
Virus stopping my antivirus

Discussion in 'Malware and Virus Removal Archive' started by garciam, 2007/02/28.

  1. 2007/02/28
    garciam

    garciam Inactive Thread Starter

    Joined:
    2007/02/28
    Messages:
    6
    Likes Received:
    0
    Hi, I am really in a bind. I cannot run AVG. Any attempt to go to certain antivirus websites makes my browser close. I changed to Kaspersky, but it finds nothing. Windows Defender finds nothing. I cannot run HijackThis unless I am in Safe Mode with Command Prompt.

    Here is my HijackThis log. Thanks in advance for your help.

    Logfile of HijackThis v1.99.1
    Scan saved at 11:38:30 AM, on 2/28/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    G:\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page =
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
    R3 - Default URLSearchHook is missing
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\npjpi150_10.dll
    O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: aaauxydradkw - C:\WINDOWS\system32\aaauxydradkw.dll
    O20 - Winlogon Notify: lnhbwqfqsjdn - C:\WINDOWS\system32\lnhbwqfqsjdn.dll
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: XSWI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Manuel\LOCALS~1\Temp\XSWI.exe




    At 3:49 pm PST I found out that I am at least infected by win32: delf-dom. I loaded Avast and it was discovered during a boot-time scan.
     
    Last edited: 2007/02/28
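The two O20 Winlogon Notify entries with random twelve-letter names and the O23 service running out of the user's Temp folder are the lines a helper would pull out of this log first. The script below is an added example, not part of this thread and not HijackThis code: it parses O20/O23 lines (the sample input is the relevant lines copied from the log above), skips notify packages present on a stock Windows XP baseline, and flags the rest, adding a note when the name looks machine-generated or when a service image sits under a temp directory. The baseline set, the name heuristic and the function names are my assumptions; a flag means "verify", not "malicious" (the XSWI entry, for instance, is attributed to Sysinternals in the log itself).

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample input: the O20/O23 lines quoted from the HijackThis log
# in this thread, plus one ordinary O4 line for contrast.
SAMPLE_LOG = r"""
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: aaauxydradkw - C:\WINDOWS\system32\aaauxydradkw.dll
O20 - Winlogon Notify: lnhbwqfqsjdn - C:\WINDOWS\system32\lnhbwqfqsjdn.dll
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
O23 - Service: XSWI - Sysinternals - www.sysinternals.com - C:\DOCUME~1\Manuel\LOCALS~1\Temp\XSWI.exe
"""

# Winlogon notify packages found on a stock Windows XP SP2 install (assumption:
# adjust to your own baseline; anything not listed is "review", not "malicious").
DEFAULT_NOTIFY = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon", "wgalogon",
}

O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+)$")
# Owner text may itself contain " - " (see the XSWI line), so anchor the path on a drive letter.
O23_RE = re.compile(r"^O23 - Service: (?P<svc>.+?) - (?P<owner>.+?) - (?P<path>[A-Za-z]:\\.+)$")


@dataclass
class Finding:
    kind: str      # "O20" or "O23"
    subject: str   # notify package or service name
    path: str
    reason: str


def max_consonant_run(name: str) -> int:
    """Longest run of non-vowel letters; generated names tend to have long ones."""
    run = best = 0
    for ch in name:
        if ch in "aeiou":
            run = 0
        else:
            run += 1
            best = max(best, run)
    return best


def looks_random(name: str) -> bool:
    """Heuristic for the machine-generated names seen in this thread:
    all lowercase letters, 10+ characters, with a run of 4+ consonants."""
    return (name.isalpha() and name == name.lower()
            and len(name) >= 10 and max_consonant_run(name) >= 4)


def in_temp_dir(path: str) -> bool:
    """True when any directory component of a Windows path is Temp/Tmp."""
    parts = [p.lower() for p in path.split("\\")[:-1]]
    return any(p in ("temp", "tmp") for p in parts)


def triage(log_text: str) -> list[Finding]:
    """Return the O20/O23 entries a reviewer should look at, in log order."""
    findings: list[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = O20_RE.match(line)
        if m:
            name, path = m["name"], m["path"]
            if name.lower() in DEFAULT_NOTIFY:
                continue
            reason = "not a default Winlogon notify package"
            if looks_random(name):
                reason += "; random-looking name"
            findings.append(Finding("O20", name, path, reason))
            continue
        m = O23_RE.match(line)
        if m and in_temp_dir(m["path"]):
            findings.append(Finding("O23", m["svc"], m["path"],
                                    "service image lives under a temp directory"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.subject}: {f.reason}\n    {f.path}")
```

Run against the sample it reports the two unknown notify DLLs (both marked random-looking) and the XSWI service, and stays quiet about ctfmon, WgaLogon and the Atheros service. Feeding it a full log is just `triage(open("hijackthis.log").read())`.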
  2. 2007/02/28
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi and welcome

    I would like to have a look at a different log. The program should run fine from safe mode although you may get an error that it cannot run sigcheck because it needs internet access.

    Try running from normal mode first please.

    Download ComboScan to your Desktop:

    http://www.techsupportforum.com/sectools/Deckard/comboscan.exe

    Close all applications and windows.
    Double-click on comboscan.exe to run it, and follow the prompts.
    When the scan is complete, a text file will open - ComboScan.txt
    Copy (Ctrl+A then Ctrl+C) and paste (Ctrl+V) the contents of ComboScan.txt here.
    A folder, C:\ComboScan, will also open. In it will be another text file, Supplementary.txt.
    Copy/paste the contents of Supplementary.txt to your post.

    These logs can be long and it may take a few posts to get both logs in.

    If you had to run from safe mode you will need to post these logs later, or transfer them to a floppy, USB flash drive, etc. and post them from a good computer.
    Both logs should reside in the c:\comboscan folder.

    Note: some firewalls may warn that sigcheck.exe is trying to access the internet - please ensure that you allow sigcheck.exe permission to do so.

    What ComboScan will do:
    --create a new System Restore point in Windows XP and Vista.
    --clean your Temporary Files, Downloaded Program Files, and Internet Cache Files, and also empty the Recycle Bin on all drives.
    --check some important areas of your system and produce a report for your analyst to review.
    --ComboScan automatically runs HijackThis for you, but it will also install and place a shortcut to HijackThis on your desktop if you do not already have HijackThis installed.

    I would like a couple of file samples if possible.
    You have a couple of DLL files that I have no clue about, and I need more info before I attempt removal. I also want to ensure they are distributed to AV companies.

    Can you copy these to a folder called "samples":

    C:\WINDOWS\system32\aaauxydradkw.dll
    C:\WINDOWS\system32\lnhbwqfqsjdn.dll

    Zip up the folder and upload it here please:

    http://www.bleepingcomputer.com/submit-malware.php?channel=20

    Please be sure to include a link to this thread so I know whose files they are.

    Once you have uploaded samples.zip you can delete the folder and the zip file.

    Thanks :)
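As an added example, not Blender's instructions and not a tool from this thread, here is a small Python script for the sample-collection step: it copies the requested files into a `samples` folder, records the size and SHA-256 of each (so the case can be matched later against whatever name the AV vendors assign), notes any path that turns out to be missing instead of failing, and zips the folder. The function names `collect_samples` and `demo` and the files `demo()` creates are my own constructed placeholders; on the affected machine you would pass the two system32 DLL paths named above.

```python
from __future__ import annotations

import hashlib
import pathlib
import shutil
import tempfile
import zipfile


def sha256_of(path: pathlib.Path) -> str:
    """Hash a file in chunks so large samples do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_samples(paths, out_dir) -> tuple[list[dict], pathlib.Path]:
    """Copy each existing file into <out_dir>/samples, write a manifest with
    size and SHA-256 per file, and zip the folder. Missing inputs are recorded
    in the manifest rather than aborting the run."""
    out_dir = pathlib.Path(out_dir)
    samples_dir = out_dir / "samples"
    samples_dir.mkdir(parents=True, exist_ok=True)

    manifest: list[dict] = []
    for p in paths:
        src = pathlib.Path(p)
        entry = {"name": src.name, "source": str(src),
                 "status": "missing", "size": None, "sha256": None}
        if src.is_file():
            dst = samples_dir / src.name
            shutil.copy2(src, dst)          # keep timestamps; they are evidence too
            entry.update(status="copied", size=dst.stat().st_size, sha256=sha256_of(dst))
        manifest.append(entry)

    lines = []
    for e in manifest:
        size = "-" if e["size"] is None else str(e["size"])
        lines.append(f"{e['status']:<8}{e['sha256'] or '-':<66}{size:>9} {e['source']}")
    (samples_dir / "manifest.txt").write_text("\n".join(lines) + "\n")

    zip_path = out_dir / "samples.zip"
    with zipfile.ZipFile(zip_path, "w", zipfile.ZIP_DEFLATED) as zf:
        for f in sorted(samples_dir.iterdir()):
            zf.write(f, arcname=f"samples/{f.name}")
    return manifest, zip_path


def demo() -> tuple[list[dict], list[str]]:
    """Constructed demo: two placeholder 'DLLs' (the bytes b'abc' and an empty
    file, not real samples) plus one deliberately missing path."""
    work = pathlib.Path(tempfile.mkdtemp(prefix="samples_demo_"))
    constructed = {"aaauxydradkw.dll": b"abc", "lnhbwqfqsjdn.dll": b""}
    paths = []
    for name, data in constructed.items():
        p = work / name
        p.write_bytes(data)
        paths.append(p)
    paths.append(work / "missing_example.dll")
    manifest, zip_path = collect_samples(paths, work / "upload")
    with zipfile.ZipFile(zip_path) as zf:
        names = sorted(zf.namelist())
    return manifest, names


if __name__ == "__main__":
    manifest, names = demo()
    for e in manifest:
        print(e["status"], e["sha256"], e["source"])
    print("zip contains:", names)
```

Keep the manifest with your own notes: once the vendor replies, the SHA-256 is what lets you confirm the detection they added is for the exact file you sent.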
     


  4. 2007/03/01
    garciam

    garciam Inactive Thread Starter

    Joined:
    2007/02/28
    Messages:
    6
    Likes Received:
    0
    Thanks for your help. Here is the ComboScan log:

    ComboScan v20070226.18 run by Manuel on 2007-03-01 at 10:14:32
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Successfully created restore point.
    Performed disk cleanup.


    -- HijackThis (run as Manuel.exe) -----------------------------------------------

    Unable to find log (file not found).

    -- File Associations ------------------------------------------------------------

    .bat - batfile - "%1" %*
    .chm - chm.file - "C:\WINDOWS\hh.exe" %1
    .cmd - cmdfile - "%1" %*
    .com - comfile - "%1" %*
    .exe - exefile - "%1" %*
    .hlp - hlpfile - %SystemRoot%\System32\winhlp32.exe %1
    .inf - inffile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .ini - inifile - %SystemRoot%\System32\NOTEPAD.EXE %1
    .js - JSFile - %SystemRoot%\System32\WScript.exe "%1" %*
    .lnk - lnkfile - {00021401-0000-0000-C000-000000000046}
    .pif - piffile - "%1" %*
    .reg - regfile - regedit.exe "%1 "
    .scr - scrfile - "%1" /S
    .txt - txtfile - %SystemRoot%\system32\NOTEPAD.EXE %1
    .vbs - VBSFile - %SystemRoot%\System32\WScript.exe "%1" %*


    -- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ----------------------

    1R Aavmker4 (avast! Asynchronous Virus Monitor) - C:\WINDOWS\system32\drivers\aavmker4.sys
    3R aeaudio - C:\WINDOWS\system32\drivers\aeaudio.sys
    2R AegisP (AEGIS Protocol (IEEE 802.1x) v3.2.0.3) - C:\WINDOWS\system32\drivers\AegisP.sys
    2R aswMon2 (avast! Standard Shield Support) - C:\WINDOWS\system32\drivers\aswmon2.sys
    3R aswRdr - C:\WINDOWS\system32\drivers\aswRdr.sys
    1R aswTdi (avast! Network Shield Support) - C:\WINDOWS\system32\drivers\aswTdi.sys
    3S ati2mtaa - C:\WINDOWS\system32\drivers\ati2mtaa.sys
    3S atinrvxx (ATI WDM Rage Theater Video (Microsoft)) - C:\WINDOWS\system32\drivers\ati1rvxx.sys
    0R AVG Anti-Rootkit - C:\WINDOWS\system32\drivers\avgarkt.sys
    1R AvgArCln (Avg Anti-Rootkit Clean Driver) - C:\WINDOWS\system32\drivers\AvgArCln.sys
    3R BLKWGD (Belkin Wireless G Desktop Card Service) - C:\WINDOWS\system32\drivers\BLKWGD.sys
    3S CCDECODE (Closed Caption Decoder) - C:\WINDOWS\system32\drivers\CCDECODE.sys
    3R dot4 (MS IEEE-1284.4 Driver) - C:\WINDOWS\system32\drivers\Dot4.sys
    3R Dot4Print (Print Class Driver for IEEE-1284.4) - C:\WINDOWS\system32\drivers\Dot4Prt.sys
    3R Dot4Scan (Scan Class Driver for IEEE-1284.4) - C:\WINDOWS\system32\drivers\Dot4scan.sys
    3R dot4usb (Dot4USB Filter Dot4USB Filter) - C:\WINDOWS\system32\drivers\Dot4usb.sys
    3S ds1 (Yamaha DS1 Audio Driver (WDM)) - C:\WINDOWS\system32\drivers\ds1wdm.sys
    3R E1000 (Intel(R) PRO/1000 Network Connection Driver) - C:\WINDOWS\system32\drivers\e1000325.sys
    3R EloBus (Elobus Filter Driver) - C:\WINDOWS\system32\drivers\EloBus.sys
    3R EloSer (Elo Serial Driver) - C:\WINDOWS\system32\drivers\EloSer.Sys
    3R GEARAspiWDM - C:\WINDOWS\system32\drivers\GEARAspiWDM.sys
    3R HSFHWBS2 - C:\WINDOWS\system32\drivers\HSFBS2S2.sys
    3R HSF_DP - C:\WINDOWS\system32\drivers\HSFDPSP2.sys
    1R intelppm (Intel Processor Driver) - C:\WINDOWS\system32\drivers\intelppm.sys
    2R irda (IrDA Protocol) - C:\WINDOWS\system32\drivers\irda.sys
    3R irsir (Microsoft Serial Infrared Driver) - C:\WINDOWS\system32\drivers\irsir.sys
    2R mdmxsdk - C:\WINDOWS\system32\drivers\mdmxsdk.sys
    3S MSTEE (Microsoft Streaming Tee/Sink-to-Sink Converter) - C:\WINDOWS\system32\drivers\MSTEE.sys
    3R MTXPARH - C:\WINDOWS\system32\drivers\MTXPARHM.sys
    2S MVDCODEC (ATI WDM Specialized MVD Codec (Microsoft)) - C:\WINDOWS\system32\drivers\ati1mdxx.sys
    3S NABTSFEC (NABTS/FEC VBI Codec) - C:\WINDOWS\system32\drivers\NABTSFEC.sys
    3S NdisIP (Microsoft TV/Video Connection) - C:\WINDOWS\system32\drivers\NdisIP.sys
    3R pfc (Padus ASPI Shell) - C:\WINDOWS\system32\drivers\pfc.sys
    2R PfModNT - C:\WINDOWS\system32\drivers\PFMODNT.SYS
    0R PxHelp20 - C:\WINDOWS\system32\drivers\PxHelp20.sys
    3R Rasirda (WAN Miniport (IrDA)) - C:\WINDOWS\system32\drivers\rasirda.sys
    3S SLIP (BDA Slip De-Framer) - C:\WINDOWS\system32\drivers\SLIP.sys
    3R smwdm - C:\WINDOWS\system32\drivers\smwdm.sys
    3S SONYPVU1 (Sony USB Filter Driver (SONYPVU1)) - C:\WINDOWS\system32\drivers\SONYPVU1.SYS
    3S streamip (BDA IPSink) - C:\WINDOWS\system32\drivers\StreamIP.sys
    0R Symmpi - C:\WINDOWS\system32\drivers\symmpi.sys
    3R usbehci (Microsoft USB 2.0 Enhanced Host Controller Miniport Driver) - C:\WINDOWS\system32\drivers\usbehci.sys
    3S USBSTOR (USB Mass Storage Driver) - C:\WINDOWS\system32\drivers\USBSTOR.SYS
    3S usb_rndisx (USB RNDIS Adapter) - C:\WINDOWS\system32\drivers\usb8023x.sys
    3R winachsf - C:\WINDOWS\system32\drivers\HSFCXTS2.sys
    3R wlanndi5 (wlanndi5 NDIS Protocol Driver) - C:\WINDOWS\system32\wlanndi5.sys
    3S WSTCODEC (World Standard Teletext Codec) - C:\WINDOWS\system32\drivers\WSTCODEC.SYS


    -- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

    2R ACS (Atheros Configuration Service) - C:\WINDOWS\system32\acs.exe
    3S aspnet_state (ASP.NET State Service) - C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\aspnet_state.exe
    2R aswUpdSv (avast! iAVS4 Control Service) - "C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe "
    2R avast! Antivirus - "C:\Program Files\Alwil Software\Avast4\ashServ.exe "
    3R avast! Mail Scanner - "C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service
    3R avast! Web Scanner - "C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service
    2R EloSystemService - C:\WINDOWS\system32\EloSrvce.exe
    2S Fax - C:\WINDOWS\system32\fxssvc.exe
    3S iPod Service - "C:\Program Files\iPod\bin\iPodService.exe "
    2R Irmon (Infrared Monitor) - C:\WINDOWS\system32\svchost.exe -k netsvcs
    3S odserv (Microsoft Office Diagnostics Service) - "C:\Program Files\Common Files\Microsoft Shared\OFFICE12\ODSERV.EXE "
    3S ose (Office Source Engine) - "C:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE "
    2R UMWdf (Windows User Mode Driver Framework) - C:\WINDOWS\system32\wdfmgr.exe
    2R WinDefend (Windows Defender) - "C:\Program Files\Windows Defender\MsMpEng.exe "
    3S XSWI - C:\DOCUME~1\Manuel\LOCALS~1\Temp\XSWI.exe


    -- Scheduled Tasks --------------------------------------------------------------

    2007-03-01 01:51:48 330 --ah----- C:\WINDOWS\Tasks\MP Scheduled Scan.job<MPSCHE~1.JOB>
    2007-02-19 16:13:00 284 --a------ C:\WINDOWS\Tasks\AppleSoftwareUpdate.job<APPLES~1.JOB>


    -- Files created between 2007-02-01 and 2007-03-01 ------------------------------

    2007-03-01 10:15:09 0 d-------- C:\Program Files\HijackThis<HIJACK~1>
    2007-03-01 09:56:54 69120 --a------ C:\WINDOWS\system32\d3acdb.dll
    2007-02-28 14:14:49 23352 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
    2007-02-28 14:14:48 43176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
    2007-02-28 14:14:43 31560 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
    2007-02-28 14:14:31 94424 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
    2007-02-28 14:14:31 85952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
    2007-02-28 14:14:21 90112 --a------ C:\WINDOWS\system32\AVASTSS.scr
    2007-02-28 14:14:21 689280 --a------ C:\WINDOWS\system32\aswBoot.exe
    2007-02-28 14:14:17 0 d-------- C:\Program Files\Alwil Software<ALWILS~1>
    2007-02-28 12:44:50 0 d-------- C:\Program Files\Kaspersky Lab<KASPER~1>
    2007-02-28 11:30:32 3968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
    2007-02-26 13:20:52 0 d-------- C:\WINDOWS\pss
    2007-02-26 12:52:56 26752 --a------ C:\WINDOWS\system32\drivers\ShldDrv.sys
    2007-02-26 12:52:56 165120 --a------ C:\WINDOWS\system32\drivers\PavProc.sys
    2007-02-26 12:47:14 0 d-------- C:\Program Files\Common Files\Panda Software<PANDAS~1>
    2007-02-23 15:10:48 12800 --a------ C:\WINDOWS\system32\drivers\rspsc64.sys
    2007-02-23 15:10:48 9728 --a------ C:\WINDOWS\system32\drivers\rspsc.sys
    2007-02-23 15:08:42 0 d-------- C:\sillhox
    2007-02-23 14:47:59 532480 --a------ C:\cwshredder.exe<CWSHRE~1.EXE>
    2007-02-23 12:29:53 0 d-------- C:\kav
    2007-02-23 10:14:05 218112 --a------ C:\HijackThis.exe<HIJACK~1.EXE>
    2007-02-23 08:43:09 0 d-------- C:\Documents and Settings\Manuel\Application Data\Uniblue
    2007-02-22 22:46:33 0 d-------- C:\Program Files\GoGoData.com
    2007-02-22 21:35:42 0 d-------- C:\Program Files\RootKit Hook Analyzer<ROOTKI~1>
    2007-02-22 13:00:01 0 d-------- C:\Program Files\Windows Defender<WIFD1F~1>
    2007-02-22 12:04:14 0 d-------- C:\Documents and Settings\Administrator\Application Data\AVG7
    2007-02-22 12:03:12 0 d--hs---- C:\WINDOWS\CSC
    2007-02-22 11:26:33 69175 --a------ C:\WINDOWS\system32\wdywdhcgvqsf.dll<WDYWDH~1.DLL>
    2007-02-22 11:26:28 69175 --a------ C:\WINDOWS\system32\xwerymuwyaak.dll<XWERYM~1.DLL>
    2007-02-22 11:26:25 69175 --a------ C:\WINDOWS\system32\lnhbwqfqsjdn.dll<LNHBWQ~1.DLL>
    2007-02-22 11:26:25 69175 -----n--- C:\WINDOWS\system32\aaauxydradkw.dll<AAAUXY~1.DLL>
    2007-02-21 15:34:27 1261628 --a------ C:\WINDOWS\system32\ZDPlusCore.dll<ZDPLUS~1.DLL>
    2007-02-21 15:34:15 274432 --a------ C:\WINDOWS\system32\DocuComAbout.dll<DOCUCO~1.DLL>
    2007-02-21 15:19:40 0 d-------- C:\Documents and Settings\Manuel\Application Data\Zeon
    2007-02-21 15:19:30 488 --a------ C:\WINDOWS\dorp.dat
    2007-02-21 15:16:55 0 d-------- C:\Documents and Settings\All Users\Application Data\Zeon
    2007-02-19 12:55:27 0 d-------- C:\Program Files\SoftWriting<SOFTWR~1>
    2007-02-18 17:09:27 86528 --a------ C:\WINDOWS\system32\drivers\symmpi.sys
    2007-02-14 13:08:40 1024 --a------ C:\WINDOWS\system32\pdfpg.dat
    2007-02-14 13:08:27 0 d-------- C:\Program Files\PDF Split-Merge v2.0<PDFSPL~1.0>
    2007-02-14 12:55:13 50688 --a------ C:\WINDOWS\system32\wbhelp2.dll
    2007-02-14 12:55:13 0 d-------- C:\Program Files\DAP
    2007-02-13 13:48:50 0 d-------- C:\WINDOWS\system32\FxsTmp
    2007-02-13 13:48:16 11264 --a------ C:\WINDOWS\system32\fxssend.exe
    2007-02-13 13:48:16 31744 --a------ C:\WINDOWS\system32\fxsroute.dll
    2007-02-13 13:48:16 132608 --a------ C:\WINDOWS\system32\fxsclntR.dll
    2007-02-13 13:48:16 111104 --a------ C:\WINDOWS\system32\fxscfgwz.dll
    2007-02-13 13:48:15 23552 --a------ C:\WINDOWS\system32\fxsmon.dll
    2007-02-13 13:48:15 55296 --a------ C:\WINDOWS\system32\fxsevent.dll
    2007-02-09 13:22:34 0 d-------- C:\Documents and Settings\Manuel\Application Data\Microsoft Web Folders<MICROS~2>
    2007-02-09 12:59:59 0 d-------- C:\Program Files\Windows Installer Clean Up<WINDOW~4>
    2007-02-09 10:29:29 29384 --a------ C:\WINDOWS\system32\mdimon.dll
    2007-02-09 10:28:23 0 d-------- C:\Program Files\MSBuild
    2007-02-09 10:27:29 0 d-------- C:\Program Files\Microsoft Works<MICROS~4>
    2007-02-09 10:27:22 0 d-------- C:\Program Files\Microsoft.NET<MICROS~1.NET>
    2007-02-09 10:05:20 0 d-------- C:\Program Files\CCleaner
    2007-02-09 09:48:47 0 d-------- C:\Program Files\MSECACHE
    2007-02-08 10:01:55 0 d--h----- C:\WINDOWS\system32\GroupPolicy<GROUPP~1>
    2007-02-08 09:32:18 32592 --a------ C:\WINDOWS\system32\msonpmon.dll
    2007-02-08 09:31:40 1532101 --a------ C:\Documents and Settings\Manuel\Application Data\Install.dat
    2007-02-08 09:31:33 16 --a------ C:\WINDOWS\system32\dlh9jkd1q8.exe<DLH9JK~1.EXE>
    2007-02-08 09:21:09 0 dr-h----- C:\MSOCache
    2007-02-07 12:57:39 178408 --a------ C:\WINDOWS\system32\muweb.dll
    2007-02-07 12:57:38 127208 --a------ C:\WINDOWS\system32\mucltui.dll
    2007-02-07 12:47:44 0 d-------- C:\Documents and Settings\All Users\Application Data\Microsoft Help<MICROS~2>


    -- Find3M Report ----------------------------------------------------------------

    2007-03-01 09:56:40 0 d-------- C:\Program Files\Mozilla Firefox<MOZILL~1>
    2007-02-26 12:48:08 0 d-------- C:\Program Files\Common Files\InstallShield<INSTAL~1>
    2007-02-23 12:34:30 0 d-------- C:\Documents and Settings\Manuel\Application Data\AVG7
    2007-02-23 12:34:14 0 d-------- C:\Program Files\Grisoft
    2007-02-20 13:34:15 0 d-------- C:\Program Files\Quicken Legal Business Pro 2006<QUICKE~1>
    2007-02-12 12:04:43 0 d-------- C:\Documents and Settings\Manuel\Application Data\Azureus
    2007-02-12 10:21:41 38470 --a------ C:\Documents and Settings\Manuel\Application Data\Comma Separated Values (Windows).ADR<COMMAS~1.ADR>
    2007-02-09 10:25:52 0 d-------- C:\Program Files\Microsoft ActiveSync<MICROS~3>
    2007-02-08 10:07:20 0 d-------- C:\Program Files\AMSys
    2007-02-08 09:38:37 0 d-------- C:\Program Files\SpywareBlaster<SPYWAR~1>
    2007-02-07 13:06:13 0 d---s---- C:\Documents and Settings\Manuel\Application Data\Microsoft<MICROS~1>
    2007-02-06 14:31:52 0 d-------- C:\Program Files\Azureus
    2007-02-05 17:17:09 0 d-------- C:\Program Files\QuickTime<QUICKT~1>
    2007-01-29 09:01:34 0 --a------ C:\Documents and Settings\Manuel\Application Data\amopn.dat
    2007-01-29 00:58:06 60416 -----n--- C:\WINDOWS\system32\tzchange.exe
    2007-01-22 21:56:12 0 d-------- C:\Program Files\Common Files\Adobe
    2007-01-16 12:19:11 0 d-------- C:\Documents and Settings\Manuel\Application Data\AdobeUM
    2007-01-12 17:30:09 0 d-------- C:\Program Files\WinAce
    2007-01-12 09:27:42 232960 --a------ C:\WINDOWS\system32\webcheck.dll
    2007-01-12 09:27:42 51712 -----n--- C:\WINDOWS\system32\msfeedsbs.dll<MSFEED~1.DLL>
    2007-01-12 09:27:42 458752 -----n--- C:\WINDOWS\system32\msfeeds.dll
    2007-01-12 09:27:42 6054400 --a------ C:\WINDOWS\system32\ieframe.dll
    2007-01-08 19:04:54 105984 --a------ C:\WINDOWS\system32\url.dll
    2007-01-08 19:04:08 102400 --a------ C:\WINDOWS\system32\occache.dll
    2007-01-08 19:02:04 266752 --a------ C:\WINDOWS\system32\iertutil.dll
    2007-01-08 19:02:04 44544 --a------ C:\WINDOWS\system32\iernonce.dll
    2007-01-08 19:02:02 384000 --a------ C:\WINDOWS\system32\iedkcs32.dll
    2007-01-08 19:02:02 383488 -----n--- C:\WINDOWS\system32\ieapfltr.dll
    2007-01-08 19:02:02 161792 --a------ C:\WINDOWS\system32\ieakui.dll
    2007-01-08 19:02:02 230400 --a------ C:\WINDOWS\system32\ieaksie.dll
    2007-01-08 19:02:02 153088 --a------ C:\WINDOWS\system32\ieakeng.dll
    2007-01-08 19:01:14 17408 --a------ C:\WINDOWS\system32\corpol.dll
    2007-01-08 19:00:48 124928 --a------ C:\WINDOWS\system32\advpack.dll
    2007-01-08 18:08:14 56832 --a------ C:\WINDOWS\system32\ie4uinit.exe
    2007-01-08 18:08:10 13824 -----n--- C:\WINDOWS\system32\ieudinit.exe
    2007-01-07 16:19:54 0 d-------- C:\Program Files\HiDownload<HIDOWN~1>
    2007-01-03 05:03:42 0 d-------- C:\Program Files\Java
    2007-01-02 22:40:15 0 d-------- C:\Program Files\Intel
    2007-01-01 23:41:44 0 d-------- C:\Documents and Settings\Manuel\Application Data\Apple Computer<APPLEC~1>
    2007-01-01 23:41:40 0 d-------- C:\Program Files\iTunes
    2007-01-01 23:41:36 0 d-------- C:\Program Files\iPod
    2006-12-19 13:52:18 134656 --a------ C:\WINDOWS\system32\shsvcs.dll
    2006-12-19 10:16:47 333824 --a------ C:\WINDOWS\system32\wiaservc.dll
    2006-12-06 21:29:34 2374472 --a------ C:\WINDOWS\system32\wmvcore.dll


    -- Registry Dump ----------------------------------------------------------------


    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
    "ctfmon.exe "= "C:\\WINDOWS\\system32\\ctfmon.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
    "Windows Defender "= "\ "C:\\Program Files\\Windows Defender\\MSASCui.exe\" -hide "
    "avast! "= "C:\\PROGRA~1\\ALWILS~1\\Avast4\\ashDisp.exe "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
    "Installed "= "1 "
    "NoChange "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
    "Installed "= "1 "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "WinampAgent "= "C:\\Program Files\\Winamp\\winampa.exe "
    "DownloadAccelerator "= "\ "C:\\Program Files\\DAP\\DAP.EXE\" /STARTUP "
    "SunJavaUpdateSched "= "\ "C:\\Program Files\\Java\\jre1.5.0_10\\bin\\jusched.exe\" "


    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
    "{2188CEDE-B239-484C-8EA6-B84DC1001001} "= "lnhbwqfqsjdn "
    "{CEDE2188-484C-B239-A68E-DC1B84001001} "= "aaauxydradkw "

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
    "{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB} "= "Microsoft AntiMalware ShellExecuteHook "

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer]
    "NoActiveDesktop "=dword:00000000
    "ForceActiveDesktopOn "=dword:00000000

    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\aaauxydradkw
    HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\lnhbwqfqsjdn

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
    "SecurityProviders "= "msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll "

    [HKEY_LOCAL_MACHINE\software\Microsoft\Windows NT\CurrentVersion\Svchost]
    HTTPFilter REG_MULTI_SZ HTTPFilter\0\0
    LocalService REG_MULTI_SZ Alerter\0WebClient\0LmHosts\0RemoteRegistry\0upnphost\0SSDPSRV\0\0
    NetworkService REG_MULTI_SZ DnsCache\0\0
    DcomLaunch REG_MULTI_SZ DcomLaunch\0TermService\0\0
    rpcss REG_MULTI_SZ RpcSs\0\0
    imgsvc REG_MULTI_SZ StiSvc\0\0
    termsvcs REG_MULTI_SZ TermService\0\0


    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b73f16c2-63ad-11db-ac40-000bdb5c5bc3}]

    [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{b73f16c3-63ad-11db-ac40-000bdb5c5bc3}]
    Shell\AutoRun\command setupSNK.exe


    -- End of ComboScan: finished at 2007-03-01 at 10:17:35 -------------------------

    And here is Supplementary.txt:

    ComboScan v20070226.18 run by Manuel on 2007-03-01 at 10:14:32
    Supplementary logfile - please post this as an attachment with your post.
    --------------------------------------------------------------------------------

    -- System Information -----------------------------------------------------------

    Microsoft Windows XP Professional (build 2600) SP 2.0
    Architecture: X86; Language: English

    CPU 0: Intel(R) Xeon(TM) CPU 2.66GHz
    Percentage of Memory in Use: 28%
    Physical Memory (total/avail): 2047 MiB / 1457.04 MiB
    Pagefile Memory (total/avail): 3943.32 MiB / 3168.66 MiB
    Virtual Memory (total/avail): 2047.88 MiB / 1988.64 MiB

    A: is Removable (Unformatted)
    C: is Fixed (NTFS) - 136.72 GiB total, 95.21 GiB free.
    E: is CDROM (No Media)


    -- Security Center --------------------------------------------------------------

    AUOptions is scheduled to auto-install.
    Windows Internal Firewall is enabled.

    FirstRunDisabled is set.

    AV: avast! antivirus 4.7.942 [VPS 000720-0] v4.7.942 (ALWIL Software)


    -- Environment Variables --------------------------------------------------------

    ALLUSERSPROFILE=C:\Documents and Settings\All Users
    APPDATA=C:\Documents and Settings\Manuel\Application Data
    ArmServerInfo=0005032E
    ASLOGDIR=C:\Program Files\Intuit\QuickBooks 2006\
    CLASSPATH=.;C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
    CommonProgramFiles=C:\Program Files\Common Files
    COMPUTERNAME=MANUEL-7C2366F1
    ComSpec=C:\WINDOWS\system32\cmd.exe
    FP_NO_HOST_CHECK=NO
    HOMEDRIVE=C:
    HOMEPATH=\Documents and Settings\Manuel
    LOGONSERVER=\\MANUEL-7C2366F1
    NUMBER_OF_PROCESSORS=1
    OS=Windows_NT
    Path=C:\PROGRA~1\Mozilla Firefox;C:\Program Files\Mozilla Firefox;C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem;C:\Program Files\QuickTime\QTSystem\;C:\Program Files\Intel\DMIX
    PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
    PROCESSOR_ARCHITECTURE=x86
    PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 7, GenuineIntel
    PROCESSOR_LEVEL=15
    PROCESSOR_REVISION=0207
    ProgramFiles=C:\Program Files
    PROMPT=$P$G
    QTJAVA=C:\Program Files\Java\jre1.5.0_09\lib\ext\QTJava.zip
    SESSIONNAME=Console
    SystemDrive=C:
    SystemRoot=C:\WINDOWS
    TEMP=C:\DOCUME~1\Manuel\LOCALS~1\Temp
    TMP=C:\DOCUME~1\Manuel\LOCALS~1\Temp
    USERDOMAIN=MANUEL-7C2366F1
    USERNAME=Manuel
    USERPROFILE=C:\Documents and Settings\Manuel
    windir=C:\WINDOWS


    -- User Profiles ----------------------------------------------------------------

    Manuel (admin)
    Nichole (admin)
    Administrator (admin)


    -- Add/Remove Programs ----------------------------------------------------------

    --> MsiExec.exe /I{403EF592-953B-4794-BCEF-ECAB835C2095}
    --> MsiExec.exe /I{688A3383-3CE7-4094-9188-9C39D1E4FCB6}
    --> MsiExec.exe /X{2642BE09-1F9F-4E18-AAD4-0258B9BCE611}
    --> rundll32.exe setupapi.dll,InstallHinfSection DefaultUninstall 132 C:\WINDOWS\INF\PCHealth.inf
    Ad-Aware SE Personal --> C:\PROGRA~1\Lavasoft\AD-AWA~1\UNWISE.EXE C:\PROGRA~1\Lavasoft\AD-AWA~1\INSTALL.LOG
    Adobe Reader 8 --> MsiExec.exe /I{AC76BA86-7AD7-1033-7B44-A80000000002}
    Adobe Shockwave Player --> C:\WINDOWS\system32\Macromed\SHOCKW~1\UNWISE.EXE C:\WINDOWS\system32\Macromed\SHOCKW~1\Install.log
    Apple Software Update --> MsiExec.exe /I{A50C25D7-62E9-4511-AD70-8E2DA5E79B7D}
    avast! Antivirus --> rundll32 C:\PROGRA~1\ALWILS~1\Avast4\Setup\setiface.dll,RunSetup
    AVG Anti-Rootkit Beta --> C:\Program Files\GRISOFT\AVG Anti-Rootkit Beta\Uninstall.exe
    Azureus --> C:\Program Files\Azureus\Uninstall.exe
    Belkin Wireless Utility --> C:\Program Files\Common Files\InstallShield\Driver\8\Intel 32\IDriver.exe /M{5314FAC0-F8A5-4432-8980-251D055B2C5B}
    CCleaner (remove only) --> "C:\Program Files\CCleaner\uninst.exe "
    CleanUp! --> C:\Program Files\CleanUp!\uninstall.exe
    Digital Photo Navigator 1.0 --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7EF4BD8-CA13-11D5-AE3D-005004B8E30C}\setup.exe" -l0x9
    Download Accelerator Plus (DAP) --> C:\PROGRA~1\DAP\DAPREMOVE.EXE
    DVD Solution --> "C:\Program Files\Uninstall_CDS.exe "
    Elo XP Universal Driver --> C:\Program Files\EloTouchSystems\EloSetup /u
    HijackThis 1.99.1 --> G:\HijackThis.exe /uninstall
    hp officejet g series --> C:\WINDOWS\system32\hpocon09.exe /u 1163207164 /d "hp officejet g series "
    Intel(R) PRO Network Connections 11.2.0.69 --> MsiExec.exe /i{2222B364-0854-4265-B32E-A142DB9DC7BB} ARPREMOVE=1
    iTunes --> MsiExec.exe /I{446DBFFA-4088-48E3-8932-74316BA4CAE4}
    J2SE Runtime Environment 5.0 Update 10 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150100}
    J2SE Runtime Environment 5.0 Update 6 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150060}
    J2SE Runtime Environment 5.0 Update 9 --> MsiExec.exe /I{3248F0A8-6813-11D6-A77B-00B0D0150090}
    JumpStart Toddlers 2000 --> C:\WINDOWS\IsUninst.exe -fC:\KA\JST2000\DeIsL1.isu
    Matrox PowerDesk-HF and Driver --> C:\WINDOWS\system32\PowerDesk8\ParheliaUninstaller.exe
    Microsoft Access 2000 SR-1 --> MsiExec.exe /I{00100409-78E1-11D2-B60F-006097C998E7}
    Microsoft ActiveSync 4.0 --> MsiExec.exe /I{B208806F-A231-4FA0-AB3F-5C1B8979223E}
    Microsoft Office 2000 SR-1 Professional --> MsiExec.exe /I{00010409-78E1-11D2-B60F-006097C998E7}
    Microsoft Outlook 2002 --> MsiExec.exe /I{911A0409-6000-11D3-8CFE-0050048383C9}
    Mozilla Firefox (2.0.0.2) --> C:\PROGRA~1\Mozilla Firefox\uninstall\helper.exe
    Palm Bluetooth ActiveSync Plug-in --> MsiExec.exe /X{CEAB0A77-E60B-40C3-A58A-7304177C6CC8}
    PDF Split-Merge v2.0 --> "C:\Program Files\PDF Split-Merge v2.0\unins000.exe "
    Picsel File Viewer --> C:\Program Files\Microsoft ActiveSync\picsel-2006-07-13-15-39-50\ifv\PicselUninstall.exe
    PowerDirector Express --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{EDE721EC-870A-11D8-9D75-000129760D75}\setup.exe" -uninstall
    PowerDVD --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{6811CAA0-BF12-11D4-9EA1-0050BAE317E1}\setup.exe" -uninstall
    PowerProducer --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{B7A0CE06-068E-11D6-97FD-0050BACBF861}\setup.exe" -uninstall
    QuickBooks Pro 2006 --> msiexec.exe /I {688A3383-3CE7-4094-9188-9C39D1E4FCB6} UNIQUE_NAME= "pro" QBFULLNAME= "QuickBooks Pro 2006" ADDREMOVE=1
    Quicken Legal Business Pro 2006 --> C:\WINDOWS\unvise32.exe C:\Program Files\Quicken Legal Business Pro 2006\uninstal.log
    QuickTime --> MsiExec.exe /I{50D8FFDD-90CD-4859-841F-AA1961C7767A}
    RootKit Hook Analyzer 2.00 --> "C:\Program Files\RootKit Hook Analyzer\unins000.exe "
    SoftWriting 4.1 --> C:\PROGRA~1\SOFTWR~1\UNWISE.EXE C:\PROGRA~1\SOFTWR~1\INSTALL.LOG
    SoundMAX --> RunDll32 C:\PROGRA~1\COMMON~1\INSTAL~1\engine\6\INTEL3~1\Ctor.dll,LaunchSetup "C:\Program Files\InstallShield Installation Information\{F0A37341-D692-11D4-A984-009027EC0A9C}\Setup.exe"
    Spybot - Search & Destroy 1.4 --> "C:\Program Files\Spybot - Search & Destroy\unins000.exe "
    SpywareBlaster v3.5.1 --> "C:\Program Files\SpywareBlaster\unins000.exe "
    Streamripper Plugin 1.61.24 (Remove only) --> C:\Program Files\Winamp\streamripper_uninstall.exe
    Treo 700w User Guide --> MsiExec.exe /X{E962D5C3-6356-450D-AD38-471B3EA3923D}
    WinAce Archiver --> "C:\Program Files\WinAce\SXUNINST.EXE" "C:\Program Files\WinAce\SXUNINST.INI "
    Winamp (remove only) --> "C:\Program Files\Winamp\UninstWA.exe "
    Windows Defender --> MsiExec.exe /I{A06275F4-324B-4E85-95E6-87B2CD729401}
    Windows Installer Clean Up --> MsiExec.exe /X{121634B0-2F4B-11D3-ADA3-00C04F52DD52}
    Yahoo! Anti-Spy --> C:\PROGRA~1\Yahoo!\Common\unypsr.exe
    Yahoo! Browser Services --> C:\PROGRA~1\Yahoo!\Common\unyext.exe
    Yahoo! Install Manager --> C:\WINDOWS\system32\regsvr32 /u C:\PROGRA~1\Yahoo!\Common\YINSTH~1.DLL
    Yahoo! Internet Mail --> C:\WINDOWS\system32\regsvr32 /u /s C:\PROGRA~1\Yahoo!\Common\ymmapi.dll
    Yahoo! Messenger --> C:\PROGRA~1\Yahoo!\MESSEN~1\UNWISE.EXE /U C:\PROGRA~1\Yahoo!\MESSEN~1\INSTALL.LOG
    Yahoo! Toolbar for Internet Explorer --> C:\PROGRA~1\Yahoo!\Common\unyt.exe


    -- End of ComboScan: finished at 2007-03-01 at 10:17:35 -------------------------

    I'll upload the .dll files shortly and thanks again.
     
  5. 2007/03/01
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Thanks for the logs & files.
    Sorry I couldn't get back earlier. We are having real nasty weather here & I'm having trouble staying online.

    Can you upload these 2 files as well please? Same spot as the last ones:

    C:\windows\system32\xwerymuwyaak.dll
    C:\windows\system32\wdywdhcgvqsf.dll

    Thanks!

    Not much detection on those things but it looks to be a variant of this:

    http://research.sunbelt-software.co...ame=Trojan.WinlogonHook.Delf.A&threatid=44394

    I notice too that you have 2 user accounts on this machine. When we are done cleaning up your account I will want to check the other account.
    Please try to avoid logging into the second account in case there is something nasty waiting for us over there.
    We'll use another tool to check that account before we run it.

    That comboscan should have run hijackthis using a different name. This didn't happen and I don't know why yet. Likely for the same reason you can't run HJT in normal mode.

    What is in this folder? Anything you recognize?

    C:\sillhox

    Let's see what we can do here about those DLLs:

    WARNING: Be careful what you copy and paste. OTMoveIt is a powerful program designed to move highly persistent files and folders. Not following the directions exactly as instructed or carelessness could prevent your system from ever starting up again.



    Please download the OTMoveIt by OldTimer.
    • Save it to your desktop.
    • Please double-click OTMoveIt.exe to run it.
    • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):

      C:\WINDOWS\system32\aaauxydradkw.dll
      C:\WINDOWS\system32\lnhbwqfqsjdn.dll
      C:\windows\system32\xwerymuwyaak.dll
      C:\windows\system32\wdywdhcgvqsf.dll
      C:\WINDOWS\system32\dlh9jkd1q8.exe


    • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
    • Click the red Moveit! button.
    • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), save it to a new notepad file and copy/paste that log on your next reply.
    • Close OTMoveIt
    If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.
    Reboot may take longer than usual. This is normal.

    Once restarted please post a fresh hijackthis log along with the log you saved from OTMoveIT. (If Hijackthis runs properly this is a good sign)

    Let me know how the machine is running.

    Thanks :)
     
  6. 2007/03/02
    garciam

    garciam Inactive Thread Starter

    Joined:
    2007/02/28
    Messages:
    6
    Likes Received:
    0
    Hi again,

    Sillhox is really Killbox, but I was trying to hide the name to see if it could run, but it would not. I am going through with the OTMoveIt right now.

    On another note, Avast has told me that d3acdb.dll is infected with win32: delf-dom.

    Thanks,
    mg
     
  7. 2007/03/02
    garciam

    garciam Inactive Thread Starter

    Joined:
    2007/02/28
    Messages:
    6
    Likes Received:
    0
    Here it is:

    Otmoveit

    C:\WINDOWS\system32\aaauxydradkw.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\aaauxydradkw.dll scheduled to be moved on reboot.
    C:\WINDOWS\system32\lnhbwqfqsjdn.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\lnhbwqfqsjdn.dll scheduled to be moved on reboot.
    C:\WINDOWS\system32\wdywdhcgvqsf.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\wdywdhcgvqsf.dll scheduled to be moved on reboot.
    C:\WINDOWS\system32\xwerymuwyaak.dll unregistered successfully.
    File move failed. C:\WINDOWS\system32\xwerymuwyaak.dll scheduled to be moved on reboot.
    C:\WINDOWS\system32\dlh9jkd1q8.exe moved successfully.

    Created on 03/02/2007 10:52:16

    Hijackthis could not be run normally. I tried in safe mode and it could not be run. I then tried in safe mode w/ command prompt and it ran. Here are the results:

    Logfile of HijackThis v1.99.1
    Scan saved at 11:07:00 AM, on 3/2/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\system32\cmd.exe
    C:\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: aaauxydradkw - C:\WINDOWS\system32\aaauxydradkw.dll
    O20 - Winlogon Notify: lnhbwqfqsjdn - C:\WINDOWS\system32\lnhbwqfqsjdn.dll
    O20 - Winlogon Notify: wdywdhcgvqsf - C:\WINDOWS\system32\wdywdhcgvqsf.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: xwerymuwyaak - C:\WINDOWS\system32\xwerymuwyaak.dll (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: XSWI - Unknown owner - C:\DOCUME~1\Manuel\LOCALS~1\Temp\XSWI.exe (file missing)
     
  8. 2007/03/03
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Thanks for the files. :)

    Hmmm
    That thing is firmly lodged isn't it!

    Download win32delfkil.exe from here:

    http://users.telenet.be/marcvn/tools/win32delfkil.exe

    Save it on your desktop.
    Close all windows.
    Double click on win32delfkil.exe to start the removal tool.
    The computer will reboot automatically.
    After reboot a logfile will open: c:\windelf.txt
    Post the contents of the logfile, along with a new HijackThis log.

    Let me know how machine is running.
    There will be more work to do likely.

    Thanks
     
  9. 2007/03/03
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Me again...

    Let me know please if win32delfkil would not work either. I do suspect it is being affected in a similar way to how HijackThis and your AV are.

    Thanks

    Tammy
     
  10. 2007/03/03
    garciam

    garciam Inactive Thread Starter

    Joined:
    2007/02/28
    Messages:
    6
    Likes Received:
    0
    Here is the HijackThis log. It ran in normal mode and I can access antivirus websites. I am running Avast again to see if it finds the virus. The computer seems to be working well.

    Logfile of HijackThis v1.99.1
    Scan saved at 4:38:30 PM, on 3/3/2007
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.6000.16414)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Windows Defender\MsMpEng.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\acs.exe
    C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    C:\Program Files\Alwil Software\Avast4\ashServ.exe
    C:\WINDOWS\system32\EloSrvce.exe
    C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
    C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
    C:\WINDOWS\system32\userinit.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Windows Defender\MSASCui.exe
    C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    C:\WINDOWS\system32\EloDkMon.exe
    C:\WINDOWS\system32\EloTTray.exe
    C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
    C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    C:\HijackThis.exe
    C:\PROGRA~1\HEWLET~1\AiO\Shared\Bin\hpoevm07.exe
    C:\WINDOWS\system32\hpoipm07.exe
    C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapps.yahoo.com/customize/ycomp/defaults/sp/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr8/*http://www.yahoo.com/ext/search/search.html
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
    R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://red.clientapps.yahoo.com/customize/ycomp/defaults/su/*http://www.yahoo.com
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Windows Internet Explorer provided by Yahoo!
    R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn0\yt.dll
    O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
    O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\reader_sl.exe
    O4 - Global Startup: Adobe Reader Synchronizer.lnk = C:\Program Files\Adobe\Reader 8.0\Reader\AdobeCollabSync.exe
    O4 - Global Startup: Belkin Wireless Utility.lnk = C:\Program Files\Belkin\PCI F5D7000\Wireless Utility\Belkinwcui.exe
    O4 - Global Startup: HPAiODevice(hp officejet g series) - 1.lnk = C:\Program Files\Hewlett-Packard\AiO\hp officejet g series\Bin\hpoavn07.exe
    O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
    O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
    O8 - Extra context menu item: &Clean Traces - C:\Program Files\DAP\Privacy Package\dapcleanerie.htm
    O8 - Extra context menu item: &Download with &DAP - C:\Program Files\DAP\dapextie.htm
    O8 - Extra context menu item: Download &all with DAP - C:\Program Files\DAP\dapextie2.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_10\bin\ssv.dll
    O9 - Extra button: (no name) - {2670000A-7350-4f3c-8081-5663EE0C6C49} - (no file)
    O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
    O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\WINDOWS\system32\shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
    O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O11 - Options group: [INTERNATIONAL] International*
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\Program Files\Common Files\Microsoft Shared\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: wdywdhcgvqsf - C:\WINDOWS\system32\wdywdhcgvqsf.dll (file missing)
    O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
    O20 - Winlogon Notify: xwerymuwyaak - C:\WINDOWS\system32\xwerymuwyaak.dll (file missing)
    O23 - Service: Atheros Configuration Service (ACS) - Unknown owner - C:\WINDOWS\system32\acs.exe
    O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - Unknown owner - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
    O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
    O23 - Service: avast! Mail Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe" /service (file missing)
    O23 - Service: avast! Web Scanner - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe" /service (file missing)
    O23 - Service: EloSystemService - Elo Touchsystems, Inc. - C:\WINDOWS\system32\EloSrvce.exe
    O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: XSWI - Unknown owner - C:\DOCUME~1\Manuel\LOCALS~1\Temp\XSWI.exe (file missing)

    Thanks for all your help. Please let me know what to do with all of the notices from this log.

    manuel
     
  11. 2007/03/03
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Looks like improvement for sure! :)

    Did the win32delfkil program I had you use work? I ask because it was one of the programs this trojan was instructed to not allow to run.
    If delfkil did run can you please post this log:

    C:\windelf.txt

    Couple items to fix up with Hijackthis:
    Start Hijackthis
    Run system scan only and check the following items:

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
    O20 - Winlogon Notify: wdywdhcgvqsf - C:\WINDOWS\system32\wdywdhcgvqsf.dll (file missing)
    O20 - Winlogon Notify: xwerymuwyaak - C:\WINDOWS\system32\xwerymuwyaak.dll (file missing)


    Close all open windows and hit "fix checked", then OK.
    Hijackthis might give errors on the 2 O20 items. This is because it is trying to back up non-existent files. Just OK the errors.

    Exit Hijackthis when done.

    Next:

    Click start> run> type cmd.exe and hit enter.
    Type the following commands and hit enter after each one:

    sc stop xswi
    sc delete xswi


    Might get an error on the first command. This is OK since the file does not exist & is therefore not running.
    Type in the second command anyway.
    It should give you success message.

    Reboot computer and post a fresh hijackthis log here please.
    If you have the c:\windelf.txt post that also.
    If that log is not present, I'll want to do a registry search for possible leftover related entries.

    Thanks

    Tammy
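    The two kinds of leftovers Tammy is fixing above (Winlogon Notify entries whose DLL is gone, and a service registration whose binary is gone) are exactly what a triage of the O20/O23 lines in a HijackThis log should separate from the entries that still have a file on disk. The script below is an added example for this thread, not a tool from the original post; the sample lines are copied from the 3/2/2007 log, and the allowlist of legitimate Notify subkeys (WgaLogon plus the usual Windows XP defaults) is an assumption for illustration.

```python
"""Triage of HijackThis 1.99 O20 (Winlogon Notify) and O23 (Service) lines.

Added example for this thread, not a tool from the original post. The sample
lines are copied from the 3/2/2007 log above; the allowlist of legitimate
Notify subkeys is an assumption (WgaLogon plus the usual Windows XP defaults).
"""
import re
from dataclasses import dataclass

# Constructed sample: O20/O23 lines taken from the HijackThis log posted above.
SAMPLE_LOG = r"""
O20 - Winlogon Notify: aaauxydradkw - C:\WINDOWS\system32\aaauxydradkw.dll
O20 - Winlogon Notify: lnhbwqfqsjdn - C:\WINDOWS\system32\lnhbwqfqsjdn.dll
O20 - Winlogon Notify: wdywdhcgvqsf - C:\WINDOWS\system32\wdywdhcgvqsf.dll (file missing)
O20 - Winlogon Notify: WgaLogon - C:\WINDOWS\SYSTEM32\WgaLogon.dll
O23 - Service: avast! Antivirus - Unknown owner - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: XSWI - Unknown owner - C:\DOCUME~1\Manuel\LOCALS~1\Temp\XSWI.exe (file missing)
"""

# Assumption: Notify subkeys normally present on Windows XP (compared case-insensitively).
KNOWN_GOOD_NOTIFY = {
    "wgalogon", "crypt32chain", "cryptnet", "cscdll", "sccertprop",
    "schedule", "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

O20_RE = re.compile(
    r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
O23_RE = re.compile(
    r"^O23 - Service: (?P<name>.+?) - (?P<owner>.+?) - (?P<path>.+?)(?P<missing> \(file missing\))?$")
# Heuristic: the DLLs in this thread all carry 12-letter pseudo-random names.
RANDOM_NAME_RE = re.compile(r"^[a-z]{12}$")


@dataclass
class Finding:
    kind: str      # "O20" or "O23"
    name: str      # Notify subkey or service name
    path: str      # file the registry entry points at
    verdict: str
    action: str    # defender's next step, as suggested in the thread


def triage_line(line: str):
    """Classify one HijackThis line; returns None for lines that are not O20/O23."""
    line = line.strip()
    m = O20_RE.match(line)
    if m:
        name, path, missing = m.group("name"), m.group("path"), bool(m.group("missing"))
        if name.lower() in KNOWN_GOOD_NOTIFY:
            return Finding("O20", name, path, "known-good", "leave alone")
        if missing:
            # Only the registry entry is left; fixing it in HijackThis removes the orphan.
            return Finding("O20", name, path, "orphaned-notify",
                           "fix with HijackThis (backup error is expected)")
        hint = " (pseudo-random name)" if RANDOM_NAME_RE.match(name) else ""
        return Finding("O20", name, path, "unknown-notify-dll",
                       "submit the DLL for analysis before removal" + hint)
    m = O23_RE.match(line)
    if m:
        name, path, missing = m.group("name"), m.group("path"), bool(m.group("missing"))
        if missing:
            # Service registration without a binary: stop (may fail), then delete with sc.
            return Finding("O23", name, path, "orphaned-service",
                           f'sc stop "{name}" / sc delete "{name}"')
        return Finding("O23", name, path, "service-present", "verify the owner/publisher")
    return None


def triage(log_text: str):
    """Return the findings for every O20/O23 line in a HijackThis log."""
    return [f for f in map(triage_line, log_text.splitlines()) if f is not None]


def summary(log_text: str):
    """Count findings per verdict."""
    counts = {}
    for f in triage(log_text):
        counts[f.verdict] = counts.get(f.verdict, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.kind} {f.verdict:<20} {f.name:<18} -> {f.action}")
```

    Run against the earlier 3/2/2007 log this gives two present-but-unknown Notify DLLs (the ones OTMoveIt later unregistered), one orphaned Notify entry, and the orphaned XSWI service that `sc delete` removes; a DLL that is still on disk gets "submit for analysis" rather than "delete", because removal before identification is how the 2 user accounts on this machine could end up in different states.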
     
  12. 2007/03/05
    garciam

    garciam Inactive Thread Starter

    Joined:
    2007/02/28
    Messages:
    6
    Likes Received:
    0
    Tammy,

    Here is the windelf log and HijackThis log. After running win32delfkil, AVG has detected it and so has Spybot, and they both said that they removed it successfully. I am not sure what is up with that, but it has not been detected since then.

    WIN32DELFKIL LOGFILE - by Marckie


    version 3.125
    Sat 03/03/2007 15:17:29.15
    running from: "C:\Documents and Settings\Manuel\Desktop "


    --- File(s) found in Windows directory ---
    gc_407.cnf
    gsc_407.cnf

    --- File(s) found in system32 folder ---
    d3acdb.dll

    --- Services ---

    --- Export SharedTaskScheduler key ---
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
    "{438755C2-A8BA-11D1-B96B-00A0C90312E1} "= "Browseui preloader "
    "{8C7461EF-2B13-11d2-BE35-3078302C2030} "= "Component Categories cache daemon "
    "{2188CEDE-B239-484C-8EA6-B84DC1001001} "= "lnhbwqfqsjdn "
    "{CEDE2188-484C-B239-A68E-DC1B84001001} "= "aaauxydradkw "



    --- sharedtaskkey (1): 2188CEDE-B239-484C-8EA6-B84DC1001001 ---
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2188CEDE-B239-484C-8EA6-B84DC1001001}]
    @= "C:\\WINDOWS\\system32\\lnhbwqfqsjdn.dll "
    "ThreadingModel "= "Apartment "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2188CEDE-B239-484C-8EA6-B84DC1001001}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\lnhbwqfqsjdn.dll "
    "ThreadingModel "= "Apartment "

    checking for file:
    lnhbwqfqsjdn.dll found
    lnhbwqfqsjdn.dll deleted!


    --- sharedtaskkey (2): CEDE2188-484C-B239-A68E-DC1B84001001 ---
    REGEDIT4

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CEDE2188-484C-B239-A68E-DC1B84001001}]
    @= "C:\\WINDOWS\\system32\\aaauxydradkw.dll "
    "ThreadingModel "= "Apartment "

    [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CEDE2188-484C-B239-A68E-DC1B84001001}\InprocServer32]
    @= "C:\\WINDOWS\\system32\\aaauxydradkw.dll "
    "ThreadingModel "= "Apartment "

    checking for file:
    aaauxydradkw.dll found
    aaauxydradkw.dll deleted!

    --- Notify key ---
    subkey lnhbwqfqsjdn is present!
    subkey aaauxydradkw is present!


    --- rebooting the computer ---
     
  13. 2007/03/05
    Blender

    Blender Inactive

    Joined:
    2007/01/24
    Messages:
    355
    Likes Received:
    0
    Hi

    Sorry for delay. Looks like win32delfkil did do OK.
    As for why Spybot & your AV are flagging win32delfkil I dunno. Do the logs tell you what they are detecting?
    I do suspect it has to do with a process killer/suspender built into delfkil in order to remove the infection.
    This is common since AV programs have difficulty telling the difference between bad and good use of such programs, so they will normally alert the user with an "at risk" program alert.
    It is OK that you had the file deleted. I don't think we will need it any more.
    Just some registry cleanup (maybe)

    Can I see a new hijackthis log please?

    Also:

    Download Bobbi Flekman's RegSearch from
    http://www.xs4all.nl/~fstaal01/downloads/regsearch.zip

    Create a folder for RegSearch on the C: drive called C:\RegSearch. You can do this by going to My Computer then double click on C: then right click and select New then Folder and name it RegSearch. Extract all the files from the zip archive into that folder.

    Attached is a file called Options.txt
    RegSearch has its own Options.txt but the one I created has the entries I am telling RegSearch to look for.

    Please download this file and save it to your desktop.
    Open the RegSearch folder and double click RegSearch.exe
    Click the "Import" button.
    Navigate to your desktop where you have the Options.txt
    Highlight it & click "open".
    If you don't see Options.txt when you get to desktop just type in Options.txt then click open.
    Then click OK.

    Regsearch will scan the registry and a log will pop up when done.

    Post results of log please.

    You will need to close the log file before closing regsearch or program might hang.
    Let me know if things are still working well.

    Thanks :)

    Tammy
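    The windelf.txt log two posts up shows the other half of this infection's persistence: two CLSIDs registered under Explorer's SharedTaskScheduler key, each resolving through `CLSID\{...}\InprocServer32` to one of the random-named DLLs, next to the two entries Windows XP registers itself. The registry cleanup Tammy describes here is a search for exactly such leftovers, so the script below (an added example for this thread, not part of win32delfkil or RegSearch) parses a REGEDIT4 export, joins the SharedTaskScheduler values to their InprocServer32 paths, and reports the ones that are not allowlisted. The sample export is constructed from the log above; treating the Browseui preloader and Component Categories cache daemon CLSIDs as the only known-good entries is an assumption for illustration.

```python
"""Cross-reference a REGEDIT4 export of the SharedTaskScheduler key with the
CLSID\\InprocServer32 keys its values point at.

Added example for this thread, not part of win32delfkil or RegSearch. The
sample export is constructed from the windelf.txt log above; the allowlist
holds the two CLSIDs Windows XP registers itself (assumption for illustration).
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample, rebuilt from the windelf.txt export in the thread.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"
"{2188CEDE-B239-484C-8EA6-B84DC1001001}"="lnhbwqfqsjdn"
"{CEDE2188-484C-B239-A68E-DC1B84001001}"="aaauxydradkw"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{2188CEDE-B239-484C-8EA6-B84DC1001001}\InprocServer32]
@="C:\\WINDOWS\\system32\\lnhbwqfqsjdn.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{CEDE2188-484C-B239-A68E-DC1B84001001}\InprocServer32]
@="C:\\WINDOWS\\system32\\aaauxydradkw.dll"
"ThreadingModel"="Apartment"
"""

STS_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
# Assumption: the two SharedTaskScheduler entries that belong to Windows XP itself.
KNOWN_GOOD_CLSIDS = {
    "438755C2-A8BA-11D1-B96B-00A0C90312E1",   # Browseui preloader
    "8C7461EF-2B13-11D2-BE35-3078302C2030",   # Component Categories cache daemon
}

# A REGEDIT4 value line: either @="..." (default value) or "name"="..."
VALUE_RE = re.compile(r'^(?:@|"(?P<name>[^"]*)")="(?P<value>.*)"$')


def _unescape(value: str) -> str:
    """Undo REGEDIT4 string escaping (\\\\ -> \\, \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", value)


def parse_regedit4(text: str):
    """Parse a REGEDIT4 export into {key path: {value name: value}}; "" is the default value."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group("name") or ""] = _unescape(m.group("value"))
    return keys


@dataclass
class TaskEntry:
    clsid: str              # normalised, without braces, upper case
    label: str              # value data under SharedTaskScheduler
    dll: Optional[str]      # InprocServer32 default value, None if not in the export
    known_good: bool


def shared_task_entries(reg):
    """Resolve every SharedTaskScheduler value to the DLL its CLSID loads into Explorer."""
    entries = []
    for clsid_braced, label in reg.get(STS_KEY, {}).items():
        clsid = clsid_braced.strip("{}").upper()
        server_key = CLSID_ROOT + "\\" + clsid_braced + r"\InprocServer32"
        server = reg.get(server_key, {}).get("")
        entries.append(TaskEntry(clsid, label, server, clsid in KNOWN_GOOD_CLSIDS))
    return entries


def suspicious(reg):
    """Entries outside the allowlist: candidates for the registry cleanup discussed in the thread."""
    return [e for e in shared_task_entries(reg) if not e.known_good]


if __name__ == "__main__":
    for e in suspicious(parse_regedit4(SAMPLE_EXPORT)):
        print(f"{{{e.clsid}}} {e.label!r} -> {e.dll}")
```

    The join matters more than the allowlist: a SharedTaskScheduler value with a harmless-looking label is still worth a look when its CLSID's InprocServer32 points at a file in system32 with a name like the ones in this thread, and an entry whose CLSID has no InprocServer32 key at all (like the two Windows defaults in this constructed export, which win32delfkil did not dump) is a dangling reference rather than an active loader.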
     
