HijackThis Log Sanity Check ~~ When IE7 Is Open, Pop-ups Appear Almost Continuously...


7 replies to this topic

#1 iFRED


Posted 25 December 2007 - 01:22 AM

Basically, I need a sanity check on this log file. I am competent enough to remove potential malware, but I am unsure what on this list may be causing problems.

Do any entries stand out or throw up any red flags?

-------------------------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:14:59 PM, on 12/24/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\WINDOWS\system32\kpydvubt.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [107b1c80] rundll32.exe "C:\WINDOWS\system32\vcuqkiwk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\kpydvubt.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 7644 bytes


#2 RichieUK

Malware Response Team

Posted 25 December 2007 - 10:04 AM

Welcome to the BleepingComputer HijackThis Logs and Analysis forum, iFRED.
My name is Richie and I'll be helping you to fix your problems.

Please download VundoFix.exe to your desktop.
Double-click VundoFix.exe to run it.
When VundoFix re-opens, click the "Scan for Vundo" button.
Once it's done scanning, click the "Remove Vundo" button.
You will receive a prompt asking if you want to remove the files; click "YES".
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer; click "OK".
Post the contents of C:\vundofix.txt into your next reply.
Note:
It is possible that VundoFix encountered a file it could not remove.
In this case, VundoFix will run on reboot; simply follow the above instructions starting from "Click the Scan for Vundo button." when VundoFix appears at reboot.


If you have previously downloaded ComboFix, please delete that version now.
Warning
You should NOT use ComboFix unless you have been instructed to do so by a Malware Removal Expert.
It is intended by its creator to be used under the guidance and supervision of an expert, not for private use.
Using this tool incorrectly could render your system/PC inoperable.

Now download ComboFix and save it to your desktop:
Note
It is important that it is saved directly to your desktop.

Close any open browsers.
Double click on combofix.exe and follow the prompts.
When it's finished it will produce a log.
Post the entire contents of C:\ComboFix.txt into your next reply.
Note
Do not mouseclick combofix's window while it's running.
That may cause the program to freeze/hang.

Do NOT post the ComboFix-quarantined-files.txt unless I ask.
Note
In case your antivirus or any other realtime scanner displays an alert after you downloaded ComboFix or while you use ComboFix, please disable your scanner and redownload ComboFix again.
Some scanners may see some ComboFix-related components as suspicious and block or delete them while there's nothing wrong with them.

Now go to:
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
Right click on HijackThis.exe and select 'Rename'; rename it to abc.bat.
Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.

#3 iFRED


Posted 25 December 2007 - 07:33 PM

Thank you so much RichieUK, the pop-ups appear to have stopped!

MERRY CHRISTMAS!!!

Here are the logs that you requested.

Post the contents of C:\vundofix.txt into your next reply.


VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 11:38:52 AM 12/25/2007

Listing files found while scanning....

C:\WINDOWS\FSX Flight Weather Report\uninstall.exe
C:\WINDOWS\system32\abmwnyir.dll
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\itmfegel.dll
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jwsquakk.dll
C:\WINDOWS\system32\kkkyohym.dll
C:\WINDOWS\system32\ktcroeqb.dll
C:\WINDOWS\system32\rtbxgxvm.dll
C:\WINDOWS\system32\vcuqkiwk.dll
C:\WINDOWS\system32\wmioankf.dll
C:\WINDOWS\system32\xtflqcfk.dll

Beginning removal...

VundoFix V6.7.7

Checking Java version...

Java version is 1.5.0.6
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.10

Java version is 1.5.0.11

Scan started at 4:55:27 PM 12/25/2007

Listing files found while scanning....

C:\WINDOWS\FSX Flight Weather Report\uninstall.exe
C:\WINDOWS\system32\abmwnyir.dll
C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\itmfegel.dll
C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jwsquakk.dll
C:\WINDOWS\system32\kkkyohym.dll
C:\WINDOWS\system32\ktcroeqb.dll
C:\WINDOWS\system32\rtbxgxvm.dll
C:\WINDOWS\system32\vcuqkiwk.dll
C:\WINDOWS\system32\wmioankf.dll
C:\WINDOWS\system32\xtflqcfk.dll

Beginning removal...

Attempting to delete C:\WINDOWS\FSX Flight Weather Report\uninstall.exe
C:\WINDOWS\FSX Flight Weather Report\uninstall.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\abmwnyir.dll
C:\WINDOWS\system32\abmwnyir.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.ini
C:\WINDOWS\system32\dfhkj.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\dfhkj.ini2
C:\WINDOWS\system32\dfhkj.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\itmfegel.dll
C:\WINDOWS\system32\itmfegel.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jkhfd.dll
C:\WINDOWS\system32\jkhfd.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\jwsquakk.dll
C:\WINDOWS\system32\jwsquakk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\kkkyohym.dll
C:\WINDOWS\system32\kkkyohym.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\ktcroeqb.dll
C:\WINDOWS\system32\ktcroeqb.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rtbxgxvm.dll
C:\WINDOWS\system32\rtbxgxvm.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\vcuqkiwk.dll
C:\WINDOWS\system32\vcuqkiwk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\wmioankf.dll
C:\WINDOWS\system32\wmioankf.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\xtflqcfk.dll
C:\WINDOWS\system32\xtflqcfk.dll Has been deleted!

Performing Repairs to the registry.
Done!

Post the entire contents of C:\ComboFix.txt into your next reply.


ComboFix 07-12-26.3 - User 2007-12-25 17:45:13.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1549 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Temp\1cb
C:\Temp\1cb\syscheck.log
C:\Temp\bkR11
C:\Temp\bkR11\ftCa.log
C:\temp\tn3
C:\WINDOWS\cookies.ini
C:\WINDOWS\Fonts\a.zip
C:\WINDOWS\system32\bbc5
C:\WINDOWS\system32\bbc5\gstdrvr8.exe
C:\WINDOWS\system32\doc4
C:\WINDOWS\system32\drivers\core.cache.dsk
C:\WINDOWS\system32\drivers\core.sys
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\pac.txt
C:\WINDOWS\system32\peapwkpt.ini
C:\WINDOWS\system32\rex2
C:\WINDOWS\system32\siduqgu.dll
C:\WINDOWS\system32\wlalcoyl.ini
C:\winlogon.exe
C:\x.dat
C:\z.dat

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\core


((((((((((((((((((((((((( Files Created from 2007-11-26 to 2007-12-26 )))))))))))))))))))))))))))))))
.

2007-12-24 20:13 . 2007-12-24 20:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-24 20:06 . 2007-12-25 16:53 1,014,743 ---hs---- C:\WINDOWS\system32\kwikqucv.ini
2007-12-21 18:17 . 2007-12-21 18:18 1,192,418 ---hs---- C:\WINDOWS\system32\kfcqlftx.ini
2007-12-19 22:59 . 2007-12-19 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-12-19 19:28 . 2007-12-21 09:51 1,192,358 ---hs---- C:\WINDOWS\system32\daybbmhd.ini
2007-12-18 17:27 . 2007-12-19 19:27 1,364,186 ---hs---- C:\WINDOWS\system32\kouaifcc.ini
2007-12-17 19:04 . 2007-12-17 19:05 <DIR> d-------- C:\Program Files\LimeWire
2007-12-17 11:49 . 2007-12-18 17:25 1,588,565 ---hs---- C:\WINDOWS\system32\tdyxtosl.ini
2007-12-14 23:37 . 2007-12-14 23:37 147,456 --a------ C:\WINDOWS\system32\vbzip10.dll
2007-12-14 23:34 . 2007-12-15 20:02 <DIR> d-------- C:\WINDOWS\system32\ripd1
2007-12-14 23:34 . 2007-12-14 23:34 <DIR> d-------- C:\WINDOWS\system32\daSgo18
2007-12-14 23:34 . 2007-12-14 23:47 <DIR> d-------- C:\WINDOWS\system32\ashell3
2007-12-14 23:34 . 2007-12-14 23:34 134 --a------ C:\n.bat
2007-12-11 21:00 . 2007-12-11 21:02 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-07 22:35 . 1997-04-01 15:25 277,504 --a------ C:\WINDOWS\system32\crypt32e.dll
2007-12-07 22:35 . 1997-04-01 15:25 45,056 --a------ C:\WINDOWS\system32\ssl32.dll
2007-12-07 16:59 . 2007-12-07 16:59 <DIR> d-------- C:\Program Files\Elf Bowling 3
2007-12-02 23:24 . 2007-12-02 23:24 <DIR> d-------- C:\Program Files\directx
2007-12-02 17:35 . 2007-12-21 21:45 <DIR> d-------- C:\Documents and Settings\User\Application Data\LimeWire
2007-11-26 20:24 . 2007-11-26 20:24 <DIR> d-------- C:\Program Files\iPod
2007-11-26 20:23 . 2007-11-26 20:25 <DIR> d-------- C:\Program Files\iTunes
2007-11-26 20:21 . 2007-11-26 20:22 <DIR> d-------- C:\Program Files\QuickTime

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 16:16 --------- d-----w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2007-12-24 02:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-20 04:58 --------- d-----w C:\Program Files\Oberon Media
2007-12-09 03:01 --------- d-----w C:\Program Files\Dvd-cloner
2007-12-09 01:54 --------- d-----w C:\Documents and Settings\User\Application Data\Ulead Systems
2007-12-07 20:52 --------- d-----w C:\Documents and Settings\User\Application Data\Azureus
2007-12-05 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 05:24 --------- d-----w C:\Program Files\Microsoft Games
2007-12-02 23:17 --------- d-----w C:\Program Files\Incomplete
2007-11-30 03:01 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-24 05:42 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2007-11-15 03:19 --------- d-----w C:\Program Files\Azureus
2007-11-15 03:06 --------- d-----w C:\Program Files\PartyGaming
2007-11-14 06:41 --------- d-----w C:\Program Files\MSN Messenger
2007-11-14 03:24 --------- d-----w C:\Program Files\MSBuild
2007-11-14 03:21 --------- d-----w C:\Program Files\Reference Assemblies
2007-11-14 03:20 --------- d-----w C:\Program Files\MSXML 6.0
2007-11-14 03:01 --------- d-----w C:\Program Files\ArcadeRockstar
2007-11-13 23:34 --------- d-----w C:\Program Files\Antivirus Protection
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 15:47 --------- d-----w C:\Program Files\Absolute Poker
2007-11-01 20:52 --------- d-----w C:\Program Files\Activision Value
2007-11-01 20:37 --------- d-----w C:\Documents and Settings\User\Application Data\WeatherBug
2007-10-28 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-28 03:30 --------- d-----w C:\Program Files\Yahoo!
2007-10-28 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-27 19:14 --------- d-----w C:\Program Files\3D Blocks
2006-06-24 19:35 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-05-07 17:30 65 ----a-w C:\Program Files\Common Files\appop.log
1999-10-22 14:21 2,310,625 ----a-w C:\Documents and Settings\DSI\DSI.EXE
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{561b0e36-af72-4287-a71e-4db3619d1470}]
C:\WINDOWS\system32\rtbxgxvm.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7EA91AE-9CC0-4F68-8EDA-854A4BF64964}]
C:\WINDOWS\system32\jkhfd.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC77F23E-1D48-4238-9776-B705F92073FB}]
2007-06-28 16:20 1249280 --a------ C:\Program Files\DesktopFun Toolbar\desktopfuntoolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"107b1c80"="C:\WINDOWS\system32\vcuqkiwk.dll" []

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 19:17]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjjhh]
ljjjjhh.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reality Fusion GameCam SE.lnk
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
2007-06-27 11:46 238936 --a------ C:\Program Files\Dealio\DealioAU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECTCD]
2005-10-24 23:49 299008 --a------ C:\Program Files\InterVideo\Disc Master 2.5\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6000 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU C:\WINDOWS\TEMP\E_SDA.tmp /EF HKLM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
2007-10-17 22:28 894976 --a------ C:\Program Files\Micro Innovations\Wireless Laser Mouse\office.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gtsrp]
2007-07-27 05:32 159744 --a------ C:\Program Files\gtsrp\gtsrp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
2003-08-19 10:43 57344 --a------ C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2001-06-26 17:49 86016 --a------ C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 10:06 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 10:06 110592 --a------ C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PersonalWeb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]
2004-12-23 16:27 81920 --------- C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather.exe 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
2005-01-21 01:47 270336 --a------ C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
2006-03-20 13:53 327680 --a------ C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 20:05 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-06-08 08:59 224248 --a------ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 05:29]
R2 CX23880;WinFast CX2388x WDM Video Capture.;C:\WINDOWS\system32\drivers\cx88vid.sys [2005-06-28 08:24]
R2 CXTUNE;WinFast CX2388x WDM TVTuner.;C:\WINDOWS\system32\drivers\CX88TUNE.sys [2005-06-28 08:22]
R2 FreezeScreenSaver;FreezeScreenSaver;C:\WINDOWS\system32\FreezeScreenSaver.exe [2005-09-29 14:55]
R3 CXAVXBAR;WinFast CX2388x WDM Crossbar.;C:\WINDOWS\system32\drivers\cxavxbar.sys [2005-06-28 08:21]
S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 01:09]
S3 KMW_USB;%Kensington_KMW_USB_SvcDesc%;C:\WINDOWS\system32\DRIVERS\tkfilter.sys [2007-10-17 22:28]
S3 moufiltr;Mouse Filter;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2007-10-17 22:28]
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 15:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7399676-d780-11db-8f56-001731129ee6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 01:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-25 23:10:04 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-14 15:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 17:53:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-26 17:54:37 - machine was rebooted
.
2007-12-12 03:04:08 --- E O F ---

Double click on abc.bat (which is still HijackThis.exe) and post that log into your next reply, please.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 18:06, on 2007-12-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\internet explorer\iexplore.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\abc.bat.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
O2 - BHO: {0741d916-3bd4-e17a-7824-27fa63e0b165} - {561b0e36-af72-4287-a71e-4db3619d1470} - C:\WINDOWS\system32\rtbxgxvm.dll (file missing)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: (no name) - {C7EA91AE-9CC0-4F68-8EDA-854A4BF64964} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O2 - BHO: TBSB09819 - {DC77F23E-1D48-4238-9776-B705F92073FB} - C:\Program Files\DesktopFun Toolbar\desktopfuntoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKLM\..\Run: [107b1c80] rundll32.exe "C:\WINDOWS\system32\vcuqkiwk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ljjjjhh - ljjjjhh.dll (file missing)
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8469 bytes
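The thread is asking which lines of the log above deserve a second look. The script below is an added example written for this page (it is not part of the thread and not HijackThis code): it parses HijackThis v2 log lines and flags the patterns a responder checks first, using a handful of lines copied from the log above plus one benign `ctfmon.exe` line as a constructed sample. The heuristics (missing backing file, auto-generated 8-hex-digit Run value names, `rundll32` called with a single-character entry point, and any AppInit_DLLs or Winlogon Notify entry) are the author's choice for illustration, not a HijackThis feature.

```python
"""Triage helper for HijackThis v2 log lines (added example, not HijackThis code)."""
import re
from dataclasses import dataclass
from collections import Counter

# Constructed sample: lines copied from the log posted above, plus a benign
# ctfmon.exe Run entry for contrast.
SAMPLE_LOG = r"""
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {0741d916-3bd4-e17a-7824-27fa63e0b165} - {561b0e36-af72-4287-a71e-4db3619d1470} - C:\WINDOWS\system32\rtbxgxvm.dll (file missing)
O2 - BHO: (no name) - {C7EA91AE-9CC0-4F68-8EDA-854A4BF64964} - C:\WINDOWS\system32\jkhfd.dll (file missing)
O4 - HKLM\..\Run: [107b1c80] rundll32.exe "C:\WINDOWS\system32\vcuqkiwk.dll",b
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O20 - Winlogon Notify: ljjjjhh - ljjjjhh.dll (file missing)
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
"""


@dataclass
class Finding:
    section: str   # HijackThis section code, e.g. "O4"
    reason: str    # why the line was flagged
    line: str      # the original log line


SECTION_RE = re.compile(r"^([A-Z]\d{1,2}) - ")
# HijackThis appends these markers when the referenced file is absent.
MISSING_RE = re.compile(r"\((?:file missing|no file)\)\s*$")
# O4 - <hive>\..\Run: [<value name>] <command line>
RUN_RE = re.compile(r"^O4 - (?P<hive>[^:]+): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
# Value names like 107b1c80 are typical of auto-generated entries.
HEX_NAME_RE = re.compile(r"^[0-9a-f]{8}$")
# rundll32.exe "<dll>",<entry point>
RUNDLL_RE = re.compile(r'rundll32(?:\.exe)?\s+"?(?P<dll>[^",]+)"?\s*,\s*(?P<entry>\S+)',
                       re.IGNORECASE)


def triage_line(line: str) -> list:
    """Return the findings (possibly none) for a single HijackThis log line."""
    findings = []
    line = line.rstrip()
    m = SECTION_RE.match(line)
    if not m:
        return findings  # header, blank line, or footer
    section = m.group(1)

    if MISSING_RE.search(line):
        findings.append(Finding(section, "references a file that no longer exists", line))

    if section == "O4":
        run = RUN_RE.match(line)
        if run:
            if HEX_NAME_RE.match(run.group("name")):
                findings.append(Finding(section, "Run value name looks auto-generated (8 hex digits)", line))
            rd = RUNDLL_RE.search(run.group("cmd"))
            if rd and len(rd.group("entry")) == 1:
                findings.append(Finding(section,
                                        "rundll32 loads %s with a single-character entry point" % rd.group("dll"),
                                        line))

    if section == "O20":
        if line.startswith("O20 - AppInit_DLLs:"):
            findings.append(Finding(section,
                                    "AppInit_DLLs is loaded into every process that loads user32.dll; verify the DLL",
                                    line))
        elif line.startswith("O20 - Winlogon Notify:"):
            findings.append(Finding(section,
                                    "Winlogon Notify package is loaded by winlogon.exe at logon; verify the DLL",
                                    line))
    return findings


def triage_log(text: str) -> list:
    """Run triage_line over every line of a log and collect the findings."""
    findings = []
    for line in text.splitlines():
        findings.extend(triage_line(line))
    return findings


def counts_by_section(findings: list) -> dict:
    """Summarise how many findings each HijackThis section produced."""
    return dict(Counter(f.section for f in findings))


if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print("[%s] %s\n    %s" % (f.section, f.reason, f.line))
    print(counts_by_section(triage_log(SAMPLE_LOG)))
```

On the sample the benign `ctfmon.exe` line produces nothing, while the `107b1c80` Run entry is flagged twice (auto-generated name and the `rundll32 ... ,b` call), which matches what RichieUK's CFScript below removes from `HKLM\...\Run`.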



#4 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts

Posted 25 December 2007 - 08:56 PM

Copy and paste ALL the following text in the Quote box below into Notepad.
Click on File (in the menu at the top) > Save as... / Save as Type: 'All Files' / File name: CFScript to your desktop.

File::
C:\WINDOWS\system32\kwikqucv.ini
C:\WINDOWS\system32\kfcqlftx.ini
C:\WINDOWS\system32\daybbmhd.ini
C:\WINDOWS\system32\kouaifcc.ini
C:\WINDOWS\system32\tdyxtosl.ini
C:\WINDOWS\system32\vbzip10.dll
C:\n.bat
Folder::
C:\WINDOWS\system32\ripd1
C:\WINDOWS\system32\daSgo18
C:\WINDOWS\system32\ashell3
C:\Documents and Settings\User\Application Data\WeatherBug
Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{561b0e36-af72-4287-a71e-4db3619d1470}]
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{C7EA91AE-9CC0-4F68-8EDA-854A4BF64964}]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"107b1c80"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\ljjjjhh]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gtsrp]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\My Web Search Bar]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
Service::
FreezeScreenSaver

Now drag then drop the CFScript file onto ComboFix.exe as seen in the image below.

[Image: the CFScript file being dragged onto ComboFix.exe]

This will start ComboFix again.
After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply along with a new HijackThis log.

#5 iFRED

iFRED
  • Topic Starter

  • Members
  • 5 posts

Posted 25 December 2007 - 11:13 PM

Done and done.

FYI, I get the following error message every time I have run ComboFix. The error does not stop the process, but I thought you might want to know.

Attached file: onload_combofix_error.JPG (14.67KB)

Here are the logs.

ComboFix 07-12-26.3 - User 2007-12-26 21:42:23.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.1604 [GMT -6:00]
Running from: C:\Documents and Settings\User\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\User\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\n.bat
C:\WINDOWS\system32\daybbmhd.ini
C:\WINDOWS\system32\kfcqlftx.ini
C:\WINDOWS\system32\kouaifcc.ini
C:\WINDOWS\system32\kwikqucv.ini
C:\WINDOWS\system32\tdyxtosl.ini
C:\WINDOWS\system32\vbzip10.dll
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\User\Application Data\WeatherBug
C:\Documents and Settings\User\Application Data\WeatherBug\0107_Winter.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\0107_Winter_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\06_Winter_BUBBLE_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\06_Winter_BUBBLE_Mask_updated.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\06_Winter_Bubble_Wrap.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\06_Winter_Bubble_Wrap_updated.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96_ActiveStorms.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96_ColdAndFlu.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96_Hurricane_09252007.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96_Hurricane_Dean.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96_HurricaneCommandCenter.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96_HurricaneCommandCenterWithFlag.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96_NST_3-22-07.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96_VZW.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96DisneyQuestforGold.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96FarmersAlmanacOutlookTile.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96HurricaneNameVideo_Plus_Mobile.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96HurricaneVideo.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96LiveTrafficCameras.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96Mobile2_0507.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96New_Disney.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96New_Disney_2.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96PlusNVerizon.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96Professional.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96SponsorTileMobileVideo.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96TP-MA-FF.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96Verizon.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96video.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\102x96video1_mobile2.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_blueyellow.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_blueyellow_mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_brand_delta_approved.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_brand_delta_mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_brand_IceAgeAPPROVED.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_brand_IceAgeMASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_brandwrap_spring2.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_brandwrap_spring2_mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_Default_Fall_1007.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Default_Fall_1007_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_Default_Spring_Mobile_BG_0506.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Default_Spring_Mobile_MASK_0506.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_generic_summerAPPROVED.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_generic_summerMASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic_Sun_0306_Final.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic_Sun_0306_Final.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic2006_Fall_091406.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic2006_Fall_091406.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic2007_Summe_0807r.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic2007_Summer.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic2007_Summer_070507.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic2007_Summer_070507_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic2007_Summer_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_Generic2007_Summer_Mask_0807.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_GenericPLUS_approved.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_GenericPLUS_MASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_GenericPLUS_Summer_082906.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_GenericPLUS_Summer_082906.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_GeorgPac_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_GeorgPacific.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_nav_light_round_0706.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_nav_light_square_0206.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_nav_light_square_0706.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Protonix_Approved2.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Protonix_MASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60_Spring_Bubble_0507.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60_Spring_Bubble_Mask_0507.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-Ace-June28.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-Ace-June28.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-Ace_Hurricane.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-Ace_Hurricane.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-NationWideEST647.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-NationWideEST647_mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-OralB.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-OralB_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-trane2_mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales-trane3_shell.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales_Bank_of_America_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales_Bank_of_America_shell.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales_Mucinex_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\60Sales_Mucinex_shell.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Allstate.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Allstate_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Army_background.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Army_mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Fall-VZWbubble_APPROVED.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Fall-VZWbubble_APPROVED_102407.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Fall-VZWbubble_MASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Fall-VZWbubble_MASK_102407.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Fall.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Fall_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Fox_Theatrical_approved.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Fox_Theatrical_MASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\GE_Eco.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\GE_Eco_MASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Georgia_Pacific.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Georgia_Pacific_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Hartford_Insurance_Approved.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Hartford_Insurance_MASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Memorial_Generic_07.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Memorial_Generic_07_MASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\MSNBC.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\MSNBC_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\nav_07182007.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\nav_Generic2005_032907.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\nav_Generic2006.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\nav_Generic2006_0706.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\New_Spring_Bubble_052007.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\New_Spring_Bubble_052007_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\NghtAtTheMus_back.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\NghtAtTheMus_mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\SharpSolar.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\SharpSolar_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\SponsorTile42.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Spring_2007.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Spring_2007_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Summer_Hurricane_Bubble_071707.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Summer_Hurricane_Bubble_071707_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Tamiflu.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Tamiflu_mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\topnav_Generic2005.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\topnav_Generic2005_121505.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\topnav_Generic2007.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\topnav_square.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\topnav_square_121505.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\VerizonWrap_Approved.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\VerizonWrap_MASK.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Visa_Mask_revised.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Visa_revised.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Windows_Live.jpg
C:\Documents and Settings\User\Application Data\WeatherBug\Windows_Live_Mask.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Winter_BUBBLE2.bmp
C:\Documents and Settings\User\Application Data\WeatherBug\Winter_BUBBLE2.jpg
C:\n.bat
C:\WINDOWS\system32\ashell3
C:\WINDOWS\system32\daSgo18
C:\WINDOWS\system32\daSgo18\daSgo182328.exe
C:\WINDOWS\system32\daybbmhd.ini
C:\WINDOWS\system32\kfcqlftx.ini
C:\WINDOWS\system32\kouaifcc.ini
C:\WINDOWS\system32\kwikqucv.ini
C:\WINDOWS\system32\ripd1
C:\WINDOWS\system32\tdyxtosl.ini
C:\WINDOWS\system32\vbzip10.dll

.
((((((((((((((((((((((((( Files Created from 2007-11-27 to 2007-12-27 )))))))))))))))))))))))))))))))
.

2007-12-24 20:13 . 2007-12-24 20:13 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-19 22:59 . 2007-12-19 22:59 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Sandlot Games
2007-12-17 19:04 . 2007-12-17 19:05 <DIR> d-------- C:\Program Files\LimeWire
2007-12-11 21:00 . 2007-12-11 21:02 1,393 --a------ C:\WINDOWS\imsins.BAK
2007-12-07 22:35 . 1997-04-01 15:25 277,504 --a------ C:\WINDOWS\system32\crypt32e.dll
2007-12-07 22:35 . 1997-04-01 15:25 45,056 --a------ C:\WINDOWS\system32\ssl32.dll
2007-12-07 16:59 . 2007-12-07 16:59 <DIR> d-------- C:\Program Files\Elf Bowling 3
2007-12-02 23:24 . 2007-12-02 23:24 <DIR> d-------- C:\Program Files\directx
2007-12-02 17:35 . 2007-12-21 21:45 <DIR> d-------- C:\Documents and Settings\User\Application Data\LimeWire

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-25 16:16 --------- d-----w C:\Documents and Settings\User\Application Data\OpenOffice.org2
2007-12-24 02:23 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2007-12-20 04:58 --------- d-----w C:\Program Files\Oberon Media
2007-12-09 03:01 --------- d-----w C:\Program Files\Dvd-cloner
2007-12-09 01:54 --------- d-----w C:\Documents and Settings\User\Application Data\Ulead Systems
2007-12-07 20:52 --------- d-----w C:\Documents and Settings\User\Application Data\Azureus
2007-12-05 17:17 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-03 05:24 --------- d-----w C:\Program Files\Microsoft Games
2007-12-02 23:17 --------- d-----w C:\Program Files\Incomplete
2007-11-30 03:01 --------- d-----w C:\Program Files\Windows Live Toolbar
2007-11-27 02:25 --------- d-----w C:\Program Files\iTunes
2007-11-27 02:24 --------- d-----w C:\Program Files\iPod
2007-11-27 02:22 --------- d-----w C:\Program Files\QuickTime
2007-11-24 05:42 --------- d-----w C:\Documents and Settings\User\Application Data\U3
2007-11-15 03:19 --------- d-----w C:\Program Files\Azureus
2007-11-15 03:06 --------- d-----w C:\Program Files\PartyGaming
2007-11-14 06:41 --------- d-----w C:\Program Files\MSN Messenger
2007-11-14 03:24 --------- d-----w C:\Program Files\MSBuild
2007-11-14 03:21 --------- d-----w C:\Program Files\Reference Assemblies
2007-11-14 03:20 --------- d-----w C:\Program Files\MSXML 6.0
2007-11-14 03:01 --------- d-----w C:\Program Files\ArcadeRockstar
2007-11-13 23:34 --------- d-----w C:\Program Files\Antivirus Protection
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-07 15:47 --------- d-----w C:\Program Files\Absolute Poker
2007-11-01 20:52 --------- d-----w C:\Program Files\Activision Value
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-28 04:07 --------- d-----w C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-10-28 03:30 --------- d-----w C:\Program Files\Yahoo!
2007-10-28 03:30 --------- d-----w C:\Documents and Settings\All Users\Application Data\yahoo!
2007-10-27 23:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 19:14 --------- d-----w C:\Program Files\3D Blocks
2007-10-25 16:24 815,480 ----a-w C:\WINDOWS\system32\aswBoot.exe
2007-10-25 16:14 95,608 ----a-w C:\WINDOWS\system32\AvastSS.scr
2007-10-04 04:55 119,848 ----a-w C:\WINDOWS\system32\SilSupp.dll
2007-09-29 09:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 09:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 09:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 08:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 08:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 08:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 08:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 08:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 08:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 08:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 08:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 08:47 3,130,720 ----a-w C:\WINDOWS\system32\ati3duag.dll
2007-09-29 08:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 08:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 08:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 08:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 08:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 08:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2006-06-24 19:35 774,144 ----a-w C:\Program Files\RngInterstitial.dll
2006-05-07 17:30 65 ----a-w C:\Program Files\Common Files\appop.log
1999-10-22 14:21 2,310,625 ----a-w C:\Documents and Settings\DSI\DSI.EXE
.

((((((((((((((((((((((((((((( snapshot@2007-12-26_17.54.11.29 )))))))))))))))))))))))))))))))))))))))))
.
+ 2007-12-27 00:40:33 16,384 ----atw C:\WINDOWS\Temp\Perflib_Perfdata_98.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC77F23E-1D48-4238-9776-B705F92073FB}]
2007-06-28 16:20 1249280 --a------ C:\Program Files\DesktopFun Toolbar\desktopfuntoolbar.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 06:00]
"Yahoo! Pager"="C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" [2007-08-30 16:43]
"WMPNSCFG"="C:\Program Files\Windows Media Player\WMPNSCFG.exe" [2006-10-18 20:05]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"Picasa Media Detector"="C:\Program Files\Picasa2\PicasaMediaDetector.exe" [2007-09-27 19:17]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2006-10-04 02:48 C:\WINDOWS\system32\narrator.exe]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Event Reminder.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Event Reminder.lnk
backup=C:\WINDOWS\pss\Event Reminder.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Install Pending Files.LNK]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Install Pending Files.LNK
backup=C:\WINDOWS\pss\Install Pending Files.LNKCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^InterVideo WinCinema Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\InterVideo WinCinema Manager.lnk
backup=C:\WINDOWS\pss\InterVideo WinCinema Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Reality Fusion GameCam SE.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Reality Fusion GameCam SE.lnk
backup=C:\WINDOWS\pss\Reality Fusion GameCam SE.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ymetray.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ymetray.lnk
backup=C:\WINDOWS\pss\ymetray.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^User^Start Menu^Programs^Startup^RollerCoaster Tycoon 3 Registration.lnk]
path=C:\Documents and Settings\User\Start Menu\Programs\Startup\RollerCoaster Tycoon 3 Registration.lnk
backup=C:\WINDOWS\pss\RollerCoaster Tycoon 3 Registration.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Alcmtr]
ALCMTR.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\au]
2007-06-27 11:46 238936 --a------ C:\Program Files\Dealio\DealioAU.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
2004-08-04 06:00 15360 --a------ C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIRECTCD]
2005-10-24 23:49 299008 --a------ C:\Program Files\InterVideo\Disc Master 2.5\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX6000 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIBIA.EXE /FU C:\WINDOWS\TEMP\E_SDA.tmp /EF HKLM

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\FLMOFFICE4DMOUSE]
2007-10-17 22:28 894976 --a------ C:\Program Files\Micro Innovations\Wireless Laser Mouse\office.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe /startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
2007-11-15 13:11 267048 --a------ C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark X1100 Series]
2003-08-19 10:43 57344 --a------ C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LVCOMS]
2001-06-26 17:49 86016 --a------ C:\Program Files\Common Files\Logitech\QCDriver\LVCOMS.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
2006-01-19 10:06 11776 --a------ C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MMTray]
2006-01-19 10:06 110592 --a------ C:\Program Files\Musicmatch\Musicmatch Jukebox\mm_tray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsnMsgr]
C:\Program Files\MSN Messenger\MsnMsgr.Exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PersonalWeb]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\qttask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RTHDCPL]
RTHDCPL.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2007-09-25 00:11 132496 --a------ C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
C:\Program Files\Common Files\Real\Update_OB\realsched.exe -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ulead Quick-Drop]
C:\Program Files\Ulead Systems\Ulead DVD MovieFactory 4.0 Suite\Ulead Quick-Drop 1.0\Quick-Drop.exe WINDOWCALL

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\USIUDF_Eject_Monitor]
2004-12-23 16:27 81920 --------- C:\Program Files\Common Files\Ulead Systems\DVD\USISrv.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WINCINEMAMGR]
2005-01-21 01:47 270336 --a------ C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinFast Schedule]
2006-03-20 13:53 327680 --a------ C:\Program Files\WinFast\WFTVFM\WFWIZ.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WMPNSCFG]
2006-10-18 20:05 204288 --------- C:\Program Files\Windows Media Player\WMPNSCFG.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\PROGRA~1\Yahoo!\MESSEN~1\YAHOOM~1.EXE -quiet

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\YSearchProtection]
2007-06-08 08:59 224248 --a------ C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe

R0 ivicd;Ivi CDVD Filter Driver;C:\WINDOWS\system32\drivers\ivicd.sys [2005-01-12 05:29]
R2 CX23880;WinFast CX2388x WDM Video Capture.;C:\WINDOWS\system32\drivers\cx88vid.sys [2005-06-28 08:24]
R2 CXTUNE;WinFast CX2388x WDM TVTuner.;C:\WINDOWS\system32\drivers\CX88TUNE.sys [2005-06-28 08:22]
R2 FreezeScreenSaver;FreezeScreenSaver;C:\WINDOWS\system32\FreezeScreenSaver.exe [2005-09-29 14:55]
R3 CXAVXBAR;WinFast CX2388x WDM Crossbar.;C:\WINDOWS\system32\drivers\cxavxbar.sys [2005-06-28 08:21]
S3 iviudf;iviudf;C:\WINDOWS\system32\drivers\IviUdf.sys [2005-06-23 01:09]
S3 KMW_USB;%Kensington_KMW_USB_SvcDesc%;C:\WINDOWS\system32\DRIVERS\tkfilter.sys [2007-10-17 22:28]
S3 moufiltr;Mouse Filter;C:\WINDOWS\system32\DRIVERS\moufiltr.sys [2007-10-17 22:28]
S3 WFIOCTL;WFIOCTL;C:\Program Files\WinFast\WFTVFM\WFIOCTL.SYS [2005-01-06 15:55]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{f7399676-d780-11db-8f56-001731129ee6}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-18 01:30:02 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
"2007-12-27 03:10:01 C:\WINDOWS\Tasks\Check Updates for Windows Live Toolbar.job"
- C:\Program Files\Windows Live Toolbar\MSNTBUP.EXE
"2007-11-14 15:00:00 C:\WINDOWS\Tasks\rpc.job"
- C:\Program Files\Winferno\RegistryPowerCleaner\RegPowerClean.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-26 21:49:00
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-26 21:49:33
C:\ComboFix2.txt ... 2007-12-26 17:54
.
2007-12-12 03:04:08 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 22:00, on 2007-12-26
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\Program Files\Windows Media Player\WMPNSCFG.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Program Files\Yahoo!\Messenger\ymsgr_tray.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\FreezeScreenSaver.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Trend Micro\HijackThis\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaul...rch/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaul...//www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: Windows Live Toolbar Helper - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O2 - BHO: TBSB09819 - {DC77F23E-1D48-4238-9776-B705F92073FB} - C:\Program Files\DesktopFun Toolbar\desktopfuntoolbar.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
O3 - Toolbar: Google Web Accelerator - {DB87BFA2-A2E3-451E-8E5A-C89982D87CBF} - C:\Program Files\Google\Web Accelerator\GoogleWebAccToolbar.dll
O3 - Toolbar: Windows Live Toolbar - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\Windows Live Toolbar\msntb.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - HKCU\..\Run: [WMPNSCFG] C:\Program Files\Windows Media Player\WMPNSCFG.exe
O4 - HKUS\S-1-5-18\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [Picasa Media Detector] C:\Program Files\Picasa2\PicasaMediaDetector.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: &Windows Live Search - res://C:\Program Files\Windows Live Toolbar\msntb.dll/search.htm
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~1\GOEC62~1.DLL
O23 - Service: Apple Mobile Device - Apple, Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: PictureTaker - LANovation - C:\WINDOWS\system32\PCTKRNT.SYS
O23 - Service: Ulead Burning Helper (UleadBurningHelper) - Ulead Systems, Inc. - C:\Program Files\Common Files\Ulead Systems\DVD\ULCDRSvr.exe

--
End of file - 8032 bytes



#6 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 26 December 2007 - 04:27 AM

First enable the viewing of hidden files and folders; reverse the process once you've done the steps below:
http://www.bleepingcomputer.com/tutorials/how-to-see-hidden-files-in-windows/

Click on Start>Run and type Services.msc then hit Ok.
Scroll down and find the service called:
FreezeScreenSaver
When you find it, double-click on it.
In the next window that opens, click the 'Stop' button.
Then change the 'Startup Type:' to 'Disabled'.
Now press Apply and then Ok and close any open windows.

Click Start>Run and type regedit then click OK.
Navigate to HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>Services
Scroll down the left pane and locate the service name:
FreezeScreenSaver
Right click on it and select 'Delete'.
Exit regedit, then restart your PC.


Download ATF Cleaner by Atribune:
http://www.atribune.org/ccount/click.php?id=1
Do not run it just yet.

Download/install 'SuperAntiSpyware Home Edition Free Version' from here:
http://www.superantispyware.com/downloadfi...ANTISPYWAREFREE

Launch SuperAntiSpyware and click on 'Check for updates'.
Once the updates have been installed, exit SuperAntiSpyware.
Do not run it just yet.

You might want to print/copy the following as you need to be in Safe Mode from here on.

Reboot your computer into SAFE MODE using the F8 method.
To do this, restart your computer and after hearing your computer beep once during startup (but before the Windows icon appears) press the F8 key repeatedly.
A menu will appear with several options.
Use the arrow keys on your keyboard to navigate and select the option to run Windows in "Safe Mode".

Have Hijack This fix the following by placing a check in the appropriate boxes and selecting 'Fix checked'.
Make sure all browser and all Windows Explorer windows are closed before fixing:
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: (no name) - rsion - (no file)
O8 - Extra context menu item: &Search - ?p=ZN
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra 'Tools' menuitem: PartyBingo.com - {B987E7E7-5997-4330-A5F9-9FFEFC1CCFD0} - C:\WINDOWS\system32\shdocvw.dll
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe

Exit Hijackthis.

Find and delete:
C:\WINDOWS\system32\FreezeScreenSaver.exe

Now double-click ATF-Cleaner.exe to run the program.
Click 'Select All' found at the bottom of the list.
Click the 'Empty Selected' button.

If you use Firefox browser, do this also:
Click Firefox at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.

If you use Opera browser, do this also:
Click Opera at the top and choose 'Select All' from the list.
Click the 'Empty Selected' button.
NOTE:
If you would like to keep your saved passwords, please click 'No' at the prompt.
Click 'Exit' on the Main menu to close the program.

Now Start SuperAntiSpyware.
On the main screen click on 'Scan your computer'.
Check: 'Perform Complete Scan'.
Click 'Next' to start the scan.

SuperAntiSpyware will now scan your computer; when it's finished it will list any infections found.
Make sure everything found has a checkmark next to it, then press 'Next'.
Click on 'Finish' when you're done.

It's possible that the program will ask you to reboot in order to delete some files.

Obtain the SuperAntiSpyware log as follows:
Click on 'Preferences'.
Click on the 'Statistics/Logs' tab.
Under 'Scanner Logs' double click on 'SuperAntiSpyware Scan Log'.
It will then open in your default text editor, such as Notepad.
Copy and paste the contents of that report into your next reply.
Also post a new HijackThis log and let me know how your PC is running now.

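The fix list above follows a few recognisable patterns in a HijackThis log: references marked "(no file)", CLSID fields that are not GUIDs ("orer", "rsion"), an O8 item with no real target, O9 buttons implemented by shdocvw.dll rather than an installed program, and an unknown-owner service in system32. As an added example (not code from this thread or from HijackThis), the Python below encodes those patterns as triage rules and runs them over sample lines constructed from the log posted above; the rules are my own heuristics, not HijackThis's.

```python
import re

# Constructed sample: HijackThis 2.0.2 lines modelled on the log posted in this thread.
SAMPLE_LOG = r"""
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn7\yt.dll
R3 - URLSearchHook: (no name) - - (no file)
R3 - URLSearchHook: (no name) - {D3DEE18F-DB64-4BEB-9FF1-E1F0A5033E4A} - (no file)
O2 - BHO: (no name) - orer - (no file)
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O8 - Extra context menu item: &Search - ?p=ZN
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O9 - Extra button: PartyCasino.com - {B4B52284-A248-4c51-9F7C-F0A0C67FCC9D} - C:\WINDOWS\system32\shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O23 - Service: FreezeScreenSaver - Unknown owner - C:\WINDOWS\system32\FreezeScreenSaver.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
"""

LINE_RE = re.compile(r"^(?P<sec>[RO]\d+) - (?P<body>.+)$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
# Target forms a legitimate O8 context-menu item uses (heuristic, my assumption).
O8_OK_PREFIXES = ("res://", "file://", "http://", "https://")

def triage_line(line):
    """Return a reason string if the HJT line trips one of the triage rules, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # headers, process list, blank lines
    sec, body = m.group("sec"), m.group("body")
    fields = [f.strip() for f in body.split(" - ")]
    target = fields[-1]
    # Rule 1: R3/O2 entries carry a CLSID; a non-GUID there is a truncated or damaged registry value.
    if sec in ("R3", "O2") and len(fields) >= 3 and not GUID_RE.match(fields[-2]):
        return "malformed CLSID %r: truncated or damaged registry entry" % fields[-2]
    # Rule 2: a registered component whose file is gone has nothing left to run; the reference is dead weight.
    if target.endswith("(no file)"):
        return "orphaned entry: registry reference whose file no longer exists"
    # Rule 3: a context-menu item must point at a resource, URL or local file.
    if sec == "O8" and not target.lower().startswith(O8_OK_PREFIXES) and not re.match(r"^[A-Za-z]:\\", target):
        return "context-menu item with no usable target: %r" % target
    # Rule 4: a button implemented by shdocvw.dll (IE's own shell library) only opens a URL; no product is installed.
    if sec == "O9" and target.lower().endswith("\\shdocvw.dll"):
        return "IE button backed only by shdocvw.dll, not by an installed program"
    # Rule 5: a service with no identifiable vendor running out of system32.
    if sec == "O23" and "Unknown owner" in fields and "\\system32\\" in target.lower():
        return "unknown-owner service running from system32"
    return None

def triage_log(text):
    """Return [(line, reason)] for every flagged line, in log order."""
    hits = []
    for line in text.splitlines():
        reason = triage_line(line)
        if reason:
            hits.append((line.strip(), reason))
    return hits
```

Run `triage_log(SAMPLE_LOG)` to see the six flagged lines; every legitimate line in the sample (Yahoo toolbar, Java SSV helper, Windows Messenger, avast!) passes clean.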

#7 iFRED

iFRED
  • Topic Starter

  • Members
  • 5 posts
  • OFFLINE
  • Local time:05:25 AM

Posted 26 December 2007 - 07:50 AM

...let me know how your pc is running now.


Your first set of instructions corrected the 'constant random pop-ups' issue that caused me to start this thread. I cannot thank you enough. The amount of time you saved me in bug research and trial and error is massive. Seriously, THANK YOU!!!

However, I am about to get on a plane and go home and the user of the PC is still in bed asleep. The user has a friend who will most likely be able to follow these instructions. I will forward the information in this thread to him. I wish I could take care of this myself, but alas, I am out of time. :thumbsup:

Thanks again,

iFRED

#8 RichieUK

RichieUK

    Malware Assassin


  • Malware Response Team
  • 13,614 posts
  • OFFLINE
  • Local time:12:25 AM

Posted 26 December 2007 - 07:54 AM

Ok iFRED, thanks for the update, I'll leave this topic open then :thumbsup: