Viruses. Lots Of Viruses.


  • This topic is locked
6 replies to this topic

#1 jjt3135

jjt3135

  • Members
  • 6 posts

Posted 28 July 2007 - 04:32 AM

Well folks, there I was sitting on the couch, and my girlfriend says, right out of the blue, "My computer isn't working."
My god, was she right.

After a lot of manual cleanup and other tricks, I've finally been able to get the machine to log on and not be completely overrun by viruses, and I even managed to install the free version of AVG and HiJackThis.

But that's more or less where it stops.
AVG scans, detects 20-odd different viruses, and tries to remove them (deletion, from what I can tell), and then thinks everything is happy, until I restart. Then they're all back again.
HiJackThis results in a STOP 0x0000000A error unless I run it in safe mode, so here's what I've got:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:08:20, on 2007/07/28
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - C:\Program Files\SurfSideKick 3\SskBho.dll
O2 - BHO: C:\WINDOWS\System32\mkkgf65h.dll - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\mkkgf65h.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O3 - Toolbar: ƒ‰ƒWƒI(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: The–|–σƒCƒ“ƒ^[ƒlƒbƒg - {0A50AAD3-7B56-4480-99E6-D76DF37408A1} - C:\Program Files\TTI_V7_LE\def_bar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\System32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [MSPY2002] C:\WINDOWS\System32\IME\PINTLGNT\ImScInst.exe /SYNC
O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.EXE
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [Winmplayer] "C:\WINDOWS\System32\KB_963491.exe"
O4 - HKLM\..\Run: [Microsoft Office] C:\WINDOWS\Twunk_16.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [webHancer Survey Companion] C:\Program Files\webHancer\Programs\whsurvey.exe
O4 - HKLM\..\Run: [webHancer Agent] C:\Program Files\webHancer\Programs\whagent.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmad_5.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Mcafee\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\DOCUME~1\“n粁@~1\ƒfƒXƒN~1\Mcafee\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [keyboard] C:\\kybrdad_5.exe
O4 - HKLM\..\Run: [defender] c:\\dfndrad_5.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [XP restart system] h
O4 - HKCU\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [rrwq] C:\PROGRA~1\COMMON~1\rrwq\rrwqm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tooc] "C:\PROGRA~1\COMMON~1\„@SSEM~1\wuauboot.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Qgb] C:\Program Files\Common Files\s„ucurity\t„pskmgr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel ‚ΙƒGƒNƒXƒ|[ƒg(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: The–|–σ_ƒy[ƒW–|–σ - C:\Program Files\TTI_V7_LE\addins\Ie\afi_pagetran.htm
O8 - Extra context menu item: The–|–σ_”ΝˆΝŽw’θ–|–σ - C:\Program Files\TTI_V7_LE\addins\Ie\afi_seltran.htm
O8 - Extra context menu item: The–|–σ_–|–σέ’θ - C:\Program Files\TTI_V7_LE\addins\Ie\afi_setdlg.htm
O8 - Extra context menu item: The–|–σ_Ž«‘ŽQΖ - C:\Program Files\TTI_V7_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: ƒy[ƒW–|–σ - {D1A62E01-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_pagetran.htm
O9 - Extra 'Tools' menuitem: The–|–σ_ƒy[ƒW–|–σ - {D1A62E01-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_pagetran.htm
O9 - Extra button: (no name) - {D1A62E07-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\ttp_showdic.htm
O9 - Extra 'Tools' menuitem: The–|–σ_Ž«‘ŽQΖ - {D1A62E07-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: (no name) - {D1A62E08-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_seltran.htm
O9 - Extra 'Tools' menuitem: The–|–σ_”ΝˆΝŽw’θ–|–σ - {D1A62E08-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_seltran.htm
O9 - Extra button: (no name) - {D1A62E0A-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_setdlg.htm
O9 - Extra 'Tools' menuitem: The–|–σ_–|–σέ’θ - {D1A62E0A-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_setdlg.htm
O9 - Extra button: Ž«‘ƒo[ - {D1A62E0C-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\IeTbandTate.dll
O9 - Extra button: –|–σƒo[ - {D1A62E0E-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\IeTbandYoko.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Broken Internet access because of LSP provider 'rsvp32_2.dll' missing
O14 - IERESET.INF: START_PAGE_URL=http://dynabook.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b9f79af6fb59...RdxIE601_ja.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: dxtpdx - dxtpdx.dll (file missing)
O20 - Winlogon Notify: IntlRun.OC - C:\WINDOWS\system32\q068laju1do8.dll
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - (no file)
O21 - SSODL: LUVTBUmXO - {E4FBB947-4E51-13ED-9C8A-8A3EBC13DF75} - C:\WINDOWS\System32\lu.dll
O22 - SharedTaskScheduler: sdgfdgdgdtj - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\mkkgf65h.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\k27nsoFAl1KLTY59\command.exe (file missing)
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

--
End of file - 8782 bytes

Now I'm going to manually type the full list of processes when running normally:

ApntEx.exe
Apoint.exe
ati2evxx.exe
atiptaxx.exe
avgamsvr.exe
avgupsvc.exe
CDAC11BA.EXE
CeEKey.exe
CePMTray.exe
conime.exe
CPLBTS88.exe <- Process ended by the time list was finished
csrss.exe
ctfmon.exe
DragDrop.exe
drwtsn32.exe
DtcEMail.exe
dumprep.exe
dwwin.exe <- Process ended by the time list was finished
explorer.exe
ezSP_Px.exe
hpwuSchd2.exe <- Process ended by the time list was finished
hprblog.exe
HPZipm12.exe
imapi.exe <- Process ended by the time list was finished
imekrmig.exe <- Process ended by the time list was finished
imjpmig.exe <- Process ended by the time list was finished
lsass.exe
mdm.exe
msnmsgr.exe
NetMDSB.exe
wowexec.exe
ntvdm.exe
services.exe
smss.exe
spoolsv.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
svchost.exe
System
System Idle Process
taskmgr.exe
TosBtMng.exe
TPTray.exe
winlogon.exe

That's more or less it. It kept changing a lot, but that's what I got while it was staying relatively stable.

So, I beseech thee, help save my girlfriend's computer. :/
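The HijackThis log above has to be read entry by entry. As an added example (not part of this thread and not a HijackThis feature), the Python below encodes the patterns that log shows so a reviewer can pull the suspect autostart entries out first: hooks marked `(file missing)`/`(no file)`, an executable started from the drive root, a core system binary name outside System32, a populated AppInit_DLLs value, and a Run value that is not a file at all. The heuristics and the list of system binaries are my own assumptions; the sample lines are copied from the posted log.

```python
"""Triage helper for HijackThis-style log lines.

A HijackThis line reads "<section> - <description>". The autostart sections
(O4 Run keys, O20 AppInit_DLLs/Winlogon Notify, O21 SSODL, O22
SharedTaskScheduler, O23 services) are read first; the heuristics below are
the patterns the posted log shows and are triage hints, not a verdict.
"""
import re
from dataclasses import dataclass

# Binaries that belong in \WINDOWS\system32; the same name elsewhere is suspect.
SYSTEM_BINARIES = {"services.exe", "svchost.exe", "lsass.exe", "winlogon.exe",
                   "smss.exe", "csrss.exe", "taskmgr.exe", "spoolsv.exe"}

LINE_RE = re.compile(r"^(?P<section>[RFO]\d+) - (?P<body>.*)$")
# Drive letter, one or more backslashes (the log shows "C:\\file.exe"), directory
# components that may contain spaces, then a file name with a loadable extension.
PATH_RE = re.compile(r'[A-Za-z]:\\+(?:[^\\"]+\\+)*[^\\"]+?\.(?:exe|dll|ocx|sys|tmp)\b',
                     re.IGNORECASE)
USER_SUFFIX_RE = re.compile(r"\s*\(User '[^']*'\)\s*$")   # "(User 'SYSTEM')"


@dataclass
class Finding:
    section: str
    reason: str
    line: str


def triage_line(line):
    """Return the Findings for one log line (empty list if nothing stands out)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return []                      # header, process list or blank line
    section, body = m.group("section"), m.group("body")
    low = body.lower()
    findings = []

    # 1. Autostart pointing at a file that is gone: a remover left the hook
    #    behind, or the payload is re-dropped at every boot (as the OP describes).
    if "(file missing)" in low or "(no file)" in low:
        findings.append(Finding(section, "dangling autostart entry", line))

    # 2. AppInit_DLLs loads the named DLL into every process that maps user32.dll.
    if section == "O20" and "appinit_dlls:" in low:
        if low.split("appinit_dlls:", 1)[1].strip():
            findings.append(Finding(section, "AppInit_DLLs hook present", line))

    for path in PATH_RE.findall(body):
        parts = path.split("\\")
        name = parts[-1].lower()
        dirs = [p.lower() for p in parts[1:-1] if p]   # drop "C:" and empties
        # 3. Executable sitting directly in the drive root (C:\\nwnmad_5.exe).
        if section == "O4" and not dirs:
            findings.append(Finding(section, "autostart from drive root", line))
        # 4. A core Windows binary name outside System32 (C:\WINDOWS\services.exe).
        if name in SYSTEM_BINARIES and "system32" not in dirs:
            findings.append(Finding(
                section, f"system binary name outside System32: {name}", line))

    # 5. Run value that is not a file reference at all ("[XP restart system] h").
    if section == "O4":
        value = USER_SUFFIX_RE.sub("", body.split("]", 1)[-1]).strip().strip('"')
        if value and "\\" not in value and not value.lower().endswith(".exe"):
            findings.append(Finding(
                section, f"Run value is not a file path: {value!r}", line))
    return findings


def triage(log_text):
    """Run triage_line over a whole log, preserving line order."""
    return [f for line in log_text.splitlines() for f in triage_line(line)]


def summarize(findings):
    """Count findings per reason, ignoring the per-line detail after ':'."""
    counts = {}
    for f in findings:
        key = f.reason.split(":", 1)[0]
        counts[key] = counts.get(key, 0) + 1
    return counts


# Sample input: lines copied from the HijackThis log posted above, plus one
# ordinary vendor entry (ATIPTA) that must not be flagged.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [newname] C:\\nwnmad_5.exe
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKCU\..\Run: [XP restart system] h
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O20 - AppInit_DLLs: repairs303169590.dll
O20 - Winlogon Notify: dxtpdx - dxtpdx.dll (file missing)
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - (no file)
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
"""
```

`triage(SAMPLE_LOG)` flags six of the nine sample lines; the ATIPTA, KernelFaultCheck and SYSTEM ctfmon entries pass clean, and the spooler service line is flagged twice (missing file, and services.exe outside System32).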

#2 rookie147

rookie147

  • Members
  • 5,321 posts

Posted 28 July 2007 - 12:40 PM

Hello there and welcome to BleepingComputer. My name is Charles and I will be dealing with your log today.
You have quite a heavily infected computer; it is likely that we will need to perform a few scans before you will be completely clean from malware, so please bear with me.

Download Brute Force Uninstaller.
Unzip it to a folder of its own (c:\BFU).
Start the Brute Force Uninstaller by double-clicking BFU.exe

Next to 'scriptfile to execute' you'll see a little icon like this: [image]
When you click that icon, a little window will open that says: 'Please enter the full URL to the sript you want to execute'
In the field, copy and paste this: http://metallica.geekstogo.com/alcanshorty.bfu
Click OK.
Then click Execute to run the script.
Wait for the 'complete script execution' box to pop up and press OK.
Press Exit to terminate the BFU program.

Download Combofix to your Desktop.
Double click combofix.exe
Follow the prompts that are displayed.
Don't click on the window while the fix is running, because that will cause your system to hang.
When finished, it should produce a log, combofix.txt. Post that in your next reply.

Please include the Combofix log along with a fresh HijackThis log in your next reply.
Thanks,
Charles

If you are pleased with the service I have offered, you may like to consider making a donation.


#3 jjt3135

jjt3135
  • Topic Starter

  • Members
  • 6 posts

Posted 29 July 2007 - 12:25 AM

I had a little bit of trouble with ComboFix, and I copied and pasted the BFU script onto the machine, and referenced it that way. A connection to the internet makes it almost impossible to do anything. ComboFix ran alright, but when it restarted the computer it went to normal (non-safe mode) and said 'don't run any programs while it writes the log.' A lot of programs automatically started, and I had to manually kill an automatic shutdown caused by the termination of services.exe (at least, I think that's what it was).

Anyway, here's the combofix log:

"“n粁@—R‹MŽ}" - 2007-07-29 13:38:30 - ComboFix 07-07-23.6 - Service Pack 1 NTFS [SAFE MODE]


(((((((((((((((((((((((((((((((((((((((( Look2Me's Log ))))))))))))))))))))))))))))))))))))))))))))))))))

REGISTRY ENTRIES REMOVED:

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
@="ŒŸυ"
"LocalizedString"="@explorer.exe,-7020"
"InfoTip"="@explorer.exe,-7000"

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\DefaultIcon]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,73,\
68,65,6c,6c,33,32,2e,64,6c,6c,2c,2d,32,33,00

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,73,79,73,74,65,6d,33,32,5c,73,\
68,64,6f,63,76,77,2e,64,6c,6c,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\Instance]
"CLSID"="{3f454f0e-42ae-4d7c-8ea3-328250d6e272}"

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\Instance\InitPropertyBag]
"CLSID"="{13709620-C279-11CE-A49E-444553540000}"
"command"="@shell32.dll,-12708"
"method"="FindFiles"

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\shellex]

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\shellex\ContextMenuHandlers]

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\shellex\ContextMenuHandlers\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}]
@=""

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\shellex\MayChangeDefaultMenu]
@=""

[HKEY_CLASSES_ROOT\clsid\{2559a1f0-21d7-11d4-bdaf-00c04f60b9f0}\ShellFolder]
"Attributes"=dword:00000000


[HKEY_CLASSES_ROOT\clsid\{FF393560-C2A7-11CF-BFF4-444553540000}]
@="—š—π"

[HKEY_CLASSES_ROOT\clsid\{FF393560-C2A7-11CF-BFF4-444553540000}\DefaultIcon]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,\
68,64,6f,63,76,77,2e,64,6c,6c,2c,2d,32,30,37,38,35,00

[HKEY_CLASSES_ROOT\clsid\{FF393560-C2A7-11CF-BFF4-444553540000}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,\
68,64,6f,63,76,77,2e,64,6c,6c,00
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\clsid\{FF393560-C2A7-11CF-BFF4-444553540000}\ShellFolder]
"Attributes"=dword:a0000004


[HKEY_CLASSES_ROOT\clsid\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}]
@="²έΐ°Θ―Δ"

[HKEY_CLASSES_ROOT\clsid\{3DC7A020-0ACD-11CF-A9BB-00AA004AE837}\InProcServer32]
@=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,5c,53,79,73,74,65,6d,33,32,5c,73,\
68,64,6f,63,76,77,2e,64,6c,6c,00
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{F3ABA637-614E-4E7C-8489-95A9A5C1254A}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{F3ABA637-614E-4E7C-8489-95A9A5C1254A}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F3ABA637-614E-4E7C-8489-95A9A5C1254A}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F3ABA637-614E-4E7C-8489-95A9A5C1254A}\InprocServer32]
@="C:\\WINDOWS\\system32\\kfdlv.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{E9E5071E-5064-426C-9ED7-A34305AC90F6}]
@=""
"IDEx"="ADDR"

[HKEY_CLASSES_ROOT\clsid\{E9E5071E-5064-426C-9ED7-A34305AC90F6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9E5071E-5064-426C-9ED7-A34305AC90F6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{E9E5071E-5064-426C-9ED7-A34305AC90F6}\InprocServer32]
@="C:\\WINDOWS\\system32\\unrsvpia.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{B531D6DD-A167-4240-9D5C-54F4CAD8030B}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B531D6DD-A167-4240-9D5C-54F4CAD8030B}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{B531D6DD-A167-4240-9D5C-54F4CAD8030B}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{B531D6DD-A167-4240-9D5C-54F4CAD8030B}\InprocServer32]
@="C:\\WINDOWS\\system32\\notmsg.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{9498DFAE-7BBB-4F46-82DC-5264F052E0D2}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9498DFAE-7BBB-4F46-82DC-5264F052E0D2}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{9498DFAE-7BBB-4F46-82DC-5264F052E0D2}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{9498DFAE-7BBB-4F46-82DC-5264F052E0D2}\InprocServer32]
@="C:\\WINDOWS\\system32\\rDschap.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{ECC70425-B3ED-4C08-B387-62C056657A64}]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECC70425-B3ED-4C08-B387-62C056657A64}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECC70425-B3ED-4C08-B387-62C056657A64}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{ECC70425-B3ED-4C08-B387-62C056657A64}\InprocServer32]
@="C:\\WINDOWS\\system32\\er.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{73F38436-C09C-4FF5-A6D1-83BFC03EE74E}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\clsid\{73F38436-C09C-4FF5-A6D1-83BFC03EE74E}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{73F38436-C09C-4FF5-A6D1-83BFC03EE74E}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{73F38436-C09C-4FF5-A6D1-83BFC03EE74E}\InprocServer32]
@="C:\\WINDOWS\\system32\\guard.tmp"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{92F214C7-8D2E-469A-9088-E4BFF7069EB6}]
@=""
"IDEx"="AD"

[HKEY_CLASSES_ROOT\clsid\{92F214C7-8D2E-469A-9088-E4BFF7069EB6}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{92F214C7-8D2E-469A-9088-E4BFF7069EB6}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{92F214C7-8D2E-469A-9088-E4BFF7069EB6}\InprocServer32]
@="C:\\WINDOWS\\system32\\iNspolcy.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{A7A7D73D-84DA-47BF-AED5-09DBC2FA5B11}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A7A7D73D-84DA-47BF-AED5-09DBC2FA5B11}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{A7A7D73D-84DA-47BF-AED5-09DBC2FA5B11}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{A7A7D73D-84DA-47BF-AED5-09DBC2FA5B11}\InprocServer32]
@="C:\\WINDOWS\\system32\\qngr.dll"
"ThreadingModel"="Apartment"


[HKEY_CLASSES_ROOT\clsid\{F47F5190-40BD-440A-8652-CB94115BF3B0}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F47F5190-40BD-440A-8652-CB94115BF3B0}\Implemented Categories]
@=""

[HKEY_CLASSES_ROOT\clsid\{F47F5190-40BD-440A-8652-CB94115BF3B0}\Implemented Categories\{00021492-0000-0000-C000-000000000046}]
@=""

[HKEY_CLASSES_ROOT\clsid\{F47F5190-40BD-440A-8652-CB94115BF3B0}\InprocServer32]
@="C:\\WINDOWS\\system32\\dSd9.dll"
"ThreadingModel"="Apartment"

* * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


FILES REMOVED:

C:\WINDOWS\system32\ahl.dll
C:\WINDOWS\system32\chb.dll
C:\WINDOWS\system32\dSd9.dll
C:\WINDOWS\system32\e4200efmeh2a0.dll
C:\WINDOWS\system32\er.dll
C:\WINDOWS\system32\hQl.dll
C:\WINDOWS\system32\ifuv_32.dll
C:\WINDOWS\system32\iNspolcy.dll
C:\WINDOWS\system32\iqwphbk.dll
C:\WINDOWS\system32\irpql5751.dll
C:\WINDOWS\system32\k062lajo1doc.dll
C:\WINDOWS\system32\kndlv1.dll
C:\WINDOWS\system32\LSIMG10N.DLL
C:\WINDOWS\system32\oiecli32.dll
C:\WINDOWS\system32\omeaut32.dll
C:\WINDOWS\system32\ormanage.dll
C:\WINDOWS\system32\phchdprf.dll
C:\WINDOWS\system32\pzh.dll
C:\WINDOWS\system32\qngr.dll
C:\WINDOWS\system32\snlgntfy.dll
C:\WINDOWS\system32\uadmxfrm.dll


Granting SeDebugPrivilege to Administrators ... successful


((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\DOCUME~1\“n粁@~1\APPLIC~1\Sskcwrd.dll
C:\DOCUME~1\“n粁@~1\APPLIC~1\Sskknwrd.dll
C:\DOCUME~1\“n粁@~1\APPLIC~1\Sskuknwrd.dll
C:\Program Files\network monitor
C:\Program Files\snowball wars
C:\Program Files\snowball wars\License.txt
C:\Program Files\snowball wars\uninstaller.exe
C:\Program Files\surfsidekick 3
C:\Program Files\surfsidekick 3\SskBho.dll
C:\Program Files\surfsidekick 3\SskCore.dll
C:\Program Files\webhancer
C:\Program Files\webhancer\Programs\license.txt
C:\Program Files\webhancer\Programs\readme.txt
C:\Program Files\webhancer\Programs\sporder.dll
C:\Program Files\webhancer\Programs\webhdll.dll
C:\Program Files\webhancer\Programs\whagent.exe
C:\Program Files\webhancer\Programs\whagent.ini
C:\Program Files\webhancer\Programs\whiehlpr.dll
C:\Program Files\webhancer\Programs\whinstaller.exe
C:\Program Files\webhancer\Programs\whsurvey.exe
C:\Program Files\webhancer\Programs\whSurvey.ini
C:\WINDOWS\keyboard1.dat
C:\WINDOWS\newname.dat
C:\WINDOWS\system32\3_exception.nls
C:\WINDOWS\system32\atmtd.dll
C:\WINDOWS\system32\atmtd.dll._
C:\WINDOWS\system32\bk.exe
C:\WINDOWS\system32\clcl13.exe
C:\WINDOWS\system32\diuqkpv.dll
C:\WINDOWS\system32\gmc.exe.exe
C:\WINDOWS\system32\repair~1.dll
C:\WINDOWS\system32\svcp.csv
C:\WINDOWS\system32\winsub.xml
C:\WINDOWS\system32\wnsapisv.exe
C:\WINDOWS\uninstall_nmon.vbs
C:\WINDOWS\warebundle.exe


((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))


-------\LEGACY_NDNET1
-------\LEGACY_POOF
-------\LEGACY_RUNTIME
-------\LEGACY_RUNTIME2
-------\kprof
-------\NDnet1
-------\poof
-------\Runtime


((((((((((((((((((((((((( Files Created from 2007-06-28 to 2007-07-29 )))))))))))))))))))))))))))))))


2007-07-29 13:37 51,200 --a------ C:\WINDOWS\nircmd.exe
2007-07-28 13:12 <DIR> d-------- C:\DOCUME~1\ADMINI~1.YOU\APPLIC~1\Lavasoft
2007-07-26 22:20 <DIR> d-------- C:\!KillBox
2007-07-26 18:52 3,968 --a------ C:\WINDOWS\system32\drivers\AvgArCln.sys
2007-07-26 18:49 <DIR> d-------- C:\Program Files\Trend Micro
2007-07-26 18:28 812,344 --a------ C:\ƒRƒs[ ` HiJackThisInstall.exe
2007-07-25 21:33 2,855 --a------ C:\WINDOWS\system32\win.PIF
2007-07-25 21:33 <DIR> d--h----- C:\WINDOWS\PIF
2007-07-25 20:29 92,672 --a------ C:\KillBox.exe
2007-07-25 20:29 532,480 --a------ C:\cwshredder.exe
2007-07-25 20:28 812,344 --a------ C:\HiJackThisInstall.exe
2007-07-25 20:28 423,736 --a------ C:\avgarkt-setup-1.1.0.42.exe
2007-07-25 20:28 23,649,352 --a------ C:\avg75free_476a1048.exe
2007-07-25 20:28 12,413,440 --a------ C:\avgas-setup-7.5.1.43.exe
2007-07-25 17:32 63,203,282 --a------ C:\backup.reg
2007-07-25 17:22 398,336 --a------ C:\WINDOWS\system32\_clcl14.exe
2007-07-25 17:21 34,560 --a------ C:\WINDOWS\system32\drivers\runtime2.sys
2007-07-19 21:37 1,048,576 --a------ C:\DOCUME~1\ADMINI~1.YOU\NTUSER.DAT
2007-07-19 21:37 <DIR> dr------- C:\DOCUME~1\ADMINI~1.YOU\ƒXƒ^[ƒg ƒƒjƒ…[
2007-07-19 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1.YOU\ƒfƒXƒNƒgƒbƒv
2007-07-19 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1.YOU\WINDOWS
2007-07-19 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1.YOU\APPLIC~1\Toshiba
2007-07-19 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1.YOU\APPLIC~1\InterTrust
2007-07-19 21:37 <DIR> d-------- C:\DOCUME~1\ADMINI~1.YOU\APPLIC~1\alpsmap
2007-07-19 13:18 31,744 --a------ C:\WINDOWS\system32\_svehost.exe
2007-07-19 13:05 245 --a------ C:\WINDOWS\tmp631027.bat
2007-07-19 13:02 4,096 --a------ C:\WINDOWS\system32\shadow.dll
2007-07-19 13:01 10,000 --a------ C:\WINDOWS\system32\mkkgf65h.dll
2007-07-18 23:29 33,342 --a------ C:\WINDOWS\system32\_rpcc.exe
2007-07-18 23:28 13,697 --a------ C:\WINDOWS\system32\_KB_963491.exe


(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))

2007-07-29 04:53:03 40,320 ----a-w C:\WINDOWS\system32\perfc011.dat
2007-07-29 04:53:03 152,208 ----a-w C:\WINDOWS\system32\perfh011.dat
2007-07-28 02:39:47 -------- d-----w C:\Program Files\Common Files\„pssembly
2007-07-26 13:07:33 3,348,102 ----a-w C:\WINDOWS\system32\klo5.sys
2007-07-26 10:04:11 5,894 ----a-w C:\a.bat
2007-07-25 10:45:06 812,344 ----a-w C:\ƒRƒs[ ` HiJackThisInstall.exe
2005-07-29 07:24:26 472 --sha-r C:\WINDOWS\k27nsoFAl1KLTY59\4ZeBPCIE5Y4Mnsc6.vbs


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25AD49A2-94F3-42BD-F434-2604812C897D}]
2007-07-19 13:01 10000 --a------ C:\WINDOWS\System32\mkkgf65h.dll

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ATIModeChange"="Ati2mdxx.exe" [2001-09-04 16:24 C:\WINDOWS\system32\Ati2mdxx.exe]
"ATIPTA"="C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe" [2002-12-04 21:00]
"Apoint"="C:\Program Files\Apoint2K\Apoint.exe" [2002-03-29 14:40]
"CeEPOWER"="C:\Program Files\TOSHIBA\Power Management\CePMTray.exe" [2002-12-13 16:03]
"TPNF"="C:\Program Files\TOSHIBA\TouchPad\TPTray.exe" [2002-12-10 16:58]
"CeEKEY"="C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe" [2002-12-13 19:56]
"CPLBTS88"="C:\PROGRA~1\EzButton\CPLBTS88.EXE" [2002-12-13 17:08]
"imjpmig"="C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe" [2001-02-20 10:54]
"Drag'n Drop CD"="C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe" [2002-10-07 12:47]
"HP Software Update"="C:\Program Files\HP\HP Software Update\HPWuSchd2.exe" [2005-05-11 23:12]
"MCUpdateExe"="C:\Mcafee\McAfee.com\Agent\McUpdate.exe" []
"MCAgentExe"="C:\DOCUME~1\“n粁@~1\ƒfƒXƒN~1\Mcafee\McAfee.com\Agent\McAgent.exe" []
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-07-26 19:14]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2002-08-31 21:00]
"MsnMsgr"="C:\Program Files\MSN Messenger\MsnMsgr.exe" [2005-06-14 17:05]

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"ctfmon.exe"=ctfmon.exe
"rrwq"=C:\PROGRA~1\COMMON~1\rrwq\rrwqm.exe
"Tooc"="C:\PROGRA~1\COMMON~1\„@SSEM~1\wuauboot.exe" -vt yazr
"Qgb"=C:\Program Files\Common Files\s„ucurity\t„pskmgr.exe

C:\Documents and Settings\All Users\ƒXƒ^[ƒg ƒƒjƒ…[\ƒvƒƒOƒ‰ƒ€\ƒXƒ^[ƒgƒAƒbƒv\
Bluetooth Manager.lnk - C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe [2002-12-13 17:17:52]
HP Digital Imaging Monitor.lnk - C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe [2005-05-11 23:23:26]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{25AD49A2-94F3-42BD-F434-2604812C897D}"= C:\WINDOWS\System32\mkkgf65h.dll [2007-07-19 13:01 10000]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad]
"LUVTBUmXO"= {E4FBB947-4E51-13ED-9C8A-8A3EBC13DF75} - C:\WINDOWS\system32\lu.dll [2002-08-31 21:00 32256]
"LUVTBUmXO"= {E4FBB947-4E51-13ED-9C8A-8A3EBC13DF75} - Apartment [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxtpdx]
dxtpdx.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\dxtpdh.sys]

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\dxtpdx.sys]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"ActiveLinkClient"=2 (0x2)


*Newly Created Service* - ALG
*Newly Created Service* - IPNAT

**************************************************************************

catchme 0.3.1061 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-29 13:58:55
Windows 5.1.2600 Service Pack 1 NTFS

scanning hidden processes ...

scanning hidden registry entries ...

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\D0M0j0\x30fbr\xf8f3\x30fb\x80\xf8f3p\xf8f3\x30fbo\xf8f3\x30fb]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,00,b0,14,00,00,00,00,00,b0,20,d8,74,90,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\xff970\x30fb\xff620\xff880\x30fb\xff7907\xf8f3]
"SlowInfoCache"=hex:28,02,00,00,01,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,f0,ef,04,cc,96,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\xff9e0\xff830\xff970\xff750\x30fb\xff900\x30fb\xff790\xff640\xff830\xff810\x30fb\x30fb]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Management\ARPCache\\x30fb\x30fb\xf8f3z\xf8f3\x30fb\x30fb\x30fbm\xf8f3q\xf8f3\x30fb]
"SlowInfoCache"=hex:28,02,00,00,00,00,00,00,ff,ff,ff,ff,ff,ff,ff,ff,00,00,00,00,00,..
"Changed"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Control Panel\Cursors\Schemes]
"\31j\x58a8n0D}0\bT\x30fb[0??"="",,,,,,,,,,,,,""
"Kb ?1?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\hand.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\hnodrop.cur,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"Kb ?2?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\handapst.ani,C:\WINDOWS\Cursors\handwait.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\handno.ani,C:\WINDOWS\Cursors\handns.ani,C:\WINDOWS\Cursors\handwe.ani,C:\WINDOWS\Cursors\handnwse.ani,C:\WINDOWS\Cursors\handnesw.ani,C:\WINDOWS\Cursors\hmove.cur,""
"P`\xff9cz"=""C:\WINDOWS\Cursors\3dgarro.cur,,C:\WINDOWS\Cursors\dinosaur.ani,C:\WINDOWS\Cursors\dinosau2.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\banana.ani,C:\WINDOWS\Cursors\3dsns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dsnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dsmove.cur,""
"\xff6a0\x30fb\x30fb\xff890 ?\xff950\xff610\xff830\xff770\x30fb\x30fb????"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\horse.ani,C:\WINDOWS\Cursors\barber.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\coin.ani,C:\WINDOWS\Cursors\3dgns.cur,C:\WINDOWS\Cursors\3dgwe.cur,C:\WINDOWS\Cursors\3dgnwse.cur,C:\WINDOWS\Cursors\3dgnesw.cur,C:\WINDOWS\Cursors\3dgmove.cur,""
"\xff730\x30fb\xff800\xff6f0\xff7f0?"=""C:\WINDOWS\Cursors\harrow.cur,,C:\WINDOWS\Cursors\drum.ani,C:\WINDOWS\Cursors\metronom.ani,C:\WINDOWS\Cursors\hcross.cur,C:\WINDOWS\Cursors\hibeam.cur,,C:\WINDOWS\Cursors\piano.ani,C:\WINDOWS\Cursors\hns.cur,C:\WINDOWS\Cursors\hwe.cur,C:\WINDOWS\Cursors\hnwse.cur,C:\WINDOWS\Cursors\hnesw.cur,C:\WINDOWS\Cursors\hmove.cur,""
"\x7578'Y\xff9d0\xff640\x30fb\xff7f0??"=""C:\WINDOWS\Cursors\larrow.cur,,C:\WINDOWS\Cursors\lappstrt.cur,C:\WINDOWS\Cursors\lwait.cur,C:\WINDOWS\Cursors\lcross.cur,C:\WINDOWS\Cursors\libeam.cur,,C:\WINDOWS\Cursors\lnodrop.cur,C:\WINDOWS\Cursors\lns.cur,C:\WINDOWS\Cursors\lwe.cur,C:\WINDOWS\Cursors\lnwse.cur,C:\WINDOWS\Cursors\lnesw.cur,C:\WINDOWS\Cursors\lmove.cur,""
"D0\x30fbD0\x30fbj0\xff9d0\xff640\x30fb\xff7f0???"=""C:\WINDOWS\Cursors\fillitup.ani,,C:\WINDOWS\Cursors\raindrop.ani,C:\WINDOWS\Cursors\counter.ani,C:\WINDOWS\Cursors\cross.cur,,,C:\WINDOWS\Cursors\wagtail.ani,C:\WINDOWS\Cursors\sizens.ani,C:\WINDOWS\Cursors\sizewe.ani,C:\WINDOWS\Cursors\sizenwse.ani,C:\WINDOWS\Cursors\sizenesw.ani,""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\DocFolderPaths]
"!n\x53f6?01u\xff74\x62f3g??"="C:\Documents and Settings\\x6e21\x908a\x3000\x7531\x8cb4\x679d\My Documents"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\\xff620\x30fb\xff640\x30fb\xff790\xff880\x30fb\x30fbn0\xff900\xff830\xff6f0\xff620\xff830\xff970 ]
@="{67cf8cbd-e5c0-44f7-9de5-e1d599d626d8}"
"Description"="このバージョンの Windows をアンインストールして前のオペレーティング システムに戻る場合は、これらのファイルが必要です。"
"Display"="前のオペレーティング システムのバックアップ ファイル"
"IconPath"=str(2):"(null)ystemRoot\system32\osuninst.EXE,0"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Hints\!n\x53f6]
"PictureSource"="C:\Documents and Settings\All Users\Application Data\Microsoft\User Account Pictures\Default Pictures\雪の結晶.bmp"
@=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\D0M0j0\x30fbr\xf8f3\x30fb\x80\xf8f3p\xf8f3\x30fbo\xf8f3\x30fb]
"DisplayName"="いきなりｲﾝﾀｰﾈｯﾄ"
"UninstallString"="C:\Program Files\infoPepper\install.exe -u -p "C:\Program Files\infoPepper ""
"DisplayIcon"="C:\Program Files\infoPepper\launcher.exe"
"InstallLocation"="C:\Program Files\infoPepper"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\xff970\x30fb\xff620\xff880\x30fb\xff7907\xf8f3]
"DisplayName"="プロアトラスＷ"
"DisplayIcon"="プロアトラスＷ"
"UninstallString"="C:\WINDOWS\System32\pauninst.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\xff9e0\xff830\xff970\xff750\x30fb\xff900\x30fb\xff790\xff640\xff830\xff810\x30fb\x30fb]
"DisplayName"="マップサーバースイッチャー"
"UninstallString"="C:\WINDOWS\System32\MapSwitchUninst.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\\x30fb\x30fb\xf8f3z\xf8f3\x30fb\x30fb\x30fbm\xf8f3q\xf8f3\x30fb]
"UninstallString"="C:\WINDOWS\IsUn0411.exe -fC:\Tosutils\Uninst.isu"
"DisplayName"="パソコンマニュアル"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontMapper]
"-\xf8f33\xf8f3 ?\16f\35g"=dword:0000c080
"-\xf8f33\xf8f3 ?0\xf8f3\16f\35g"=dword:00004080
"-\xf8f33\xf8f3 ?\xff740\xff770\xff830\xff6f0"=dword:00008080
"-\xf8f33\xf8f3 ?0\xf8f3\xff740\xff770\xff830\xff6f0"=dword:00000080
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Fonts]
"-\xf8f33\xf8f3 ?\xff740\xff770\xff830\xff6f0 ?&? ?-\xf8f33\xf8f3 ?0\xf8f3\xff740\xff770\xff830\xff6f0 ?&? ?M?S? ?U?I? ?G?o?t?h?i?c? ?(?T?r?u?e?T?y?p?e?)?"="MSGOTHIC.TTC"
"-\xf8f33\xf8f3 ?\16f\35g ?&? ?-\xf8f33\xf8f3 ?0\xf8f3\16f\35g ?(?T?r?u?e?T?y?p?e?)?"="MSMINCHO.TTC"
"ck\xff7f\x5404yWSL\x5f15fSO ?&? ?ck\xff7f\x5404yWSL\x5f15fSOP? ?(?T?r?u?e?T?y?p?e?)?????"="FGTshgyU.ttc"
"ck\xff7f\x5404yWSL\x5f15fSOE?X? ?&? ?ck\xff7f\x5404yWSL\x5f15fSOE?X?P? ?(?T?r?u?e?T?y?p?e?)?????"="SyGyEx.ttc"
"\x7483Am\xff77\x9453f ?(?T?r?u?e?T?y?p?e?)???"="BGREIRR.TTF"
"_l8b\xff98R\xff6dNAm ?&? ?_l8b\xff98R\xff6dNAm0\xf8f3 ?(?T?r?u?e?T?y?p?e?)?"="Edokan.ttc"
"\tg\xff64oL\x5f15f ?(?T?r?u?e?T?y?p?e?)??"="FAGGM_0.TTF"
"\tg\xff64owi\xe606 ?(?T?r?u?e?T?y?p?e?)??"="FAKAIM_0.TTF"
"Z\x5e76wL\x5f15f ?(?T?r?u?e?T?y?p?e?)???"="FGGYM_0.TTF"
"eyWSL\x5f15fSO ?&? ?eyWSL\x5f15fSOP? ?(?T?r?u?e?T?y?p?e?)???"="FGTshgyo.ttc"
"K`\x3303\xff9a0\x30fbW[ ?(?T?r?u?e?T?y?p?e?)???"="BGPENKB.TTF"
"\xff8c[\x30fb\xff9d0\xff830\xff970 ?&? ?\xff8c[\x30fb\xff9d0\xff830\xff9700\xf8f3 ?(?T?r?u?e?T?y?p?e?)???"="FUJIPOP.TTC"
"\tg\xff64o*Ywi\xe606 ?&? ?\tg\xff64o*Ywi\xe606P? ?(?T?r?u?e?T?y?p?e?)???"="Fakaib_0.ttc"
"u00\xff740\xff770\xff830\xff6f0 ?(?T?r?u?e?T?y?p?e?)?"="FgFumi.ttf"
"*\xf8f33\xf8f3\xff740\xff770\xff830\xff6f0 ?&? ?*\xf8f33\xf8f30\xf8f3\xff740\xff770\xff830\xff6f0 ?(?T?r?u?e?T?y?p?e?)?"="JSGOTHIC.TTC"
"*\xf8f33\xf8f3\16f\35g ?&? ?*\xf8f33\xf8f30\xf8f3\16f\35g ?(?T?r?u?e?T?y?p?e?)?"="JSMINCHO.TTC"
"$\xf8f3&\xf8f3s^\20b\xff740\xff770\xff830\xff6f0SOW?5? ?&? ?$\xf8f3(\xf8f30\xf8f3s^\20b\xff740\xff770\xff830\xff6f0W?5? ?(?T?r?u?e?T?y?p?e?)?"="DFJHSGW5.TTC"
"$\xf8f3&\xf8f3yr*Y\xff740\xff770\xff830\xff6f0SO ?&? ?$\xf8f3(\xf8f30\xf8f3yr*Y\xff740\xff770\xff830\xff6f0SO ?(?T?r?u?e?T?y?p?e?)?"="DFJGOTEB.TTC"
"$\xf8f3&\xf8f3s^\20b\16f\35gSOW?3? ?&? ?$\xf8f3(\xf8f30\xf8f3s^\20b\16f\35gSOW?3? ?(?T?r?u?e?T?y?p?e?)?"="DFJHSMW3.TTC"
"$\xf8f3&\xf8f3s^\20b\16f\35gSOW?7? ?&? ?$\xf8f3(\xf8f30\xf8f3s^\20b\16f\35gSOW?7? ?(?T?r?u?e?T?y?p?e?)?"="DFJHSMW7.TTC"
"$\xf8f3&\xf8f3L\x5f15fSO ?&? ?$\xf8f3(\xf8f30\xf8f3L\x5f15fSO ?(?T?r?u?e?T?y?p?e?)???"="DFJGYOMD.TTC"
"*\xf8f33\xf8f3s^\20b\16f\35gSOW?3? ?(?T?r?u?e?T?y?p?e?)?"="JSHSM3U.TTF"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\FontSubstitutes]
"\31j\x58a8\16f\35g?"="ＭＳ 明朝"
"\31j\x58a8\xff740\xff770\xff830\xff6f0?"="ＭＳ ゴシック"
"\xff740\xff770\xff830\xff6f0"="ＭＳ ゴシック"
"z\xf8f3\x30fb|\xf8f3o\xf8f3x\xf8f3?"="ＭＳ ゴシック"
"x\xf8f3p\xf8f3\x30fbt\xf8f3?"="Courier"
"\x80\xf8f3r\xf8f3\x30fb}\xf8f3\x30fb\x30fb\x30fb\x30fb?????"="Times New Roman"
"\x30fb\x30fb\x30fb\x30fb\x30fbv\xf8f3?????"="Arial"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Realtek AC97 Audio\\xff9c0\x30fb\x30fb\x30fb\x30fb ]
"LineStates"=hex:00,00,00,00,dc,30,ea,30,e5,30,fc,30,e0,30,20,00,b3,30,f3,30,c8,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Volume Control\Realtek AC97 Audio\2\x5f10\x7adc0\x30fb\xff880\x30fb\x30fb\x30fb]
"LineStates"=hex:04,00,00,00,32,93,f3,97,b3,30,f3,30,c8,30,ed,30,fc,30,eb,30,00,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MapGroups]
"}\xf8f3\x80\xf8f3p\xf8f3\x30fbq\xf8f3o\xf8f3\x30fb\x30fb???"="スタートアップ"
"q\xf8f3x\xf8f3~\xf8f3{\xf8f3\x30fb?"="アクセサリ"
"y\xf8f3\x30fbp\xf8f3\x30fb??"="ゲーム"
"\x30fbr\xf8f3\x30fb??"="メイン"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Favorites\\x30fb\x30fb\xff6f0]
"Order"=hex:08,00,00,00,02,00,00,00,8a,01,00,00,01,00,00,00,04,00,00,00,68,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\D0M0j0\x30fbr\xf8f3\x30fb\x80\xf8f3p\xf8f3\x30fbo\xf8f3\x30fb]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\o0X0\x30fbk0]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff620\xff6f0\xff7b0\xff750\x30fb]
"Order"=hex:08,00,00,00,02,00,00,00,40,0a,00,00,01,00,00,00,11,00,00,00,90,..

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff620\xff6f0\xff7b0\xff750\x30fb\Microsoft インタラクティブ トレーニング]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff620\xff6f0\xff7b0\xff750\x30fb\\xff680\x30fb\xff7f0\x30fb\xff860\xff640\x30fb\x30fb\xff880]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff620\xff6f0\xff7b0\xff750\x30fb\\xff770\xff790\xff860\x30fb ]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff620\xff6f0\xff7b0\xff750\x30fb\\32\x96eaO]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff720\x30fb\x30fb]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff790\xff7f0\x30fb\xff880\xff620\xff830\xff970]
"Order"=hex:08,00,00,00,02,00,00,00,36,01,00,00,01,00,00,00,02,00,00,00,8c,..
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff870\xff780\xff6b0\x30fbW]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\Bf\x8d77\32\x96eaO>y ]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\qg\x63e9P]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\F{P0\x30fb\x30fb ]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\MenuOrder\Start Menu2\Programs\\xff85\x51400q0B0h0 ]
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\GrpConv\MapGroups]
"\xff720\x30fb\x30fb??"="アクセサリ\ゲーム"

scanning hidden files ...

C:\WINDOWS\Temp
C:\WINDOWS\system32\ms87.dat
C:\WINDOWS\system32\vdo_6d17-45df.sys
C:\WINDOWS\system32\vdo_g.ini
C:\WINDOWS\system32\klgcptini.dat
C:\WINDOWS\system32\dxtpdh.sys
C:\WINDOWS\system32\redir2.a3d
C:\WINDOWS\system32\qz.dll
C:\WINDOWS\system32\qz.sys

scan completed successfully
hidden files: 9

**************************************************************************

[HKEY_LOCAL_MACHINE\system\ControlSet003\Services\vdo_6d17-45df]
"ImagePath"="\??\C:\WINDOWS\System32\vdo_6d17-45df.sys"

Completion time: 2007-07-29 14:09:41 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-29 14:05

--- E O F ---


And now here's the HiJackThis log, which I had to run from safe mode again:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 14:19:25, on 2007/07/29
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)
Boot mode: Safe mode

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

O2 - BHO: C:\WINDOWS\System32\mkkgf65h.dll - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\mkkgf65h.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O3 - Toolbar: ラジオ(&R) - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: The翻訳インターネット - {0A50AAD3-7B56-4480-99E6-D76DF37408A1} - C:\Program Files\TTI_V7_LE\def_bar.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\MSN Toolbar\01.02.5000.1021\ja\msntb.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [CPLBTS88] C:\PROGRA~1\EzButton\CPLBTS88.EXE
O4 - HKLM\..\Run: [imjpmig] C:\Program Files\Common Files\Microsoft Shared\IME\IMJP\imjpmig.exe /RemAdvDef /AIMEREG /Migration /SetPreload
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [HP Software Update] C:\Program Files\HP\HP Software Update\HPWuSchd2.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\Mcafee\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [MCAgentExe] C:\DOCUME~1\“n粁@~1\ƒfƒXƒN~1\Mcafee\McAfee.com\Agent\McAgent.exe
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
O4 - HKUS\S-1-5-18\..\Run: [ctfmon.exe] ctfmon.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [rrwq] C:\PROGRA~1\COMMON~1\rrwq\rrwqm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tooc] "C:\PROGRA~1\COMMON~1\„@SSEM~1\wuauboot.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Qgb] C:\Program Files\Common Files\s„ucurity\t„pskmgr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ctfmon.exe] ctfmon.exe (User 'Default user')
O8 - Extra context menu item: Microsoft Excel にエクスポート(&X) - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: The翻訳_ページ翻訳 - C:\Program Files\TTI_V7_LE\addins\Ie\afi_pagetran.htm
O8 - Extra context menu item: The翻訳_範囲指定翻訳 - C:\Program Files\TTI_V7_LE\addins\Ie\afi_seltran.htm
O8 - Extra context menu item: The翻訳_翻訳設定 - C:\Program Files\TTI_V7_LE\addins\Ie\afi_setdlg.htm
O8 - Extra context menu item: The翻訳_辞書参照 - C:\Program Files\TTI_V7_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: ページ翻訳 - {D1A62E01-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_pagetran.htm
O9 - Extra 'Tools' menuitem: The翻訳_ページ翻訳 - {D1A62E01-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_pagetran.htm
O9 - Extra button: (no name) - {D1A62E07-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\ttp_showdic.htm
O9 - Extra 'Tools' menuitem: The翻訳_辞書参照 - {D1A62E07-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\ttp_showdic.htm
O9 - Extra button: (no name) - {D1A62E08-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_seltran.htm
O9 - Extra 'Tools' menuitem: The翻訳_範囲指定翻訳 - {D1A62E08-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_seltran.htm
O9 - Extra button: (no name) - {D1A62E0A-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_setdlg.htm
O9 - Extra 'Tools' menuitem: The翻訳_翻訳設定 - {D1A62E0A-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\addins\Ie\afi_setdlg.htm
O9 - Extra button: 辞書バー - {D1A62E0C-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\IeTbandTate.dll
O9 - Extra button: 翻訳バー - {D1A62E0E-C347-4344-A362-9BCE5FA7E31D} - C:\Program Files\TTI_V7_LE\IeTbandYoko.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O14 - IERESET.INF: START_PAGE_URL=http://dynabook.com/
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.real.com/12b9f79af6fb59...RdxIE601_ja.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn.com/download/MsnMesse...pDownloader.cab
O20 - Winlogon Notify: dxtpdx - dxtpdx.dll (file missing)
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - (no file)
O21 - SSODL: LUVTBUmXO - {E4FBB947-4E51-13ED-9C8A-8A3EBC13DF75} - C:\WINDOWS\system32\lu.dll
O22 - SharedTaskScheduler: sdgfdgdgdtj - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\mkkgf65h.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: AVG7 Alert Manager Server (Avg7Alrt) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgamsvr.exe
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: MD Simple Burner Service (NetMDSB) - Sony Corporation - C:\Program Files\Sony\MD Simple Burner\NetMDSB.exe
O23 - Service: PACSPTISVR - Unknown owner - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)

--
End of file - 6987 bytes


Thanks for anything that you might be able to do.

#4 rookie147

Posted 29 July 2007 - 03:20 PM

I'm afraid I have some bad news concerning your computer: one or more of the identified infections is a backdoor trojan, which is installed alongside a rootkit. This allows hackers to remotely control your computer, steal critical system information and download and execute files.

I would counsel you to disconnect this PC from the internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

Though the infection has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with something this bad, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

How Do I Handle Possible Identity Theft, Internet Fraud and CC Fraud?
When Should I Format, How Should I Reinstall?

Let me know what you want to do.

If you are pleased with the service I have offered, you may like to consider making a donation.


#5 jjt3135 (Topic Starter)

Posted 29 July 2007 - 10:30 PM

Well, reformatting and re-installing the OS is probably the last thing I want to do, and nothing like internet banking has ever been done on that computer.

I just want to remove it. I have also downloaded and installed the AVG anti-rootkit software, and, as you can probably see, the AVG free anti-virus.

Any advice that could help me remove the viruses would be appreciated, though.

#6 rookie147

Posted 30 July 2007 - 02:34 PM

Hello again.
Of course, I will try my best to get all the rubbish removed from your computer as soon as possible. I just think it is best to warn you that I cannot guarantee everything will go, or that your PC will be completely safe afterwards.
Please print off a copy of these instructions, and also save them to a Notepad file on your desktop, so they are easily accessible.
We are going to boot into Safe Mode later in the fix, where there is no internet access.

Please download OTMoveIt by OldTimer.
  • Save it to your Desktop.
Don't run it yet.

Scan again with HijackThis and put a checkmark next to each of the following entries (if present):

O2 - BHO: C:\WINDOWS\System32\mkkgf65h.dll - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\mkkgf65h.dll
O4 - HKUS\S-1-5-18\..\Run: [rrwq] C:\PROGRA~1\COMMON~1\rrwq\rrwqm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tooc] "C:\PROGRA~1\COMMON~1\„@SSEM~1\wuauboot.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Qgb] C:\Program Files\Common Files\s„ucurity\t„pskmgr.exe (User 'SYSTEM')
O20 - Winlogon Notify: dxtpdx - dxtpdx.dll (file missing)
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - (no file)
O21 - SSODL: LUVTBUmXO - {E4FBB947-4E51-13ED-9C8A-8A3EBC13DF75} - C:\WINDOWS\system32\lu.dll
O22 - SharedTaskScheduler: sdgfdgdgdtj - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\mkkgf65h.dll
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)


Then close all other windows (you should only see HijackThis on your Desktop) and click the Fix checked button.

Please reboot your computer into Safe Mode.
This is done by rebooting Windows and pressing F8 at boot/Windows startup, usually right after the beep.
Then select Safe Mode from the list.
Make sure you choose the option without Networking Support.

Double-click OTMoveIt.exe to run it.
  • Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
    • C:\WINDOWS\system32\qz.dll
      C:\WINDOWS\system32\qz.sys
      C:\WINDOWS\system32\redir2.a3d
      C:\WINDOWS\system32\dxtpdh.sys
      C:\WINDOWS\system32\klgcptini.dat
      C:\WINDOWS\system32\ms87.dat
      C:\WINDOWS\system32\win.PIF
      C:\WINDOWS\PIF
      C:\WINDOWS\system32\_clcl14.exe
      C:\WINDOWS\system32\drivers\runtime2.sys
      C:\WINDOWS\system32\_svehost.exe
      C:\WINDOWS\tmp631027.bat
      C:\WINDOWS\system32\shadow.dll
      C:\WINDOWS\system32\mkkgf65h.dll
      C:\WINDOWS\system32\_rpcc.exe
      C:\WINDOWS\system32\_KB_963491.exe
      C:\WINDOWS\system32\klo5.sys
      C:\WINDOWS\k27nsoFAl1KLTY59
      C:\Program files\Common files\rrwq
      C:\WINDOWS\system32\lu.dll
      C:\WINDOWS\services.exe
  • Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
  • Click the red Moveit! button.
  • Copy everything on the Results window to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it on your next reply.
  • Close OTMoveIt
If a file or folder cannot be moved immediately, you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine, choose No. We will reboot in a little while.

The steps that I am about to suggest involve modifying the registry. Modifying the registry can be dangerous so we will make a backup of the registry first.

Backup the Registry:
Navigate to Start | Run and paste the following:
regedit /e c:\registrybackup.reg
Now click OK
It won't appear to be doing anything, that's normal.
Your mouse pointer may turn to an hour glass for a minute.
Please continue when it no longer has the hour glass.

Open Notepad and copy and paste the following quotebox into a new text document. (Don't forget to copy and paste REGEDIT4!)

REGEDIT4

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"rrwq"=-
"Tooc"=-
"Qgb"=-

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]
"{25AD49A2-94F3-42BD-F434-2604812C897D}"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dxtpdx]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\dxtpdh.sys]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\dxtpdx.sys]

Save this as fix.reg (choose to save as *all files) and place it on your Desktop.
Double-click on it and when it asks you if you want to merge the contents to the registry, click Yes/OK.

Reboot into Normal Mode again.

Download haxfix.exe.
Save it to your desktop.
Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
Checkmark "Create a desktop icon". Click "Next".
When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed.
Click "Finish". A red "dos window" (dos box) will open.
Select option 1. Make logfile by typing 1 and then pressing Enter.
Haxfix will start scanning the computer. When it is finished a logfile will open.
Copy the contents of that logfile and paste it into this thread.

Please include the following in your next reply:
1) New HijackThis log
2) New Combofix log
3) OTMoveIt report
4) Haxfix log
You may need more than one reply to fit them all in; use several if necessary.
Thanks,
Charles

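
The entries the helper picks out above (the O4 values under the SYSTEM hive launching from Common Files or from lookalike folder names, the O20 Notify DLL that is missing from disk, the O21 SSODL hooks, the O23 "service" whose services.exe sits in C:\WINDOWS rather than system32, and one CLSID registered both as a BHO and as a SharedTaskScheduler entry) follow a handful of patterns that can be checked mechanically. The script below is an added example for this thread, not a tool from the original posts or from the HijackThis project: it parses the O2/O4/O20/O21/O22/O23 lines, flags entries by those heuristics, and writes the same kind of REGEDIT4 deletion file the fix.reg above uses. The sample input is copied from the thread's own log; the heuristics, the Finding type, the regular expressions and the hive mapping (HKUS\S-1-5-18 to HKEY_USERS\.DEFAULT, the LocalSystem profile hive) are this example's own assumptions.

```python
"""Triage HijackThis entries and emit the REGEDIT4 deletions for the hits.
Added example for this thread; heuristics are a starting point, not a verdict."""
import re
from typing import NamedTuple

# Constructed sample: lines copied from the HijackThis log above, with the
# benign AVG7 entries mixed in, so the script runs offline.
SAMPLE_LOG = r"""
O2 - BHO: C:\WINDOWS\System32\mkkgf65h.dll - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\mkkgf65h.dll
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKUS\S-1-5-18\..\Run: [rrwq] C:\PROGRA~1\COMMON~1\rrwq\rrwqm.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Tooc] "C:\PROGRA~1\COMMON~1\„@SSEM~1\wuauboot.exe" -vt yazr (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [Qgb] C:\Program Files\Common Files\s„ucurity\t„pskmgr.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O20 - Winlogon Notify: dxtpdx - dxtpdx.dll (file missing)
O21 - SSODL: DCOM Server 25319 - {2C1CD3D7-86AC-4068-93BC-A02304B25319} - (no file)
O21 - SSODL: LUVTBUmXO - {E4FBB947-4E51-13ED-9C8A-8A3EBC13DF75} - C:\WINDOWS\system32\lu.dll
O22 - SharedTaskScheduler: sdgfdgdgdtj - {25AD49A2-94F3-42BD-F434-2604812C897D} - C:\WINDOWS\System32\mkkgf65h.dll
O23 - Service: AVG7 Update Service (Avg7UpdSvc) - GRISOFT, s.r.o. - C:\PROGRA~1\Grisoft\AVG7\avgupsvc.exe
O23 - Service: Microsoft Windows Spooler Service (Windows Spooler Service) - Unknown owner - C:\WINDOWS\services.exe (file missing)
"""

O4_RE = re.compile(r"^O4 - (?P<hive>.+?)\\\.\.\\(?P<key>\w+): \[(?P<name>[^\]]+)\] "
                   r"(?P<cmd>.*?)(?: \(User '(?P<user>[^']*)'\))?$")
HOOK_RE = re.compile(r"^(?P<kind>O2|O21|O22) - [^:]+: (?P<name>.*?) - "
                     r"(?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
O20_RE = re.compile(r"^O20 - Winlogon Notify: (?P<name>\S+) - (?P<dll>.*)$")
O23_RE = re.compile(r"^O23 - Service: (?P<display>.*?) \((?P<svc>[^()]+)\) - "
                    r"(?P<owner>.*?) - (?P<path>.*)$")
CORE = {"services.exe", "lsass.exe", "svchost.exe", "winlogon.exe", "csrss.exe", "smss.exe"}
# HijackThis hive abbreviations -> regedit names. The LocalSystem profile
# (S-1-5-18) is the hive mounted as HKEY_USERS\.DEFAULT, hence .default above.
HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKUS\\S-1-5-18": "HKEY_USERS\\.DEFAULT", "HKUS\\.DEFAULT": "HKEY_USERS\\.DEFAULT"}
Finding = NamedTuple("Finding", [("line", str), ("reason", str)])


def _split_path(path: str) -> tuple[str, str]:
    """(directory, basename) of a Windows path, lower-cased, HJT notes stripped."""
    clean = path.replace(" (file missing)", "").strip().strip('"').lower()
    head, _, tail = clean.rpartition("\\")
    return head, tail


def triage(log_text: str) -> list[Finding]:
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    bho = {m["clsid"].upper() for ln in lines if (m := HOOK_RE.match(ln)) and m["kind"] == "O2"}
    out: list[Finding] = []
    for ln in lines:
        if m := O4_RE.match(ln):
            if any(ord(c) > 127 for c in m["cmd"]):  # the „ in s„ucurity: a lookalike folder
                out.append(Finding(ln, "non-ASCII character in autostart path (lookalike name)"))
            elif m["user"] == "SYSTEM" and re.search(r"COMMON~1|Common Files", m["cmd"], re.I):
                out.append(Finding(ln, "SYSTEM-account Run value launching from Common Files"))
        elif m := HOOK_RE.match(ln):
            kind, name, clsid, path = m["kind"], m["name"], m["clsid"].upper(), m["path"]
            if kind == "O22" and clsid in bho:
                out.append(Finding(ln, "SharedTaskScheduler CLSID is also a BHO: one DLL hooks IE and Explorer"))
            elif kind == "O2" and name.lower() == path.lower():
                out.append(Finding(ln, "BHO registered with no display name, only its DLL path"))
            elif "(no file)" in path or clsid[-6:-1] in name:  # 'DCOM Server 25319' is named from its CLSID
                out.append(Finding(ln, "orphaned or CLSID-named shell hook"))
            elif kind == "O21" and len(_split_path(path)[1].split(".")[0]) <= 2:
                out.append(Finding(ln, "SSODL DLL with a two-letter name in system32"))
        elif m := O20_RE.match(ln):
            if "(file missing)" in m["dll"]:
                out.append(Finding(ln, "Winlogon Notify DLL absent from disk (deleted or rootkit-hidden)"))
        elif m := O23_RE.match(ln):
            head, base = _split_path(m["path"])
            if base in CORE and not head.endswith("system32"):
                out.append(Finding(ln, f"{base} outside system32 posing as a core service"))
    return out


def build_reg_fix(findings: list[Finding]) -> str:
    """Emit the deletions a .reg file handles cleanly: Run values ("name"=-), the
    SharedTaskScheduler value and the Winlogon Notify key ([-key]). BHO, SSODL and
    service entries also need their CLSID/service keys removed; leave those to
    HijackThis 'Fix checked', as the instructions above do."""
    runs: dict[str, list[str]] = {}
    sts, notify = [], []
    for f in findings:
        if m := O4_RE.match(f.line):
            key = HIVES.get(m["hive"], m["hive"]) + "\\Software\\Microsoft\\Windows\\CurrentVersion\\" + m["key"]
            runs.setdefault(key, []).append(m["name"])
        elif (m := HOOK_RE.match(f.line)) and m["kind"] == "O22":
            sts.append(m["clsid"].upper())
        elif m := O20_RE.match(f.line):
            notify.append(m["name"])
    parts = ["REGEDIT4", ""]
    for key, names in runs.items():
        parts += [f"[{key}]"] + [f'"{n}"=-' for n in names] + [""]
    if sts:
        parts += [r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler]"]
        parts += [f'"{c}"=-' for c in sts] + [""]
    for n in notify:
        parts += ["[-HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify\\" + n + "]", ""]
    return "\n".join(parts)
```

Calling triage(SAMPLE_LOG) returns exactly the nine entries the helper listed for "Fix checked" and nothing from AVG7; build_reg_fix on that result reproduces the Run, SharedTaskScheduler and Winlogon Notify deletions of fix.reg. The heuristics are tuned to this log: on a Japanese install, legitimate Run values can contain non-ASCII paths, so treat a hit as a lead to confirm against the file on disk (owner, signature, hidden attribute), not as a verdict.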


#7 rookie147

Posted 15 August 2007 - 03:04 AM

Due to lack of feedback, this topic is now closed.
If you need this topic reopened, please request this by sending me a Personal Message including a link to your thread.
This applies only to the original topic starter. Everyone else please begin a New Topic.





