
HJT Log Flatfoot

Discussion in 'Malware and Virus Removal Archive' started by flatfoot, 2008/08/09.

  1. 2008/08/09
    flatfoot

    flatfoot Inactive Thread Starter

    Joined:
    2002/10/08
    Messages:
    55
    Likes Received:
    0
    Below is my HJT log. The only weird problem I have been having is that on start-up I get a blue screen, but not the Blue Screen of Death. It is just blank blue with no writing, but the cursor still moves. I have to restart, hit F12 and make it run the diagnostic to check the Windows blue screen. Then the desktop comes up fine.
    regards, Flatfoot
    - - - - - - - - - - - - - - - - - - - - - - - - - - - -
    Logfile of HijackThis v1.99.1
    Scan saved at 3:01:43 AM, on 8/9/2008
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Documents and Settings\Owner\Desktop\HijackThis.exe

    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O20 - AppInit_DLLs: c:\windows\system32\awvvsrs.dll
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
    Last edited: 2008/08/09
  2. 2008/08/10
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Hi flatfoot,

    Click Start>Run and type (or paste) the following command, then hit Enter.

    sc stop lsass

    Now repeat with this command.

    sc delete lsass

    Reboot and see if the behavior persists.

    Now, you're using an outdated version of HijackThis, so let's update. Please download the HijackThis Installer from here, then run a scan and save the log. Close that log and HijackThis for now. We're going to use another tool that will provide a more comprehensive look at things.

    Download Deckard's System Scanner (dss.exe) and save it to your desktop.
    • Close all applications and windows.
    • Double click on dss.exe to run it and follow the prompts.
    • When the scan is complete, two text files will open; main.txt, which will be maximized and extra.txt, which will be minimized.
    Post the contents of main.txt only for now.
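The `sc stop lsass` / `sc delete lsass` step above is aimed at the O23 entry in the first log: a service registered under the name lsass whose image is C:\WINDOWS\lsass.exe. The genuine lsass.exe is in the running-processes list at C:\WINDOWS\system32\lsass.exe; it is started by winlogon, not by the service controller, and no Windows XP service key is named lsass, so `sc delete lsass` removes only the impostor's registration. The same reasoning applies to the other autostart lines in this thread (AppInit_DLLs, nameless BHOs, unfamiliar Winlogon Notify DLLs, an unknown-owner service in the Windows root, a NameServer entry pointing at public addresses). The Python below is an added example, not part of HijackThis, DSS or the helper's procedure: it applies those checks to HijackThis-style lines. The sample lines are copied from the log in post 1 and the DSS log posted later in the thread; the rules and the allow-lists are my own assumptions and will need tuning for other machines.

```python
"""Triage of HijackThis-style autostart lines.

Added example for this thread; it is not part of HijackThis, DSS or the
helper's procedure. The rules are my reading of what the helper acted on,
and the allow-lists are assumptions that will need tuning elsewhere.
"""
import re
from ipaddress import ip_address

# Sample input: lines copied from the HJT log in post 1 and the DSS log in
# post 5 of this thread (the O17 line is the backed-up entry DSS listed).
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\efcdbby.dll
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC21E06-E6E4-4145-94B5-37AB4A3FCB7F}: NameServer = 85.255.114.12 85.255.112.68
O20 - AppInit_DLLs: c:\windows\system32\awvvsrs.dll
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\System32\crypt32.dll
O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
"""

# Core XP processes; the real ones live in system32 and are started by the
# kernel or winlogon, so a service whose image is a same-named file somewhere
# else (C:\WINDOWS\lsass.exe here) is a masquerade.
CORE_PROCESSES = {"smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe"}
SYSTEM32 = "c:\\windows\\system32"

# Winlogon Notify DLLs that ship with XP SP2 (assumption: my own allow-list).
KNOWN_NOTIFY_DLLS = {"crypt32.dll", "cryptnet.dll", "cscdll.dll", "sclgntfy.dll",
                     "wlnotify.dll", "wzcdlg.dll"}

MISSING = r"(?: \(file missing\))?$"   # HJT appends this when the file is gone


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def dirname(path):
    return path.rsplit("\\", 1)[0].lower()


def triage(log_text):
    """Return (item, reason, line) for every line that warrants a fix."""
    findings = []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := re.match(r"O2 - BHO: (.+?) - \{[0-9A-Fa-f-]+\} - (.+?)" + MISSING, line):
            if m.group(1) == "(no name)":          # legitimate BHOs carry a name
                findings.append(("O2", "nameless BHO: " + m.group(2), line))
        elif m := re.match(r"O17 - .*NameServer = (.+)$", line):
            public = [ip for ip in m.group(1).split() if not ip_address(ip).is_private]
            if public:                              # compare with the ISP's resolvers
                findings.append(("O17", "verify DNS servers: " + " ".join(public), line))
        elif m := re.match(r"O20 - AppInit_DLLs: (.+)$", line):
            findings.append(("O20", "AppInit_DLLs loads into every user32 process: " + m.group(1), line))
        elif m := re.match(r"O20 - Winlogon Notify: \S+ - (.+?)" + MISSING, line):
            if basename(m.group(1)) not in KNOWN_NOTIFY_DLLS:
                findings.append(("O20", "unknown Winlogon Notify DLL: " + m.group(1), line))
        elif m := re.match(r"O23 - Service: (.+?) - (.+?) - (.+?)" + MISSING, line):
            name, owner, image = m.groups()
            if basename(image) in CORE_PROCESSES and dirname(image) != SYSTEM32:
                findings.append(("O23", f"service '{name}' masquerades as a core process: " + image, line))
            elif owner == "Unknown owner" and dirname(image) == "c:\\windows":
                findings.append(("O23", "unknown-owner service in the Windows root: " + image, line))
    return findings


if __name__ == "__main__":
    for item, reason, line in triage(SAMPLE_LOG):
        print(f"[{item}] {reason}\n    {line}")
```

On the sample it flags six lines (the nameless BHO, the NameServer entry, AppInit_DLLs, the awvts Notify DLL, the fake lsass service and dllmgr64) and leaves the Logitech, TeaTimer, crypt32chain and vsmon entries alone. Before running the `sc delete`, `sc qc lsass` prints the BINARY_PATH_NAME the service controller holds for that name; it should be the C:\WINDOWS\lsass.exe path from the log, not anything under system32.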
     

  4. 2008/08/10
    flatfoot
    Thanks Noah
    I had downloaded the newest HJT last week but the old one is the one that runs. I will correct that.
    Will let you know when I have completed your instructions.
     
  5. 2008/08/11
    flatfoot
    Noah, here is the status...

    1. Have not done the stop/delete of lsass yet.

    2. Attempted to download the new version of HJT, but my browser blocks the trendsecure website. I can go to the front page, but then it dumps it. Even when I allow it in my Mozilla browser.

    3. Here are the results of DSS main.txt

    Deckard's System Scanner v20071014.68
    Run by Owner on 2008-08-11 13:51:57
    Computer is in Normal Mode.
    ----------------------------------------------------------------

    -- System Restore ----------------------------------------------------

    Successfully created a Deckard's System Scanner Restore Point.

    -- Last 5 Restore Point(s) --
    85: 2008-08-11 18:52:04 UTC - RP878 - Deckard's System Scanner Restore Point
    84: 2008-08-11 02:36:23 UTC - RP877 - System Checkpoint
    83: 2008-08-10 02:16:05 UTC - RP876 - System Checkpoint
    82: 2008-08-09 01:48:15 UTC - RP875 - System Checkpoint
    81: 2008-08-07 10:10:17 UTC - RP874 - System Checkpoint

    -- First Restore Point --
    1: 2008-05-14 06:13:21 UTC - RP794 - System Checkpoint

    Backed up registry hives.
    Performed disk cleanup.

    Total Physical Memory: 247 MiB (512 MiB recommended).

    -- HijackThis (run as Owner.exe) ---------------------------------------

    Unable to find log (file not found); running clone.
    -- HijackThis Clone -----------------------------------------------------

    Emulating logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 2008-08-11 13:52:40
    Platform: Windows XP Service Pack 2 (5.01.2600)
    MSIE: Internet Explorer (6.00.2800.1106)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\system32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\explorer.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    C:\Documents and Settings\Owner\Desktop\dss.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://home.microsoft.com/access/autosearch.asp?p=%s
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,Default_Search_URL = http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://www.google.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = http://www.google.com
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://www.google.com
    O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\efcdbby.dll
    O2 - BHO: (no name) - {82E60915-986E-4FDC-9C92-7D1A5A8A0FEF} - C:\WINDOWS\system32\awvts.dll
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O16 - DPF: {8FFBE65D-2C9C-4669-84BD-5829DC0B603C} () - http://fpdownload.macromedia.com/get/flashplayer/current/ultrashim.cab
    O18 - Protocol: cetihpz - {CF184AD3-CDCB-4168-A3F7-8E447D129300} - C:\Program Files\HP\hpcoretech\comp\hpuiprot.dll
    O20 - AppInit_DLLs: c:\windows\system32\awvvsrs.dll
    O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
    O20 - Winlogon Notify: crypt32chain - C:\WINDOWS\System32\crypt32.dll
    O20 - Winlogon Notify: efcdbby - C:\WINDOWS\System32\efcdbby.dll
    O20 - Winlogon Notify: wzcnotif - C:\WINDOWS\System32\wzcdlg.dll
    O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
    O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
    O23 - Service: dllmgr64 - Unknown owner - C:\WINDOWS\dllmgr64.exe
    O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe
    O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
    --
    End of file - 3634 bytes

    -- HijackThis Fixed Entries (C:\DOCUME~1\Owner\Desktop\backups\) ------

    backup-20080418-021741-327 O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
    backup-20080418-021741-697 O4 - Global Startup: Smart Wizard Wireless Settings.lnk = ?
    backup-20080418-021746-543 O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
    backup-20080418-021814-102 O23 - Service: Local Security Authority Subsystem Service (lsass) - Unknown owner - C:\WINDOWS\lsass.exe (file missing)
    backup-20080809-030127-530 O17 - HKLM\System\CCS\Services\Tcpip\..\{8FC21E06-E6E4-4145-94B5-37AB4A3FCB7F}: NameServer = 85.255.114.12 85.255.112.68

    -- File Associations ---------------------------------------------------
    All associations okay.

    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled -------------

    R1 OMCI - c:\windows\system32\drivers\omci.sys <Not Verified; Dell Computer Corporation; OMCI Driver>

    S0 FltMgr - c:\windows\system32\drivers\fltmgr.sys (file missing)
    S1 intelppm (Intel Processor Driver) - c:\windows\system32\drivers\intelppm.sys (file missing)
    S3 HTTP - c:\windows\system32\drivers\http.sys (file missing)
    S3 ip6fw (IPv6 Windows Firewall Driver) - c:\windows\system32\drivers\ip6fw.sys (file missing)
    S3 mssmbios (Microsoft System Management BIOS Driver) - c:\windows\system32\drivers\mssmbios.sys (file missing)
    S3 PCANDIS5 (PCANDIS5 Protocol Driver) - c:\windows\system32\pcandis5.sys <Not Verified; Printing Communications Assoc., Inc. (PCAUSA); PCAUSA Rawether for Windows>

    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ------------

    S2 lsass (Local Security Authority Subsystem Service) - "c:\windows\lsass.exe" (file missing)
    S4 dllmgr64 - "c:\windows\dllmgr64.exe "

    -- Device Manager: Disabled ------------------------------------------

    Class GUID: {50127DC3-0F36-415E-A6CC-4CB3BE910B65}
    Description: Intel Processor
    Device ID: ACPI\GENUINEINTEL_-_X86_FAMILY_15_MODEL_2\_0
    Manufacturer: Intel
    Name: Intel(R) Celeron(R) CPU 2.40GHz
    PNP Device ID: ACPI\GENUINEINTEL_-_X86_FAMILY_15_MODEL_2\_0
    Service: intelppm

    Class GUID: {4D36E972-E325-11CE-BFC1-08002BE10318}
    Description: Broadcom 440x 10/100 Integrated Controller
    Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
    Manufacturer: Broadcom
    Name: Broadcom 440x 10/100 Integrated Controller
    PNP Device ID: PCI\VEN_14E4&DEV_4401&SUBSYS_81271028&REV_01\4&3B1CAF2B&0&48F0
    Service: bcm4sbxp

    Class GUID: {4D36E97D-E325-11CE-BFC1-08002BE10318}
    Description: Microsoft System Management BIOS Driver
    Device ID: ROOT\SYSTEM\0002
    Manufacturer: (Standard system devices)
    Name: Microsoft System Management BIOS Driver
    PNP Device ID: ROOT\SYSTEM\0002
    Service: mssmbios

    -- Files created between 2008-07-11 and 2008-08-11 --------------------

    2008-08-10 01:37:44 0 dr-h----- C:\Documents and Settings\Owner\Recent

    -- Find3M Report -------------------------------------------------------

    2008-08-02 06:03:46 0 d-------- C:\Program Files\NCH Swift Sound
    2008-07-10 21:29:20 0 d-------- C:\Program Files\SpywareBlaster
    2008-06-14 16:37:54 0 d-------- C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
    2008-06-14 16:37:53 0 d-------- C:\Documents and Settings\Owner\Application Data\Recordpad
    2008-06-14 16:36:44 0 d-------- C:\Program Files\NCH Software
    2008-05-18 00:33:21 1160 --a------ C:\WINDOWS\mozver.dat

    -- Registry Dump --------------------------------------------------

    *Note* empty entries & legit default entries are not shown

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{182B90A3-F372-438A-800C-6814B4DE417B}]
    03/26/2007 10:37 PM 26730 --------- C:\WINDOWS\system32\efcdbby.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{82E60915-986E-4FDC-9C92-7D1A5A8A0FEF}]
    08/04/2006 09:34 AM 573492 ---h----- C:\WINDOWS\System32\awvts.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech Utility "= "Logi_MwX.Exe" [11/26/2003 12:50 PM C:\WINDOWS\LOGI_MWX.EXE]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [05/31/2005 01:04 AM]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize "=1 (0x1)

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
    "{182B90A3-F372-438A-800C-6814B4DE417B} "= C:\WINDOWS\system32\efcdbby.dll [03/26/2007 10:37 PM 26730]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "System "= "csawh.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\awvts]
    C:\WINDOWS\System32\awvts.dll 08/04/2006 09:34 AM 573492 C:\WINDOWS\system32\awvts.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\efcdbby]
    efcdbby.dll 03/26/2007 10:37 PM 26730 C:\WINDOWS\system32\efcdbby.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "appinit_dlls "=c:\windows\system32\awvvsrs.dll

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
    @= "Service "

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
    @= "Volume shadow copy "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt hpqcxs08 hpqddsvc

    -- End of Deckard's System Scanner: finished at 2008-08-11 13:53:51 -----
     
  6. 2008/08/11
    noahdfear
    Ummm, the sc stop and sc delete commands were supposed to have been done first .... doesn't matter now I guess. Skip doing the commands. In the future, please do things in the order given (there is a method to my madness ;) ).



    Download ComboFix by sUBs from here, saving the file to your desktop.


    Please disable realtime protection applications as they sometimes interfere with the tool. Check this link for your applicable programs.

    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • It may reboot your computer and resume running when you logon. Wait for it to complete. When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  7. 2008/08/11
    flatfoot
    OK, I was wrong not doing it in order. I was scared to turn it off.
    Will have to wait till late at night to DL the 2.6 MB ComboFix.
    I am on dial-up and when many users are on, my connection is slow.

    Thanks for your patience, Mr. Noah
     
    Last edited: 2008/08/11
  8. 2008/08/11
    noahdfear
    No problem. We'll be here whenever you're ready. :)
     
  9. 2008/08/12
    flatfoot
    Tuesday Evening Update
    1. Combo Fix did not correct the blank blue screen.
    2. I think I have the updated HJT installed. Below are the results.
    3. Thanks for your help and patience. I am a mechanic in the real world.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:11, on 2008-08-12
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v6.00 SP2 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    C:\Program Files\Logitech\MouseWare\system\em_exec.exe
    C:\Documents and Settings\Owner\Desktop\dss.exe
    C:\DOCUME~1\Owner\Desktop\Owner.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    O2 - BHO: (no name) - {182B90A3-F372-438A-800C-6814B4DE417B} - C:\WINDOWS\system32\efcdbby.dll (file missing)
    O2 - BHO: (no name) - {33105713-DE30-46D0-AF4B-F6C88E79D4AA} - C:\WINDOWS\System32\awvts.dll (file missing)
    O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O20 - Winlogon Notify: awvts - C:\WINDOWS\System32\awvts.dll (file missing)
    O20 - Winlogon Notify: efcdbby - efcdbby.dll (file missing)
    O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe
     
  10. 2008/08/12
    noahdfear
    That log was made using the outdated version. If you used the HijackThis Installer, there should now be a shortcut for the newer version on your Start>All Programs list. Please create a new log and post it here.

    I also requested the ComboFix log. Please post the contents of C:\ComboFix.txt
     
  11. 2008/08/13
    flatfoot
    OK Thanks for reminding me. Here is the Combo Fix Log

    ComboFix 08-08-11.01 - Owner 2008-08-12 11:14:03.2 - NTFSx86
    Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.114 [GMT -5:00]
    Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe

    WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    ---- Previous Run -------
    .
    C:\WINDOWS\netdx.dat
    C:\WINDOWS\sstray.exe
    C:\WINDOWS\system32\{6E90F3DF-7248-4450-8260-1DB5434EED7B}.exe
    C:\WINDOWS\system32\{EB34DEB1-55CA-4235-A603-D8BB44258AB7}.exe
    C:\WINDOWS\system32\awtqrom.dll
    C:\WINDOWS\system32\awtrqqp.dll
    C:\WINDOWS\system32\awtrrom.dll
    C:\WINDOWS\system32\awtussr.dll
    C:\WINDOWS\system32\awvts.dll
    C:\WINDOWS\system32\byxvust.dll
    C:\WINDOWS\system32\byxvvsr.dll
    C:\WINDOWS\system32\byxwwwx.dll
    C:\WINDOWS\system32\byxxvsp.dll
    C:\WINDOWS\system32\byxywtt.dll
    C:\WINDOWS\system32\byxyxuv.dll
    C:\WINDOWS\system32\cbxuroo.dll
    C:\WINDOWS\system32\cbxuurs.dll
    C:\WINDOWS\system32\ddcawts.dll
    C:\WINDOWS\system32\ddcdcyx.dll
    C:\WINDOWS\system32\ddcyxwv.dll
    C:\WINDOWS\system32\dnipbltk.dll
    C:\WINDOWS\system32\drivers\fad.sys
    C:\WINDOWS\system32\efcbayx.dll
    C:\WINDOWS\system32\efccaxw.dll
    C:\WINDOWS\system32\efcdbby.dll
    C:\WINDOWS\system32\eventwvr.exe
    C:\WINDOWS\system32\fccbyyx.dll
    C:\WINDOWS\system32\fcccaxy.dll
    C:\WINDOWS\system32\fcccbcy.dll
    C:\WINDOWS\system32\fcccdaw.dll
    C:\WINDOWS\system32\fccyvtr.dll
    C:\WINDOWS\system32\fccywxx.dll
    C:\WINDOWS\system32\fkqvvcet.dll
    C:\WINDOWS\system32\hggebcd.dll
    C:\WINDOWS\system32\hgghgda.dll
    C:\WINDOWS\system32\ib14.dll
    C:\WINDOWS\system32\ib7.dll
    C:\WINDOWS\system32\iifdddc.dll
    C:\WINDOWS\system32\jkkifcd.dll
    C:\WINDOWS\system32\jkkijgd.dll
    C:\WINDOWS\system32\khfeedb.dll
    C:\WINDOWS\system32\kooerxti.dll
    C:\WINDOWS\system32\ljjgded.dll
    C:\WINDOWS\system32\ljjiigh.dll
    C:\WINDOWS\system32\lpkfesjq.dll
    C:\WINDOWS\system32\mljgeff.dll
    C:\WINDOWS\system32\mljghge.dll
    C:\WINDOWS\system32\mljiijh.dll
    C:\WINDOWS\system32\mljijkk.dll
    C:\WINDOWS\system32\mljjhhf.dll
    C:\WINDOWS\system32\mljjihf.dll
    C:\WINDOWS\system32\mljjijj.dll
    C:\WINDOWS\system32\mstskmgr.exe
    C:\WINDOWS\system32\nnnkjih.dll
    C:\WINDOWS\system32\nnnliji.dll
    C:\WINDOWS\system32\nnnlkij.dll
    C:\WINDOWS\system32\nnnomlj.dll
    C:\WINDOWS\system32\nnnommk.dll
    C:\WINDOWS\system32\opnkifc.dll
    C:\WINDOWS\system32\opnmkii.dll
    C:\WINDOWS\system32\opnmmml.dll
    C:\WINDOWS\system32\opnmnki.dll
    C:\WINDOWS\system32\opnmnlk.dll
    C:\WINDOWS\system32\pppcgm.exe
    C:\WINDOWS\system32\qomkhee.dll
    C:\WINDOWS\system32\qomkkig.dll
    C:\WINDOWS\system32\qomklij.dll
    C:\WINDOWS\system32\qommnkh.dll
    C:\WINDOWS\system32\rqrqpom.dll
    C:\WINDOWS\system32\ssqnkkk.dll
    C:\WINDOWS\system32\ssqoomj.dll
    C:\WINDOWS\system32\ssqpolk.dll
    C:\WINDOWS\system32\ssqppon.dll
    C:\WINDOWS\system32\ssqqpmj.dll
    C:\WINDOWS\system32\stvwa.ini
    C:\WINDOWS\system32\stvwa.ini2
    C:\WINDOWS\system32\tohnshnc.dll
    C:\WINDOWS\system32\tuvsttq.dll
    C:\WINDOWS\system32\tuvwxvu.dll
    C:\WINDOWS\system32\vturqnk.dll
    C:\WINDOWS\system32\vtusqpq.dll
    C:\WINDOWS\system32\vtutroo.dll
    C:\WINDOWS\system32\wvuvwtt.dll
    C:\WINDOWS\system32\xxyxvsq.dll
    C:\WINDOWS\tskmgr.exe

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Legacy_CMDSERVICE
    -------\Legacy_NETWORK_MONITOR
    -------\Legacy_NPF
    -------\Legacy_CMDSERVICE
    -------\Legacy_NETWORK_MONITOR
    -------\Legacy_NPF


    ((((((((((((((((((((((((( Files Created from 2008-07-12 to 2008-08-12 )))))))))))))))))))))))))))))))
    .

    2008-08-11 13:51 . 2008-08-11 13:51 <DIR> d-------- C:\Deckard

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2008-08-12 00:01 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
    2008-08-09 08:25 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
    2008-08-02 11:03 --------- d-----w C:\Program Files\NCH Swift Sound
    2008-07-11 02:29 --------- d-----w C:\Program Files\SpywareBlaster
    2008-06-14 21:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\Recordpad
    2008-06-14 21:37 --------- d-----w C:\Documents and Settings\Owner\Application Data\NCH Swift Sound
    2008-06-14 21:37 --------- d-----w C:\Documents and Settings\All Users\Application Data\NCH Swift Sound
    2008-06-14 21:36 --------- d-----w C:\Program Files\NCH Software
    2006-07-23 10:54 4,265 ----a-w C:\Program Files\gftjng.exe
    2004-03-17 22:13 1,028,368 ----a-w C:\Program Files\vbrun60sp6.exe
    2003-07-16 20:36 339,968 ----a-w C:\Program Files\mspaint.exe
    2007-11-09 02:08 40,960 --sh--r C:\WINDOWS\dllmgr64.exe
    2006-08-25 15:25 29,875 --sha-w C:\WINDOWS\system32\cbxxxyv.dll
    2008-01-16 23:32 19,389 --sha-w C:\WINDOWS\system32\ddcya.exe
    2008-01-26 23:20 19,389 --sha-w C:\WINDOWS\system32\geeby.exe
    2008-01-28 10:00 19,389 --sha-w C:\WINDOWS\system32\geede.exe
    2008-02-08 01:38 19,389 --sha-w C:\WINDOWS\system32\jkhhf.exe
    2008-02-01 00:00 19,389 --sha-w C:\WINDOWS\system32\jkhhi.exe
    2006-09-11 17:53 2,135 --sha-w C:\WINDOWS\system32\jkkiihh.dll
    2007-10-24 03:37 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
    2008-02-06 03:37 19,389 --sha-w C:\WINDOWS\system32\mlljj.exe
    2008-02-07 02:02 19,389 --sha-w C:\WINDOWS\system32\pmkhe.exe
    2008-01-30 09:54 19,389 --sha-w C:\WINDOWS\system32\pmkjg.exe
    2006-08-10 16:14 19,655 --sha-w C:\WINDOWS\system32\qommnnn.dll
    2006-09-12 14:36 13,815 --sha-w C:\WINDOWS\system32\rqrspqn.dll
    2006-08-26 20:39 15,275 --sha-w C:\WINDOWS\system32\ssqpmno.dll
    2008-01-23 04:43 19,389 --sha-w C:\WINDOWS\system32\sstqn.exe
    2008-01-18 04:35 19,389 --sha-w C:\WINDOWS\system32\vtsqq.exe
    2008-02-03 01:26 19,389 --sha-w C:\WINDOWS\system32\vturs.exe
    .

    ------- Sigcheck -------

    2005-06-18 02:49 574976 ece5d8e5c4b797f057e6933b539a7982 C:\WINDOWS\$NtServicePackUninstall$\wininet.dll
    2004-08-04 02:56 656384 c0823fc5469663ba63e7db88f9919d70 C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\wininet.dll
    2005-09-02 18:52 658432 af61ebb1f550175eff406d545d6ab086 C:\WINDOWS\SoftwareDistribution\Download\22c734c12ba2228809e817e4675732a3\sp2gdr\wininet.dll
    2005-09-02 18:53 660480 97a6fd7cafd688cf2c78939ebaf0cd0c C:\WINDOWS\SoftwareDistribution\Download\22c734c12ba2228809e817e4675732a3\sp2qfe\wininet.dll
    2005-06-18 02:49 574976 ece5d8e5c4b797f057e6933b539a7982 C:\WINDOWS\system32\wininet.dll
    2005-06-18 02:49 574976 ece5d8e5c4b797f057e6933b539a7982 C:\WINDOWS\system32\dllcache\wininet.dll

    2003-10-04 02:54 168192 d999ce17681d7d074d534fc5bc662e0a C:\WINDOWS\$NtServicePackUninstall$\ndis.sys
    2003-10-04 02:54 168192 d999ce17681d7d074d534fc5bc662e0a C:\WINDOWS\Driver Cache\i386\ndis.sys
    2004-08-04 01:14 182912 558635d3af1c7546d26067d5d9b6959e C:\WINDOWS\SoftwareDistribution\Download\16b2c96a0c41f4dfdb4d3cc228a4f819\ndis.sys
    2003-10-04 02:54 168192 d999ce17681d7d074d534fc5bc662e0a C:\WINDOWS\system32\dllcache\ndis.sys
    2003-10-04 02:54 168192 d999ce17681d7d074d534fc5bc662e0a C:\WINDOWS\system32\drivers\ndis.sys
    .
    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "SpybotSD TeaTimer "= "C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2005-05-31 01:04 1415824]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "Logitech Utility "= "Logi_MwX.Exe" [2003-11-26 12:50 19968 C:\WINDOWS\LOGI_MWX.EXE]

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoBandCustomize "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
    "AppInit_DLLs "=c:\windows\system32\awvvsrs.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
    "msacm.dvacm "= dvacm.acm
    "VIDC.VDOM "= vdowave.drv
    "VIDC.TR20 "= tr2032.dll
    "vidc.vivo "= ivvideo.dll

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "<NO NAME> "= :svc

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\GloballyOpenPorts\List]
    "3370:TCP "= 3370:TCP:Microsoft standard protector

    S4 dllmgr64;dllmgr64;C:\WINDOWS\dllmgr64.exe [2007-11-08 21:08]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    hpdevmgmt REG_MULTI_SZ hpqcxs08 hpqddsvc
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{33105713-DE30-46D0-AF4B-F6C88E79D4AA} - C:\WINDOWS\System32\awvts.dll
    Notify-awvts - C:\WINDOWS\System32\awvts.dll
    Notify-efcdbby - efcdbby.dll


    .
    ------- Supplementary Scan -------
    .
    FireFox -: Profile - C:\Documents and Settings\Owner\Application Data\Mozilla\Firefox\Profiles\vuaco10v.Default User\
    FireFox -: prefs.js - STARTUP.HOMEPAGE - hxxp://www.google.com/intl/en_ALL/images/logo.gif


    **************************************************************************

    catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2008-08-12 11:20:08
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    ------------------------ Other Running Processes ------------------------
    .
    C:\WINDOWS\system32\wdfmgr.exe
    C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
    .
    **************************************************************************
    .
    Completion time: 2008-08-12 11:25:15 - machine was rebooted [Owner]
    ComboFix-quarantined-files.txt 2008-08-12 16:25:09

    Pre-Run: 26,014,900,224 bytes free
    Post-Run: 25,962,176,512 bytes free

    210
     
  12. 2008/08/13
    noahdfear
    Once again, please disable any realtime protection applications. Highlight and copy the contents of the code box below and paste it into a blank Notepad, then save it to your desktop as:

    Filename: CFScript.txt
    Save As Type: All Files (*.*)

    Code:
    KillAll::
    Extra::
    File::
    C:\Program Files\gftjng.exe
    C:\Program Files\vbrun60sp6.exe
    C:\Program Files\mspaint.exe
    C:\WINDOWS\dllmgr64.exe
    C:\WINDOWS\system32\cbxxxyv.dll
    C:\WINDOWS\system32\ddcya.exe
    C:\WINDOWS\system32\geeby.exe
    C:\WINDOWS\system32\geede.exe
    C:\WINDOWS\system32\jkhhf.exe
    C:\WINDOWS\system32\jkhhi.exe
    C:\WINDOWS\system32\jkkiihh.dll
    C:\WINDOWS\system32\mlljj.exe
    C:\WINDOWS\system32\pmkhe.exe
    C:\WINDOWS\system32\pmkjg.exe
    C:\WINDOWS\system32\qommnnn.dll
    C:\WINDOWS\system32\rqrspqn.dll
    C:\WINDOWS\system32\ssqpmno.dll
    C:\WINDOWS\system32\sstqn.exe
    C:\WINDOWS\system32\vtsqq.exe
    C:\WINDOWS\system32\vturs.exe
    Driver::
    dllmgr64
    
    Close all other windows and programs. Now drag the CFScript.txt onto ComboFix.exe and drop it, using the left mouse button. Combofix should run and may reboot the computer when it's done. A log will open when it's complete. Post the contents of that log.

    Please do not click on the ComboFix window while it is running a scan. This can cause it to stall.
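The File:: list in the script above is, entry for entry, the set of Find3M lines from the ComboFix log in post 11 whose attributes or location are out of place: system+hidden files in system32 (eleven of them exactly 19,389 bytes), a hidden, system, read-only dllmgr64.exe in the Windows root that the same log shows registered as a disabled (S4) service, and loose executables sitting directly in the Program Files root (the real mspaint.exe lives in system32). The one hidden/system file left out is KGyGaAvL.sys. As an added example, not ComboFix's or the helper's own code, the Python below reproduces that selection from the log text and emits the File:: and Driver:: sections; the selection rule and the benign list are my own assumptions, and the sample input is copied from the log in post 11.

```python
"""Build the File:: and Driver:: sections of a ComboFix script from a log.

Added example for this thread; it is not part of ComboFix or the helper's
method. The selection rule is my reading of which Find3M entries the helper
put in the script, and the benign list is an assumption.
"""
import re

# Sample input: the Find3M file lines and the S4 service line copied from the
# ComboFix log in post 11 (two directory lines kept to show they are skipped).
SAMPLE_LOG = r"""
2008-08-02 11:03 --------- d-----w C:\Program Files\NCH Swift Sound
2008-07-11 02:29 --------- d-----w C:\Program Files\SpywareBlaster
2006-07-23 10:54 4,265 ----a-w C:\Program Files\gftjng.exe
2004-03-17 22:13 1,028,368 ----a-w C:\Program Files\vbrun60sp6.exe
2003-07-16 20:36 339,968 ----a-w C:\Program Files\mspaint.exe
2007-11-09 02:08 40,960 --sh--r C:\WINDOWS\dllmgr64.exe
2006-08-25 15:25 29,875 --sha-w C:\WINDOWS\system32\cbxxxyv.dll
2008-01-16 23:32 19,389 --sha-w C:\WINDOWS\system32\ddcya.exe
2008-01-26 23:20 19,389 --sha-w C:\WINDOWS\system32\geeby.exe
2008-01-28 10:00 19,389 --sha-w C:\WINDOWS\system32\geede.exe
2008-02-08 01:38 19,389 --sha-w C:\WINDOWS\system32\jkhhf.exe
2008-02-01 00:00 19,389 --sha-w C:\WINDOWS\system32\jkhhi.exe
2006-09-11 17:53 2,135 --sha-w C:\WINDOWS\system32\jkkiihh.dll
2007-10-24 03:37 848 --sha-w C:\WINDOWS\system32\KGyGaAvL.sys
2008-02-06 03:37 19,389 --sha-w C:\WINDOWS\system32\mlljj.exe
2008-02-07 02:02 19,389 --sha-w C:\WINDOWS\system32\pmkhe.exe
2008-01-30 09:54 19,389 --sha-w C:\WINDOWS\system32\pmkjg.exe
2006-08-10 16:14 19,655 --sha-w C:\WINDOWS\system32\qommnnn.dll
2006-09-12 14:36 13,815 --sha-w C:\WINDOWS\system32\rqrspqn.dll
2006-08-26 20:39 15,275 --sha-w C:\WINDOWS\system32\ssqpmno.dll
2008-01-23 04:43 19,389 --sha-w C:\WINDOWS\system32\sstqn.exe
2008-01-18 04:35 19,389 --sha-w C:\WINDOWS\system32\vtsqq.exe
2008-02-03 01:26 19,389 --sha-w C:\WINDOWS\system32\vturs.exe
S4 dllmgr64;dllmgr64;C:\WINDOWS\dllmgr64.exe [2007-11-08 21:08]
"""

# "date time size attrs path"; size is "---------" for directories.
FIND3M_LINE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2} (\S+) (\S+) (.+)$")
# "S<start> name;display;image [date]" as ComboFix lists services.
SERVICE_LINE = re.compile(r"^S\d (\w+);[^;]*;(.+?) \[")
EXECUTABLE = (".exe", ".dll", ".sys")

# Files the helper evidently left out on purpose (assumption). KGyGaAvL.sys is
# the data file of the SafeCast copy-protection scheme, common on XP boxes.
BENIGN = {"kgygaavl.sys"}


def is_candidate(attrs, path):
    """My reading of the helper's rule: hidden/system files under C:\\WINDOWS
    and loose executables dropped straight into the Program Files root."""
    low = path.lower()
    folder, name = low.rsplit("\\", 1)
    if attrs.startswith("d") or name in BENIGN:      # directories and allow-list
        return False
    if low.startswith("c:\\windows\\") and ("h" in attrs or "s" in attrs):
        return True
    return folder == "c:\\program files" and name.endswith(EXECUTABLE)


def select(log_text):
    """Return (files, drivers): paths to list under File:: and service names
    to list under Driver:: because their image is among those files."""
    files, services = [], []
    for line in (raw.strip() for raw in log_text.splitlines()):
        if m := FIND3M_LINE.match(line):
            _size, attrs, path = m.groups()
            if is_candidate(attrs, path):
                files.append(path)
        elif m := SERVICE_LINE.match(line):
            services.append((m.group(1), m.group(2)))
    drivers = [name for name, image in services if image in files]
    return files, drivers


def build_cfscript(log_text):
    files, drivers = select(log_text)
    lines = ["File::", *files]
    if drivers:
        lines += ["Driver::", *drivers]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(build_cfscript(SAMPLE_LOG), end="")
```

On the sample the output matches the helper's File:: and Driver:: sections line for line (20 files, then dllmgr64). The KillAll:: and Extra:: directives at the top of the helper's script are ComboFix's own and are not generated here, and anything a rule like this selects still needs a human look before it goes into a script that deletes files.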
     
