
Annoying Spyware/virus?


This topic is locked
8 replies to this topic

#1 Jordan64 (Members, 22 posts)

Posted 07 May 2008 - 09:17 PM

Hey guys, yesterday night I ended up infecting myself with spyware or a virus, I have no idea which. I was looking for something online, downloaded a file which had .zip.exe without me noticing, and I ran it like an idiot. What happened exactly after I ran it is numerous "Windows Warnings", which can be seen in the picture I attached.



It also launches tabs in Firefox for some spyware removal site.

So far I have tried the following --

Ran Ad-Aware - Full system scan

Ran Spybot Search & Destroy - Full system scan

Ran AVG Free Edition - Full scan

Anyways, if any more information is needed just let me know, I'll provide it as needed. I hope someone can lead me in the right direction.


HijackThis log ------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:57:34 PM, on 2008-05-07
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2600.0000)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
c:\xampp\apache\bin\apache.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\taskmgr.exe
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\xampp\apache\bin\apache.exe
C:\WINDOWS\TEMP\win28.exe
C:\Program Files\Winamp\winamp.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvnav.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: hamachi.lnk = D:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: CallClerk Dial - file://C:\Program Files\CallClerk\callclerkdial.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.65.108.158/Java/cfs40320.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (LogMeIn File Transfer ActiveX Client) - https://homepc:2000/activex/filexfer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189005093648
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189118399933
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 8601 bytes


#2 Jordan64 (Topic Starter, Members, 22 posts)

Posted 07 May 2008 - 10:40 PM

I would highly appreciate any feedback, I noticed my thread was bumped back to the 3rd page in less than an hour! Busy busy :thumbsup:

#3 waterfalls (Malware Exorcist, Staff Emeritus, 621 posts)

Posted 07 May 2008 - 10:48 PM

Hi -

Please visit this webpage for instructions for downloading and running ComboFix:
http://www.bleepingcomputer.com/combofix/how-to-use-combofix

Please ensure that ComboFix is saved to (and run from) your desktop.

Be sure to install the Windows XP Recovery Console in case you have not installed it yet. Instructions are provided for you.

Next:
Close all open windows, including this one.
Close or disable all running Antivirus, Antispyware, and Firewall programs as they may interfere with the proper running of ComboFix.
Double-click on the ComboFix icon found on your desktop. Please note that once you start ComboFix you should not click anywhere on the ComboFix window as it can cause the program to stall.

When ComboFix is finished, it will produce a report for you.
Be sure to re-enable your Antivirus, Antispyware and Firewall programs.

Post back with the log from ComboFix (C:\ComboFix.txt) and a new HijackThis log.
Take only memories, leave nothing but footprints.


#4 Jordan64 (Topic Starter, Members, 22 posts)

Posted 07 May 2008 - 11:50 PM

Hey waterfalls, I appreciate the reply! I've done as requested; it seems as though the pop-ups have been eliminated.


Here's the ComboFix log -------------

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\search.html
C:\WINDOWS\afxao.dat
C:\WINDOWS\afxcu.dat
C:\WINDOWS\ahuih.dat
C:\WINDOWS\ajrqk.dat
C:\WINDOWS\aofod.dat
C:\WINDOWS\apldf.dat
C:\WINDOWS\apmtp.dat
C:\WINDOWS\bfmzw.dat
C:\WINDOWS\bmqwn.dat
C:\WINDOWS\bzjxd.dat
C:\WINDOWS\cjrmy.dat
C:\WINDOWS\czkvc.dat
C:\WINDOWS\dhmvt.dat
C:\WINDOWS\dhuon.dat
C:\WINDOWS\efegp.dat
C:\WINDOWS\ehkai.dat
C:\WINDOWS\ekela.dat
C:\WINDOWS\epzsu.dat
C:\WINDOWS\fkdhr.dat
C:\WINDOWS\flhgr.dat
C:\WINDOWS\gekbd.dat
C:\WINDOWS\glerk.dat
C:\WINDOWS\glynq.dat
C:\WINDOWS\guprv.dat
C:\WINDOWS\gzqje.dat
C:\WINDOWS\hlvhi.dat
C:\WINDOWS\hvaii.dat
C:\WINDOWS\hxvrl.dat
C:\WINDOWS\iiyte.dat
C:\WINDOWS\ikecd.dat
C:\WINDOWS\ituww.dat
C:\WINDOWS\josfu.dat
C:\WINDOWS\jqrly.dat
C:\WINDOWS\jrcaa.dat
C:\WINDOWS\jziux.dat
C:\WINDOWS\keybk.dat
C:\WINDOWS\kkwjn.dat
C:\WINDOWS\lmbiw.dat
C:\WINDOWS\ltsvz.dat
C:\WINDOWS\mdxfn.dat
C:\WINDOWS\mjuti.dat
C:\WINDOWS\mpvlf.dat
C:\WINDOWS\mvxlc.dat
C:\WINDOWS\njxdn.dat
C:\WINDOWS\nlxcp.dat
C:\WINDOWS\nrjyg.dat
C:\WINDOWS\nrxks.dat
C:\WINDOWS\nutrv.dat
C:\WINDOWS\nyerm.dat
C:\WINDOWS\ohgpo.dat
C:\WINDOWS\oqnuq.dat
C:\WINDOWS\phcrz.dat
C:\WINDOWS\pocfp.dat
C:\WINDOWS\qmwin.dat
C:\WINDOWS\rjrbp.dat
C:\WINDOWS\rpgfx.dat
C:\WINDOWS\sdumj.dat
C:\WINDOWS\sjnuh.dat
C:\WINDOWS\snrvv.dat
C:\WINDOWS\system32\a.bat
C:\WINDOWS\system32\adpse.dat
C:\WINDOWS\system32\azzfp.dat
C:\WINDOWS\system32\bhwtv.dat
C:\WINDOWS\system32\bIhhQqss.ini
C:\WINDOWS\system32\bIhhQqss.ini2
C:\WINDOWS\system32\bjfpn.dat
C:\WINDOWS\system32\blrxl.dat
C:\WINDOWS\system32\chbxn.dat
C:\WINDOWS\system32\cvnem.dat
C:\WINDOWS\system32\dcklx.dat
C:\WINDOWS\system32\dklwc.dat
C:\WINDOWS\system32\dmrjn.dat
C:\WINDOWS\system32\donwa.dat
C:\WINDOWS\system32\dtkxi.dat
C:\WINDOWS\system32\dxzgm.dat
C:\WINDOWS\system32\efcDWOIX.dll
C:\WINDOWS\system32\eykhy.dat
C:\WINDOWS\system32\felkl.dat
C:\WINDOWS\system32\ffjvq.dat
C:\WINDOWS\system32\ffpgs.dat
C:\WINDOWS\system32\gcbnz.dat
C:\WINDOWS\system32\gfeqy.dat
C:\WINDOWS\system32\gfksc.dat
C:\WINDOWS\system32\ggtlr.dat
C:\WINDOWS\system32\gkxfl.dat
C:\WINDOWS\system32\gOqAHkkj.ini
C:\WINDOWS\system32\gOqAHkkj.ini2
C:\WINDOWS\system32\gtwze.dat
C:\WINDOWS\system32\gwcgn.dat
C:\WINDOWS\system32\gyrtf.dat
C:\WINDOWS\system32\hikcp.dat
C:\WINDOWS\system32\hswwt.dat
C:\WINDOWS\system32\huirr.dat
C:\WINDOWS\system32\iakvm.dat
C:\WINDOWS\system32\iarky.dat
C:\WINDOWS\system32\ibwek.dat
C:\WINDOWS\system32\igopt.dat
C:\WINDOWS\system32\iifdcBQI.dll
C:\WINDOWS\system32\jbrzs.dat
C:\WINDOWS\system32\jcqcb.dat
C:\WINDOWS\system32\jhihs.dat
C:\WINDOWS\system32\jhoqg.dat
C:\WINDOWS\system32\jkkHAqOg.dll
C:\WINDOWS\system32\jymla.dat
C:\WINDOWS\system32\kdfng.dat
C:\WINDOWS\system32\kncpx.dat
C:\WINDOWS\system32\knwnv.dat
C:\WINDOWS\system32\kxzdd.dat
C:\WINDOWS\system32\lcrin.dat
C:\WINDOWS\system32\lnzkb.dat
C:\WINDOWS\system32\lvwct.dat
C:\WINDOWS\system32\lvzlr.dat
C:\WINDOWS\system32\mklhq.dat
C:\WINDOWS\system32\nbadd.dat
C:\WINDOWS\system32\nndfi.dat
C:\WINDOWS\system32\nnfdb.dat
C:\WINDOWS\system32\nxiog.dat
C:\WINDOWS\system32\ohlrp.dat
C:\WINDOWS\system32\okkgi.dat
C:\WINDOWS\system32\opkib.dat
C:\WINDOWS\system32\owkbi.dat
C:\WINDOWS\system32\plakw.dat
C:\WINDOWS\system32\posti.dat
C:\WINDOWS\system32\prvcb.dat
C:\WINDOWS\system32\pwvaf.dat
C:\WINDOWS\system32\qpmel.dat
C:\WINDOWS\system32\qtnts.dat
C:\WINDOWS\system32\rkzzr.dat
C:\WINDOWS\system32\rlpjd.dat
C:\WINDOWS\system32\rqped.dat
C:\WINDOWS\system32\sfzcc.dat
C:\WINDOWS\system32\sgtdn.dat
C:\WINDOWS\system32\skmnn.dat
C:\WINDOWS\system32\smfoq.dat
C:\WINDOWS\system32\trapz.dat
C:\WINDOWS\system32\tvgpu.dat
C:\WINDOWS\system32\tvurt.dat
C:\WINDOWS\system32\txbwv.dat
C:\WINDOWS\system32\uawcz.dat
C:\WINDOWS\system32\uezdd.dat
C:\WINDOWS\system32\uhorn.dat
C:\WINDOWS\system32\ujdru.dat
C:\WINDOWS\system32\urqOHXrR.dll
C:\WINDOWS\system32\usfdq.dat
C:\WINDOWS\system32\uycva.dat
C:\WINDOWS\system32\vfzmn.dat
C:\WINDOWS\system32\vfzuc.dat
C:\WINDOWS\system32\vgzvo.dat
C:\WINDOWS\system32\vjdow.dat
C:\WINDOWS\system32\vjyid.dat
C:\WINDOWS\system32\vppxl.dat
C:\WINDOWS\system32\vsedr.dat
C:\WINDOWS\system32\welcr.dat
C:\WINDOWS\system32\whvoy.dat
C:\WINDOWS\system32\wilnn.dat
C:\WINDOWS\system32\winwsa32.dll
C:\WINDOWS\system32\wodgj.dat
C:\WINDOWS\system32\wuvsw.dat
C:\WINDOWS\system32\wxzjf.dat
C:\WINDOWS\system32\xissi.dat
C:\WINDOWS\system32\xwgel.dat
C:\WINDOWS\system32\xzcxy.dat
C:\WINDOWS\system32\yankm.dat
C:\WINDOWS\system32\ydofk.dat
C:\WINDOWS\system32\yhcxw.dat
C:\WINDOWS\system32\ymbns.dat
C:\WINDOWS\system32\ynzbc.dat
C:\WINDOWS\system32\ysjbt.dat
C:\WINDOWS\system32\zejud.dat
C:\WINDOWS\system32\zxllp.dat
C:\WINDOWS\tbgko.dat
C:\WINDOWS\tfmqb.dat
C:\WINDOWS\tfppd.dat
C:\WINDOWS\tfwfi.dat
C:\WINDOWS\tjvtm.dat
C:\WINDOWS\tklkg.dat
C:\WINDOWS\tlxzb.dat
C:\WINDOWS\tpzjr.dat
C:\WINDOWS\ttciu.dat
C:\WINDOWS\uewtw.dat
C:\WINDOWS\vchte.dat
C:\WINDOWS\vczqa.dat
C:\WINDOWS\vknon.dat
C:\WINDOWS\voobw.dat
C:\WINDOWS\vzukc.dat
C:\WINDOWS\wcrtw.dat
C:\WINDOWS\wgpwt.dat
C:\WINDOWS\wttbc.dat
C:\WINDOWS\wufcb.dat
C:\WINDOWS\wuvqy.dat
C:\WINDOWS\wuzuf.dat
C:\WINDOWS\wwxlz.dat
C:\WINDOWS\xokxu.dat
C:\WINDOWS\xonxy.dat
C:\WINDOWS\xqpys.dat
C:\WINDOWS\xqtho.dat
C:\WINDOWS\xtdoj.dat
C:\WINDOWS\yfhvy.dat
C:\WINDOWS\yhclo.dat
C:\WINDOWS\yhyew.dat
C:\WINDOWS\ymsuo.dat
C:\WINDOWS\yqyaa.dat
C:\WINDOWS\ytuzx.dat
C:\WINDOWS\yzbxl.dat
C:\WINDOWS\zhelc.dat
C:\WINDOWS\zkgmc.dat
C:\WINDOWS\zkmbz.dat
C:\WINDOWS\zwieh.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 05:13 . 2008-05-07 05:13 18,944 --a------ C:\WINDOWS\system32\drvnav.dll
2008-05-07 00:11 . 2008-05-07 00:11 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-07 00:11 . 2008-05-08 00:41 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT.LOG
2008-05-07 00:01 . 2008-05-07 00:01 281,600 --a------ C:\WINDOWS\system32\ssqQhhIb.dll_old
2008-05-06 23:56 . 2008-05-06 23:56 18,944 --a------ C:\WINDOWS\system32\drvvux.dll
2008-05-06 23:35 . 2008-05-06 23:35 68,096 --a------ C:\WINDOWS\ScUnin.exe
2008-05-06 23:35 . 2008-05-06 23:35 9,615 --a------ C:\WINDOWS\scunin.dat
2008-05-06 23:35 . 2008-05-06 23:35 967 --a------ C:\WINDOWS\ScUnin.pif
2008-04-24 00:22 . 2008-04-24 00:25 <DIR> d-------- C:\xampp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 04:19 --------- d-----w C:\Documents and Settings\The Houssen's\Application Data\Hamachi
2008-05-08 04:17 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-05-07 08:40 --------- d-----w C:\Documents and Settings\The Houssen's\Application Data\AVG7
2008-05-06 03:35 --------- d-----w C:\Program Files\Microsoft Broadband Networking
2008-04-24 07:13 --------- d-----w C:\Documents and Settings\The Houssen's\Application Data\Tibia
2008-04-23 23:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 19:12 --------- d-----w C:\Program Files\Tibia
2008-03-24 06:33 --------- d-----w C:\Documents and Settings\The Houssen's\Application Data\Azureus
2008-03-24 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-15 00:05 --------- d-----w C:\Program Files\Easy CD DVD Copy
2008-03-14 05:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 05:13 --------- d-----w C:\Program Files\Samsung
2008-03-14 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-14 02:44 18,528,777 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_03_12_17_57_44_full.dmp.zip
2008-03-03 05:22 691,545 ----a-w C:\WINDOWS\unins000.exe
2007-12-05 17:02 28,440 ----a-w C:\Documents and Settings\The Houssen's\Application Data\GDIPFONTCACHEV1.DAT
2006-08-15 19:55 168,432 ----a-w C:\Documents and Settings\The Houssen's\DynGate_Setup.exe
2005-07-09 00:41 50,762 ---ha-w C:\Documents and Settings\The Houssen's\Application Data\ptads.bin
2005-04-29 22:49 28,179 ---ha-w C:\Documents and Settings\Guest\Application Data\ptads.bin
2004-10-02 17:30 94,134,846 ---hatw C:\Documents and Settings\GameSpot DLX Secure Delivery\fable_521_wm.zip
2004-04-12 19:36 1,998 ----a-w C:\Documents and Settings\The Houssen's\winupdate.dat
2003-08-26 20:37 0 ----a-w C:\Documents and Settings\Guest\ub.dat
2003-08-26 20:37 0 ----a-w C:\Documents and Settings\Guest\ad.dat
2005-01-17 23:00 4,402 --sha-w C:\WINDOWS\hzgla.dat
2004-12-25 19:15 3,537 --sha-w C:\WINDOWS\system32\ekuvw.dat
2004-12-31 01:22 4,402 --sha-w C:\WINDOWS\system32\gduai.dat
2004-12-18 21:33 4,402 --sha-w C:\WINDOWS\system32\lpngv.dat
2005-01-22 08:25 3,537 --sha-w C:\WINDOWS\system32\wvoem.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D710E9B2-4D51-46D3-8C8F-8FF6D890DB99}]
C:\WINDOWS\System32\ssqQhhIb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 21:34 13312]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-11-17 11:33 49152]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 13:15 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 11:33 3022848]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2003-11-17 11:33 49152]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 19:22 35328]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-04 23:02 416256]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 16:35 473928]
"MSDisp32"="C:\WINDOWS\System32\drvnav.dll" [2008-05-07 05:13 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"Mabc"="C:\PROGRA~1\SMANTE~1\msiexec.exe" [ ]
"Tkdkd"="C:\Program Files\Common Files\s?mbols\ntvdm.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-09-04 23:02 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2001-10-26 21:35 51200 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\The Houssen's\Start Menu\Programs\Startup\
hamachi.lnk - D:\Program Files\Hamachi\hamachi.exe [2008-02-13 22:59:00 624416]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe [2004-01-19 18:58:52 438272]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwsa32]
winwsa32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm
"VIDC.I263"= i263_32.drv
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=C:\WINDOWS\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^The Houssen's^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\The Houssen's\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^The Houssen's^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\The Houssen's\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^The Houssen's^Start Menu^Programs^Startup^CallClerk.lnk]
path=C:\Documents and Settings\The Houssen's\Start Menu\Programs\Startup\CallClerk.lnk
backup=C:\WINDOWS\pss\CallClerk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98D0CE0C16B1]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\addsy32.exe]
C:\WINDOWS\system32\addsy32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apitn32.exe]
C:\WINDOWS\apitn32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apivt.exe]
C:\WINDOWS\apivt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appgb32.exe]
C:\WINDOWS\system32\appgb32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
--a------ 2002-11-02 03:33 45056 C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2001-10-26 21:34 13312 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnvyHFCPL]
C:\Program Files\Audio Deck\EnMixCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipfy32.exe]
C:\WINDOWS\ipfy32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a------ 2002-12-10 18:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a------ 2002-12-10 18:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\ragui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mabc]
C:\Program Files\tnop\aaou.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus2]
C:\Program Files\Messenger Plus! 2\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Tray]
C:\Program Files\KaZaA Lite\My Shared Folder\grand theft auto vice city setup launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswu32.exe]
C:\WINDOWS\system32\mswu32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-11-17 11:33 3022848 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
C:\Program Files\PC Tools AntiVirus\PCTAV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamBooster]
C:\Documents and Settings\The Houssen's\Desktop\Ram Boost\Rambooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sdkut.exe]
C:\WINDOWS\system32\sdkut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-12-06 21:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-23 12:20 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2004-06-03 05:51 172032 C:\Program Files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
--a------ 2007-06-21 21:54 919016 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"MDM"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
Hey waterfalls, I appreciate the reply! I've done as requested; it seems as though the pop-ups have been eliminated.


Here's the ComboFix log -------------

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Guest\Local Settings\Temporary Internet Files\search.html
C:\WINDOWS\afxao.dat
C:\WINDOWS\afxcu.dat
C:\WINDOWS\ahuih.dat
C:\WINDOWS\ajrqk.dat
C:\WINDOWS\aofod.dat
C:\WINDOWS\apldf.dat
C:\WINDOWS\apmtp.dat
C:\WINDOWS\bfmzw.dat
C:\WINDOWS\bmqwn.dat
C:\WINDOWS\bzjxd.dat
C:\WINDOWS\cjrmy.dat
C:\WINDOWS\czkvc.dat
C:\WINDOWS\dhmvt.dat
C:\WINDOWS\dhuon.dat
C:\WINDOWS\efegp.dat
C:\WINDOWS\ehkai.dat
C:\WINDOWS\ekela.dat
C:\WINDOWS\epzsu.dat
C:\WINDOWS\fkdhr.dat
C:\WINDOWS\flhgr.dat
C:\WINDOWS\gekbd.dat
C:\WINDOWS\glerk.dat
C:\WINDOWS\glynq.dat
C:\WINDOWS\guprv.dat
C:\WINDOWS\gzqje.dat
C:\WINDOWS\hlvhi.dat
C:\WINDOWS\hvaii.dat
C:\WINDOWS\hxvrl.dat
C:\WINDOWS\iiyte.dat
C:\WINDOWS\ikecd.dat
C:\WINDOWS\ituww.dat
C:\WINDOWS\josfu.dat
C:\WINDOWS\jqrly.dat
C:\WINDOWS\jrcaa.dat
C:\WINDOWS\jziux.dat
C:\WINDOWS\keybk.dat
C:\WINDOWS\kkwjn.dat
C:\WINDOWS\lmbiw.dat
C:\WINDOWS\ltsvz.dat
C:\WINDOWS\mdxfn.dat
C:\WINDOWS\mjuti.dat
C:\WINDOWS\mpvlf.dat
C:\WINDOWS\mvxlc.dat
C:\WINDOWS\njxdn.dat
C:\WINDOWS\nlxcp.dat
C:\WINDOWS\nrjyg.dat
C:\WINDOWS\nrxks.dat
C:\WINDOWS\nutrv.dat
C:\WINDOWS\nyerm.dat
C:\WINDOWS\ohgpo.dat
C:\WINDOWS\oqnuq.dat
C:\WINDOWS\phcrz.dat
C:\WINDOWS\pocfp.dat
C:\WINDOWS\qmwin.dat
C:\WINDOWS\rjrbp.dat
C:\WINDOWS\rpgfx.dat
C:\WINDOWS\sdumj.dat
C:\WINDOWS\sjnuh.dat
C:\WINDOWS\snrvv.dat
C:\WINDOWS\system32\a.bat
C:\WINDOWS\system32\adpse.dat
C:\WINDOWS\system32\azzfp.dat
C:\WINDOWS\system32\bhwtv.dat
C:\WINDOWS\system32\bIhhQqss.ini
C:\WINDOWS\system32\bIhhQqss.ini2
C:\WINDOWS\system32\bjfpn.dat
C:\WINDOWS\system32\blrxl.dat
C:\WINDOWS\system32\chbxn.dat
C:\WINDOWS\system32\cvnem.dat
C:\WINDOWS\system32\dcklx.dat
C:\WINDOWS\system32\dklwc.dat
C:\WINDOWS\system32\dmrjn.dat
C:\WINDOWS\system32\donwa.dat
C:\WINDOWS\system32\dtkxi.dat
C:\WINDOWS\system32\dxzgm.dat
C:\WINDOWS\system32\efcDWOIX.dll
C:\WINDOWS\system32\eykhy.dat
C:\WINDOWS\system32\felkl.dat
C:\WINDOWS\system32\ffjvq.dat
C:\WINDOWS\system32\ffpgs.dat
C:\WINDOWS\system32\gcbnz.dat
C:\WINDOWS\system32\gfeqy.dat
C:\WINDOWS\system32\gfksc.dat
C:\WINDOWS\system32\ggtlr.dat
C:\WINDOWS\system32\gkxfl.dat
C:\WINDOWS\system32\gOqAHkkj.ini
C:\WINDOWS\system32\gOqAHkkj.ini2
C:\WINDOWS\system32\gtwze.dat
C:\WINDOWS\system32\gwcgn.dat
C:\WINDOWS\system32\gyrtf.dat
C:\WINDOWS\system32\hikcp.dat
C:\WINDOWS\system32\hswwt.dat
C:\WINDOWS\system32\huirr.dat
C:\WINDOWS\system32\iakvm.dat
C:\WINDOWS\system32\iarky.dat
C:\WINDOWS\system32\ibwek.dat
C:\WINDOWS\system32\igopt.dat
C:\WINDOWS\system32\iifdcBQI.dll
C:\WINDOWS\system32\jbrzs.dat
C:\WINDOWS\system32\jcqcb.dat
C:\WINDOWS\system32\jhihs.dat
C:\WINDOWS\system32\jhoqg.dat
C:\WINDOWS\system32\jkkHAqOg.dll
C:\WINDOWS\system32\jymla.dat
C:\WINDOWS\system32\kdfng.dat
C:\WINDOWS\system32\kncpx.dat
C:\WINDOWS\system32\knwnv.dat
C:\WINDOWS\system32\kxzdd.dat
C:\WINDOWS\system32\lcrin.dat
C:\WINDOWS\system32\lnzkb.dat
C:\WINDOWS\system32\lvwct.dat
C:\WINDOWS\system32\lvzlr.dat
C:\WINDOWS\system32\mklhq.dat
C:\WINDOWS\system32\nbadd.dat
C:\WINDOWS\system32\nndfi.dat
C:\WINDOWS\system32\nnfdb.dat
C:\WINDOWS\system32\nxiog.dat
C:\WINDOWS\system32\ohlrp.dat
C:\WINDOWS\system32\okkgi.dat
C:\WINDOWS\system32\opkib.dat
C:\WINDOWS\system32\owkbi.dat
C:\WINDOWS\system32\plakw.dat
C:\WINDOWS\system32\posti.dat
C:\WINDOWS\system32\prvcb.dat
C:\WINDOWS\system32\pwvaf.dat
C:\WINDOWS\system32\qpmel.dat
C:\WINDOWS\system32\qtnts.dat
C:\WINDOWS\system32\rkzzr.dat
C:\WINDOWS\system32\rlpjd.dat
C:\WINDOWS\system32\rqped.dat
C:\WINDOWS\system32\sfzcc.dat
C:\WINDOWS\system32\sgtdn.dat
C:\WINDOWS\system32\skmnn.dat
C:\WINDOWS\system32\smfoq.dat
C:\WINDOWS\system32\trapz.dat
C:\WINDOWS\system32\tvgpu.dat
C:\WINDOWS\system32\tvurt.dat
C:\WINDOWS\system32\txbwv.dat
C:\WINDOWS\system32\uawcz.dat
C:\WINDOWS\system32\uezdd.dat
C:\WINDOWS\system32\uhorn.dat
C:\WINDOWS\system32\ujdru.dat
C:\WINDOWS\system32\urqOHXrR.dll
C:\WINDOWS\system32\usfdq.dat
C:\WINDOWS\system32\uycva.dat
C:\WINDOWS\system32\vfzmn.dat
C:\WINDOWS\system32\vfzuc.dat
C:\WINDOWS\system32\vgzvo.dat
C:\WINDOWS\system32\vjdow.dat
C:\WINDOWS\system32\vjyid.dat
C:\WINDOWS\system32\vppxl.dat
C:\WINDOWS\system32\vsedr.dat
C:\WINDOWS\system32\welcr.dat
C:\WINDOWS\system32\whvoy.dat
C:\WINDOWS\system32\wilnn.dat
C:\WINDOWS\system32\winwsa32.dll
C:\WINDOWS\system32\wodgj.dat
C:\WINDOWS\system32\wuvsw.dat
C:\WINDOWS\system32\wxzjf.dat
C:\WINDOWS\system32\xissi.dat
C:\WINDOWS\system32\xwgel.dat
C:\WINDOWS\system32\xzcxy.dat
C:\WINDOWS\system32\yankm.dat
C:\WINDOWS\system32\ydofk.dat
C:\WINDOWS\system32\yhcxw.dat
C:\WINDOWS\system32\ymbns.dat
C:\WINDOWS\system32\ynzbc.dat
C:\WINDOWS\system32\ysjbt.dat
C:\WINDOWS\system32\zejud.dat
C:\WINDOWS\system32\zxllp.dat
C:\WINDOWS\tbgko.dat
C:\WINDOWS\tfmqb.dat
C:\WINDOWS\tfppd.dat
C:\WINDOWS\tfwfi.dat
C:\WINDOWS\tjvtm.dat
C:\WINDOWS\tklkg.dat
C:\WINDOWS\tlxzb.dat
C:\WINDOWS\tpzjr.dat
C:\WINDOWS\ttciu.dat
C:\WINDOWS\uewtw.dat
C:\WINDOWS\vchte.dat
C:\WINDOWS\vczqa.dat
C:\WINDOWS\vknon.dat
C:\WINDOWS\voobw.dat
C:\WINDOWS\vzukc.dat
C:\WINDOWS\wcrtw.dat
C:\WINDOWS\wgpwt.dat
C:\WINDOWS\wttbc.dat
C:\WINDOWS\wufcb.dat
C:\WINDOWS\wuvqy.dat
C:\WINDOWS\wuzuf.dat
C:\WINDOWS\wwxlz.dat
C:\WINDOWS\xokxu.dat
C:\WINDOWS\xonxy.dat
C:\WINDOWS\xqpys.dat
C:\WINDOWS\xqtho.dat
C:\WINDOWS\xtdoj.dat
C:\WINDOWS\yfhvy.dat
C:\WINDOWS\yhclo.dat
C:\WINDOWS\yhyew.dat
C:\WINDOWS\ymsuo.dat
C:\WINDOWS\yqyaa.dat
C:\WINDOWS\ytuzx.dat
C:\WINDOWS\yzbxl.dat
C:\WINDOWS\zhelc.dat
C:\WINDOWS\zkgmc.dat
C:\WINDOWS\zkmbz.dat
C:\WINDOWS\zwieh.dat

.
((((((((((((((((((((((((( Files Created from 2008-04-08 to 2008-05-08 )))))))))))))))))))))))))))))))
.

2008-05-07 05:13 . 2008-05-07 05:13 18,944 --a------ C:\WINDOWS\system32\drvnav.dll
2008-05-07 00:11 . 2008-05-07 00:11 <DIR> d-------- C:\Documents and Settings\Administrator
2008-05-07 00:11 . 2008-05-08 00:41 1,024 --ah----- C:\Documents and Settings\Administrator\NTUSER.DAT.LOG
2008-05-07 00:01 . 2008-05-07 00:01 281,600 --a------ C:\WINDOWS\system32\ssqQhhIb.dll_old
2008-05-06 23:56 . 2008-05-06 23:56 18,944 --a------ C:\WINDOWS\system32\drvvux.dll
2008-05-06 23:35 . 2008-05-06 23:35 68,096 --a------ C:\WINDOWS\ScUnin.exe
2008-05-06 23:35 . 2008-05-06 23:35 9,615 --a------ C:\WINDOWS\scunin.dat
2008-05-06 23:35 . 2008-05-06 23:35 967 --a------ C:\WINDOWS\ScUnin.pif
2008-04-24 00:22 . 2008-04-24 00:25 <DIR> d-------- C:\xampp

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-05-08 04:19 --------- d-----w C:\Documents and Settings\The Houssen's\Application Data\Hamachi
2008-05-08 04:17 --------- d-----w C:\Program Files\Microsoft AntiSpyware
2008-05-07 08:40 --------- d-----w C:\Documents and Settings\The Houssen's\Application Data\AVG7
2008-05-06 03:35 --------- d-----w C:\Program Files\Microsoft Broadband Networking
2008-04-24 07:13 --------- d-----w C:\Documents and Settings\The Houssen's\Application Data\Tibia
2008-04-23 23:17 --------- d---a-w C:\Documents and Settings\All Users\Application Data\TEMP
2008-04-08 19:12 --------- d-----w C:\Program Files\Tibia
2008-03-24 06:33 --------- d-----w C:\Documents and Settings\The Houssen's\Application Data\Azureus
2008-03-24 06:08 --------- d-----w C:\Documents and Settings\All Users\Application Data\Azureus
2008-03-15 00:05 --------- d-----w C:\Program Files\Easy CD DVD Copy
2008-03-14 05:14 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-03-14 05:13 --------- d-----w C:\Program Files\Samsung
2008-03-14 02:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-03-14 02:44 18,528,777 ----a-w C:\WINDOWS\Internet Logs\vsmon_on_demand_2008_03_12_17_57_44_full.dmp.zip
2008-03-03 05:22 691,545 ----a-w C:\WINDOWS\unins000.exe
2007-12-05 17:02 28,440 ----a-w C:\Documents and Settings\The Houssen's\Application Data\GDIPFONTCACHEV1.DAT
2006-08-15 19:55 168,432 ----a-w C:\Documents and Settings\The Houssen's\DynGate_Setup.exe
2005-07-09 00:41 50,762 ---ha-w C:\Documents and Settings\The Houssen's\Application Data\ptads.bin
2005-04-29 22:49 28,179 ---ha-w C:\Documents and Settings\Guest\Application Data\ptads.bin
2004-10-02 17:30 94,134,846 ---hatw C:\Documents and Settings\GameSpot DLX Secure Delivery\fable_521_wm.zip
2004-04-12 19:36 1,998 ----a-w C:\Documents and Settings\The Houssen's\winupdate.dat
2003-08-26 20:37 0 ----a-w C:\Documents and Settings\Guest\ub.dat
2003-08-26 20:37 0 ----a-w C:\Documents and Settings\Guest\ad.dat
2005-01-17 23:00 4,402 --sha-w C:\WINDOWS\hzgla.dat
2004-12-25 19:15 3,537 --sha-w C:\WINDOWS\system32\ekuvw.dat
2004-12-31 01:22 4,402 --sha-w C:\WINDOWS\system32\gduai.dat
2004-12-18 21:33 4,402 --sha-w C:\WINDOWS\system32\lpngv.dat
2005-01-22 08:25 3,537 --sha-w C:\WINDOWS\system32\wvoem.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D710E9B2-4D51-46D3-8C8F-8FF6D890DB99}]
C:\WINDOWS\System32\ssqQhhIb.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\System32\ctfmon.exe" [2001-10-26 21:34 13312]
"NvMediaCenter"="C:\WINDOWS\System32\NVMCTRAY.DLL" [2003-11-17 11:33 49152]
"Aim6"="C:\Program Files\AIM6\aim6.exe" [2008-01-03 13:15 50528]
"SpybotSD TeaTimer"="C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe" [2008-01-28 12:43 2097488]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"NvCplDaemon"="C:\WINDOWS\System32\NvCpl.dll" [2003-11-17 11:33 3022848]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe" [2006-05-03 02:56 36975]
"NvMediaCenter"="C:\WINDOWS\System32\NvMcTray.dll" [2003-11-17 11:33 49152]
"WinampAgent"="C:\Program Files\Winamp\winampa.exe" [2007-05-14 19:22 35328]
"ZoneAlarm Client"="C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe" [2007-06-21 21:54 919016]
"AVG7_CC"="C:\PROGRA~1\Grisoft\AVG7\avgcc.exe" [2007-09-04 23:02 416256]
"gcasServ"="C:\Program Files\Microsoft AntiSpyware\gcasServ.exe" [2005-07-12 16:35 473928]
"MSDisp32"="C:\WINDOWS\System32\drvnav.dll" [2008-05-07 05:13 18944]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"ALUAlert"="C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe" [ ]
"Mabc"="C:\PROGRA~1\SMANTE~1\msiexec.exe" [ ]
"Tkdkd"="C:\Program Files\Common Files\s?mbols\ntvdm.exe" [ ]
"AVG7_Run"="C:\PROGRA~1\Grisoft\AVG7\avgw.exe" [2007-09-04 23:02 145920]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
"RunNarrator"="Narrator.exe" [2001-10-26 21:35 51200 C:\WINDOWS\system32\narrator.exe]

C:\Documents and Settings\The Houssen's\Start Menu\Programs\Startup\
hamachi.lnk - D:\Program Files\Hamachi\hamachi.exe [2008-02-13 22:59:00 624416]

C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
Microsoft Broadband Networking.lnk - C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe [2004-01-19 18:58:52 438272]

[hkey_local_machine\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{5AE067D3-9AFB-48E0-853A-EBB7F4A000DA}"= C:\Program Files\SUPERAntiSpyware\SASSEH.DLL [2006-12-20 13:55 77824]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\!SASWinLogon]
C:\Program Files\SUPERAntiSpyware\SASWINLO.dll 2007-04-19 13:41 294912 C:\Program Files\SUPERAntiSpyware\SASWINLO.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\winwsa32]
winwsa32.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"msacm.l3acm"= L3codecp.acm
"VIDC.I263"= i263_32.drv
"VIDC.SP53"= SP5X_32.DLL
"VIDC.SP54"= SP5X_32.DLL
"VIDC.SP55"= SP5X_32.DLL
"VIDC.SP56"= SP5X_32.DLL
"VIDC.SP57"= SP5X_32.DLL
"VIDC.SP58"= SP5X_32.DLL
"VIDC.SP59"= SP5X_32.DLL
"msacm.divxa32"= DivXa32.acm

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\securityproviders]
SecurityProviders msapsspc.dll, schannel.dll, digest.dll, msnsspc.dll, zwebauth.dll

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Broadband Networking.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Broadband Networking.lnk
backup=C:\WINDOWS\pss\Microsoft Broadband Networking.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Trend Micro Anti-Spyware.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Trend Micro Anti-Spyware.lnk
backup=C:\WINDOWS\pss\Trend Micro Anti-Spyware.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^The Houssen's^Start Menu^Programs^Startup^Adobe Gamma.lnk]
path=C:\Documents and Settings\The Houssen's\Start Menu\Programs\Startup\Adobe Gamma.lnk
backup=C:\WINDOWS\pss\Adobe Gamma.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^The Houssen's^Start Menu^Programs^Startup^BitTorrent.lnk]
path=C:\Documents and Settings\The Houssen's\Start Menu\Programs\Startup\BitTorrent.lnk
backup=C:\WINDOWS\pss\BitTorrent.lnkStartup

[HKLM\~\startupfolder\C:^Documents and Settings^The Houssen's^Start Menu^Programs^Startup^CallClerk.lnk]
path=C:\Documents and Settings\The Houssen's\Start Menu\Programs\Startup\CallClerk.lnk
backup=C:\WINDOWS\pss\CallClerk.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\98D0CE0C16B1]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\addsy32.exe]
C:\WINDOWS\system32\addsy32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apitn32.exe]
C:\WINDOWS\apitn32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\apivt.exe]
C:\WINDOWS\apivt.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\appgb32.exe]
C:\WINDOWS\system32\appgb32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVG7_CC]
C:\PROGRA~1\Grisoft\AVGFRE~1\avgcc.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CloneCDElbyCDFL]
--a------ 2002-11-02 03:33 45056 C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2001-10-26 21:34 13312 C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EnvyHFCPL]
C:\Program Files\Audio Deck\EnMixCPL.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ipfy32.exe]
C:\WINDOWS\ipfy32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2006-10-30 10:36 256576 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LDM]
C:\Program Files\Desktop Messenger\8876480\Program\BackWeb-8876480.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechGalleryRepair]
--a------ 2002-12-10 18:32 155648 C:\Program Files\Logitech\ImageStudio\ISStart.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogitechImageStudioTray]
--a------ 2002-12-10 18:31 61440 C:\Program Files\Logitech\ImageStudio\LogiTray.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\LogMeIn GUI]
C:\Program Files\LogMeIn\ragui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Mabc]
C:\Program Files\tnop\aaou.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MessengerPlus2]
C:\Program Files\Messenger Plus! 2\MsgPlus.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Tray]
C:\Program Files\KaZaA Lite\My Shared Folder\grand theft auto vice city setup launcher.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mswu32.exe]
C:\WINDOWS\system32\mswu32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nod32kui]
C:\Program Files\Eset\nod32kui.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
--a------ 2003-11-17 11:33 3022848 C:\WINDOWS\System32\NvCpl.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
--a------ 2006-10-22 13:22 1622016 C:\WINDOWS\system32\nwiz.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PCTAVApp]
C:\Program Files\PC Tools AntiVirus\PCTAV.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
--a------ 2006-10-25 19:58 282624 C:\Program Files\QuickTime\qttask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RamBooster]
C:\Documents and Settings\The Houssen's\Desktop\Ram Boost\Rambooster.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RegistryMechanic]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\sdkut.exe]
C:\WINDOWS\system32\sdkut.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
--a------ 2004-12-06 21:31 36975 C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\1.2.1128.5462\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2006-05-23 12:20 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\type32]
--a------ 2004-06-03 05:51 172032 C:\Program Files\Microsoft IntelliType Pro\type32.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Zone Labs Client]
--a------ 2007-06-21 21:54 919016 C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"iPodService"=3 (0x3)
"MDM"=2 (0x2)
"AVGEMS"=2 (0x2)
"Avg7UpdSvc"=2 (0x2)
"Avg7Alrt"=2 (0x2)
"Adobe LM Service"=3 (0x3)
"wuauserv"=2 (0x2)
"WebClient"=2 (0x2)
"usnsvc"=3 (0x3)
"KPF4"=2 (0x2)
"iPod Service"=3 (0x3)
"ImapiService"=3 (0x3)
"gusvc"=3 (0x3)
"SPF4"=2 (0x2)

[HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\winver.exe"=

R0 ElbyVCD;ElbyVCD;C:\WINDOWS\System32\DRIVERS\ElbyVCD.sys [2002-11-28 07:43]
R1 cpuidlep;CpuIdle Pro System Driver;C:\WINDOWS\System32\drivers\cpuidlep.sys [1999-11-16 09:48]
R2 Apache2.2;Apache2.2;"c:\xampp\apache\bin\apache.exe" -k runservice []
R2 SVKP;SVKP;C:\WINDOWS\System32\SVKP.sys [2005-07-22 14:56]
R2 Viewpoint Manager Service;Viewpoint Manager Service;"C:\Program Files\Viewpoint\Common\ViewpointService.exe" [2007-01-04 18:38]
R3 Envy24HFS;ICE Envy24 Family Audio Controller WDM;C:\WINDOWS\System32\drivers\Envy24HF.sys [2005-02-23 15:47]
S2 LMIInfo;LogMeIn Kernel Information Provider;C:\Program Files\LogMeIn\RaInfo.sys []
S3 cpuz128;cpuz128;C:\Program Files\PC Wizard 2008\pcwiz32.sys [2007-07-14 13:54]
S3 LVBulk;LVBulk Service;C:\WINDOWS\System32\DRIVERS\LVBulk.sys [2002-06-10 14:21]
S3 PID_0900_V;Logitech ClickSmart 310(PID_0900_V);C:\WINDOWS\System32\DRIVERS\LV551AV.sys [2002-06-10 14:24]
S3 PsSdk30;PsSdk30;C:\WINDOWS\System32\Drivers\PsSdk30.drv []

.
Contents of the 'Scheduled Tasks' folder
"2008-05-07 14:48:07 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1353 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-05-08 01:17:31
Windows 5.1.2600 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 26

**************************************************************************

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PSSdk21]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\HNPsSdk.drv"

[HKEY_LOCAL_MACHINE\System\ControlSet001\Services\PsSdk30]
"ImagePath"="\??\C:\WINDOWS\System32\Drivers\PsSdk30.drv"
.
------------------------ Other Running Processes ------------------------
.
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\system32\nvsvc32.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
.
**************************************************************************
.
Completion time: 2008-05-08 1:29:45 - machine was rebooted [The Houssen's]
ComboFix-quarantined-files.txt 2008-05-08 04:29:35

Pre-Run: 8,035,950,592 bytes free
Post-Run: 9,163,534,336 bytes free

457

---


I appreciate your reply!

I'll still be checking the thread if you have anything else to add.

#5 waterfalls
  • Malware Exorcist
  • Staff Emeritus
  • 621 posts

Posted 08 May 2008 - 12:20 AM

Hi -

Please post a new HijackThis log.
Take only memories, leave nothing but footprints.

#6 Jordan64
  • Topic Starter
  • Members
  • 22 posts

Posted 08 May 2008 - 02:05 PM

Hey, sorry about that, I forgot that part.



HijackThis log after running ComboFix ------------------




Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\xampp\apache\bin\apache.exe
c:\xampp\mysql\bin\mysqld-nt.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\xampp\apache\bin\apache.exe
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
C:\WINDOWS\System32\RUNDLL32.EXE
C:\Program Files\Winamp\winampa.exe
C:\WINDOWS\System32\ctfmon.exe
C:\Program Files\Microsoft AntiSpyware\gcasDtServ.exe
C:\Program Files\Common Files\AOL\Loader\aolload.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\winamp.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\MSN Messenger\usnsvc.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {D710E9B2-4D51-46D3-8C8F-8FF6D890DB99} - C:\WINDOWS\System32\ssqQhhIb.dll (file missing)
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O3 - Toolbar: SnagIt - {8FF5E183-ABDE-46EB-B09E-D2AAB95CABE3} - C:\Program Files\TechSmith\SnagIt 8\SnagItIEAddin.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe
O4 - HKLM\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NvMcTray.dll,NvTaskbarInit
O4 - HKLM\..\Run: [WinampAgent] C:\Program Files\Winamp\winampa.exe
O4 - HKLM\..\Run: [ZoneAlarm Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [AVG7_CC] C:\PROGRA~1\Grisoft\AVG7\avgcc.exe /STARTUP
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvnav.dll,startup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\System32\ctfmon.exe
O4 - HKCU\..\Run: [NvMediaCenter] RUNDLL32.EXE C:\WINDOWS\System32\NVMCTRAY.DLL,NvTaskbarInit
O4 - HKCU\..\Run: [Aim6] "C:\Program Files\AIM6\aim6.exe" /d locale=en-US ee://aol/imApp
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'LOCAL SERVICE')
O4 - HKUS\S-1-5-20\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'NETWORK SERVICE')
O4 - HKUS\S-1-5-18\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\Run: [AVG7_Run] C:\PROGRA~1\Grisoft\AVG7\avgw.exe /RUNONCE (User 'SYSTEM')
O4 - HKUS\S-1-5-18\..\RunOnce: [RunNarrator] Narrator.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [ALUAlert] C:\Program Files\Symantec\LiveUpdate\ALUNotify.exe (User 'Default user')
O4 - HKUS\.DEFAULT\..\RunOnce: [RunNarrator] Narrator.exe (User 'Default user')
O4 - Startup: hamachi.lnk = D:\Program Files\Hamachi\hamachi.exe
O4 - Global Startup: Microsoft Broadband Networking.lnk = C:\Program Files\Microsoft Broadband Networking\MSBNTray.exe
O8 - Extra context menu item: CallClerk Dial - file://C:\Program Files\CallClerk\callclerkdial.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Shorten URL - http://www.cjb.net/menuext.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search && Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
O16 - DPF: ChatSpace Full Java Client 4.0.0.320 - http://69.65.108.158/Java/cfs40320.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zone.msn.com/binary/msgrchkr.cab
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (LogMeIn File Transfer ActiveX Client) - https://homepc:2000/activex/filexfer.cab
O16 - DPF: {14B87622-7E19-4EA8-93B3-97215F77A6BC} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...nt.cab31267.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zone.msn.com/binary/MineSweeper.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.symantec.com/sscv6/SharedC...bin/AvSniff.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {39B0684F-D7BF-4743-B050-FDC3F48F7E3B} (FilePlanet Download Control Class) - http://www.fileplanet.com/fpdlmgr/cabs/FPDC_1_0_0_41.cab
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O16 - DPF: {48884C41-EFAC-433D-958A-9FADAC41408E} (EGamesPlugin Class) - https://www.e-games.com.my/com/EGamesPlugin.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://by113fd.bay113.hotmail.msn.com/resources/MsnPUpld.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/200312...meInstaller.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/windowsupd...b?1189005093648
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {665585FD-2068-4C5E-A6D3-53AC3270ECD4} (FileSharingCtrl Class) - http://appdirectory.messenger.msn.com/AppD...sharingctrl.cab
O16 - DPF: {68BCE50A-DC9B-4519-A118-6FDA19DB450D} (Info Class) - http://www.blizzard.com/support/includes/cabs/si.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/microsoftu...b?1189118399933
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zone.msn.com/binary/Messe...StatsClient.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.com/download.yahoo.com/...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.symantec.com/sscv6/SharedC...n/bin/cabsa.cab
O16 - DPF: {F6BF0D00-0B2A-4A75-BF7B-F385591623AF} (Solitaire Showdown Class) - http://messenger.zone.msn.com/binary/Solit...wn.cab31267.cab
O16 - DPF: {FE5D6722-826F-11D5-A24E-0060B0F1A5AE} (Tukati Launcher) - http://http.gamezone.tukati.com/tukati/1.7.20.20/tukati.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winwsa32 - winwsa32.dll (file missing)
O23 - Service: Apache2.2 - Apache Software Foundation - c:\xampp\apache\bin\apache.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: mysql - Unknown owner - c:\xampp\mysql\bin\mysqld-nt.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs, LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

--
End of file - 9878 bytes

#7 Jordan64

Jordan64
  • Topic Starter


Posted 08 May 2008 - 09:45 PM

I spoke too soon: the pop-ups and taskbar icons reappeared. Same as the picture in my first post; once I rebooted the computer the problem reappeared.

#8 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus

Posted 09 May 2008 - 03:02 PM

Hi -

Download and scan with CCleaner.
1. Starting with v1.27.260, CCleaner installs the Yahoo Toolbar as an option which IS checkmarked by default during the installation. IF you do NOT want it, REMOVE the checkmark when provided with the option OR download the toolbar-free Basic or Slim versions instead of the Standard Build.
2. Before first use, select Options > Advanced and UNCHECK "Only delete files in Windows Temp folder older than 48 hours".
3. Then select the items you wish to clean up.

In the Windows Tab:
  • Clean all entries in the "Internet Explorer" section.
  • Clean all the entries in the "Windows Explorer" section.
  • Clean all entries in the "System" section.
  • Clean all entries in the "Advanced" section.
  • Clean any others that you choose.
In the Applications Tab:
  • Clean all entries in the Firefox/Mozilla section if you use it.
  • Clean all in the Opera section if you use it.
  • Clean Sun Java in the Internet Section.
  • Clean any others that you choose.
4. Click the "Run Cleaner" button.
5. A pop-up box will appear advising this process will permanently delete files from your system.
6. Click "OK" and it will scan and clean your system.
7. Click "Exit" when done.

Start HijackThis, click System Scan Only and place a checkmark next to the following items:
O2 - BHO: (no name) - {D710E9B2-4D51-46D3-8C8F-8FF6D890DB99} - C:\WINDOWS\System32\ssqQhhIb.dll (file missing)
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvnav.dll,startup
O16 - DPF: {03D19749-C5FA-4CCC-99AB-00AB2AF45ACD} (LogMeIn File Transfer ActiveX Client) - https://homepc:2000/activex/filexfer.cab
O16 - DPF: {483EB14D-AF1C-4951-81B0-4E2B41829FF6} (QOLCheck Control) - https://www.select2perform.com/cabs/QOLCheck.ocx
O20 - Winlogon Notify: winwsa32 - winwsa32.dll (file missing)


Close ALL windows and open programs except HijackThis and click 'Fix checked'.

Download Malwarebytes' Anti-Malware from HERE or from HERE

Double-click mbam-setup.exe to install the application.
  • Make sure a checkmark is placed next to Update Malwarebytes' Anti-Malware and Launch Malwarebytes' Anti-Malware; then click Finish.
  • If an update is found, it will download and install the latest version.
  • Once the program has loaded, select "Perform full scan"; then click Scan.
  • The scan may take some time to finish, so please be patient.
  • When the scan is complete, click OK, then Show Results to view the results.
  • Make sure that everything is checked and click Remove Selected.
  • When disinfection is completed, a log will open in Notepad. You may be prompted to Restart (See Extra Note).
  • The log is automatically saved by MBAM and can be viewed by clicking the Logs tab in MBAM.
  • Copy and paste the entire report in your next reply along with a fresh HijackThis log.
Extra Note:
If MBAM encounters a file that is difficult to remove, you will be presented with 1 of 2 prompts. Click OK to either and let MBAM proceed with the disinfection process. If asked to restart the computer, please do so immediately.

Post back with the log from MBAM and a new HijackThis log.
Take only memories, leave nothing but footprints.


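As an added example, not code from this thread or from HijackThis, CCleaner or Malwarebytes, the following Python script parses HijackThis-format log lines like the ones quoted above and flags the same kinds of entries the helper picked out for fixing: items marked "(file missing)", an O2 BHO with no name, O4 autoruns that load a DLL through rundll32, and O20 Winlogon Notify DLLs. The sample lines are constructed from the log posted in this thread plus one ordinary NVIDIA control-panel autorun added for contrast; the triage rules are the example's own heuristics, not anything HijackThis itself does.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: lines copied in form from the HijackThis log in this thread,
# plus one ordinary NvCplDaemon autorun (a legitimate rundll32 user) for contrast.
SAMPLE_LOG = r"""
O2 - BHO: (no name) - {D710E9B2-4D51-46D3-8C8F-8FF6D890DB99} - C:\WINDOWS\System32\ssqQhhIb.dll (file missing)
O4 - HKLM\..\Run: [MSDisp32] rundll32.exe C:\WINDOWS\System32\drvnav.dll,startup
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.installengine.com/engine/isetup.cab
O20 - Winlogon Notify: !SASWinLogon - C:\Program Files\SUPERAntiSpyware\SASWINLO.dll
O20 - Winlogon Notify: winwsa32 - winwsa32.dll (file missing)
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
"""

# A HijackThis entry is "<section> - <body>", e.g. "O20 - Winlogon Notify: ...".
LINE_RE = re.compile(r"^(?P<section>[A-Z]\d{0,2}) - (?P<body>.*)$")
RUNDLL_RE = re.compile(r"\brundll32(\.exe)?\b", re.IGNORECASE)


@dataclass
class Entry:
    section: str   # "O2", "O4", "O20", ...
    body: str      # everything after "<section> - "
    raw: str


@dataclass
class Finding:
    entry: Entry
    severity: str                       # "high" or "review"
    reasons: List[str] = field(default_factory=list)


def parse_hjt(text: str) -> List[Entry]:
    """Parse HijackThis log text into entries; non-entry lines are ignored."""
    entries = []
    for raw in text.splitlines():
        raw = raw.strip()
        m = LINE_RE.match(raw)
        if m:
            entries.append(Entry(m.group("section"), m.group("body"), raw))
    return entries


def triage(entries: List[Entry]) -> List[Finding]:
    """Apply the example's heuristics (mirroring what the helper flagged in this thread)."""
    findings = []
    for e in entries:
        reasons: List[str] = []
        severity = ""
        if "(file missing)" in e.body:
            # An autostart hook whose target is gone is a classic leftover of a
            # partially removed or self-deleting malware component.
            reasons.append("points at a file that no longer exists")
            severity = "high"
        if e.section == "O2" and e.body.startswith("BHO: (no name)"):
            reasons.append("Browser Helper Object registered without a name")
            severity = "high"
        if e.section == "O4" and RUNDLL_RE.search(e.body):
            # rundll32 autoruns are used by legitimate vendors too, so this only
            # asks for the DLL's publisher to be confirmed, never a verdict.
            reasons.append("autorun loads a DLL via rundll32; confirm the DLL's publisher")
            severity = severity or "review"
        if e.section == "O20" and "(file missing)" not in e.body:
            reasons.append("Winlogon Notify DLL runs at every logon; verify it belongs to installed software")
            severity = severity or "review"
        if reasons:
            findings.append(Finding(e, severity, reasons))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, e.g. {'high': 2, 'review': 3}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


if __name__ == "__main__":
    for f in triage(parse_hjt(SAMPLE_LOG)):
        print(f"[{f.severity:6}] {f.entry.raw}")
        for r in f.reasons:
            print(f"          - {r}")
    print(summarize(triage(parse_hjt(SAMPLE_LOG))))
```

Run against the sample, the two "(file missing)" lines come out as high-severity findings, while the NVIDIA autorun and the SUPERAntiSpyware Winlogon DLL land in the "review" bucket alongside the suspicious drvnav.dll entry. That is deliberate: the heuristics only narrow the list, and a person still has to decide which entries to check in HijackThis before clicking "Fix checked".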
#9 waterfalls

waterfalls

    Malware Exorcist


  • Staff Emeritus

Posted 12 May 2008 - 11:44 AM

Due to a lack of response ... this topic is closed.
Take only memories, leave nothing but footprints.
