I Have "virtumonde" Or Vundo Virus Help!


This topic is locked
33 replies to this topic

#1 footstep101
Members, 33 posts

Posted 04 June 2008 - 09:39 PM

I have virtumonde on my computer. I don't have virus software protection installed on this computer, so that's probably why I got it. I have Spy Sweeper and I used it to get rid of virtumonde with very limited success. There's a file in my system32 folder called geeda.dll that Spy Sweeper detects and sometimes removes. After running Spy Sweeper several times and several restarts, the computer seems to work normally for a while. But if I restart the computer or open Internet Explorer, the symptoms of infection come back and I have to do the Spy Sweeper again. That's why I'm not including a Kaspersky log - because I don't want to open IE. If you think it's necessary, I will. I ran the DSS program, but I'm not sure I followed the directions as well as I should have. I don't have a file called "extra." In fact, I renamed one of the files. I'll post both of them, but as it's all "Greek" to me, they may be the same. Furthermore, I'm not sure if my running Spy Sweeper before running the DSS program will hinder your process of diagnosis. Please keep in mind I'm virtually computer illiterate, but I'll try my best to follow instructions. By the way, I've already called the Spy Sweeper people and tried ComboFix, but that didn't work too well, and the Spy Sweeper people weren't that helpful after that. Please help if you can. Any help would be greatly appreciated.

The following is a copy and paste of my DSS log:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-03 23:53:39
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Percentage of Memory in Use: 76% (more than 75%).
Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-03 23:54:09
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F0 - win.ini: load=C:\WINNT\system32\geeda.exe
F3 - REG:win.ini: Load=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1303982B-8F37-4512-91BF-CA9BF22865BD} - (no file)
O2 - BHO: TChkBHO Class - {2AA0B4EA-C6CB-4EB8-A7C7-6F282A894E31} - C:\WINNT\system32\wmbkuid.dll
O2 - BHO: (no name) - {2AFD338F-66F5-4AF8-8FFD-1FB5E4B0786C} - (no file)
O2 - BHO: (no name) - {376C8572-43A9-4FDB-8011-F0B7908DB849} - (no file)
O2 - BHO: (no name) - {3A8AA418-528A-46BD-BF0A-F2A2725B9665} - (no file)
O2 - BHO: (no name) - {3DAF6B60-B48B-4BED-ACC7-3DD1A8E567CB} - (no file)
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A9070EA1-06C4-4B22-BA38-FE715A64CD09} - (no file)
O2 - BHO: (no name) - {AB7DD445-BE4C-455D-8FDA-EB105F64FCD0} - (no file)
O2 - BHO: (no name) - {AD18BDC2-6BD7-410A-8056-4169976C5538} - (no file)
O2 - BHO: (no name) - {B7581759-E465-4212-8BC1-CC7F6843D3EC} - (no file)
O2 - BHO: (no name) - {BB48DEC8-8186-4703-9B9F-4E908AFCEB87} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: (no name) - {CEBD7C35-034D-45BD-AE0A-FC9899CF5CCA} - (no file)
O2 - BHO: (no name) - {DC805B35-2227-4458-B249-349D399C16BE} - (no file)
O2 - BHO: (no name) - {F5BCFB93-A835-467D-B2FC-634C8F0BD5A4} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [MSConfig] "C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [f4474dda] "rundll32.exe" "C:\WINNT\system32\hheasxbl.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BMf7747e46] Rundll32.exe "C:\WINNT\system32\ycctavyi.dll",s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} () - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} () - http://www.silvercrk.com/php/hweuchre_scec...5936_947432.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/i263_32.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} () - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...7846.5909722222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: crypt32chain - C:\WINNT\system32\crypt32.dll
O20 - Winlogon Notify: cryptnet - C:\WINNT\system32\cryptnet.dll
O20 - Winlogon Notify: cscdll - C:\WINNT\system32\cscdll.dll
O20 - Winlogon Notify: gebxyvw - C:\WINNT\system32\gebxyvw.dll (file missing)
O20 - Winlogon Notify: ScCertProp - C:\WINNT\system32\wlnotify.dll
O20 - Winlogon Notify: Schedule - C:\WINNT\system32\wlnotify.dll
O20 - Winlogon Notify: SensLogn - C:\WINNT\system32\WlNotify.dll
O20 - Winlogon Notify: termsrv - C:\WINNT\system32\wlnotify.dll
O20 - Winlogon Notify: wlballoon - C:\WINNT\system32\wlnotify.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINNT\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINNT\system32\stobject.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPWDSVC.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.Exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: - http://a1259.g.akamai.net/f/1259/5586/1d/i...10090968.jpg
O24 - Desktop Component 1: - http://a1259.g.akamai.net/f/1259/5586/1d/i...10032246.jpg
O24 - Desktop Component 2: - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10091030.jpg

--
End of file - 12396 bytes

-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-01 20:46:40 101952 --a------ C:\WINNT\system32\ycctavyi.dll
2008-05-27 13:15:38 2624 --a------ C:\WINNT\system32\fkvpjycx.exe
2008-05-27 13:10:08 0 d-------- C:\Documents and Settings\Kevin\Application Data\Webroot
2008-05-17 17:45:52 2112 --a------ C:\WINNT\system32\pmuwkaiq.exe
2008-05-12 11:48:44 2112 --a------ C:\WINNT\system32\dfahxyih.exe
2008-05-09 11:40:00 2112 --a------ C:\WINNT\system32\ghmjeget.exe
2008-05-08 20:07:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-08 11:44:54 2112 --a------ C:\WINNT\system32\snijnbgo.exe
2008-05-08 10:38:14 2112 --a------ C:\WINNT\system32\axldbakg.exe
2008-05-06 21:46:40 2112 --a------ C:\WINNT\system32\bmdqxkyl.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-03 19:36:46 805793 --ahs---- C:\WINNT\system32\adeeg.ini2
2008-06-03 18:42:07 341504 --a------ C:\WINNT\system32\geeda.exe
2008-06-03 18:14:38 384 --a------ C:\WINNT\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2008-06-03 18:14:38 384 --a------ C:\WINNT\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2008-05-09 10:45:53 0 d-------- C:\Program Files\Java
2008-05-08 20:06:44 0 d-------- C:\Program Files\Webroot
2008-05-08 19:57:51 164 --a------ C:\install.dat
2008-05-08 19:56:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-27 18:43:08 15360 --a------ C:\WINNT\system32\ctfmon .exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-27 18:37:12 0 d-------- C:\Program Files\Windows NT
2008-04-24 21:39:51 0 d-------- C:\Program Files\Messenger
2008-04-17 10:50:38 0 d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-04-14 18:43:17 2542 --a------ C:\WINNT\unins000.dat
2008-04-14 18:41:52 691545 --a------ C:\WINNT\unins000.exe
2008-04-14 17:05:24 3648 --a------ C:\WINNT\system32\odxrcihi.dll
2008-04-10 16:04:53 3648 --a------ C:\WINNT\system32\bvgxudga.dll
2008-04-09 16:01:54 3648 --a------ C:\WINNT\system32\llcobwej.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1303982B-8F37-4512-91BF-CA9BF22865BD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0B4EA-C6CB-4EB8-A7C7-6F282A894E31}]
12/31/2001 08:00 PM 131072 --a------ C:\WINNT\system32\wmbkuid.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AFD338F-66F5-4AF8-8FFD-1FB5E4B0786C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376C8572-43A9-4FDB-8011-F0B7908DB849}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8AA418-528A-46BD-BF0A-F2A2725B9665}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DAF6B60-B48B-4BED-ACC7-3DD1A8E567CB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9070EA1-06C4-4B22-BA38-FE715A64CD09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB7DD445-BE4C-455D-8FDA-EB105F64FCD0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD18BDC2-6BD7-410A-8056-4169976C5538}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7581759-E465-4212-8BC1-CC7F6843D3EC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB48DEC8-8186-4703-9B9F-4E908AFCEB87}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEBD7C35-034D-45BD-AE0A-FC9899CF5CCA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC805B35-2227-4458-B249-349D399C16BE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5BCFB93-A835-467D-B2FC-634C8F0BD5A4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" []
"Logitech Utility"="Logi_MwX.Exe" [11/07/2003 05:50 AM C:\WINNT\LOGI_MWX.EXE]
"f4474dda"="rundll32.exe" [08/04/2004 03:56 AM C:\WINNT\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]
"BMf7747e46"="C:\WINNT\system32\ycctavyi.dll" [06/01/2008 08:46 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyvw]
gebxyvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\geeda

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINNT\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7747e46]
Rundll32.exe "C:\WINNT\system32\oanprvft.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4474dda]
rundll32.exe "C:\WINNT\system32\tcqfsscb.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINNT\system32\geeda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
"C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
"C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware remover]
C:\WINNT\Remove_spyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"C:\Program Files\AWS\WeatherBug\Weather .exe" 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
"C:\Program Files\Webroot\Washer\wwDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"C:\Program Files\Microsoft Works\wkfud.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
"C:\Program Files\Logitech\iTouch\iTouch.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447e3dbb-b322-11dc-af35-0007e9b53620}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - NMSSVC



-- End of Deckard's System Scanner: finished at 2008-06-03 23:55:00 ------------

That is one log, here is another:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-03 23:31:28
Computer is in Normal Mode.
--------------------------------------------------------------------------------

-- System Restore --------------------------------------------------------------

Successfully created a Deckard's System Scanner Restore Point.


-- Last 5 Restore Point(s) --
87: 2008-06-04 03:32:12 UTC - RP519 - Deckard's System Scanner Restore Point
86: 2008-06-04 02:19:48 UTC - RP518 - System Checkpoint
85: 2008-06-03 01:45:32 UTC - RP517 - System Checkpoint
84: 2008-06-02 01:36:12 UTC - RP516 - System Checkpoint
83: 2008-06-01 01:13:29 UTC - RP515 - System Checkpoint


-- First Restore Point --
1: 2008-03-06 04:12:42 UTC - RP433 - System Checkpoint


Backed up registry hives.
Performed disk cleanup.

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis Clone ------------------------------------------------------------


Emulating logfile of Trend Micro HijackThis v2.0.2
Scan saved at 2008-06-03 23:35:06
Platform: Windows XP Service Pack 2 (5.01.2600)
MSIE: Internet Explorer (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\system32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\nvsvc32.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\explorer.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\WINNT\system32\rundll32.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Outlook Express\msimn.exe
C:\Documents and Settings\Owner\Desktop\dss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://www.microsoft.com/isapi/redir.dll?p...amp;ar=iesearch
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://ie.search.msn.com/{sub_rfc1766}/srchasst/srchasst.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
F0 - win.ini: load=C:\WINNT\system32\geeda.exe
F3 - REG:win.ini: Load=C:\WINNT\system32\userinit.exe,
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1303982B-8F37-4512-91BF-CA9BF22865BD} - (no file)
O2 - BHO: TChkBHO Class - {2AA0B4EA-C6CB-4EB8-A7C7-6F282A894E31} - C:\WINNT\system32\wmbkuid.dll
O2 - BHO: (no name) - {2AFD338F-66F5-4AF8-8FFD-1FB5E4B0786C} - (no file)
O2 - BHO: (no name) - {376C8572-43A9-4FDB-8011-F0B7908DB849} - (no file)
O2 - BHO: (no name) - {3A8AA418-528A-46BD-BF0A-F2A2725B9665} - (no file)
O2 - BHO: (no name) - {3DAF6B60-B48B-4BED-ACC7-3DD1A8E567CB} - (no file)
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {A9070EA1-06C4-4B22-BA38-FE715A64CD09} - (no file)
O2 - BHO: (no name) - {AB7DD445-BE4C-455D-8FDA-EB105F64FCD0} - (no file)
O2 - BHO: (no name) - {AD18BDC2-6BD7-410A-8056-4169976C5538} - (no file)
O2 - BHO: (no name) - {B7581759-E465-4212-8BC1-CC7F6843D3EC} - (no file)
O2 - BHO: (no name) - {BB48DEC8-8186-4703-9B9F-4E908AFCEB87} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O2 - BHO: (no name) - {CEBD7C35-034D-45BD-AE0A-FC9899CF5CCA} - (no file)
O2 - BHO: (no name) - {DC805B35-2227-4458-B249-349D399C16BE} - (no file)
O2 - BHO: (no name) - {F5BCFB93-A835-467D-B2FC-634C8F0BD5A4} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NAVSHEXT.DLL
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [MSConfig] "C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [f4474dda] "rundll32.exe" "C:\WINNT\system32\hheasxbl.dll",b
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKLM\..\Run: [BMf7747e46] Rundll32.exe "C:\WINNT\system32\ycctavyi.dll",s
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\Icq.exe
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\earthlinkim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\network diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\network diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: https://online.musicmatch.com (HKLM)
O16 - DPF: {00000075-9980-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/voxacm.CAB
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} () - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} () - http://www.silvercrk.com/php/hweuchre_scec...5936_947432.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {33363249-0000-0010-8000-00AA00389B71} () - http://codecs.microsoft.com/codecs/i386/i263_32.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} () - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} () - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O16 - DPF: {9F1C11AA-197B-4942-BA54-47A8489BB47F} () - http://v4.windowsupdate.microsoft.com/CAB/...7846.5909722222
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://download.macromedia.com/pub/shockwa...ash/swflash.cab
O18 - Protocol: cdo - {CD00020A-8B95-11D1-82DB-00C04FB1625D} - C:\Program Files\Common Files\Microsoft Shared\Web Folders\PKMCDO.DLL
O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O18 - Protocol: ms-itss - {0A9007C0-4076-11D3-8789-0000F8105754} - C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\msitss.dll
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\Program Files\MSN Messenger\msgrapp.8.1.0178.00.dll
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: crypt32chain - C:\WINNT\system32\crypt32.dll
O20 - Winlogon Notify: cryptnet - C:\WINNT\system32\cryptnet.dll
O20 - Winlogon Notify: cscdll - C:\WINNT\system32\cscdll.dll
O20 - Winlogon Notify: gebxyvw - C:\WINNT\system32\gebxyvw.dll (file missing)
O20 - Winlogon Notify: ScCertProp - C:\WINNT\system32\wlnotify.dll
O20 - Winlogon Notify: Schedule - C:\WINNT\system32\wlnotify.dll
O20 - Winlogon Notify: SensLogn - C:\WINNT\system32\WlNotify.dll
O20 - Winlogon Notify: termsrv - C:\WINNT\system32\wlnotify.dll
O20 - Winlogon Notify: wlballoon - C:\WINNT\system32\wlnotify.dll
O21 - SSODL: WebCheck - {E6FB5E20-DE35-11CF-9C87-00AA005127ED} - C:\WINNT\system32\webcheck.dll
O21 - SSODL: SysTray - {35CEC8A3-2BE6-11D2-8773-92E220524153} - C:\WINNT\system32\stobject.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPWDSVC.EXE
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\NAVAPSVC.EXE
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\system32\NMSSvc.Exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\system32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\system32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Script Blocking\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: - http://a1259.g.akamai.net/f/1259/5586/1d/i...10090968.jpg
O24 - Desktop Component 1: - http://a1259.g.akamai.net/f/1259/5586/1d/i...10032246.jpg
O24 - Desktop Component 2: - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10091030.jpg

--
End of file - 12396 bytes

-- File Associations -----------------------------------------------------------

All associations okay.


-- Drivers: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled ---------------------

R1 Sk9920nt (PS/2 Keyboard Filter Driver for NT 4.0) - c:\winnt\system32\drivers\sk9920nt.sys <Not Verified; Silitek Corp.; Silitek PS/2 Keyboard>
R2 RioPNP - c:\winnt\system32\drivers\riopnp.sys <Not Verified; RioPort.com; >
R3 emupia (E-mu Plug-in Architecture Driver) - c:\winnt\system32\drivers\emupia2k.sys <Not Verified; Creative Technology Ltd; E-mu Plug-In Architecture>
R3 GTWModem (GTW V.92 Voicemodem) - c:\winnt\system32\drivers\gwmdm.sys <Not Verified; GTW; GTW Modem Driver>
R3 itchfltr (iTouch Keyboard Filter) - c:\winnt\system32\drivers\itchfltr.sys <Not Verified; Logitech, Inc.; Logitech iTouch™>
R3 MODEMCSA (Unimodem Streaming Filter Device) - c:\winnt\system32\drivers\modemcsa.sys <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>

S3 ac97intc (Intel® 82801 Audio Driver Install Service (WDM)) - c:\winnt\system32\drivers\ac97intc.sys <Not Verified; Intel Corporation; Intel® Integrated Controller Hub Audio Driver>
S3 BCMModem (BCM V.90 56K Modem) - c:\winnt\system32\drivers\bcmdm.sys <Not Verified; BCM; BCM Modem Driver>
S3 PCDRDRV (Pcdr Helper Driver) - c:\atf\qctest\pcdoc\pcdrdrv.sys (file missing)
S3 PcdrNt - c:\winnt\system32\drivers\pcdrnt.sys <Not Verified; PC-Doctor Inc.; PC-Doctor NT 3.0>
S3 Sk99202k (PS/2 Keyboard Filter Driver for Win2000) - c:\winnt\system32\drivers\sk99202k.sys <Not Verified; Silitek Corp.; Silitek PS/2 Keyboard>
S3 wanatw (WAN Miniport (ATW)) - c:\winnt\system32\drivers\wanatw4.sys (file missing)


-- Services: 0-Boot, 1-System, 2-Auto, 3-Demand, 4-Disabled --------------------

S2 NMSSvc (Intel® NMS) - c:\winnt\system32\nmssvc.exe <Not Verified; Intel Corporation; NMS>


-- Device Manager: Disabled ----------------------------------------------------

No disabled devices found.


-- Scheduled Tasks -------------------------------------------------------------

2008-05-30 20:00:04 464 --a------ C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job
2003-06-19 18:21:17 342 --a------ C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1036796441.job
2002-11-12 18:21:55 412 --a------ C:\WINNT\Tasks\Symantec NetDetect.job


-- Files created between 2008-05-03 and 2008-06-03 -----------------------------

2008-06-01 20:46:40 101952 --a------ C:\WINNT\system32\ycctavyi.dll
2008-05-27 13:15:38 2624 --a------ C:\WINNT\system32\fkvpjycx.exe
2008-05-27 13:10:08 0 d-------- C:\Documents and Settings\Kevin\Application Data\Webroot
2008-05-17 17:45:52 2112 --a------ C:\WINNT\system32\pmuwkaiq.exe
2008-05-12 11:48:44 2112 --a------ C:\WINNT\system32\dfahxyih.exe
2008-05-09 11:40:00 2112 --a------ C:\WINNT\system32\ghmjeget.exe
2008-05-08 20:07:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-08 11:44:54 2112 --a------ C:\WINNT\system32\snijnbgo.exe
2008-05-08 10:38:14 2112 --a------ C:\WINNT\system32\axldbakg.exe
2008-05-06 21:46:40 2112 --a------ C:\WINNT\system32\bmdqxkyl.exe


-- Find3M Report ---------------------------------------------------------------

2008-06-03 19:36:46 805793 --ahs---- C:\WINNT\system32\adeeg.ini2
2008-06-03 18:42:07 341504 --a------ C:\WINNT\system32\geeda.exe
2008-06-03 18:14:38 384 --a------ C:\WINNT\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2008-06-03 18:14:38 384 --a------ C:\WINNT\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2008-05-09 10:45:53 0 d-------- C:\Program Files\Java
2008-05-08 20:06:44 0 d-------- C:\Program Files\Webroot
2008-05-08 19:57:51 164 --a------ C:\install.dat
2008-05-08 19:56:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-27 18:43:08 15360 --a------ C:\WINNT\system32\ctfmon .exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-27 18:37:12 0 d-------- C:\Program Files\Windows NT
2008-04-24 21:39:51 0 d-------- C:\Program Files\Messenger
2008-04-17 10:50:38 0 d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-04-14 18:43:17 2542 --a------ C:\WINNT\unins000.dat
2008-04-14 18:41:52 691545 --a------ C:\WINNT\unins000.exe
2008-04-14 17:05:24 3648 --a------ C:\WINNT\system32\odxrcihi.dll
2008-04-10 16:04:53 3648 --a------ C:\WINNT\system32\bvgxudga.dll
2008-04-09 16:01:54 3648 --a------ C:\WINNT\system32\llcobwej.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1303982B-8F37-4512-91BF-CA9BF22865BD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0B4EA-C6CB-4EB8-A7C7-6F282A894E31}]
12/31/2001 08:00 PM 131072 --a------ C:\WINNT\system32\wmbkuid.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AFD338F-66F5-4AF8-8FFD-1FB5E4B0786C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376C8572-43A9-4FDB-8011-F0B7908DB849}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8AA418-528A-46BD-BF0A-F2A2725B9665}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DAF6B60-B48B-4BED-ACC7-3DD1A8E567CB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9070EA1-06C4-4B22-BA38-FE715A64CD09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB7DD445-BE4C-455D-8FDA-EB105F64FCD0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD18BDC2-6BD7-410A-8056-4169976C5538}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7581759-E465-4212-8BC1-CC7F6843D3EC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB48DEC8-8186-4703-9B9F-4E908AFCEB87}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEBD7C35-034D-45BD-AE0A-FC9899CF5CCA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC805B35-2227-4458-B249-349D399C16BE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5BCFB93-A835-467D-B2FC-634C8F0BD5A4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" []
"Logitech Utility"="Logi_MwX.Exe" [11/07/2003 05:50 AM C:\WINNT\LOGI_MWX.EXE]
"f4474dda"="rundll32.exe" [08/04/2004 03:56 AM C:\WINNT\system32\rundll32.exe]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]
"BMf7747e46"="C:\WINNT\system32\ycctavyi.dll" [06/01/2008 08:46 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyvw]
gebxyvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\geeda

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINNT\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7747e46]
Rundll32.exe "C:\WINNT\system32\oanprvft.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4474dda]
rundll32.exe "C:\WINNT\system32\tcqfsscb.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINNT\system32\geeda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
"C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
"C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware remover]
C:\WINNT\Remove_spyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"C:\Program Files\AWS\WeatherBug\Weather .exe" 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
"C:\Program Files\Webroot\Washer\wwDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"C:\Program Files\Microsoft Works\wkfud.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
"C:\Program Files\Logitech\iTouch\iTouch.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447e3dbb-b322-11dc-af35-0007e9b53620}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - NMSSVC



-- End of Deckard's System Scanner: finished at 2008-06-03 23:47:51 ------------

If I need to run another DSS and post that log or run a Kaspersky, I'd be glad to do it. Thank you in advance for any assistance you could give me.

Sincerely,
Chris Kellner

#2 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 05 June 2008 - 01:59 PM

Hi,

I understand that you need help in order to get rid of the malware that is present on your system, but you need to help us first.
I notice that you never scanned with an Antivirus before starting this thread, because you don't even have an Antivirus installed!
This is somewhat suicidal in today's digital world.
That's why I want you to install one first!!

* Please install Avira Antivirus: http://www.free-av.com/
This is a free Antivirus.

Perform a full scan with Avira and let it delete everything it is finding.
Then reboot.
After reboot, open your Avira and select "reports".
There, double-click the report from the Full scan you have done. Click the "Report File" button and copy and paste this report in your next reply, together with a new HijackThis log.
Then we'll start from there, because otherwise it really makes no sense for us to clean this up manually if an Antivirus scanner is not present, which should be able to deal with most of it and prevent further reinfection.

#3 footstep101
  • Topic Starter
  • Members
  • 33 posts

Posted 06 June 2008 - 12:50 AM

Thanks for the response. Here is my Avira AntiVir report:



Avira AntiVir Personal
Report file date: Friday, June 06, 2008 00:53

Scanning for 1165085 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: Owner
Computer name: KELLNER

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 15:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 14:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 14:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 14:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 19:08:58
ANTIVIR2.VDF : 7.0.3.62 337408 Bytes 3/21/2008 01:12:34
ANTIVIR3.VDF : 7.0.3.68 57856 Bytes 3/25/2008 14:27:50
Engineversion : 8.1.0.28
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21
AESCRIPT.DLL : 8.1.0.19 229754 Bytes 4/7/2008 21:34:44
AESCN.DLL : 8.1.0.12 115060 Bytes 4/7/2008 21:34:44
AERDL.DLL : 8.1.0.19 418164 Bytes 4/7/2008 21:34:44
AEPACK.DLL : 8.1.1.0 364918 Bytes 3/18/2008 17:20:42
AEOFFICE.DLL : 8.1.0.15 192889 Bytes 4/7/2008 21:34:44
AEHEUR.DLL : 8.1.0.15 1147253 Bytes 4/7/2008 21:34:44
AEHELP.DLL : 8.1.0.11 115061 Bytes 4/7/2008 21:34:43
AEGEN.DLL : 8.1.0.15 299379 Bytes 4/7/2008 21:34:43
AEEMU.DLL : 8.1.0.5 430450 Bytes 4/7/2008 21:34:43
AECORE.DLL : 8.1.0.25 168309 Bytes 4/8/2008 15:58:32
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 23:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 16:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 23:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 14:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 23:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 20:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 18:02:11

Configuration settings for the scan:
Jobname..........................: Windows System Directory
Configuration file...............: C:\Program Files\Avira\AntiVir PersonalEdition Classic\setupprf.dat
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, June 06, 2008 00:53

The scan of running processes will be started
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'antivir_workstation_winu_en_h.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'ssu.exe' - '1' Module(s) have been scanned
Scan process 'EM_EXEC.EXE' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'rundll32.exe' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeperUI.exe' - '1' Module(s) have been scanned
Scan process 'EM_EXEC.EXE' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'WasherSvc.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'KodakCCS.exe' - '1' Module(s) have been scanned
Scan process 'CCEVTMGR.EXE' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
32 processes with 32 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
C:\WINNT\system32\ycctavyi.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]
C:\WINNT\system32\geeda.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48adc4e7.qua'!

The registry was scanned ( '27' files ).


Starting the file scan:

Begin scan in 'C:\WINNT\system32'
C:\WINNT\system32\axldbakg.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48b4c508.qua'!
C:\WINNT\system32\bmdqxkyl.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48acc4ff.qua'!
C:\WINNT\system32\ctfmon.exe.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48aec511.qua'!
C:\WINNT\system32\dfahxyih.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48a9c50a.qua'!
C:\WINNT\system32\ghmjeget.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48b5c519.qua'!
C:\WINNT\system32\mos.exe
[DETECTION] Contains detection pattern of the dropper DR/WurldMedia.C
[NOTE] The file was moved to '48bbc53f.qua'!
C:\WINNT\system32\pmuwkaiq.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48bdc564.qua'!
C:\WINNT\system32\RCX10.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a0c541.qua'!
C:\WINNT\system32\RCX13.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a0c542.qua'!
C:\WINNT\system32\RCX51.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49388f6b.qua'!
C:\WINNT\system32\RCX5CD.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a0c543.qua'!
C:\WINNT\system32\RCX7C.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a0c544.qua'!
C:\WINNT\system32\RCXE.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '49388f6d.qua'!
C:\WINNT\system32\RCXF.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was moved to '48a0c545.qua'!
C:\WINNT\system32\snijnbgo.exe
[DETECTION] Is the Trojan horse TR/Crypt.XPACK.Gen
[NOTE] The file was moved to '48b1c57e.qua'!
C:\WINNT\system32\ycctavyi.dll
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[WARNING] An error has occurred and the file was not deleted. ErrorID: 26003
[WARNING]


End of the scan: Friday, June 06, 2008 01:10
Used time: 17:50 min

The scan has been done completely.

254 Scanning directories
6037 Files were scanned
18 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
0 files were deleted
0 files were repaired
16 files were moved to quarantine
0 files were renamed
0 Files cannot be scanned
6019 Files not concerned
7 Archives were scanned
3 Warnings
16 Notes



And here is my HijackThis log:

Deckard's System Scanner v20071014.68
Run by Owner on 2008-06-06 01:39:52
Computer is in Normal Mode.
--------------------------------------------------------------------------------

Total Physical Memory: 255 MiB (512 MiB recommended).


-- HijackThis (run as Owner.exe) -----------------------------------------------

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:41:25 AM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\WINNT\system32\wuauclt.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\notepad.exe
C:\Program Files\Outlook Express\msimn.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avcenter.exe
C:\Documents and Settings\Owner\Desktop\dss.exe
C:\PROGRA~1\TRENDM~1\HIJACK~1\Owner.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", false);
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "windows-1252, UTF-8, ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("privacy.popups.first_popup", false);
user_pref("privacy.popups.prefill_w
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1303982B-8F37-4512-91BF-CA9BF22865BD} - (no file)
O2 - BHO: TChkBHO Class - {2AA0B4EA-C6CB-4EB8-A7C7-6F282A894E31} - C:\WINNT\system32\wmbkuid.dll
O2 - BHO: (no name) - {2AFD338F-66F5-4AF8-8FFD-1FB5E4B0786C} - (no file)
O2 - BHO: (no name) - {376C8572-43A9-4FDB-8011-F0B7908DB849} - (no file)
O2 - BHO: (no name) - {3A8AA418-528A-46BD-BF0A-F2A2725B9665} - (no file)
O2 - BHO: (no name) - {3DAF6B60-B48B-4BED-ACC7-3DD1A8E567CB} - (no file)
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {A9070EA1-06C4-4B22-BA38-FE715A64CD09} - (no file)
O2 - BHO: (no name) - {AB7DD445-BE4C-455D-8FDA-EB105F64FCD0} - (no file)
O2 - BHO: (no name) - {AD18BDC2-6BD7-410A-8056-4169976C5538} - (no file)
O2 - BHO: (no name) - {B7581759-E465-4212-8BC1-CC7F6843D3EC} - (no file)
O2 - BHO: (no name) - {BB48DEC8-8186-4703-9B9F-4E908AFCEB87} - (no file)
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {CEBD7C35-034D-45BD-AE0A-FC9899CF5CCA} - (no file)
O2 - BHO: (no name) - {DC805B35-2227-4458-B249-349D399C16BE} - (no file)
O2 - BHO: (no name) - {F5BCFB93-A835-467D-B2FC-634C8F0BD5A4} - (no file)
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [MSConfig] "C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [f4474dda] "rundll32.exe" "C:\WINNT\system32\hheasxbl.dll",b
O4 - HKLM\..\Run: [BMf7747e46] "Rundll32.exe" "C:\WINNT\system32\ycctavyi.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hweuchre_scec...5936_947432.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: gebxyvw - gebxyvw.dll (file missing)
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10090968.jpg
O24 - Desktop Component 1: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10032246.jpg
O24 - Desktop Component 2: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10091030.jpg

--
End of file - 11886 bytes

-- Files created between 2008-05-06 and 2008-06-06 -----------------------------

2008-06-06 01:40:47 0 d-------- C:\Program Files\Trend Micro
2008-06-06 00:49:04 0 d-------- C:\Program Files\Avira
2008-06-06 00:49:04 0 d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-05-27 13:15:38 2624 --a------ C:\WINNT\system32\fkvpjycx.exe
2008-05-27 13:10:08 0 d-------- C:\Documents and Settings\Kevin\Application Data\Webroot
2008-05-08 20:07:02 0 d-------- C:\Documents and Settings\LocalService\Application Data\Webroot


-- Find3M Report ---------------------------------------------------------------

2008-06-06 01:22:49 0 d-------- C:\Program Files\TrojanHunter 4.2
2008-06-06 01:21:19 0 d-------- C:\Program Files\EarthLink TotalAccess
2008-06-06 01:16:37 384 --a------ C:\WINNT\system32\DVCStateBkp-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2008-06-06 01:16:37 384 --a------ C:\WINNT\system32\DVCState-{00000002-00000000-00000002-00001102-00000004-00581102}.dat
2008-06-03 19:36:46 805793 --ahs---- C:\WINNT\system32\adeeg.ini2
2008-05-09 10:45:53 0 d-------- C:\Program Files\Java
2008-05-08 20:06:44 0 d-------- C:\Program Files\Webroot
2008-05-08 19:57:51 164 --a------ C:\install.dat
2008-05-08 19:56:44 0 d-------- C:\Documents and Settings\Owner\Application Data\Webroot
2008-04-27 18:43:08 15360 --a------ C:\WINNT\system32\ctfmon .exe <Not Verified; Microsoft Corporation; Microsoft® Windows® Operating System>
2008-04-27 18:37:12 0 d-------- C:\Program Files\Windows NT
2008-04-24 21:39:51 0 d-------- C:\Program Files\Messenger
2008-04-17 10:50:38 0 d-------- C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-04-14 18:43:17 2542 --a------ C:\WINNT\unins000.dat
2008-04-14 18:41:52 691545 --a------ C:\WINNT\unins000.exe
2008-04-14 17:05:24 3648 --a------ C:\WINNT\system32\odxrcihi.dll
2008-04-10 16:04:53 3648 --a------ C:\WINNT\system32\bvgxudga.dll
2008-04-09 16:01:54 3648 --a------ C:\WINNT\system32\llcobwej.dll


-- Registry Dump ---------------------------------------------------------------

*Note* empty entries & legit default entries are not shown


[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{1303982B-8F37-4512-91BF-CA9BF22865BD}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AA0B4EA-C6CB-4EB8-A7C7-6F282A894E31}]
12/31/2001 08:00 PM 131072 --a------ C:\WINNT\system32\wmbkuid.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{2AFD338F-66F5-4AF8-8FFD-1FB5E4B0786C}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{376C8572-43A9-4FDB-8011-F0B7908DB849}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3A8AA418-528A-46BD-BF0A-F2A2725B9665}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{3DAF6B60-B48B-4BED-ACC7-3DD1A8E567CB}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{A9070EA1-06C4-4B22-BA38-FE715A64CD09}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AB7DD445-BE4C-455D-8FDA-EB105F64FCD0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AD18BDC2-6BD7-410A-8056-4169976C5538}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{B7581759-E465-4212-8BC1-CC7F6843D3EC}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{BB48DEC8-8186-4703-9B9F-4E908AFCEB87}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{CEBD7C35-034D-45BD-AE0A-FC9899CF5CCA}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DC805B35-2227-4458-B249-349D399C16BE}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{F5BCFB93-A835-467D-B2FC-634C8F0BD5A4}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" []
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" []
"Logitech Utility"="Logi_MwX.Exe" [11/07/2003 05:50 AM C:\WINNT\LOGI_MWX.EXE]
"f4474dda"="rundll32.exe" [08/04/2004 03:56 AM C:\WINNT\system32\rundll32.exe]
"BMf7747e46"="Rundll32.exe" [08/04/2004 03:56 AM C:\WINNT\system32\rundll32.exe]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [02/12/2008 10:06 AM]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [01/04/2008 08:56 PM]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" []

[HKEY_USERS\.default\software\microsoft\windows\currentversion\run]
"MySpaceIM"=C:\Program Files\MySpace\IM\MySpaceIM.exe

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\gebxyvw]
gebxyvw.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"appinit_dlls"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINNT\system32\geeda

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\svcWRSSSDK]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\vds]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\WebrootSpySweeperService]
@="Service"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\{533C5B84-EC70-11D2-9505-00C04F79DEAF}]
@="Volume shadow copy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINNT\pss\hp psc 2000 Series.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
"C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7747e46]
Rundll32.exe "C:\WINNT\system32\oanprvft.dll",s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
"C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4474dda]
rundll32.exe "C:\WINNT\system32\tcqfsscb.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe /DEVID: /CLASS:Keyboard /RunValue:"Keyboard Preload Check"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINNT\system32\geeda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
"C:\Program Files\Microsoft Works\WksSb.exe" /AllUsers

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"C:\Program Files\Microsoft Money\System\Activation.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
"C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" /auto

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
"C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
"C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
"C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware remover]
C:\WINNT\Remove_spyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
"C:\Program Files\AWS\WeatherBug\Weather .exe" 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
"C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe" /startup "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0500.dll"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
"C:\Program Files\Webroot\Washer\wwDisp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
"C:\Program Files\Microsoft Works\wkfud.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
"C:\Program Files\Logitech\iTouch\iTouch.exe"


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447e3dbb-b322-11dc-af35-0007e9b53620}]
AutoRun\command- F:\LaunchU3.exe -a

*Newly Created Service* - NMSCFG
*Newly Created Service* - NMSSVC
*Newly Created Service* - SSMDRV



-- End of Deckard's System Scanner: finished at 2008-06-06 01:43:19 ------------

#4 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 June 2008 - 02:32 AM

Hi,

I see you have PartyPoker installed.
If you didn't install it with the intention of playing it, I suggest you uninstall it, because in most cases these programs are supported by malware, get installed without asking for it, and also lead you to sites where malware is lurking.
If you do play it, then leave it alone.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

O2 - BHO: (no name) - {1303982B-8F37-4512-91BF-CA9BF22865BD} - (no file)
O2 - BHO: TChkBHO Class - {2AA0B4EA-C6CB-4EB8-A7C7-6F282A894E31} - C:\WINNT\system32\wmbkuid.dll
O2 - BHO: (no name) - {2AFD338F-66F5-4AF8-8FFD-1FB5E4B0786C} - (no file)
O2 - BHO: (no name) - {376C8572-43A9-4FDB-8011-F0B7908DB849} - (no file)
O2 - BHO: (no name) - {3A8AA418-528A-46BD-BF0A-F2A2725B9665} - (no file)
O2 - BHO: (no name) - {3DAF6B60-B48B-4BED-ACC7-3DD1A8E567CB} - (no file)
O2 - BHO: (no name) - {A9070EA1-06C4-4B22-BA38-FE715A64CD09} - (no file)
O2 - BHO: (no name) - {AB7DD445-BE4C-455D-8FDA-EB105F64FCD0} - (no file)
O2 - BHO: (no name) - {AD18BDC2-6BD7-410A-8056-4169976C5538} - (no file)
O2 - BHO: (no name) - {B7581759-E465-4212-8BC1-CC7F6843D3EC} - (no file)
O2 - BHO: (no name) - {BB48DEC8-8186-4703-9B9F-4E908AFCEB87} - (no file)
O2 - BHO: (no name) - {CEBD7C35-034D-45BD-AE0A-FC9899CF5CCA} - (no file)
O2 - BHO: (no name) - {DC805B35-2227-4458-B249-349D399C16BE} - (no file)
O2 - BHO: (no name) - {F5BCFB93-A835-467D-B2FC-634C8F0BD5A4} - (no file)
O4 - HKLM\..\Run: [f4474dda] "rundll32.exe" "C:\WINNT\system32\hheasxbl.dll",b
O4 - HKLM\..\Run: [BMf7747e46] "Rundll32.exe" "C:\WINNT\system32\ycctavyi.dll",s
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O16 - DPF: {28F00B0F-DC4E-11D3-ABEC-005004A44EEB} - http://content.hiwirenetworks.net/inbrowse...5.26/Hiwire.cab
O16 - DPF: {2B96D5CC-C5B5-49A5-A69D-CC0A30F9028C} (MiniBugTransporterX Class) - http://wdownload.weatherbug.com/minibug/tr...Transporter.cab?
O20 - Winlogon Notify: gebxyvw - gebxyvw.dll (file missing)


* Click on Fix Checked when finished and exit HijackThis.
Make sure your Internet Explorer is closed when you click Fix Checked!

Then, please visit this webpage for instructions for downloading and running ComboFix:

http://www.bleepingcomputer.com/combofix/how-to-use-combofix

This includes installing the Windows XP Recovery Console in case you have not installed it yet.

Post the log from ComboFix when you've accomplished that, along with a new HijackThis log.
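The entries miekiemoes ticks above follow a few recognisable patterns: BHO CLSIDs whose DLL is gone ("(no file)"), HKLM Run values that launch rundll32 against an eight-letter random-named DLL in system32, and a Winlogon Notify package whose DLL is missing. The DSS registry dump in the earlier post also shows a non-default LSA "Authentication Packages" value (msv1_0 followed by C:\WINNT\system32\geeda), a load point HijackThis does not list. The script below is an added example, not a HijackThis, DSS or BleepingComputer tool and not part of this thread; it applies those rules to lines copied from the logs posted above. The eight-letter-name heuristic, the "msv1_0 is the only stock XP authentication package" assumption and the fix/review labels are this example's own choices.

```python
"""Heuristic triage of HijackThis / DSS log lines (added example, not a thread tool)."""
import re
from dataclasses import dataclass

# Assumption of this example: the droppers in this thread use eight random
# lowercase letters for their DLLs (hheasxbl.dll, ycctavyi.dll, ...).
RANDOM_SYS32_DLL = re.compile(
    r"C:\\WIN(?:NT|DOWS)\\system32\\([a-z]{8})\.dll", re.IGNORECASE)
# A base name with whitespace right before ".exe" ("MSConfig .exe") is not the
# file Windows ships; flag it for a look without guessing at the cause.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.exe\b", re.IGNORECASE)
# Assumption: the only LSA authentication package on a stock Windows XP box.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass(frozen=True)
class Finding:
    severity: str   # "fix" = candidate for removal, "review" = may be legitimate
    reason: str
    line: str


def triage_line(raw):
    """Return a Finding for one log line, or None if no rule fires."""
    line = raw.strip()
    if line.startswith("O2 - BHO:") and line.endswith("(no file)"):
        return Finding("fix", "orphaned BHO (CLSID registered, DLL gone)", line)
    if line.startswith("O4 - ") and "rundll32" in line.lower():
        m = RANDOM_SYS32_DLL.search(line)
        if m:
            return Finding("fix", f"rundll32 Run entry loading random-named {m.group(1)}.dll", line)
    if line.startswith("O4 - ") and SPACE_BEFORE_EXT.search(line):
        return Finding("review", "Run entry points at a whitespace-padded .exe name", line)
    if line.startswith("O20 - Winlogon Notify:") and "(file missing)" in line:
        return Finding("fix", "Winlogon Notify package with missing DLL", line)
    if line.startswith("O20 - AppInit_DLLs:"):
        return Finding("review", "AppInit_DLLs set: DLL loaded into every process that uses user32", line)
    if line.startswith('"Authentication Packages"'):
        # DSS prints the LSA value as: "Authentication Packages"= msv1_0 <extra ...>
        packages = line.split("=", 1)[1].split()
        extra = [p for p in packages if p.lower() not in DEFAULT_AUTH_PACKAGES]
        if extra:
            return Finding("fix", f"non-default LSA authentication package(s): {' '.join(extra)}", line)
    return None


def triage(log_text):
    """Run every line of a pasted log through triage_line and keep the hits."""
    return [f for f in (triage_line(ln) for ln in log_text.splitlines()) if f]


def count_by_severity(findings):
    counts = {"fix": 0, "review": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Sample input: lines copied from the HijackThis and DSS logs posted in this
# thread, with two clean entries (Acrobat BHO, Avira) to show the rules stay quiet.
SAMPLE_LOG = r"""
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {1303982B-8F37-4512-91BF-CA9BF22865BD} - (no file)
O2 - BHO: (no name) - {2AFD338F-66F5-4AF8-8FFD-1FB5E4B0786C} - (no file)
O4 - HKLM\..\Run: [MSConfig] "C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" /auto
O4 - HKLM\..\Run: [f4474dda] "rundll32.exe" "C:\WINNT\system32\hheasxbl.dll",b
O4 - HKLM\..\Run: [BMf7747e46] "Rundll32.exe" "C:\WINNT\system32\ycctavyi.dll",s
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O20 - Winlogon Notify: gebxyvw - gebxyvw.dll (file missing)
"Authentication Packages"= msv1_0 C:\WINNT\system32\geeda
"""

if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for f in hits:
        print(f"[{f.severity}] {f.reason}\n    {f.line}")
    print(count_by_severity(hits))
```

On the sample, six lines come out as "fix" (two orphaned BHOs, two rundll32 Run values, the Winlogon Notify entry and the extra LSA package) and two as "review" (the space-padded MSConfig name and the Google Desktop AppInit_DLLs entry). The review bucket is deliberate: AppInit_DLLs and odd file names are worth a look, but on this machine the AppInit entry belongs to Google Desktop, so a rule that called it "fix" would be wrong. The LSA rule matters because nothing in HijackThis covers it; a DLL named there is loaded by lsass.exe at boot and survives the O2/O4/O20 cleanup on its own.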

#5 footstep101

footstep101
  • Topic Starter

  • Members
  • 33 posts

Posted 06 June 2008 - 12:35 PM

I used HijackThis to "fix" the files you requested. Then I ran ComboFix, then ran another HijackThis scan/log. First, here is the log from Combofix:

ComboFix 08-06-05.3 - Owner 2008-06-06 12:55:57.2 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.74 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\kmd.exe
C:\WINNT\BMf7747e46.xml
C:\WINNT\pskt.ini
C:\WINNT\smdat32m.sys
C:\WINNT\system32\aaafedlc.ini
C:\WINNT\system32\adeeg.ini
C:\WINNT\system32\adeeg.ini2
C:\WINNT\system32\bcssfqct.ini
C:\WINNT\system32\bvgxudga.dll
C:\WINNT\system32\fkvpjycx.exe
C:\WINNT\system32\gkekxvuc.ini
C:\WINNT\system32\ixkhkagx.ini
C:\WINNT\system32\lbxsaehh.ini
C:\WINNT\system32\llcobwej.dll
C:\WINNT\system32\lwtyjbwf.ini
C:\WINNT\system32\mcrh.tmp
C:\WINNT\system32\odxrcihi.dll
C:\WINNT\system32\uktesvkk.ini
C:\WINNT\system32\wfxivxkx.ini

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-06 01:40 . 2008-06-06 01:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-06 00:49 . 2008-06-06 00:49 <DIR> d-------- C:\Program Files\Avira
2008-06-06 00:49 . 2008-06-06 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-03 23:31 . 2008-06-03 23:31 <DIR> d-------- C:\Deckard
2008-05-27 13:10 . 2008-05-27 13:10 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Webroot
2008-05-09 10:48 . 2008-02-22 02:33 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-05-08 20:07 . 2008-05-08 20:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-08 20:06 . 2008-01-04 20:56 1,526,640 --a------ C:\WINNT\WRSetup.dll
2008-05-08 20:06 . 2008-01-04 20:34 163,696 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2008-05-08 20:06 . 2008-01-04 20:34 23,920 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2008-05-08 20:06 . 2008-01-04 20:34 21,872 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2008-05-08 20:06 . 2008-01-04 20:34 20,336 --a------ C:\WINNT\system32\drivers\SSFS0BB9.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 05:22 --------- d-----w C:\Program Files\TrojanHunter 4.2
2008-06-06 05:21 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-05-09 14:45 --------- d-----w C:\Program Files\Java
2008-05-09 00:06 --------- d-----w C:\Program Files\Webroot
2008-05-09 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-08 23:57 164 ----a-w C:\install.dat
2008-05-08 23:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Webroot
2008-05-08 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-05-08 23:12 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-04-17 14:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-04-14 22:41 691,545 ----a-w C:\WINNT\unins000.exe
2006-09-08 00:30 65,448 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-08-30 16:32 56,208 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
2003-05-29 01:09 251,600 ----a-w C:\Program Files\NSSetup.exe
2003-05-11 14:22 10,135,688 ----a-w C:\Program Files\MPSetupXP.exe
2003-01-13 02:07 1,903,749 ----a-w C:\Program Files\tetmania.exe
2003-01-09 02:01 29,026 ----a-w C:\Program Files\kfmaster.zip
2003-01-05 15:14 456,128 ----a-w C:\Program Files\popupstopper.exe
2002-10-02 20:33 32 --sha-w C:\WINNT\{9FAB8911-3BC4-493A-9D31-15B0694333AF}.dat
2002-10-02 20:33 32 --sha-w C:\WINNT\system32\{132DF614-59EA-4791-9A10-1D83F9D5DFF3}.dat
.
<pre>
----a-w		 1,730,048 2008-03-26 21:57:31  C:\Program Files\AWS\WeatherBug\Weather		  .exe
----a-w		 1,730,048 2008-04-15 03:30:31  C:\Program Files\AWS\WeatherBug\Weather		 .exe
----a-w		 1,730,048 2008-04-15 00:31:19  C:\Program Files\AWS\WeatherBug\Weather		.exe
----a-w		 1,730,048 2008-04-15 00:18:30  C:\Program Files\AWS\WeatherBug\Weather	   .exe
----a-w		 1,730,048 2008-04-14 22:37:24  C:\Program Files\AWS\WeatherBug\Weather	  .exe
----a-w		 1,339,392 2008-04-18 17:27:59  C:\Program Files\AWS\WeatherBug\Weather	 .exe
----a-w		 1,730,048 2008-04-18 17:27:22  C:\Program Files\AWS\WeatherBug\Weather	.exe
----a-w		 1,730,048 2008-04-18 15:40:36  C:\Program Files\AWS\WeatherBug\Weather   .exe
----a-w		 1,730,048 2008-04-16 17:16:48  C:\Program Files\AWS\WeatherBug\Weather  .exe
----a-w		 1,730,048 2008-04-16 17:03:13  C:\Program Files\AWS\WeatherBug\Weather .exe
----a-w			28,738 2008-02-07 22:40:22  C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
----a-w		   180,269 2008-02-07 22:40:04  C:\Program Files\Common Files\Real\Update_OB\realsched .exe
----a-w			54,976 2008-02-07 22:40:35  C:\Program Files\Common Files\Symantec Shared\ccApp .exe
----a-w			59,072 2008-02-07 22:40:33  C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
----a-w		   290,816 2007-12-23 16:23:10  C:\Program Files\EarthLink 5.0\ConMgr .exe
----a-w		   913,408 2007-12-30 16:48:48  C:\Program Files\EarthLink TotalAccess\TaskPanl		.exe
----a-w		 1,281,536 2007-12-30 16:47:34  C:\Program Files\EarthLink TotalAccess\TaskPanl	   .exe
----a-w		 1,281,536 2007-12-29 16:17:55  C:\Program Files\EarthLink TotalAccess\TaskPanl	  .exe
----a-w		 1,281,536 2007-12-25 21:50:59  C:\Program Files\EarthLink TotalAccess\TaskPanl	 .exe
----a-w		 1,281,536 2007-12-25 21:26:55  C:\Program Files\EarthLink TotalAccess\TaskPanl	.exe
----a-w		 1,281,536 2007-12-25 20:30:41  C:\Program Files\EarthLink TotalAccess\TaskPanl   .exe
----a-w		 1,281,536 2007-12-24 16:32:22  C:\Program Files\EarthLink TotalAccess\TaskPanl  .exe
----a-w		 1,281,536 2007-12-23 16:52:15  C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
----a-w		 3,781,632 2007-12-31 03:56:52  C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper	.exe
----a-w		 3,781,632 2007-12-31 03:48:59  C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper   .exe
----a-w		 3,781,632 2007-12-30 23:41:29  C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper  .exe
----a-w		 3,405,312 2007-12-30 23:17:52  C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper .exe
----a-w		 5,367,608 2007-12-31 17:09:12  C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeperUI .exe
----a-w			69,632 2008-02-07 22:40:08  C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
----a-w		   278,528 2008-02-07 22:40:28  C:\Program Files\iTunes\iTunesHelper .exe
----a-w			49,263 2008-05-17 22:16:35  C:\Program Files\Java\jre1.5.0_09\bin\jusched .exe
----a-w		   892,928 2008-04-24 23:04:57  C:\Program Files\Logitech\iTouch\iTouch .exe
----a-w		 1,694,208 2008-04-25 01:39:44  C:\Program Files\Messenger\msmsgs .exe
----a-w		   241,714 2008-02-07 22:40:18  C:\Program Files\Microsoft Money\System\Activation .exe
----a-w			24,576 2008-02-07 22:40:08  C:\Program Files\Microsoft Works\wkfud .exe
----a-w		   331,830 2008-02-07 22:40:25  C:\Program Files\Microsoft Works\WksSb .exe
----a-w			11,776 2008-02-07 22:40:20  C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot .exe
----a-w		   708,608 2008-02-07 22:40:10  C:\Program Files\Panicware\Pop-Up Stopper\dpps2  .exe
----a-w		 1,113,600 2008-02-07 22:39:43  C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe
----a-w		   651,264 2007-12-23 16:24:21  C:\Program Files\QuickTime\qttask .exe
----a-w		   684,032 2008-02-07 22:40:40  C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
----a-w		 2,097,488 2008-04-18 17:28:00  C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w		 1,089,024 2007-12-30 16:47:55  C:\Program Files\TrojanHunter 4.2\THGuard	   .exe
----a-w		 1,435,648 2007-12-30 16:47:38  C:\Program Files\TrojanHunter 4.2\THGuard	  .exe
----a-w		 1,435,648 2007-12-29 16:18:05  C:\Program Files\TrojanHunter 4.2\THGuard	 .exe
----a-w		 1,435,648 2007-12-25 21:51:01  C:\Program Files\TrojanHunter 4.2\THGuard	.exe
----a-w		 1,435,648 2007-12-25 21:27:04  C:\Program Files\TrojanHunter 4.2\THGuard   .exe
----a-w		 1,435,648 2007-12-25 20:30:47  C:\Program Files\TrojanHunter 4.2\THGuard  .exe
----a-w		 1,435,648 2007-12-24 16:32:29  C:\Program Files\TrojanHunter 4.2\THGuard .exe
----a-w		 1,206,600 2008-04-27 22:51:47  C:\Program Files\Webroot\Washer\wwDisp .exe
----a-w		   153,698 2008-02-07 22:40:07  C:\WINNT\Remove_spyware .exe
----a-w		   158,208 2008-05-07 02:09:19  C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig	.exe
----a-w		   502,272 2008-04-30 17:07:40  C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig  .exe
----a-w		   502,272 2008-04-24 23:00:20  C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe
----a-w			15,360 2008-04-27 22:43:08  C:\WINNT\system32\ctfmon .exe


-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [ ]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 05:50 19968 C:\WINNT\LOGI_MWX.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINNT\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2008-02-07 18:40 1032192 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7747e46]
C:\WINNT\system32\oanprvft.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-07 18:39 397312 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2008-02-07 18:39 401408 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2004-08-04 03:56 15360 C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-10-06 14:57 24576 C:\WINNT\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4474dda]
C:\WINNT\system32\tcqfsscb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-07 18:39 711680 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINNT\system32\geeda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 05:50 19968 C:\WINNT\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2008-02-07 18:39 699904 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2008-02-07 18:39 354304 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
--a------ 2008-02-07 18:39 585728 C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
--a------ 2008-04-30 13:07 502272 C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
--a------ 2008-02-07 18:39 1113600 C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2008-02-07 18:39 412160 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-04-18 13:27 2442752 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware remover]
--a------ 2008-02-07 18:39 496640 C:\WINNT\Remove_spyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-07 18:39 522752 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
--a------ 2008-04-18 13:27 1730048 C:\Program Files\AWS\WeatherBug\Weather .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--a------ 2008-02-07 18:39 1642496 C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2008-02-07 18:39 367104 C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2008-02-07 18:39 1236992 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 14:36]
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys [2000-06-06 12:29]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 15:47]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 14:36]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447e3dbb-b322-11dc-af35-0007e9b53620}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2003-06-19 22:21:17 C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1036796441.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-31 00:00:04 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2002-11-12 22:21:55 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 13:06:40
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
------------------------ Other Running Processes ------------------------
.
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\CCEVTMGR.EXE
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\system32\nvsvc32.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Logitech\MouseWare\system\EM_EXEC.EXE
C:\Program Files\Webroot\Spy Sweeper\ssu.exe
C:\WINNT\system32\verclsid.exe
.
**************************************************************************
.
Completion time: 2008-06-06 13:21:25 - machine was rebooted [Owner]
ComboFix-quarantined-files.txt 2008-06-06 17:20:55
ComboFix2.txt 2008-02-08 02:52:44

Pre-Run: 12,361,023,488 bytes free
Post-Run: 12,313,554,944 bytes free

WindowsXP-KB310994-SP2-Home-BootDisk-ENU.exe
[boot loader]
timeout=2
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows XP Home Edition" /fastdetect /NoExecute=OptIn
C:\CMDCONS\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons

268 --- E O F --- 2008-01-09 08:06:39

Next, here is the log from HijackThis:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:32:22 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\explorer.exe
C:\WINNT\system32\notepad.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", false);
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "windows-1252, UTF-8, ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("privacy.popups.first_popup", false);
user_pref("privacy.popups.prefill_w
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [MSConfig] "C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" /auto
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hweuchre_scec...5936_947432.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10090968.jpg
O24 - Desktop Component 1: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10032246.jpg
O24 - Desktop Component 2: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10091030.jpg

--
End of file - 10156 bytes

I hope I did it correctly. Thanks.

#6 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium

Posted 06 June 2008 - 01:33 PM

Hi,

* Open Notepad - don't use any other text editor than Notepad or the script will fail.
Copy/paste the text in the code below into Notepad:

File::
C:\WINNT\Remove_spyware .exe
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig	.exe
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig  .exe
C:\Program Files\TrojanHunter 4.2\THGuard	   .exe
C:\Program Files\TrojanHunter 4.2\THGuard	  .exe
C:\Program Files\TrojanHunter 4.2\THGuard	 .exe
C:\Program Files\TrojanHunter 4.2\THGuard	.exe
C:\Program Files\TrojanHunter 4.2\THGuard   .exe
C:\Program Files\TrojanHunter 4.2\THGuard  .exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2  .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl		.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl	   .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl	  .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl	 .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl	.exe
C:\Program Files\EarthLink TotalAccess\TaskPanl   .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl  .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper	.exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper   .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper  .exe
C:\Program Files\AWS\WeatherBug\Weather		  .exe
C:\Program Files\AWS\WeatherBug\Weather		 .exe
C:\Program Files\AWS\WeatherBug\Weather		.exe
C:\Program Files\AWS\WeatherBug\Weather	   .exe
C:\Program Files\AWS\WeatherBug\Weather	  .exe
C:\Program Files\AWS\WeatherBug\Weather	 .exe
C:\Program Files\AWS\WeatherBug\Weather	.exe
C:\Program Files\AWS\WeatherBug\Weather   .exe
C:\Program Files\AWS\WeatherBug\Weather  .exe
Renv::
C:\Program Files\Common Files\Symantec Shared\ccRegVfy .exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe
C:\Program Files\QuickTime\qttask .exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINNT\system32\ctfmon .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\Webroot\Washer\wwDisp .exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd .exe
C:\Program Files\iTunes\iTunesHelper .exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched .exe
C:\Program Files\Logitech\iTouch\iTouch .exe
C:\Program Files\Messenger\msmsgs .exe
C:\Program Files\Microsoft Money\System\Activation .exe
C:\Program Files\Microsoft Works\wkfud .exe
C:\Program Files\Microsoft Works\WksSb .exe
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mimboot .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeperUI .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind .exe
C:\Program Files\Common Files\Real\Update_OB\realsched .exe
C:\Program Files\Common Files\Symantec Shared\ccApp .exe
C:\Program Files\EarthLink 5.0\ConMgr .exe
Registry::
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"=-
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7747e46]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4474dda]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware remover]

Save this as a txt file named CFScript

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

Posted Image

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Note, please DON'T remove the extra spaces you see in the above log before the exe. It is supposed to be like that.

Edited by miekiemoes, 06 June 2008 - 01:33 PM.

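As an added example (not part of this thread, and not code from ComboFix or its author), the Python helper below parses a ComboFix-style file listing and a REGEDIT4 Run section, flags executables whose names carry spaces or tabs before the extension (the look-alike pattern the script above targets), pairs each with the unpadded file it imitates, and reports which autostart values launch such a padded name. The sample listing and Run key are constructed to mirror the layout of the logs in this thread, not copied from them.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One line of a ComboFix-style file listing: attributes, size, date, time, path.
LINE_RE = re.compile(
    r"^(?P<attrs>[-a-z]+)\s+(?P<size>[\d,]+)\s+"
    r"(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}:\d{2})\s+(?P<path>.+?)\s*$"
)
# A file name whose stem is followed by spaces/tabs before its extension,
# e.g. "MSConfig  .exe" or "THGuard<TAB>.exe" (the spaces that must not be removed).
PADDED_RE = re.compile(r"^(?P<stem>.*?\S)(?P<pad>[ \t]+)\.(?P<ext>[^.\s]+)$")
# A REGEDIT4 value line such as  "MSConfig"="C:\...\MSConfig .exe" [ ]
RUN_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<cmd>[^"]*)"')

# Constructed sample listing (layout modelled on the thread's log, values made up here).
SAMPLE_LISTING = (
    "----a-w\t\t   502,272 2008-04-30 17:07:40  C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\MSConfig  .exe\n"
    "----a-w\t\t   158,208 2008-05-07 02:09:19  C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\MSConfig\t.exe\n"
    "----a-w\t\t   158,208 2008-04-24 23:00:20  C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\MSConfig.exe\n"
    "----a-w\t\t 1,435,648 2007-12-24 16:32:29  C:\\Program Files\\TrojanHunter 4.2\\THGuard .exe\n"
    "----a-w\t\t 1,089,024 2007-12-30 16:47:55  C:\\Program Files\\TrojanHunter 4.2\\THGuard.exe\n"
    "----a-w\t\t\t15,360 2008-04-27 22:43:08  C:\\WINNT\\system32\\ctfmon.exe\n"
)
# Constructed sample Run key in REGEDIT4 form, as ComboFix prints it.
SAMPLE_RUN_KEY = (
    "[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run]\n"
    '"MSConfig"="C:\\WINNT\\PCHealth\\HelpCtr\\Binaries\\MSConfig .exe" [ ]\n'
    '"SunJavaUpdateSched"="C:\\Program Files\\Java\\jre1.5.0_09\\bin\\jusched.exe" [ ]\n'
)


@dataclass
class Entry:
    attrs: str
    size: int
    mtime: str
    path: str


@dataclass
class Finding:
    padded_path: str
    canonical_path: str
    pad: str                       # the whitespace run before the extension
    size: int
    canonical_size: Optional[int]  # size of the unpadded file, if it is in the listing


def parse_listing(text: str) -> List[Entry]:
    """Parse the file-listing lines; lines in any other layout are ignored."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            size = int(m["size"].replace(",", ""))
            entries.append(Entry(m["attrs"], size, f'{m["date"]} {m["time"]}', m["path"]))
    return entries


def split_padded(path: str) -> Optional[Tuple[str, str]]:
    """Return (canonical_path, pad) if the base name is whitespace-padded, else None."""
    directory, _, name = path.rpartition("\\")
    m = PADDED_RE.match(name)
    if not m:
        return None
    canonical = f'{m["stem"]}.{m["ext"]}'
    return (f"{directory}\\{canonical}" if directory else canonical, m["pad"])


def find_padded_lookalikes(entries: List[Entry]) -> List[Finding]:
    """Flag padded names and pair each with the unpadded file it imitates."""
    by_path: Dict[str, Entry] = {e.path.lower(): e for e in entries}
    findings = []
    for e in entries:
        hit = split_padded(e.path)
        if hit is None:
            continue
        canonical, pad = hit
        real = by_path.get(canonical.lower())
        findings.append(Finding(e.path, canonical, pad, e.size, real.size if real else None))
    return findings


def autostarts_launching_padded(reg_text: str) -> List[Tuple[str, str]]:
    """Autostart values whose command names a whitespace-padded executable."""
    hits = []
    for line in reg_text.splitlines():
        m = RUN_RE.match(line.strip())
        if m and split_padded(m["cmd"]) is not None:
            hits.append((m["name"], m["cmd"]))
    return hits


if __name__ == "__main__":
    for f in find_padded_lookalikes(parse_listing(SAMPLE_LISTING)):
        print(f"{f.padded_path!r} (pad={f.pad!r}, {f.size} bytes) imitates "
              f"{f.canonical_path!r} ({f.canonical_size} bytes)")
    for name, cmd in autostarts_launching_padded(SAMPLE_RUN_KEY):
        print(f"Run value {name!r} launches padded name {cmd!r}")
```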

#7 footstep101

footstep101
  • Topic Starter

  • Members
  • 33 posts

Posted 06 June 2008 - 03:05 PM

I did what you said, and after ComboFix ran and created a log, my Windows screen went away and the computer froze. Then after a manual shut-down, it froze again when Windows tried to get and install "updates." That may not be relevant to the issue at hand, but I thought I'd mention it. Here is the log from ComboFix:

ComboFix 08-06-05.3 - Owner 2008-06-06 14:48:41.3 - NTFSx86
Microsoft Windows XP Home Edition 5.1.2600.2.1252.1.1033.18.68 [GMT -4:00]
Running from: C:\Documents and Settings\Owner\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Owner\Desktop\CFScript.txt
* Created a new restore point

FILE ::
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINNT\Remove_spyware .exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\AWS\WeatherBug\Weather .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper .exe
C:\Program Files\EarthLink TotalAccess\Spyware Blocker\SpySweeper .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\EarthLink TotalAccess\TaskPanl .exe
C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\Program Files\TrojanHunter 4.2\THGuard .exe
C:\WINNT\mrofinu72.exe.tmp
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe
C:\WINNT\Remove_spyware .exe

.
((((((((((((((((((((((((( Files Created from 2008-05-06 to 2008-06-06 )))))))))))))))))))))))))))))))
.

2008-06-06 01:40 . 2008-06-06 01:40 <DIR> d-------- C:\Program Files\Trend Micro
2008-06-06 00:49 . 2008-06-06 00:49 <DIR> d-------- C:\Program Files\Avira
2008-06-06 00:49 . 2008-06-06 00:49 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Avira
2008-06-03 23:31 . 2008-06-03 23:31 <DIR> d-------- C:\Deckard
2008-05-27 13:10 . 2008-05-27 13:10 <DIR> d-------- C:\Documents and Settings\Kevin\Application Data\Webroot
2008-05-09 10:48 . 2008-02-22 02:33 69,632 --a------ C:\WINNT\system32\javacpl.cpl
2008-05-08 20:07 . 2008-05-08 20:07 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\Webroot
2008-05-08 20:06 . 2008-01-04 20:56 1,526,640 --a------ C:\WINNT\WRSetup.dll
2008-05-08 20:06 . 2008-01-04 20:34 163,696 --a------ C:\WINNT\system32\drivers\ssidrv.sys
2008-05-08 20:06 . 2008-01-04 20:34 23,920 --a------ C:\WINNT\system32\drivers\sskbfd.sys
2008-05-08 20:06 . 2008-01-04 20:34 21,872 --a------ C:\WINNT\system32\drivers\sshrmd.sys
2008-05-08 20:06 . 2008-01-04 20:34 20,336 --a------ C:\WINNT\system32\drivers\SSFS0BB9.sys

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-06-06 18:51 --------- d-----w C:\Program Files\TrojanHunter 4.2
2008-06-06 18:51 --------- d-----w C:\Program Files\EarthLink TotalAccess
2008-06-06 18:49 --------- d-----w C:\Program Files\Spybot - Search & Destroy
2008-06-06 18:49 --------- d-----w C:\Program Files\QuickTime
2008-06-06 18:49 --------- d-----w C:\Program Files\Microsoft Works
2008-06-06 18:49 --------- d-----w C:\Program Files\iTunes
2008-06-06 18:48 --------- d-----w C:\Program Files\EarthLink 5.0
2008-06-06 18:48 --------- d-----w C:\Program Files\Common Files\Symantec Shared
2008-05-09 14:45 --------- d-----w C:\Program Files\Java
2008-05-09 00:06 --------- d-----w C:\Program Files\Webroot
2008-05-09 00:06 --------- d-----w C:\Documents and Settings\All Users\Application Data\Webroot
2008-05-08 23:57 164 ----a-w C:\install.dat
2008-05-08 23:56 --------- d-----w C:\Documents and Settings\Owner\Application Data\Webroot
2008-05-08 23:25 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2008-04-17 14:50 --------- d-----w C:\Documents and Settings\Owner\Application Data\WeatherBug
2008-04-14 22:41 691,545 ----a-w C:\WINNT\unins000.exe
2006-09-08 00:30 65,448 ----a-w C:\Documents and Settings\Owner\Application Data\GDIPFONTCACHEV1.DAT
2004-08-30 16:32 56,208 ----a-w C:\Documents and Settings\Kevin\Application Data\GDIPFONTCACHEV1.DAT
2003-05-29 01:09 251,600 ----a-w C:\Program Files\NSSetup.exe
2003-05-11 14:22 10,135,688 ----a-w C:\Program Files\MPSetupXP.exe
2003-01-13 02:07 1,903,749 ----a-w C:\Program Files\tetmania.exe
2003-01-09 02:01 29,026 ----a-w C:\Program Files\kfmaster.zip
2003-01-05 15:14 456,128 ----a-w C:\Program Files\popupstopper.exe
2002-10-02 20:33 32 --sha-w C:\WINNT\{9FAB8911-3BC4-493A-9D31-15B0694333AF}.dat
2002-10-02 20:33 32 --sha-w C:\WINNT\system32\{132DF614-59EA-4791-9A10-1D83F9D5DFF3}.dat
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Works Update Detection"="C:\Program Files\Microsoft Works\WkDetect.exe" [ ]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSConfig"="C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe" [ ]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe" [2008-05-17 18:16 49263]
"Logitech Utility"="Logi_MwX.Exe" [2003-11-07 05:50 19968 C:\WINNT\LOGI_MWX.EXE]
"avgnt"="C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" [2008-02-12 10:06 262401]
"SpySweeper"="C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" [2008-01-04 20:56 5367664]

[HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Run]
"MySpaceIM"="C:\Program Files\MySpace\IM\MySpaceIM.exe" [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\drivers32]
"VIDC.I263"= i263_32.drv

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HotSync Manager.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HotSync Manager.lnk
backup=C:\WINNT\pss\HotSync Manager.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hp psc 2000 Series.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hp psc 2000 Series.lnk
backup=C:\WINNT\pss\hp psc 2000 Series.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINNT\pss\Microsoft Office.lnkCommon Startup

[HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^officejet 6100.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\officejet 6100.lnk
backup=C:\WINNT\pss\officejet 6100.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2008-02-07 18:40 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7747e46]
C:\WINNT\system32\oanprvft.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccApp]
--a------ 2008-02-07 18:40 54976 C:\Program Files\Common Files\Symantec Shared\ccApp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ccRegVfy]
--a------ 2008-02-07 18:40 59072 C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
--a------ 2008-04-27 18:43 15360 C:\WINNT\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CTHelper]
--a------ 2003-10-06 14:57 24576 C:\WINNT\system32\CTHELPER.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4474dda]
C:\WINNT\system32\tcqfsscb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
--a------ 2008-02-07 18:40 278528 C:\Program Files\iTunes\iTunesHelper.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Keyboard Preload Check]
C:\OEMDRVRS\KEYB\Preload.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINNT\system32\geeda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 05:50 19968 C:\WINNT\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Portfolio]
--a------ 2008-02-07 18:40 331830 C:\Program Files\Microsoft Works\WksSb.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Works Update Detection]
C:\Program Files\Microsoft Works\WkDetect.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MimBoot]
--a------ 2008-02-07 18:40 11776 C:\PROGRA~1\MUSICM~1\MUSICM~1\mimboot.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\mmtask]
C:\Program Files\MUSICMATCH\MUSICMATCH Jukebox\mmtask.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
--a------ 2008-02-07 18:40 241714 C:\Program Files\Microsoft Money\System\Activation.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Pop-Up Stopper]
C:\Program Files\Panicware\Pop-Up Stopper\dpps2 .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Share-to-Web Namespace Daemon]
--a------ 2008-02-07 18:40 69632 C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
--a------ 2008-04-18 13:28 2097488 C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpySweeper]
--a------ 2008-01-04 20:56 5367664 C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware remover]
--a------ 2008-02-07 18:39 496640 C:\WINNT\Remove_spyware.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
--a------ 2008-02-07 18:40 180269 C:\Program Files\Common Files\Real\Update_OB\realsched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Weather]
C:\Program Files\AWS\WeatherBug\Weather .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
C:\Program Files\WildTangent\Apps\CDA\GameDrvr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Window Washer]
--a------ 2008-04-27 18:51 1206600 C:\Program Files\Webroot\Washer\wwDisp.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorksFUD]
--a------ 2008-02-07 18:40 24576 C:\Program Files\Microsoft Works\wkfud.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
--a------ 2008-04-24 19:04 892928 C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\security center]
"AntiVirusOverride"=dword:00000001

R2 NMSSvc;Intel® NMS;C:\WINNT\System32\NMSSvc.exe [2002-05-03 14:36]
R2 RioPNP;RioPNP;C:\WINNT\system32\drivers\RioPNP.sys [2000-06-06 12:29]
R2 wwEngineSvc;Window Washer Engine;C:\Program Files\Webroot\Washer\WasherSvc.exe [2007-11-26 15:47]
R3 NMSCFG;NIC Management Service Configuration Driver;C:\WINNT\system32\drivers\NMSCFG.SYS [2002-05-03 14:36]
S3 PCDRDRV;Pcdr Helper Driver;C:\Atf\Qctest\PCDoc\PCDRDRV.sys []

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{447e3dbb-b322-11dc-af35-0007e9b53620}]
\Shell\AutoRun\command - F:\LaunchU3.exe -a

*Newly Created Service* - NMSSVC
.
Contents of the 'Scheduled Tasks' folder
"2003-06-19 22:21:17 C:\WINNT\Tasks\FRU Task #Hewlett-Packard#hp psc 2200 series#1036796441.job"
- C:\Program Files\Hewlett-Packard\Digital Imaging\Bin\hpqfrucl.exe4-I
"2008-05-31 00:00:04 C:\WINNT\Tasks\Norton AntiVirus - Scan my computer.job"
- C:\PROGRA~1\NORTON~1\NAVW32.exeG/task:C:\DOCUME~1\ALLUSE~1\APPLIC~1\Symantec\NORTON~1\Tasks\mycomp.sca
"2002-11-12 22:21:55 C:\WINNT\Tasks\Symantec NetDetect.job"
- C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE
.
**************************************************************************

catchme 0.3.1361 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-06-06 14:56:28
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-06-06 15:03:53
ComboFix-quarantined-files.txt 2008-06-06 19:03:33
ComboFix2.txt 2008-06-06 17:21:27
ComboFix3.txt 2008-02-08 02:52:44

Pre-Run: 12,299,436,032 bytes free
Post-Run: 12,249,956,352 bytes free

235 --- E O F --- 2008-01-09 08:06:39


And here is my latest HijackThis report:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:03:41 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\wuauclt.exe
C:\WINNT\system32\NOTEPAD.EXE
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", false);
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "windows-1252, UTF-8, ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("privacy.popups.first_popup", false);
user_pref("privacy.popups.prefill_w
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] "C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe" /startintray
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hweuchre_scec...5936_947432.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10090968.jpg
O24 - Desktop Component 1: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10032246.jpg
O24 - Desktop Component 2: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10091030.jpg

--
End of file - 10058 bytes

#8 miekiemoes
    Malware Killer Dog
  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 06 June 2008 - 03:12 PM

Hi,

The freezing is most probably because Combofix enabled Windows updates and as you said, it was downloading and installing updates in a meanwhile.

Anyway.. almost done..


Open Notepad and copy and paste what is presented in the quote box below into it:
(don't forget to copy and paste REGEDIT4)

REGEDIT4

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7747e46]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4474dda]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]

[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware remover]

Save this as fix.reg (choose to save as *all files*) and place it on your desktop.
It should look like this: [screenshot not reproduced]
Double-click on it and when it asks you if you want to merge the contents into the registry, click Yes/OK.
(In case you are unsure how to create a reg file, take a look here with screenshots.)

Then, go to Start > Run and copy and paste the next command into the field:

ComboFix /u

Make sure there's a space between ComboFix and /
Then hit Enter.

This will uninstall Combofix, delete its related folders and files, reset your clock settings, hide file extensions, hide the system/hidden files and resets System Restore again.

As a final check.... Please perform this online scan: Kaspersky Webscan
1. Read the Requirements and Privacy statement, then select "Accept"
2. A dialogue box will appear asking "Do you want to install this software?" Name: kavwebscan_unicode.cab
3. Select "Install" to download the ActiveX controls that allows ActiveScan to run.
4. If running MSAS beta you may receive an alert that an IE ActiveX program requires your approval. Click "Allow"
5. When the download is complete it will say ready, click "Next"
6. Select a target to scan: Click on "My Computer"
7. When the scan is complete choose to save the results as "Save as Text"
8. Post the Kaspersky scan results in your next reply.

Edited by miekiemoes, 06 June 2008 - 03:13 PM.

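The fix.reg above was assembled by hand from the ComboFix "Reg Loading Points" section posted earlier in the thread. The script below is an added example, not part of this thread, of ComboFix or of any Webroot/Avira tool: it parses entries in that section's layout, flags the indicators a helper looks for, and emits a REGEDIT4 file that deletes the selected keys. The indicator names and rules are my own assumptions: a startup item whose command is a bare .dll, a key name that is a random hex string, a file name with a space before the extension, and an entry that ComboFix printed without the attribute/date/size prefix (which this example assumes means the file was not found at scan time). The sample log lines are constructed from entries in the posted log, and the `also_remove` parameter is an invention so the analyst can add items chosen on other grounds; with "Load" and "Spyware remover" supplied it reproduces the four keys in the post.

```python
import re
from dataclasses import dataclass, field

# Constructed sample in the ComboFix "Reg Loading Points" layout (a subset of
# the entries posted earlier in the thread; copied in shape, not a live scan).
SAMPLE_LOG = r"""
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AdaptecDirectCD]
--a------ 2008-02-07 18:40 684032 C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BMf7747e46]
C:\WINNT\system32\oanprvft.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\f4474dda]
C:\WINNT\system32\tcqfsscb.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
C:\WINNT\system32\geeda.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
--------- 2003-11-07 05:50 19968 C:\WINNT\LOGI_MWX.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSConfig]
C:\WINNT\PCHealth\HelpCtr\Binaries\MSConfig .exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Spyware remover]
--a------ 2008-02-07 18:39 496640 C:\WINNT\Remove_spyware.exe
"""

# "[...\startupreg\<name>]" header line; <name> is the MSConfig-disabled item.
KEY_RE = re.compile(r"^\[(.+\\startupreg\\([^\]]+))\]$", re.I)
# "attrs date time size path": the form ComboFix uses when it could stat the file.
STAT_RE = re.compile(r"^([-a-z]{9}) (\d{4}-\d{2}-\d{2}) (\d{2}:\d{2}) (\d+) (.+)$")
# Assumed heuristics (mine, not ComboFix's): random hex key names and a space
# squeezed in before the extension are what the posted log shows on bad entries.
RANDOM_KEY_RE = re.compile(r"^[A-Za-z]{0,2}[0-9a-f]{8}$")
SPACE_EXT_RE = re.compile(r" \.[A-Za-z0-9]{1,4}$")


@dataclass
class StartupEntry:
    key: str            # full registry key as printed in the log
    name: str           # last path component of the key
    path: str           # file the startup item points at
    present: bool       # True when ComboFix printed the attrs/date/size prefix
    indicators: list = field(default_factory=list)


def parse_startupreg(text):
    """Pair each startupreg key header with the single detail line that follows it."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = (m.group(1), m.group(2))
            continue
        if current is None:
            continue                      # detail line with no header: ignore
        key, name = current
        s = STAT_RE.match(line)
        if s:
            entries.append(StartupEntry(key, name, s.group(5), True))
        else:
            entries.append(StartupEntry(key, name, line, False))
        current = None
    return entries


def triage(entries):
    """Attach indicator tags; order is fixed so results are easy to compare."""
    for e in entries:
        base = e.path.rsplit("\\", 1)[-1]
        if base.lower().endswith(".dll"):
            e.indicators.append("dll_target")      # a Run-style item cannot "run" a DLL
        if RANDOM_KEY_RE.match(e.name):
            e.indicators.append("random_key")
        if SPACE_EXT_RE.search(base):
            e.indicators.append("space_before_ext")
        if not e.present:
            e.indicators.append("file_missing")
    return entries


# Indicators strong enough to propose removal on their own; the rest are for review.
REMOVE_INDICATORS = {"dll_target", "random_key"}


def build_fix_reg(entries, also_remove=()):
    """Return REGEDIT4 text deleting flagged keys plus any names the analyst adds.

    REGEDIT4 is the ANSI .reg header; a "[-key]" section deletes that key.
    """
    names = set(also_remove)
    names.update(e.name for e in entries if REMOVE_INDICATORS & set(e.indicators))
    lines = ["REGEDIT4", ""]
    for e in entries:
        if e.name in names:
            lines.extend([f"[-{e.key}]", ""])
    return "\r\n".join(lines)


if __name__ == "__main__":
    found = triage(parse_startupreg(SAMPLE_LOG))
    for e in found:
        print(f"{e.name:20} {','.join(e.indicators) or '-':40} {e.path}")
    print(build_fix_reg(found, also_remove=["Load", "Spyware remover"]))
```

Treat the output as a worksheet, not a verdict: `msconfig\startupreg` keys only record items that were disabled through MSConfig, so deleting the key removes the startup record and leaves the file on disk, which is why the scanner (Avira, later in this thread) still has to delete files such as Remove_spyware.exe.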

#9 footstep101
  • Topic Starter
  • Members
  • 33 posts
  • Local time:05:54 AM

Posted 06 June 2008 - 04:33 PM

I merged the .reg file, and I un-installed ComboFix. But when I clicked on the hyperlink to Kaspersky in your last post, I got a 404 Not Found error. I'm using Mozilla Firefox; do I need to be using IE7?

#10 footstep101
  • Topic Starter
  • Members
  • 33 posts
  • Local time:05:54 AM

Posted 06 June 2008 - 06:14 PM

Windows automatically wanted me to update to IE7, so I updated, and used it to try to go to the Kaspersky website. I tried to do a scan, allowed it to install and approved ActiveX etc. It said "Failed to load Kaspersky Online Scanner ActiveX control. You must have administrative rights on this computer; you must also have the IE security settings to the medium level."

I then set the security setting to Medium and tried again. The second time, I got the very same message.

So I performed a scan with Spy Sweeper, and it found the presence of Virtumonde!

In a moment, I'll try to post an Avira log and a HijackThis log.

#11 footstep101
  • Topic Starter
  • Members
  • 33 posts
  • Local time:05:54 AM

Posted 06 June 2008 - 08:02 PM

Avira log:



Avira AntiVir Personal
Report file date: Friday, June 06, 2008 19:15

Scanning for 1311701 virus strains and unwanted programs.

Licensed to: Avira AntiVir PersonalEdition Classic
Serial number: 0000149996-ADJIE-0001
Platform: Windows XP
Windows version: (Service Pack 2) [5.1.2600]
Boot mode: Normally booted
Username: SYSTEM
Computer name: KELLNER

Version information:
BUILD.DAT : 8.1.00.295 16479 Bytes 4/9/2008 16:24:00
AVSCAN.EXE : 8.1.2.12 311553 Bytes 3/18/2008 15:02:56
AVSCAN.DLL : 8.1.1.0 53505 Bytes 2/7/2008 14:43:37
LUKE.DLL : 8.1.2.9 151809 Bytes 2/28/2008 14:41:23
LUKERES.DLL : 8.1.2.1 12033 Bytes 2/21/2008 14:28:40
ANTIVIR0.VDF : 6.40.0.0 11030528 Bytes 7/18/2007 16:33:34
ANTIVIR1.VDF : 7.0.3.2 5447168 Bytes 3/7/2008 19:08:58
ANTIVIR2.VDF : 7.0.4.120 2206720 Bytes 6/1/2008 05:36:17
ANTIVIR3.VDF : 7.0.4.150 124416 Bytes 6/5/2008 05:36:19
Engineversion : 8.1.0.51
AEVDF.DLL : 8.1.0.5 102772 Bytes 2/25/2008 15:58:21
AESCRIPT.DLL : 8.1.0.37 270715 Bytes 6/6/2008 05:36:33
AESCN.DLL : 8.1.0.20 119157 Bytes 6/6/2008 05:36:32
AERDL.DLL : 8.1.0.20 418165 Bytes 6/6/2008 05:36:31
AEPACK.DLL : 8.1.1.5 364918 Bytes 6/6/2008 05:36:29
AEOFFICE.DLL : 8.1.0.18 192890 Bytes 6/6/2008 05:36:27
AEHEUR.DLL : 8.1.0.29 1253750 Bytes 6/6/2008 05:36:26
AEHELP.DLL : 8.1.0.15 115063 Bytes 6/6/2008 05:36:23
AEGEN.DLL : 8.1.0.25 307573 Bytes 6/6/2008 05:36:23
AEEMU.DLL : 8.1.0.6 430451 Bytes 6/6/2008 05:36:21
AECORE.DLL : 8.1.0.30 168311 Bytes 6/6/2008 05:36:20
AVWINLL.DLL : 1.0.0.7 14593 Bytes 1/23/2008 23:07:53
AVPREF.DLL : 8.0.0.1 25857 Bytes 2/18/2008 16:37:50
AVREP.DLL : 7.0.0.1 155688 Bytes 4/16/2007 19:26:47
AVREG.DLL : 8.0.0.0 30977 Bytes 1/23/2008 23:07:49
AVARKT.DLL : 1.0.0.23 307457 Bytes 2/12/2008 14:29:23
AVEVTLOG.DLL : 8.0.0.11 114945 Bytes 2/28/2008 14:31:31
SQLITE3.DLL : 3.3.17.1 339968 Bytes 1/22/2008 23:28:02
SMTPLIB.DLL : 1.2.0.19 28929 Bytes 1/23/2008 23:08:39
NETNT.DLL : 8.0.0.1 7937 Bytes 1/25/2008 18:05:10
RCIMAGE.DLL : 8.0.0.35 2371841 Bytes 3/10/2008 20:37:25
RCTEXT.DLL : 8.0.32.0 86273 Bytes 3/6/2008 18:02:11

Configuration settings for the scan:
Jobname..........................: Complete system scan
Configuration file...............: c:\program files\avira\antivir personaledition classic\sysscan.avp
Logging..........................: low
Primary action...................: interactive
Secondary action.................: ignore
Scan master boot sector..........: on
Scan boot sector.................: on
Boot sectors.....................: C:,
Scan memory......................: on
Process scan.....................: on
Scan registry....................: on
Search for rootkits..............: off
Scan all files...................: Intelligent file selection
Scan archives....................: on
Recursion depth..................: 20
Smart extensions.................: on
Macro heuristic..................: on
File heuristic...................: medium

Start of the scan: Friday, June 06, 2008 19:15

The scan of running processes will be started
Scan process 'avwsc.exe' - '0' Module(s) have been scanned
Scan process 'avscan.exe' - '1' Module(s) have been scanned
Scan process 'avcenter.exe' - '1' Module(s) have been scanned
Scan process 'ssu.exe' - '1' Module(s) have been scanned
Scan process 'firefox.exe' - '1' Module(s) have been scanned
Scan process 'ctfmon.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeperUI.exe' - '1' Module(s) have been scanned
Scan process 'avgnt.exe' - '1' Module(s) have been scanned
Scan process 'alg.exe' - '1' Module(s) have been scanned
Scan process 'EM_EXEC.EXE' - '1' Module(s) have been scanned
Scan process 'jusched.exe' - '1' Module(s) have been scanned
Scan process 'WasherSvc.exe' - '1' Module(s) have been scanned
Scan process 'SpySweeper.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'nvsvc32.exe' - '1' Module(s) have been scanned
Scan process 'NMSSvc.Exe' - '1' Module(s) have been scanned
Scan process 'KodakCCS.exe' - '1' Module(s) have been scanned
Scan process 'CCEVTMGR.EXE' - '1' Module(s) have been scanned
Scan process 'explorer.exe' - '1' Module(s) have been scanned
Scan process 'avguard.exe' - '1' Module(s) have been scanned
Scan process 'sched.exe' - '1' Module(s) have been scanned
Scan process 'spoolsv.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'svchost.exe' - '1' Module(s) have been scanned
Scan process 'lsass.exe' - '1' Module(s) have been scanned
Scan process 'services.exe' - '1' Module(s) have been scanned
Scan process 'winlogon.exe' - '1' Module(s) have been scanned
Scan process 'csrss.exe' - '1' Module(s) have been scanned
Scan process 'smss.exe' - '1' Module(s) have been scanned
31 processes with 31 modules were scanned

Starting master boot sector scan:
Master boot sector HD0
[INFO] No virus was found!
Master boot sector HD1
[INFO] No virus was found!
[WARNING] The device is not ready.

Start scanning boot sectors:
Boot sector 'C:\'
[INFO] No virus was found!

Starting to scan the registry.
The registry was scanned ( '17' files ).


Starting the file scan:

Begin scan in 'C:\'
C:\hiberfil.sys
[WARNING] The file could not be opened!
C:\pagefile.sys
[WARNING] The file could not be opened!
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\archive.jar-2e034747-6577ef03.zip
[0] Archive type: ZIP
--> BlackBox.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ClassLoade.Z.1
--> VB.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ClassLoade.Z.2
--> Dummy.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ByteEver.B.2
--> Beyond.class
[DETECTION] Contains detection pattern of the Java virus JAVA/ByteEver.B.4
[DETECTION] Contains detection pattern of the Java virus JAVA/ClassLoade.Z.1
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\count.jar-290ed5ef-4a987bf2.zip
[0] Archive type: ZIP
--> BlackBox.class
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.2
--> VerifierBug.class
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.4
--> Dummy.class
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.3
--> Beyond.class
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.1
[DETECTION] Contains detection pattern of the Java virus JAVA/BlackBox.AA.2
[NOTE] The file was deleted!
C:\Documents and Settings\Owner\.jpi_cache\jar\1.0\javainstaller.jar-4514e5ea-30afa06e.zip
[0] Archive type: ZIP
--> javainstaller/InstallerApplet.class
[DETECTION] Contains detection pattern of the Java virus JAVA/OpenStream.W
[DETECTION] Contains detection pattern of the Java virus JAVA/OpenStream.W
[NOTE] The file was deleted!
C:\Program Files\Panicware\Pop-Up Stopper\dpps2.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\Program Files\QuickTime\qttask.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP529\A0083298.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\System Volume Information\_restore{30F71744-7195-4A81-BC43-76AFE6B4AF0F}\RP529\A0083299.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINNT\Remove_spyware.exe
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!
C:\WINNT\PCHealth\HelpCtr\Binaries\msconfig.exe.tmp
[0] Archive type: RSRC
--> Object
[DETECTION] Is the Trojan horse TR/Vundo.Gen
[NOTE] The file was deleted!


End of the scan: Friday, June 06, 2008 20:35
Used time: 1:20:39 min

The scan has been done completely.

7487 Scanning directories
266434 Files were scanned
18 viruses and/or unwanted programs were found
0 Files were classified as suspicious:
9 files were deleted
0 files were repaired
0 files were moved to quarantine
0 files were renamed
2 Files cannot be scanned
266416 Files not concerned
7002 Archives were scanned
3 Warnings
9 Notes



HijackThis Log:

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:59:38 PM, on 6/6/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16640)
Boot mode: Normal

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\system32\spoolsv.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\drivers\KodakCCS.exe
C:\WINNT\System32\NMSSvc.exe
C:\WINNT\System32\nvsvc32.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
C:\Program Files\Webroot\Washer\WasherSvc.exe
C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe
C:\Program Files\Logitech\MouseWare\system\em_exec.exe
C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe
C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe
C:\WINNT\system32\ctfmon.exe
C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
C:\WINNT\system32\notepad.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://www.earthlink.net/partner/more/msie...ton/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
N3 - Netscape 7: # Mozilla User Preferences

/* Do not edit this file.
*
* If you make changes to this file while the browser is running,
* the changes will be overwritten when the browser exits.
*
* To make a manual change to preferences, you can visit the URL about:config
* For more information, see http://www.mozilla.org/unix/customizing.html#prefs
*/

user_pref("browser.activation.checkedNNFlag", true);
user_pref("browser.bookmarks.added_static_root", true);
user_pref("browser.history.last_page_visited", "");
user_pref("browser.search.defaultengine", "engine://C%3A%5CProgram%20Files%5CNetscape%5CNetscape%5Csearchplugins%5CSBWeb_01.src");
user_pref("browser.startup.homepage_override.mstone", "rv:1.4");
user_pref("browser.turbo.showDialog", false);
user_pref("dom.disable_open_during_load", true);
user_pref("intl.charsetmenu.browser.cache", "windows-1252, UTF-8, ISO-8859-1");
user_pref("prefs.converted-to-utf8", true);
user_pref("privacy.popups.first_popup", false);
user_pref("privacy.popups.prefill_w
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: PnIEBrowserHelperObj Class - {4B5F2E08-6F39-479a-B547-B2026E4C7EDF} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: EarthLink Toolbar - {D7F30B62-8269-41AF-9539-B2697FA7D77E} - C:\Program Files\EarthLink TotalAccess\PnEL.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.5.0_09\bin\jusched.exe"
O4 - HKLM\..\Run: [Logitech Utility] Logi_MwX.Exe
O4 - HKLM\..\Run: [avgnt] "C:\Program Files\Avira\AntiVir PersonalEdition Classic\avgnt.exe" /min
O4 - HKLM\..\Run: [SpySweeper] C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe /startintray
O4 - HKCU\..\Run: [Microsoft Works Update Detection] C:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINNT\system32\ctfmon.exe
O4 - HKUS\S-1-5-18\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [MySpaceIM] C:\Program Files\MySpace\IM\MySpaceIM.exe (User 'Default user')
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MI1933~1\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_05\bin\ssv.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\Program Files\ICQ\ICQ.exe
O9 - Extra button: Instant Messenger (SM) - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\program files\earthlinkim\aim.exe
O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - C:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINNT\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {29B2C103-AB53-4971-B765-FC1CE5D8B2D1} - http://www.silvercrk.com/php/hweuchre_scec...5936_947432.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akamai.net/7/1540/52/200212...meInstaller.exe
O16 - DPF: {511073AD-BE56-4D43-AE68-93390514385E} (TechToolsActivex.TechTools) - hcp://system/TechTools.CAB
O16 - DPF: {739E8D90-2F4C-43AD-A1B8-66C356FCEA35} (RunExeActiveX.RunExe) - hcp://system/RunExeActiveX.CAB
O16 - DPF: {7A32634B-029C-4836-A023-528983982A49} - http://fdl.msn.com/public/chat/msnchat42.cab
O16 - DPF: {99CDFD87-F97A-42E1-9C13-D18220D90AD1} (StartFirstControl.CheckFirst) - hcp://system/StartFirstControl.CAB
O20 - AppInit_DLLs: C:\PROGRA~1\Google\GOOGLE~3\GOEC62~1.DLL
O23 - Service: Avira AntiVir Personal – Free Antivirus Scheduler (AntiVirScheduler) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\sched.exe
O23 - Service: Avira AntiVir Personal – Free Antivirus Guard (AntiVirService) - Avira GmbH - C:\Program Files\Avira\AntiVir PersonalEdition Classic\avguard.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: iPodService - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Kodak Camera Connection Software (KodakCCS) - Eastman Kodak Company - C:\WINNT\system32\drivers\KodakCCS.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINNT\System32\NMSSvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINNT\System32\nvsvc32.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINNT\System32\HPZipm12.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Webroot Spy Sweeper Engine (WebrootSpySweeperService) - Webroot Software, Inc. - C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe
O23 - Service: Window Washer Engine (wwEngineSvc) - Webroot Software, Inc. - C:\Program Files\Webroot\Washer\WasherSvc.exe
O24 - Desktop Component 0: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10090968.jpg
O24 - Desktop Component 1: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10032246.jpg
O24 - Desktop Component 2: (no name) - http://a1259.g.akamai.net/f/1259/5586/1d/i...00/10091030.jpg

--
End of file - 10097 bytes

#12 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 07 June 2008 - 12:42 AM

I see that Avira already deleted the leftovers.

How are things now?
AntispywareScanners---Antivirus Scanners---Firewalls---Online Scanners---Prevention---Help! My computer is slow---My Blog---Follow me on Twitter.
My help is ALWAYS FREE, but if you want to donate to help me continue my fight against malware -- click here!
Asking for help via Private Message or Mail will be ignored - So If you need help, post your problem in the forum.

#13 footstep101

footstep101
  • Topic Starter

  • Members
  • 33 posts
  • Local time:05:54 AM

Posted 07 June 2008 - 01:29 AM

The computer has been acting very slowly, as it has been for a while. Perhaps it's my paranoia, but it doesn't seem as though I've gotten rid of virtumonde. As I said in my last post, my last sweep with spy sweeper picked up evidence of the virus.

In addition, why can't I run Kaspersky? I tried to do everything it asked, but I was not able to do it. Do you have any suggestions? I tried to follow your instructions very closely, but as I said, your hyperlink didn't work. And even when I put IE7's security level to medium, I couldn't make it run. Should I be worried about that?

It is just my opinion, but it seems as though every time I re-boot, the virus re-infects my computer.

I know very little about these things, and of course, I will listen to your expert advice. However, it seems to me that I'm still infected, but you seem to think that this latest scan by Avira has taken care of the problem.

#14 footstep101

footstep101
  • Topic Starter

  • Members
  • 33 posts
  • Local time:05:54 AM

Posted 07 June 2008 - 01:35 AM

By the way, are you in the United States, or in Europe? I don't know what kind of hours you keep. When is the best time to work on my problem? Of course, I'd like to work with your schedule; whenever is most convenient to you. Thanks again.

#15 miekiemoes

miekiemoes

    Malware Killer Dog


  • Malware Response Team
  • 19,420 posts
  • Gender:Female
  • Location:Belgium
  • Local time:11:54 AM

Posted 07 June 2008 - 03:08 PM

I'm in Europe, Belgium - and currently I can't run the Kaspersky scan either - so it's not your problem.

Try the next steps, please.

* Go here to run an online scanner from ESET.
  • Note: You will need to use Internet Explorer for this scan.
  • Tick the box next to YES, I accept the Terms of Use.
  • Click Start
  • When asked, allow the ActiveX control to install.
  • Click Start
  • Check the next options: Remove found threats and Scan unwanted applications.
  • Click Scan
  • Wait for the scan to finish
  • Use notepad to open the logfile located at C:\Program Files\EsetOnlineScanner\log.txt
  • Copy and paste that log in your next reply and also let me know how things are now.
For the slow computer issue - well, Spysweeper is not my favo scanner either since I know it slows things down.
You may want to read the following links:
What Really Slows Windows Down
Help! My computer is slow!