03 05:45 784 ----a-w C:\Documents and Settings\Application Data\mpauth.dat
2004-09-14 22:14 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42BFABD3-B070-4053-9485-30D7E000D3D3}]
2008-07-28 00:54 26112 --a------ C:\WINDOWS\system32\tuvWnLDv.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5812238A-67CC-4318-A9AB-30BACB767C7F}]
2008-07-28 00:59 314880 --a------ C:\WINDOWS\system32\tuvULFYr.dll
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e54bf0c9-787e-404e-aef7-db4de836f010}]
2008-08-04 14:54 105472 --a------ C:\WINDOWS\system32\ylfbsa.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 11:55 1347584]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03 1957888]
"AOL Fast Start"="C:\Program Files\America Online 9.0c\AOL.exe" [2005-07-12 07:17 50776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"HostManager"="C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe" [2007-04-12 17:23 42032]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-11-27 08:54 100056]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 18:42 79448]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 14:14 185896]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"a220afcf"="C:\WINDOWS\system32\ksuyegst.dll" [2008-08-04 14:57 83456]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
"BMa1139c53"="C:\WINDOWS\system32\ndcddwir.dll" [2008-08-04 14:48 91648]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 02:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{42BFABD3-B070-4053-9485-30D7E000D3D3}"= "C:\WINDOWS\system32\tuvWnLDv.dll" [2008-07-28 00:54 26112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvWnLDv]
2008-07-28 00:54 26112 C:\WINDOWS\system32\tuvWnLDv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\1103181270\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\America Online 9.0c\\waol.exe"=
S3 ess;ESS Audio Driver (WDM);C:\WINDOWS\system32\drivers\ess.sys [2001-08-17 08:19]
S3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;C:\WINDOWS\system32\DRIVERS\netflx3.sys []
S3 NETGEAR NETGEAR_MA101_USB_Adapter(R);NETGEAR NETGEAR_MA101_USB_Adapter(R) Service for NETGEAR MA101 USB Adapter;C:\WINDOWS\system32\DRIVERS\ma1012kr.sys [2007-07-04 17:20]
S3 s3m;s3m;C:\WINDOWS\system32\DRIVERS\s3m.sys [2001-08-17 08:50]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51691660-a4e9-11d8-b97d-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65f4e9bb-4ab9-11dd-a296-00038a000015}]
\Shell\AutoRun\command - F:\wd_windows_tools\WDEULA.exe
.
Contents of the 'Scheduled Tasks' folder
2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe []
2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe []
2008-07-25 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Day.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
.
- - - - ORPHANS REMOVED - - - -
HKCU-Run-SpeedItUpEX - C:\Program Files\Speeditup Free\SpeedItUp.exe
HKLM-Run-Microsoft Works Update Detection - C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
HKLM-Run-DesktopSnooper - C:\Program Files\MTI\Desktop Snooper\MSDesksn.exe
HKLM-Run-PC-Checkup - C:\Program Files\Speeditup Free\PCCheckUp\PCCheckUp.exe
HKLM-Run-ScanSoft PaperPort 7 Registration Reminder - C:\Program Files\ScanSoft\PaperPort\NAVBrowser.exe
.
------- Supplementary Scan -------
.
R0 -: HKCU-Main,Start Page = hxxp://verizon-online.aol.com/
O8 -: &AIM Search - C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 -: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 -: E&xport to Microsoft Excel - C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 -: {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 -: {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe
O16 -: {DC187740-46A9-11D5-A815-00B0D0428C0C} - hxxp://ds1.downloadtech.net/cn1060/pcpowerscan.cab
C:\WINDOWS\Downloaded Program Files\SETUP.INF
C:\WINDOWS\Downloaded Program Files\pcpowerscan.exe
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-04 21:57:39
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tuvWnLDv.dll
PROCESS: C:\WINDOWS\explorer.exe
-> C:\WINDOWS\system32\ksuyegst.dll
-> C:\WINDOWS\system32\ndcddwir.dll
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Common Files\Symantec Shared\CCSETMGR.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\AluSchedulerSvc.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltpspd.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\NAVAPSVC.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMNTOR.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\Microsoft Office\Office10\MSOFFICE.exe
C:\Program Files\Common Files\LogiShrd\LQCVFX\COCIManager.exe
C:\Program Files\America Online 9.0c\shellmon.exe
.
**************************************************************************
.
Completion time: 2008-08-04 22:23:40 - machine was rebooted
ComboFix-quarantined-files.txt 2008-08-05 02:21:33
Pre-Run: 16,946,941,952 bytes free
Post-Run: 16,944,328,704 bytes free
256
Thanks again Jabuck!

Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\Temp\1cb
C:\Temp\fse
C:\Temp\fse\tmpZTF.log
C:\WINDOWS\BMa1139c53.txt
C:\WINDOWS\BMa1139c53.xml
C:\WINDOWS\cookies.ini
C:\WINDOWS\pskt.ini
C:\WINDOWS\system32\actskn43.ocx
C:\WINDOWS\system32\hewkmqel.ini
C:\WINDOWS\system32\jjmeedwu.ini
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\mlauibjo.ini
C:\WINDOWS\system32\MSINET.oca
C:\WINDOWS\system32\nludkarc.ini
C:\WINDOWS\system32\oleortvl.ini
C:\WINDOWS\system32\quogaoys.ini
C:\WINDOWS\system32\rYFLUvut.ini
C:\WINDOWS\system32\rYFLUvut.ini2
C:\WINDOWS\system32\tsgeyusk.ini
C:\WINDOWS\system32\efolubqx.exe
C:\WINDOWS\system32\ksuyegst.dll
C:\WINDOWS\system32\ylfbsa.dll
C:\WINDOWS\system32\sixqelpp.dll
C:\WINDOWS\system32\ndcddwir.dll
C:\WINDOWS\system32\hpxgmt.dll
C:\WINDOWS\system32\gjluongh.dll
C:\WINDOWS\system32\qcacegou.dll
C:\WINDOWS\system32\jpphpg.dll
C:\WINDOWS\system32\xaninr.dll
C:\WINDOWS\system32\wtgyvdye.dll
C:\WINDOWS\system32\fukyhxvi.dll
C:\WINDOWS\system32\iiwtzl.dll
C:\WINDOWS\system32\rhflqyim.dll
C:\WINDOWS\system32\iddtrtdv.dll
C:\WINDOWS\system32\tojqbg.dll
C:\WINDOWS\system32\pjerxlyl.dll
C:\WINDOWS\system32\kieplvxx.dll
C:\WINDOWS\system32\oiarhppn.dll
C:\WINDOWS\system32\hrpxmd.dll
C:\WINDOWS\system32\uiecgpba.dll
C:\WINDOWS\system32\tuvULFYr.dll
C:\WINDOWS\system32\tuvWnLDv.dll
C:\WINDOWS\system32\ksuyegst.dll
C:\WINDOWS\system32\ndcddwir.dll
C:\WINDOWS\Downloaded Program Files\SETUP.INF
C:\WINDOWS\Downloaded Program Files\pcpowerscan.exe
C:\WINDOWS\system32\qcacegou.dll
Folder::
C:\Temp\epr1
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42BFABD3-B070-4053-9485-30D7E000D3D3}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{5812238A-67CC-4318-A9AB-30BACB767C7F}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{e54bf0c9-787e-404e-aef7-db4de836f010}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"a220afcf"=-
"BMa1139c53"=-
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{42BFABD3-B070-4053-9485-30D7E000D3D3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvWnLDv]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".
Post a new ComboFix log and a new HijackThis log please.

Jabuck, here's the log file from Combofix and below it the log from Hijackthis
ComboFix 08-08-04.01 - Day 2008-08-05 14:56:41.3 - NTFSx86
Running from: C:\Documents and Settings\Day\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Day\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-05 to 2008-08-05 )))))))))))))))))))))))))))))))
.
2008-08-04 20:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-04 20:34 . 2008-08-04 20:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-04 15:00 . 2008-08-04 15:00 2,048 --a------ C:\WINDOWS\system32\efolubqx.exe
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Vuze
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-04 12:41 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\McAfee
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\HP RecordNow
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\HP CD-DVD
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\Ares
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\Absolute Poker
2008-08-03 20:59 . 2008-08-03 20:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-03 20:59 . 2008-08-04 13:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 14:56 . 2008-08-03 14:56 114,176 --a------ C:\WINDOWS\system32\hpxgmt.dll
2008-08-03 14:56 . 2008-08-03 14:56 114,176 --a------ C:\WINDOWS\system32\gjluongh.dll
2008-08-03 14:47 . 2008-08-03 14:47 91,648 --a------ C:\WINDOWS\system32\qcacegou.dll
2008-08-02 19:43 . 2008-08-02 19:43 <DIR> d-------- C:\Documents and Settings\Day\Application Data\Malwarebytes
2008-08-02 19:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 19:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 19:40 . 2008-08-02 19:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 19:40 . 2008-08-02 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 14:50 . 2008-08-02 14:50 114,176 --a------ C:\WINDOWS\system32\jpphpg.dll
2008-08-02 14:38 . 2008-08-02 14:45 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-02 11:04 . 2008-08-02 11:04 <DIR> d-------- C:\VundoFix Backups
2008-08-01 14:51 . 2008-08-01 14:51 114,176 --a------ C:\WINDOWS\system32\xaninr.dll
2008-08-01 14:51 . 2008-08-01 14:51 114,176 --a------ C:\WINDOWS\system32\wtgyvdye.dll
2008-08-01 14:45 . 2008-08-01 14:45 91,648 --a------ C:\WINDOWS\system32\fukyhxvi.dll
2008-08-01 00:34 . 2008-08-01 00:34 <DIR> d-------- C:\Program Files\CCleaner
2008-07-31 21:36 . 2008-07-31 21:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-31 12:03 . 2008-07-31 12:03 105,472 --a------ C:\WINDOWS\system32\iiwtzl.dll
2008-07-31 12:02 . 2008-07-31 12:03 105,472 --a------ C:\WINDOWS\system32\rhflqyim.dll
2008-07-31 11:57 . 2008-07-31 11:57 91,648 --a------ C:\WINDOWS\system32\iddtrtdv.dll
2008-07-31 02:28 . 2008-07-31 02:29 <DIR> d-------- C:\WINDOWS\_VXUInst
2008-07-31 00:39 . 2008-07-31 02:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 11:57 . 2008-07-30 11:57 105,472 --a------ C:\WINDOWS\system32\tojqbg.dll
2008-07-30 11:57 . 2008-07-30 11:57 105,472 --a------ C:\WINDOWS\system32\pjerxlyl.dll
2008-07-30 11:55 . 2008-07-30 11:55 91,648 --a------ C:\WINDOWS\system32\kieplvxx.dll
2008-07-28 23:00 . 2008-07-28 23:00 105,472 --a------ C:\WINDOWS\system32\oiarhppn.dll
2008-07-28 23:00 . 2008-07-28 23:00 105,472 --a------ C:\WINDOWS\system32\hrpxmd.dll
2008-07-28 22:51 . 2008-07-28 22:51 91,648 --a------ C:\WINDOWS\system32\uiecgpba.dll
2008-07-28 00:54 . 2008-07-28 00:54 <DIR> d-------- C:\Temp\epr1
2008-07-28 00:54 . 2008-07-28 00:54 26,112 --a------ C:\WINDOWS\system32\tuvWnLDv.dll
2008-07-27 23:10 . 2008-07-29 00:21 <DIR> d-------- C:\Documents and Settings\Day\Application Data\Azureus
2008-07-27 23:10 . 2008-07-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-13 23:42 . 2008-07-13 23:42 <DIR> d-------- C:\Program Files\Steinberg
2008-07-13 23:29 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-13 23:29 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-13 23:28 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-13 23:28 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-08 02:57 . 2002-01-01 03:28 860,211 --a-s---- C:\WINDOWS\system32\XSIFtk-3.6.2.1.dll
2008-07-05 02:39 . 2008-07-05 02:39 <DIR> d-------- C:\Games
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-05 05:20 --------- d-----w C:\Program Files\PokerStars
2008-08-05 00:45 --------- d-----w C:\Program Files\Java
2008-08-02 05:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-01 02:35 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-31 03:51 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-27 08:49 --------- d-----w C:\Program Files\UltimateBet
2008-07-27 08:49 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-23 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-21 12:13 --------- d-----w C:\Program Files\LimeWire
2008-06-22 02:38 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-06-22 02:34 --------- d-----w C:\Program Files\Logitech
2008-06-22 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-06-22 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-22 02:15 --------- d-----w C:\Program Files\Common Files\Logitech
2008-06-14 04:36 --------- d--h--r C:\Documents and Settings\Day\Application Data\yahoo!
2008-06-14 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2008-06-05 04:35 --------- d-----w C:\Documents and Settings\Day\Application Data\ArcSoft
2005-03-03 05:45 784 ----a-w C:\Documents and Settings\Day\Application Data\mpauth.dat
2004-09-14 22:14 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42BFABD3-B070-4053-9485-30D7E000D3D3}]
2008-07-28 00:54 26112 --a------ C:\WINDOWS\system32\tuvWnLDv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 11:55 1347584]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03 1957888]
"AOL Fast Start"="C:\Program Files\America Online 9.0c\AOL.exe" [2005-07-12 07:17 50776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"HostManager"="C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe" [2007-04-12 17:23 42032]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-11-27 08:54 100056]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 18:42 79448]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 14:14 185896]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 02:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{42BFABD3-B070-4053-9485-30D7E000D3D3}"= "C:\WINDOWS\system32\tuvWnLDv.dll" [2008-07-28 00:54 26112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvWnLDv]
2008-07-28 00:54 26112 C:\WINDOWS\system32\tuvWnLDv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\1103181270\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\America Online 9.0c\\waol.exe"=
S3 ess;ESS Audio Driver (WDM);C:\WINDOWS\system32\drivers\ess.sys [2001-08-17 08:19]
S3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;C:\WINDOWS\system32\DRIVERS\netflx3.sys []
S3 NETGEAR NETGEAR_MA101_USB_Adapter(R);NETGEAR NETGEAR_MA101_USB_Adapter(R) Service for NETGEAR MA101 USB Adapter;C:\WINDOWS\system32\DRIVERS\ma1012kr.sys [2007-07-04 17:20]
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe [2004-08-03 18:56]
S3 s3m;s3m;C:\WINDOWS\system32\DRIVERS\s3m.sys [2001-08-17 08:50]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51691660-a4e9-11d8-b97d-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65f4e9bb-4ab9-11dd-a296-00038a000015}]
\Shell\AutoRun\command - F:\wd_windows_tools\WDEULA.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe []
2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe []
2008-07-25 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Day.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-05 15:15:34
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tuvWnLDv.dll
.
Completion time: 2008-08-05 15:28:49
ComboFix-quarantined-files.txt 2008-08-05 19:27:53
ComboFix2.txt 2008-08-05 18:27:23
ComboFix3.txt 2008-08-05 02:23:51
Pre-Run: 16,899,391,488 bytes free
Post-Run: 16,890,630,144 bytes free
178
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:34:04 PM, on 8/5/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon-online.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\tuvWnLDv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.exe" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/in...
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/...
O20 - Winlogon Notify: tuvWnLDv - C:\WINDOWS\SYSTEM32\tuvWnLDv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10587 bytes
Thanx!

I believe script blocking is still running causing the reinstallation of the infected files. We need to make sure it is turned off, so please verify that you can turn it off.
Open Notepad and copy/paste everything between the X's into it and make sure "File::" is at the very top of the page.
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
File::
C:\WINDOWS\system32\efolubqx.exe
C:\WINDOWS\system32\hpxgmt.dll
C:\WINDOWS\system32\gjluongh.dll
C:\WINDOWS\system32\qcacegou.dll
C:\WINDOWS\system32\jpphpg.dll
C:\WINDOWS\system32\xaninr.dll
C:\WINDOWS\system32\wtgyvdye.dll
C:\WINDOWS\system32\fukyhxvi.dll
C:\WINDOWS\system32\iiwtzl.dll
C:\WINDOWS\system32\rhflqyim.dll
C:\WINDOWS\system32\iddtrtdv.dll
C:\WINDOWS\system32\tojqbg.dll
C:\WINDOWS\system32\pjerxlyl.dll
C:\WINDOWS\system32\kieplvxx.dll
C:\WINDOWS\system32\oiarhppn.dll
C:\WINDOWS\system32\hrpxmd.dll
C:\WINDOWS\system32\uiecgpba.dll
C:\WINDOWS\system32\tuvULFYr.dll
C:\WINDOWS\system32\tuvWnLDv.dll
Folder::
C:\Temp\epr1
C:\WINDOWS\_VXUInst
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42BFABD3-B070-4053-9485-30D7E000D3D3}]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{42BFABD3-B070-4053-9485-30D7E000D3D3}"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvWnLDv]
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
Go to File on the top bar and choose "Save As", change the "Save As Type" to All Files, name it CFScript.txt, then save it to your desktop.
Then drag/drop the CFScript.txt onto ComboFix.exe (the red X on your desktop); if ComboFix does not auto start, click "run".
Post a new ComboFix log and a new HijackThis log please.
Please download Malwarebytes' Anti-Malware from one of these sites:
1. Double Click mbam-setup.exe to install the application.
2. Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware, then click Finish.
3. If an update is found, it will download and install the latest version.
4. Once the program has loaded, select "Perform Quick Scan", then click Scan. The scan may take some time to finish, so please be patient.
5. When the scan is complete, click OK, then Show Results to view the results.
6. Make sure that everything found is checked, and click Remove Selected.
7. When disinfection is completed, a log will open in Notepad and you may be prompted to Restart. If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts; click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.
8. The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
9. Copy&Paste the entire report in your next reply.
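
The check that motivates the second CFScript in the post above, as an added example that is not part of the thread and not ComboFix's own code: it reads a CFScript and the "Files Created" listing of the next ComboFix log and reports which scripted files and folders are still listed, and which script entries match no listed path except for the extension. The sample text is constructed from a few paths in this thread's logs, with one deliberately mistyped extension; the function names are assumptions of the example.

```python
import re
import ntpath  # Windows path rules, whatever OS the analyst works on
from collections import defaultdict

# A CFScript section header such as "File::", "Folder::" or "Registry::".
SECTION = re.compile(r"^(\w+)::\s*$")
# One "Files Created" row: created . modified  size-or-<DIR>  attributes  path
CREATED_ROW = re.compile(
    r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} \. \d{4}-\d{2}-\d{2} \d{2}:\d{2}\s+"
    r"(<DIR>|[\d,]+)\s+\S+\s+(.+?)\s*$"
)


def parse_cfscript(text):
    """Return {lower-cased section name: [entries]} for a CFScript body."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION.match(line)
        if header:
            current = sections.setdefault(header.group(1).lower(), [])
        elif current is not None:
            current.append(line)
    return sections


def parse_created(log_text):
    """Return {normalised path: (size or None for a directory, path as logged)}."""
    rows = {}
    for raw in log_text.splitlines():
        row = CREATED_ROW.match(raw.strip())
        if row:
            size, path = row.groups()
            size = None if size == "<DIR>" else int(size.replace(",", ""))
            rows[ntpath.normcase(path)] = (size, path)
    return rows


def report(script_text, later_log_text):
    """Compare a script's File::/Folder:: entries with a later log listing."""
    sections = parse_cfscript(script_text)
    targets = sections.get("file", []) + sections.get("folder", [])
    present = parse_created(later_log_text)
    # Path without extension -> logged path, to catch a mistyped extension.
    stems = {ntpath.splitext(key)[0]: val[1] for key, val in present.items()}
    out = {"survivors": [], "near_misses": [], "not_listed": []}
    by_size, seen = defaultdict(list), set()
    for entry in targets:
        key = ntpath.normcase(entry)
        if key in seen:          # the same path can be listed twice
            continue
        seen.add(key)
        stem = ntpath.splitext(key)[0]
        if key in present:
            size, path = present[key]
            out["survivors"].append(path)
            if size is not None:
                by_size[size].append(ntpath.basename(path))
        elif stem in stems:
            out["near_misses"].append((entry, stems[stem]))
        else:
            # Removed, or simply outside the log's "Files Created" date window.
            out["not_listed"].append(entry)
    out["by_size"] = dict(by_size)  # files sharing a byte size, grouped
    return out


# Constructed sample: a short script and the listing from the following run.
SCRIPT = r"""File::
C:\WINDOWS\system32\hpxgmt.dll
C:\WINDOWS\system32\gjluongh.dll
C:\WINDOWS\system32\qcacegou.dll
C:\WINDOWS\system32\fukyhxvi.dl
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\qcacegou.dll
Folder::
C:\Temp\epr1
"""
LOG = r"""2008-08-03 14:56 . 2008-08-03 14:56 114,176 --a------ C:\WINDOWS\system32\hpxgmt.dll
2008-08-03 14:56 . 2008-08-03 14:56 114,176 --a------ C:\WINDOWS\system32\gjluongh.dll
2008-08-03 14:47 . 2008-08-03 14:47 91,648 --a------ C:\WINDOWS\system32\qcacegou.dll
2008-08-01 14:45 . 2008-08-01 14:45 91,648 --a------ C:\WINDOWS\system32\fukyhxvi.dll
2008-08-01 00:34 . 2008-08-01 00:34 <DIR> d-------- C:\Program Files\CCleaner
2008-07-28 00:54 . 2008-07-28 00:54 <DIR> d-------- C:\Temp\epr1
"""

if __name__ == "__main__":
    for name, value in report(SCRIPT, LOG).items():
        print(name, value)
```

Entries reported as survivors were scheduled for deletion and are still in the later listing; a near miss is a script line that would not have matched the file on disk as written.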

Here's the Combofix log and below it the HiJ log. Now I'm about to run Malwarebytes.
ComboFix 08-08-04.01 - Day 2008-08-06 0:54:26.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.146 [GMT -4:00]
Running from: C:\Documents and Settings\Day\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Day\Desktop\CFScript.txt
* Created a new restore point
WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.
((((((((((((((((((((((((( Files Created from 2008-07-06 to 2008-08-06 )))))))))))))))))))))))))))))))
.
2008-08-04 20:45 . 2008-06-10 02:32 73,728 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-08-04 20:34 . 2008-08-04 20:34 <DIR> d-------- C:\Program Files\Common Files\Java
2008-08-04 15:00 . 2008-08-04 15:00 2,048 --a------ C:\WINDOWS\system32\efolubqx.exe
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Vuze
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\McAfee.com
2008-08-04 12:42 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\Common Files\McAfee
2008-08-04 12:41 . 2008-08-04 12:42 <DIR> d-------- C:\Program Files\McAfee
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\HP RecordNow
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\HP CD-DVD
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\Ares
2008-08-04 12:41 . 2008-08-04 12:41 <DIR> d-------- C:\Program Files\Absolute Poker
2008-08-03 20:59 . 2008-08-03 20:59 <DIR> d-------- C:\Program Files\Lavasoft
2008-08-03 20:59 . 2008-08-04 13:48 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2008-08-03 14:56 . 2008-08-03 14:56 114,176 --a------ C:\WINDOWS\system32\hpxgmt.dll
2008-08-03 14:56 . 2008-08-03 14:56 114,176 --a------ C:\WINDOWS\system32\gjluongh.dll
2008-08-03 14:47 . 2008-08-03 14:47 91,648 --a------ C:\WINDOWS\system32\qcacegou.dll
2008-08-02 19:43 . 2008-08-02 19:43 <DIR> d-------- C:\Documents and Settings\Day\Application Data\Malwarebytes
2008-08-02 19:41 . 2008-07-30 20:07 38,472 --a------ C:\WINDOWS\system32\drivers\mbamswissarmy.sys
2008-08-02 19:41 . 2008-07-30 20:07 17,144 --a------ C:\WINDOWS\system32\drivers\mbam.sys
2008-08-02 19:40 . 2008-08-02 19:42 <DIR> d-------- C:\Program Files\Malwarebytes' Anti-Malware
2008-08-02 19:40 . 2008-08-02 19:40 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Malwarebytes
2008-08-02 14:50 . 2008-08-02 14:50 114,176 --a------ C:\WINDOWS\system32\jpphpg.dll
2008-08-02 14:38 . 2008-08-02 14:45 <DIR> d-------- C:\WINDOWS\BDOSCAN8
2008-08-02 11:04 . 2008-08-02 11:04 <DIR> d-------- C:\VundoFix Backups
2008-08-01 14:51 . 2008-08-01 14:51 114,176 --a------ C:\WINDOWS\system32\xaninr.dll
2008-08-01 14:51 . 2008-08-01 14:51 114,176 --a------ C:\WINDOWS\system32\wtgyvdye.dll
2008-08-01 14:45 . 2008-08-01 14:45 91,648 --a------ C:\WINDOWS\system32\fukyhxvi.dll
2008-08-01 00:34 . 2008-08-01 00:34 <DIR> d-------- C:\Program Files\CCleaner
2008-07-31 21:36 . 2008-07-31 21:36 <DIR> d--h----- C:\WINDOWS\PIF
2008-07-31 12:03 . 2008-07-31 12:03 105,472 --a------ C:\WINDOWS\system32\iiwtzl.dll
2008-07-31 12:02 . 2008-07-31 12:03 105,472 --a------ C:\WINDOWS\system32\rhflqyim.dll
2008-07-31 11:57 . 2008-07-31 11:57 91,648 --a------ C:\WINDOWS\system32\iddtrtdv.dll
2008-07-31 02:28 . 2008-07-31 02:29 <DIR> d-------- C:\WINDOWS\_VXUInst
2008-07-31 00:39 . 2008-07-31 02:01 <DIR> d-a------ C:\Documents and Settings\All Users\Application Data\TEMP
2008-07-30 11:57 . 2008-07-30 11:57 105,472 --a------ C:\WINDOWS\system32\tojqbg.dll
2008-07-30 11:57 . 2008-07-30 11:57 105,472 --a------ C:\WINDOWS\system32\pjerxlyl.dll
2008-07-30 11:55 . 2008-07-30 11:55 91,648 --a------ C:\WINDOWS\system32\kieplvxx.dll
2008-07-28 23:00 . 2008-07-28 23:00 105,472 --a------ C:\WINDOWS\system32\oiarhppn.dll
2008-07-28 23:00 . 2008-07-28 23:00 105,472 --a------ C:\WINDOWS\system32\hrpxmd.dll
2008-07-28 22:51 . 2008-07-28 22:51 91,648 --a------ C:\WINDOWS\system32\uiecgpba.dll
2008-07-28 00:54 . 2008-07-28 00:54 <DIR> d-------- C:\Temp\epr1
2008-07-28 00:54 . 2008-07-28 00:54 26,112 --a------ C:\WINDOWS\system32\tuvWnLDv.dll
2008-07-27 23:10 . 2008-07-29 00:21 <DIR> d-------- C:\Documents and Settings\Day\Application Data\Azureus
2008-07-27 23:10 . 2008-07-27 23:10 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Azureus
2008-07-13 23:42 . 2008-07-13 23:42 <DIR> d-------- C:\Program Files\Steinberg
2008-07-13 23:29 . 2001-08-17 14:02 9,600 --a------ C:\WINDOWS\system32\drivers\hidusb.sys
2008-07-13 23:29 . 2001-08-17 14:02 9,600 --a--c--- C:\WINDOWS\system32\dllcache\hidusb.sys
2008-07-13 23:28 . 2004-08-03 23:08 31,616 --a------ C:\WINDOWS\system32\drivers\usbccgp.sys
2008-07-13 23:28 . 2004-08-03 23:08 31,616 --a--c--- C:\WINDOWS\system32\dllcache\usbccgp.sys
2008-07-08 02:57 . 2002-01-01 03:28 860,211 --a-s---- C:\WINDOWS\system32\XSIFtk-3.6.2.1.dll
.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-08-06 04:23 --------- d-----w C:\Program Files\PokerStars
2008-08-05 00:45 --------- d-----w C:\Program Files\Java
2008-08-02 05:45 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-08-01 02:35 --------- d-----w C:\Program Files\Common Files\Scanner
2008-07-31 03:51 --------- d-----w C:\Program Files\Norton AntiVirus
2008-07-27 08:49 --------- d-----w C:\Program Files\UltimateBet
2008-07-27 08:49 --------- d-----w C:\Program Files\Full Tilt Poker
2008-07-23 20:23 --------- d-----w C:\Documents and Settings\All Users\Application Data\DVD Shrink
2008-07-21 12:13 --------- d-----w C:\Program Files\LimeWire
2008-06-22 02:38 --------- d-----w C:\Program Files\Common Files\LogiShrd
2008-06-22 02:34 --------- d-----w C:\Program Files\Logitech
2008-06-22 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\Logitech
2008-06-22 02:34 --------- d-----w C:\Documents and Settings\All Users\Application Data\LogiShrd
2008-06-22 02:15 --------- d-----w C:\Program Files\Common Files\Logitech
2008-06-14 04:36 --------- d--h--r C:\Documents and Settings\Day\Application Data\yahoo!
2008-06-14 04:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2005-03-03 05:45 784 ----a-w C:\Documents and Settings\Day\Application Data\mpauth.dat
2004-09-14 22:14 10,022 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4
[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{42BFABD3-B070-4053-9485-30D7E000D3D3}]
2008-07-28 00:54 26112 --a------ C:\WINDOWS\system32\tuvWnLDv.dll
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56 15360]
"Weather"="C:\Program Files\AWS\WeatherBug\Weather.exe" [2007-08-29 11:55 1347584]
"NBJ"="C:\Program Files\Ahead\Nero BackItUp\NBJ.exe" [2005-06-02 16:03 1957888]
"AOL Fast Start"="C:\Program Files\America Online 9.0c\AOL.exe" [2005-07-12 07:17 50776]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2007-10-19 21:16 286720]
"HostManager"="C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe" [2007-04-12 17:23 42032]
"AOLDialer"="C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" [2006-10-23 08:50 71216]
"Lexmark X74-X75"="C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe" [2002-10-14 16:09 57344]
"ccApp"="C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2008-01-17 11:42 58728]
"Symantec NetDriver Monitor"="C:\PROGRA~1\SYMNET~1\SNDMon.exe" [2007-11-27 08:54 100056]
"NeroFilterCheck"="C:\WINDOWS\system32\NeroCheck.exe" [2001-07-09 11:50 155648]
"Verizon_McciTrayApp"="C:\Program Files\Verizon\McciTrayApp.exe" [2007-09-28 14:30 936960]
"VerizonServicepoint.exe"="C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" [2007-05-11 16:20 2061816]
"AOL Spyware Protection"="C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe" [2004-10-18 18:42 79448]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2008-04-01 14:14 185896]
"LogitechCommunicationsManager"="C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe" [2007-07-25 16:02 563984]
"LogitechQuickCamRibbon"="C:\Program Files\Logitech\QuickCam\Quickcam.exe" [2007-07-25 16:06 2027792]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe" [2008-06-10 04:27 144784]
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Office.lnk - C:\Program Files\Microsoft Office\Office10\OSA.exe [2001-02-13 02:01:04 83360]
[hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
"{42BFABD3-B070-4053-9485-30D7E000D3D3}"= "C:\WINDOWS\system32\tuvWnLDv.dll" [2008-07-28 00:54 26112]
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\tuvWnLDv]
2008-07-28 00:54 26112 C:\WINDOWS\system32\tuvWnLDv.dll
[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.MJPG"= pvmjpg21.dll
[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecAntiVirus]
"DisableMonitoring"=dword:00000001
[HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\SymantecFirewall]
"DisableMonitoring"=dword:00000001
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
"EnableFirewall"= 0 (0x0)
[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"=
"C:\\Program Files\\LimeWire\\LimeWire.exe"=
"C:\\Program Files\\Common Files\\AolCoach\\en_en\\player\\AOLNySEV.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltsmon.exe"=
"C:\\Program Files\\Common Files\\AOL\\TopSpeed\\2.0\\aoltpspd.exe"=
"C:\\Program Files\\Common Files\\AOL\\System Information\\sinf.exe"=
"C:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\asp.exe"=
"C:\\Program Files\\Common Files\\AOL\\AOL Spyware Protection\\AOLSP Scheduler.exe"=
"C:\\Program Files\\Common Files\\AOL\\1103181270\\EE\\AOLServiceHost.exe"=
"C:\\Program Files\\America Online 9.0c\\waol.exe"=
S3 ess;ESS Audio Driver (WDM);C:\WINDOWS\system32\drivers\ess.sys [2001-08-17 08:19]
S3 netflx3;Compaq NetFlex-3/Netelligent Adapter Driver;C:\WINDOWS\system32\DRIVERS\netflx3.sys []
S3 NETGEAR NETGEAR_MA101_USB_Adapter(R);NETGEAR NETGEAR_MA101_USB_Adapter(R) Service for NETGEAR MA101 USB Adapter;C:\WINDOWS\system32\DRIVERS\ma1012kr.sys [2007-07-04 17:20]
S3 Radialpoint Security Services;Radialpoint Security Services;C:\WINDOWS\system32\dllhost.exe [2004-08-03 18:56]
S3 s3m;s3m;C:\WINDOWS\system32\DRIVERS\s3m.sys [2001-08-17 08:50]
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{51691660-a4e9-11d8-b97d-806d6172696f}]
\shell\play\Command - "C:\Program Files\Windows Media Player\wmplayer.exe" /prefetch:3 /device:AudioCD "%L"
[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{65f4e9bb-4ab9-11dd-a296-00038a000015}]
\Shell\AutoRun\command - F:\wd_windows_tools\WDEULA.exe
*Newly Created Service* - CATCHME
.
Contents of the 'Scheduled Tasks' folder
2008-07-15 C:\WINDOWS\Tasks\McDefragTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe []
2008-08-01 C:\WINDOWS\Tasks\McQcTask.job
- c:\PROGRA~1\mcafee\mqc\QcConsol.exe []
2008-07-25 C:\WINDOWS\Tasks\Norton AntiVirus - Scan my computer - Day.job
- C:\PROGRA~1\NORTON~1\Navw32.exe [2005-10-19 12:54]
.
**************************************************************************
catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-08-06 01:13:27
Windows 5.1.2600 Service Pack 2 NTFS
scanning hidden processes ...
scanning hidden autostart entries ...
scanning hidden files ...
scan completed successfully
hidden files: 0
**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------
PROCESS: C:\WINDOWS\system32\winlogon.exe
-> C:\WINDOWS\system32\tuvWnLDv.dll
.
Completion time: 2008-08-06 1:26:40
ComboFix-quarantined-files.txt 2008-08-06 05:25:15
ComboFix2.txt 2008-08-05 19:29:15
ComboFix3.txt 2008-08-05 18:27:23
ComboFix4.txt 2008-08-05 02:23:51
Pre-Run: 16,857,739,264 bytes free
Post-Run: 16,856,338,432 bytes free
177
Logfile of Trend Micro Hij v2.0.2
Scan saved at 1:36:20 AM, on 8/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Microsoft Office\Office10\WINWORD.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon-online.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\tuvWnLDv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Weather] C:\Program Files\AWS\WeatherBug\Weather.exe 1
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.exe" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/in...
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/...
O20 - Winlogon Notify: tuvWnLDv - C:\WINDOWS\SYSTEM32\tuvWnLDv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10682 bytes
I'll post the MWB report next. Thanx!!

Here's the MWB report after rebooting. By the way, before I did the entire process I made sure the script blocking was still disabled on Norton. Thanks for all of your help Jabuck. You and Mavis have really been helpful and I know it's getting to be a pain for you too. I appreciate it.

A stubborn variant of Vundo you have but we will get it. Looks like the Malwarebytes report did not post, please run it again and post the report.
Run the following scan. Please download Atribune's VundoFix.exe from the following site to your desktop:
Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click "yes".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click "ok".
Post a new Hijack This log please.

Here's the MWB report. I'll do the Vundofix now.
Malwarebytes' Anti-Malware 1.24
Database version: 1017
Windows 5.1.2600 Service Pack 2
3:10:15 AM 8/6/2008
mbam-log-8-6-2008 (03-10-15).txt
Scan type: Quick Scan
Objects scanned: 39075
Time elapsed: 28 minute(s), 31 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 3
Registry Values Infected: 1
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 1
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{42bfabd3-b070-4053-9485-30d7e000d3d3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_CLASSES_ROOT\CLSID\{42bfabd3-b070-4053-9485-30d7e000d3d3} (Trojan.BHO) -> Quarantined and deleted successfully.
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\tuvwnldv (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Values Infected:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\{42bfabd3-b070-4053-9485-30d7e000d3d3} (Trojan.Vundo) -> Quarantined and deleted successfully.
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
C:\WINDOWS\system32\tuvWnLDv.dll (Trojan.BHO) -> Delete on reboot.

And here's the HJT report. Thanks again Jabuck. It must be annoying to you too.
Scan saved at 6:20:40 PM, on 8/7/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\WINDOWS\Explorer.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXBCES.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.exe
C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe
C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe
C:\Program Files\Lexmark X74-X75\lxbbbmon.exe
C:\Program Files\Verizon\McciTrayApp.exe
C:\Program Files\Verizon\VSP\VerizonServicepoint.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe
C:\Program Files\Logitech\QuickCam\Quickcam.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\America Online 9.0c\waol.exe
C:\Program Files\Microsoft Office\Office10\msoffice.exe
C:\Program Files\Common Files\Logishrd\LQCVFX\COCIManager.exe
C:\Program Files\America Online 9.0c\shellmon.exe
C:\Program Files\internet explorer\iexplore.exe
C:\Documents and Settings\Day\Desktop\HiJackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://verizon-online.aol.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?Lin...
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?Lin...
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\Program Files\Real\RealPlayer\rpbrowserrecordplugin.dll
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\tuvWnLDv.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O3 - Toolbar: (no name) - {BA52B914-B692-46c4-B683-905236F6F655} - (no file)
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: AOL Toolbar - {DE9C389F-3316-41A7-809B-AA305ED9D922} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1103181270\ee\AOLSoftware.exe
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [Lexmark X74-X75] "C:\Program Files\Lexmark X74-X75\lxbbbmgr.exe"
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [Verizon_McciTrayApp] C:\Program Files\Verizon\McciTrayApp.exe
O4 - HKLM\..\Run: [VerizonServicepoint.exe] "C:\Program Files\Verizon\VSP\VerizonServicepoint.exe" /AUTORUN
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [LogitechCommunicationsManager] "C:\Program Files\Common Files\LogiShrd\LComMgr\Communications_Helper.exe"
O4 - HKLM\..\Run: [LogitechQuickCamRibbon] "C:\Program Files\Logitech\QuickCam\Quickcam.exe" /hide
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [NBJ] "C:\Program Files\Ahead\Nero BackItUp\NBJ.exe"
O4 - HKCU\..\Run: [AOL Fast Start] "C:\Program Files\America Online 9.0c\AOL.exe" -b
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &AOL Toolbar Search - c:\program files\aol\aol toolbar 4.0\resources\en-US\local\search.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: AOL Toolbar - {3369AF0D-62E9-4bda-8103-B4C75499B578} - C:\Program Files\AOL\AOL Toolbar 4.0\aoltb.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (HKCU)
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemydsl.verizon.net/sdcCommon/download/DSL/tgctlcm.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/res...
O16 - DPF: {69EF49E5-FE46-4B92-B5FA-2193AB7A6B8A} (GameLauncher Control) - http://www.acclaim.com/cabs/acclaim...
O16 - DPF: {C606BA60-AB76-48B6-96A7-2C4D5C386F70} (PreQualifier Class) - http://www.verizon.net/checkmypc/in...
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://ds1.downloadtech.net/cn1060/...
O20 - Winlogon Notify: tuvWnLDv - C:\WINDOWS\SYSTEM32\tuvWnLDv.dll
O23 - Service: AOL Connectivity Service (AOL ACS) - AOL LLC - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AOL TopSpeed Monitor (AOL TopSpeedMonitor) - America Online, Inc - C:\Program Files\Common Files\AOL\TopSpeed\2.0\aoltsmon.exe
O23 - Service: Automatic LiveUpdate Scheduler - Symantec Corporation - C:\Program Files\Symantec\LiveUpdate\ALUSchedulerSvc.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: DvpApi (dvpapi) - Authentium, Inc. - C:\Program Files\Common Files\Authentium\AntiVirus\dvpapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.exe
O23 - Service: LVCOMSer - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVCOMSER\LVComSer.exe
O23 - Service: Process Monitor (LVPrcSrv) - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\LVMVFM\LVPrcSrv.exe
O23 - Service: LVSrvLauncher - Logitech Inc. - C:\Program Files\Common Files\LogiShrd\SrvLnch\SrvLnch.exe
O23 - Service: Norton AntiVirus Auto-Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Norton AntiVirus Firewall Monitor Service (NPFMntor) - Symantec Corporation - C:\Program Files\Norton AntiVirus\IWP\NPFMntor.exe
O23 - Service: Radialpoint Unicorn Update Service (RPSUpdaterR) - Radialpoint Inc. - C:\Program Files\Verizon\PC Security Checkup\rpsupdaterR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
--
End of file - 10704 bytes

Go to start> control panel> add remove programs and uninstall this program:
Limewire
Run Hijack This again, place a check to the left of the following items and press "fix checked":
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\tuvWnLDv.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra 'Tools' menuitem: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O20 - Winlogon Notify: tuvWnLDv - C:\WINDOWS\SYSTEM32\tuvWnLDv.dll
Exit Hijack This
Download SDFix.exe and save it to your Desktop.
Very Important! Temporarily disable your anti-virus, script blocking and any anti-malware real-time protection before performing a scan. They can interfere with SDFix or Combofix and remove some of its embedded files which may cause "unpredictable results".
Click on This Link to see a list of programs that should be disabled. The list is not all inclusive. If yours is not listed and you don't know how to disable it, please ask.
Remember to re-enable the protection again afterwards before connecting to the Internet.
1. Double click SDFix.exe and choose Install to extract it to its own folder on the Desktop. Please then reboot your computer in Safe Mode by doing the following:
Restart your computer
After hearing your computer beep once during startup, but before the Windows icon appears, tap the F8 key continually;
Instead of Windows loading as normal, a menu with options should appear;
Select the first option, to run Windows in Safe Mode, then press "Enter".
Choose your usual account.
2. Open the c:\SDFix folder and double click RunThis.cmd to start the script.
Type Y to begin the script.
It will remove the Trojan Services then make some repairs to the registry and prompt you to press any key to Reboot.
Press any Key and it will restart the PC.
3. Your system will take longer than normal to restart as the fixtool will be running and removing files.
When the desktop loads the Fixtool will complete the removal and display Finished, then press any key to end the script and load your desktop icons.
4. Finally open the SDFix folder on your desktop and copy and paste the contents of the results file Report.txt
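
The entries selected for "fix checked" in the reply above follow two patterns that can be checked mechanically: one DLL registered both as a browser helper object (O2) and as a Winlogon Notify package (O20), and entries HijackThis marks "(file missing)". The sketch below is an added example, not part of the original posts and not HijackThis code; the function names and finding labels are this example's own, and the sample lines are copied from the log in this thread.

```python
import re
from collections import defaultdict

# Sample lines copied from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {42BFABD3-B070-4053-9485-30D7E000D3D3} - C:\WINDOWS\system32\tuvWnLDv.dll
O9 - Extra button: PartyPoker.net - {F4430FE8-2638-42e5-B849-800749B94EED} - C:\Program Files\PartyPoker.net\partypokernet.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O20 - Winlogon Notify: tuvWnLDv - C:\WINDOWS\SYSTEM32\tuvWnLDv.dll
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.exe
"""

ENTRY = re.compile(r"^(O\d+) - (.*)$")                       # section code, rest of line
PATH = re.compile(r"([A-Za-z]:\\.*?\.(?:dll|exe))", re.I)    # first local DLL/EXE path


def parse(log):
    """Return (section, lowercased path or None, file_missing, raw line) per entry."""
    entries = []
    for line in log.splitlines():
        line = line.strip()
        m = ENTRY.match(line)
        if not m:
            continue  # header lines, running-process list, blank lines
        p = PATH.search(m.group(2))
        path = p.group(1).lower() if p else None  # Windows paths are case-insensitive
        entries.append((m.group(1), path, line.endswith("(file missing)"), line))
    return entries


def review(log):
    """Flag entries matching the two patterns the reply acts on."""
    entries = parse(log)
    sections_by_path = defaultdict(set)
    for section, path, _, _ in entries:
        if path:
            sections_by_path[path].add(section)

    findings = []
    for section, path, missing, raw in entries:
        if missing:
            # Registry entry whose target no longer exists on disk.
            findings.append(("orphaned", raw))
        elif path and {"O2", "O20"} <= sections_by_path[path]:
            # Same binary loads into the browser and into Winlogon.
            findings.append(("bho+winlogon", raw))
    return findings


if __name__ == "__main__":
    for label, raw in review(SAMPLE_LOG):
        print(f"[{label}] {raw}")
```

A match is a prompt for manual review, not a verdict: the paths are compared case-insensitively because the log itself writes `system32` and `SYSTEM32` for the same file.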

Thanks Jabuck. It seems to have worked using the SDFix. It's running like it should be. You've been a huge help and again Thanks. If anything should show up unexpected. I'll let you know. In the meantime, I can stop pulling out my hair now. I must admit this is an outstanding site. Have a good one!


This post is quite old and has been locked from receiving new replies. Please create a new posting instead.