
Thread: need help with adware/trojan

#1 Junior Member (joined Jan 2009, 4 posts)

need help with adware/trojan

Recently I downloaded a trial version of Kaspersky Anti-Virus, and the day it expired it started finding a ton of adware/trojans etc. I thought this was terribly ironic and figured it could be a sign to just pay for the full version to clean it all up. It cleaned up most of them, but there are a couple that just won't go away. Here are the symptoms: for a couple of days I wasn't able to log into Windows, as the user selection screen would just freeze up and it would take 2 or 3 reboots for it to let me in. A ton of pop-up ads every couple of minutes. 3 times I've gotten the screen that says your computer is going to reboot in 60 seconds. Firefox crashes about once every 30 minutes or so when used continuously.

    Thanks for any help!

    Here is my HJT log:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:06:09 PM, on 1/14/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\Philips\SPC230NC\Monitor.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\Philips\Philips SPC230NC Webcam\TrayMin230.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\mIRC\mirc.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\WINDOWS\system32\msiexec.exe
    C:\Documents and Settings\Lester\Desktop\HiJackThis.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16314
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKLM\..\Run: [SPC230NC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
    O4 - HKLM\..\Run: [SPC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [Ugiwavecazucu] rundll32.exe "C:\WINDOWS\abutijokilomini.dll",e
    O4 - HKLM\..\Run: [0c77c675] rundll32.exe "C:\WINDOWS\system32\krhsgcyu.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - Global Startup: TrayMin230.lnk = ?
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: www.vectorvest.com
    O15 - Trusted Zone: http://www.vectorvest.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.vectorvest.com/install/vvonlineus/setup.exe
    O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,wbsys.dll c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll gwqwuj.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

    --
    End of file - 9254 bytes

#2 Security Expert-Emeritus, Finland (joined Oct 2006, 3,934 posts)

Hello kinggfx and welcome to the Forums.
Sorry for the wait.

You got something there.

Okay, we'll start with this:

Rename HijackThis.exe to skanneri.exe by doing the following:

Create a new folder on the desktop named HijackThis.
Copy & paste the HijackThis.exe file into the folder.

• Right-click on HijackThis.exe
• Choose "Rename" from the pull-down menu
• Now rename HijackThis.exe to skanneri.exe
• When you've renamed HijackThis, open it again.
• Take a fresh HijackThis log (click "Do a system scan and save a log file")
• Post the fresh HijackThis log here.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

#3 Junior Member (joined Jan 2009, 4 posts)

Here is the new log file from the skanneri.exe HJT:

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 5:41:47 PM, on 1/19/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\WINDOWS\Explorer.EXE
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\WINDOWS\System32\TuneUpDefragService.exe
    C:\WINDOWS\system32\wisptis.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\WINDOWS\system32\rundll32.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Documents and Settings\Lester\Desktop\HijackThis\skanneri.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=54729
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16314
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgGwtQhf.dll
    O2 - BHO: {0e6d94dd-d2bf-d098-7d14-1e64b5d4b13a} - {a31b4d5b-46e1-41d7-890d-fb2ddd49d6e0} - C:\WINDOWS\system32\kzdftj.dll
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O2 - BHO: (no name) - {C1790ADF-BBE8-4A17-8C97-FDE6541E6258} - C:\WINDOWS\system32\awtrSLdC.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKLM\..\Run: [SPC230NC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
    O4 - HKLM\..\Run: [SPC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [Ugiwavecazucu] rundll32.exe "C:\WINDOWS\abutijokilomini.dll",e
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [Swaqezu] rundll32.exe "C:\WINDOWS\Fcisoceq.dll",e
    O4 - HKLM\..\Run: [0c77c675] rundll32.exe "C:\WINDOWS\system32\pjuktagi.dll",b
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    O4 - Global Startup: TrayMin230.lnk = ?
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: www.vectorvest.com
    O15 - Trusted Zone: http://www.vectorvest.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.vectorvest.com/install/vvonlineus/setup.exe
    O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,wbsys.dll c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll kzdftj.dll
    O20 - Winlogon Notify: hgGwtQhf - C:\WINDOWS\SYSTEM32\hgGwtQhf.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Hyperdesk Theme Enabler (HdThemeEnabler) - The Skins Factory, Inc. - C:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

    --
    End of file - 10032 bytes
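The two logs above carry the entries a removal helper reads for by eye: rundll32 launching a DLL from the Windows root by a one-letter export, BHOs with no name or a GUID for a name, a bare filename tacked onto AppInit_DLLs, a Winlogon Notify package, and a Run value ([0c77c675]) whose DLL changes between logs. The script below is an added example, not code from this thread or from the HijackThis or ComboFix projects, and the heuristics are the editor's own rather than HijackThis rules. The sample input is a constructed excerpt copied from the 14 Jan and 19 Jan logs posted above; the two "safe" Kaspersky/NVIDIA/Google lines are kept in it to show what is not flagged.

```python
"""Added example: triage HijackThis (HJT) log lines and diff Run values across logs."""
import re

# HJT 2.0.2 line shapes used here (regexes are this example's, not HJT's).
O4_RE = re.compile(r'^O4 - (?P<hive>HK\w+)\\\.\.\\Run: \[(?P<name>[^\]]+)\] (?P<cmd>.*)$')
RUNDLL_RE = re.compile(r'rundll32\.exe\s+"?(?P<dll>[^",]+?)"?\s*,(?P<export>\S+)', re.IGNORECASE)
O2_RE = re.compile(r'^O2 - BHO: (?P<name>.*?) - \{(?P<clsid>[0-9A-Fa-f-]+)\} - (?P<path>.*)$')
GUID_RE = re.compile(r'^\{[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$', re.IGNORECASE)
APPINIT_RE = re.compile(r'^O20 - AppInit_DLLs: (?P<value>.*)$')
NOTIFY_RE = re.compile(r'^O20 - Winlogon Notify: (?P<key>\S+) - (?P<path>.*)$')

# Constructed sample: lines copied from the 14 Jan and 19 Jan logs in this thread.
LOG_JAN14 = r"""
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
O4 - HKLM\..\Run: [Ugiwavecazucu] rundll32.exe "C:\WINDOWS\abutijokilomini.dll",e
O4 - HKLM\..\Run: [0c77c675] rundll32.exe "C:\WINDOWS\system32\krhsgcyu.dll",b
O20 - AppInit_DLLs: c:\progra~1\google\google~1\goec62~1.dll,wbsys.dll c:\progra~1\google\google~1\goec62~1.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd.dll,c:\progra~1\kasper~1\kasper~1\mzvkbd3.dll,c:\progra~1\kasper~1\kasper~1\adialhk.dll,c:\progra~1\kasper~1\kasper~1\kloehk.dll gwqwuj.dll
"""
LOG_JAN19 = r"""
O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgGwtQhf.dll
O2 - BHO: {0e6d94dd-d2bf-d098-7d14-1e64b5d4b13a} - {a31b4d5b-46e1-41d7-890d-fb2ddd49d6e0} - C:\WINDOWS\system32\kzdftj.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
O4 - HKLM\..\Run: [Ugiwavecazucu] rundll32.exe "C:\WINDOWS\abutijokilomini.dll",e
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Swaqezu] rundll32.exe "C:\WINDOWS\Fcisoceq.dll",e
O4 - HKLM\..\Run: [0c77c675] rundll32.exe "C:\WINDOWS\system32\pjuktagi.dll",b
O20 - Winlogon Notify: hgGwtQhf - C:\WINDOWS\SYSTEM32\hgGwtQhf.dll
"""


def triage(log_text):
    """Return [(line, [reason, ...]), ...] for entries that deserve a second look."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        reasons = []
        m = O4_RE.match(line)
        if m:
            r = RUNDLL_RE.search(m.group('cmd'))
            if r:
                dll, export = r.group('dll'), r.group('export')
                if len(export) == 1:                      # ",e" / ",b" style ordinal-ish entry point
                    reasons.append('rundll32 calls a one-letter export (%s)' % export)
                if dll.lower().rsplit('\\', 1)[0] == 'c:\\windows':  # dropped straight into the Windows root
                    reasons.append('DLL sits directly in the Windows root: %s' % dll)
        m = O2_RE.match(line)
        if m and (m.group('name') == '(no name)' or GUID_RE.match(m.group('name'))):
            reasons.append('BHO with no readable name: %s' % m.group('path'))
        m = APPINIT_RE.match(line)
        if m:
            for token in re.split(r'[,\s]+', m.group('value')):
                if token and '\\' not in token:           # bare name: resolved via the loader search path
                    reasons.append('AppInit_DLLs bare filename, verify publisher: %s' % token)
        m = NOTIFY_RE.match(line)
        if m:                                             # anything here runs inside winlogon.exe
            reasons.append('Winlogon Notify package: %s' % m.group('path'))
        if reasons:
            findings.append((line, reasons))
    return findings


def run_value_history(logs):
    """Map (hive, Run value name) -> distinct commands seen across successive logs.

    Only names whose payload changed are returned; a constant value name that
    keeps pointing at a freshly named DLL is how a self-renaming loader shows up.
    """
    history = {}
    for text in logs:
        for raw in text.splitlines():
            m = O4_RE.match(raw.strip())
            if not m:
                continue
            cmds = history.setdefault((m.group('hive'), m.group('name')), [])
            if m.group('cmd') not in cmds:
                cmds.append(m.group('cmd'))
    return {key: cmds for key, cmds in history.items() if len(cmds) > 1}


if __name__ == '__main__':
    for label, text in (('14 Jan', LOG_JAN14), ('19 Jan', LOG_JAN19)):
        print('== %s ==' % label)
        for line, reasons in triage(text):
            print(line)
            for why in reasons:
                print('    ->', why)
    print('== Run values whose payload changed between logs ==')
    for (hive, name), cmds in run_value_history([LOG_JAN14, LOG_JAN19]).items():
        print('%s [%s]:' % (hive, name))
        for cmd in cmds:
            print('    ', cmd)
```

Run it as-is to see the flagged lines; to use it on a full log, replace the sample strings with the file contents. The AppInit_DLLs rule deliberately flags every bare filename, including ones that may be legitimate (wbsys.dll is flagged along with gwqwuj.dll), because a bare name is resolved through the loader search path and has to be checked against a known-good copy rather than trusted on sight.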

#4 Security Expert-Emeritus, Finland (joined Oct 2006, 3,934 posts)

Okay, let's start the cleaning...

    We will begin with ComboFix.exe. Please visit this webpage for download links, and instructions for running the tool:

    http://www.bleepingcomputer.com/comb...o-use-combofix


    * Ensure you have disabled all anti virus and anti malware programs so they do not interfere with the running of ComboFix.

    Please include the C:\ComboFix.txt in your next reply for further review along with a fresh HijackThis log.

#5 Junior Member (joined Jan 2009, 4 posts)

    -- fresh HJT log --
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 11:57:49 PM, on 1/20/2009
    Platform: Windows XP SP2 (WinNT 5.01.2600)
    MSIE: Internet Explorer v7.00 (7.00.5700.0006)
    Boot mode: Normal

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\LEXBCES.EXE
    C:\WINDOWS\system32\spoolsv.exe
    C:\WINDOWS\system32\LEXPPS.EXE
    C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\Program Files\Bonjour\mDNSResponder.exe
    C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    C:\WINDOWS\system32\nvsvc32.exe
    C:\WINDOWS\system32\PnkBstrA.exe
    C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\TUProgSt.exe
    C:\PROGRA~1\COMMON~1\Stardock\SDMCP.exe
    C:\WINDOWS\system32\wscntfy.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\iTunes\iTunesHelper.exe
    C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Philips\SPC230NC\Monitor.exe
    C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe
    C:\WINDOWS\system32\ctfmon.exe
    C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
    C:\Program Files\iPod\bin\iPodService.exe
    C:\Program Files\Philips\Philips SPC230NC Webcam\TrayMin230.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Mozilla Firefox\firefox.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    C:\Documents and Settings\Lester\Desktop\HijackThis\skanneri.exe.exe

    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=55245&clcid={SUB_CLCID}
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://us.mcafee.com/root/campaign.asp?cid=16314
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
    O2 - BHO: (no name) - {0105A3B6-6E75-4B34-9B9E-5DAA8434E460} - C:\WINDOWS\system32\awtrSLdC.dll
    O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
    O2 - BHO: (no name) - {6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C} - C:\WINDOWS\system32\hgGwtQhf.dll
    O2 - BHO: {41ce8d87-3e90-5ada-76c4-cc1fbda93e87} - {78e39adb-f1cc-4c67-ada5-09e378d8ec14} - C:\WINDOWS\system32\rvvgqo.dll (file missing)
    O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar4.dll
    O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\3.1.807.1746\swg.dll
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar4.dll
    O3 - Toolbar: Ask Toolbar - {3041d03e-fd4b-44e0-b742-2d9b88305f98} - C:\Program Files\AskBarDis\bar\bin\askBar.dll
    O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
    O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\QTTask.exe" -atboottime
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe"
    O4 - HKLM\..\Run: [SPC230NC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
    O4 - HKLM\..\Run: [SPC_Monitor] C:\WINDOWS\Philips\SPC230NC\Monitor.exe
    O4 - HKLM\..\Run: [MaxMenuMgr] "C:\Program Files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe"
    O4 - HKLM\..\Run: [Ugiwavecazucu] rundll32.exe "C:\WINDOWS\abutijokilomini.dll",e
    O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\system32\NvCpl.dll,NvStartup
    O4 - HKLM\..\Run: [0c77c675] rundll32.exe "C:\WINDOWS\system32\bvoerscx.dll",b
    O4 - HKLM\..\Run: [combofix] C:\WINDOWS\system32\CF32029.exe /c C:\ComboFix\Combobatch.bat
    O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
    O4 - Startup: Yahoo! Widgets.lnk = C:\Program Files\Yahoo!\Widgets\YahooWidgets.exe
    O4 - Global Startup: TrayMin230.lnk = ?
    O8 - Extra context menu item: Add to Banner Ad Blocker - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office12\EXCEL.EXE/3000
    O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0\bin\npjpi150.dll
    O9 - Extra button: Web traffic protection statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\SCIEPlgn.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~4\OFFICE11\REFIEBAR.DLL
    O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
    O9 - Extra button: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra 'Tools' menuitem: PartyPoker.com - {B7FE5D70-9AA2-40F1-9C6B-12A255F085E1} - C:\Program Files\PartyGaming\PartyPoker\RunApp.exe (file missing)
    O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\system32\Shdocvw.dll
    O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
    O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
    O10 - Unknown file in Winsock LSP: c:\windows\system32\nwprovau.dll
    O15 - Trusted Zone: www.vectorvest.com
    O15 - Trusted Zone: http://www.vectorvest.com
    O16 - DPF: {238F6F83-B8B4-11CF-8771-00A024541EE3} (Citrix ICA Client) - http://a516.g.akamai.net/f/516/25175...at-no-eula.cab
    O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
    O16 - DPF: {4D7F48C0-CB49-4EA6-97D4-04F4EACC2F3B} - http://www.vectorvest.com/install/vvonlineus/setup.exe
    O20 - Winlogon Notify: hgGwtQhf - C:\WINDOWS\SYSTEM32\hgGwtQhf.dll
    O22 - SharedTaskScheduler: IE Component Categories cache daemon - {553858A7-4922-4e7e-B1C1-97140C1C16EF} - C:\WINDOWS\system32\ieframe.dll
    O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
    O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
    O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
    O23 - Service: Kaspersky Internet Security (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: DSBrokerService - Unknown owner - C:\Program Files\DellSupport\brkrsvc.exe
    O23 - Service: Seagate Service (FreeAgentGoNext Service) - Seagate Technology LLC - C:\Program Files\Seagate\SeagateManager\Sync\FreeAgentService.exe
    O23 - Service: GoogleDesktopManager - Google - C:\Program Files\Google\Google Desktop Search\GoogleDesktop.exe
    O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
    O23 - Service: Hyperdesk Theme Enabler (HdThemeEnabler) - The Skins Factory, Inc. - C:\Program Files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe
    O23 - Service: Intel(R) Matrix Storage Event Monitor (IAANTMon) - Intel Corporation - C:\Program Files\Intel\Intel Matrix Storage Manager\iaantmon.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
    O23 - Service: Intel NCS NetService (NetSvc) - Intel(R) Corporation - C:\Program Files\Intel\PROSetWired\NCS\Sync\NetSvc.exe
    O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\system32\nvsvc32.exe
    O23 - Service: PnkBstrA - Unknown owner - C:\WINDOWS\system32\PnkBstrA.exe
    O23 - Service: StarWind iSCSI Service (StarWindService) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    O23 - Service: TuneUp Drive Defrag Service (TuneUp.Defrag) - TuneUp Software - C:\WINDOWS\System32\TuneUpDefragService.exe
    O23 - Service: TuneUp Program Statistics Service (TuneUp.ProgramStatisticsSvc) - TuneUp Software - C:\WINDOWS\System32\TUProgSt.exe

    --
    End of file - 10585 bytes


    -- combofix log --

    ComboFix 09-01-19.05 - Lester 2009-01-20 23:10:19.1 - NTFSx86
    Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.2046.1565 [GMT -5:00]
    Running from: c:\documents and settings\Lester\Desktop\ComboFix.exe
    AV: Kaspersky Internet Security *On-access scanning disabled* (Updated)
    FW: Kaspersky Internet Security *enabled*
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    c:\windows\system32\acowxlku.ini
    c:\windows\system32\arjhoilf.ini
    c:\windows\system32\bjosduqb.ini
    c:\windows\system32\bszip.dll
    c:\windows\system32\bvoerscx.dll
    c:\windows\system32\bwgwpfvb.dll
    c:\windows\system32\CdLSrtwa.ini
    c:\windows\system32\CdLSrtwa.ini2
    c:\windows\system32\drivers\seneka.sys
    c:\windows\system32\drivers\senekakdcriyli.sys
    c:\windows\system32\evbldq.dll
    c:\windows\system32\fhwqqoba.ini
    c:\windows\system32\frmwrk32.exe
    c:\windows\system32\fsoibxln.ini
    c:\windows\system32\gfqfsh.dll
    c:\windows\system32\igatkujp.ini
    c:\windows\system32\iqrqutph.ini
    c:\windows\system32\itenjyuh.dll
    c:\windows\system32\jxdlvbce.ini
    c:\windows\system32\kftsahmy.ini
    c:\windows\system32\kqtgaa.dll
    c:\windows\system32\kzdftj.dll
    c:\windows\system32\mcrh.tmp
    c:\windows\system32\nmyechth.ini
    c:\windows\system32\oruabbfy.ini
    c:\windows\system32\rpytvtwx.ini
    c:\windows\system32\rvvgqo.dll
    c:\windows\system32\senekadf.dat
    c:\windows\system32\senekadsmprkrk.dat
    c:\windows\system32\senekafeiitcom.dll
    c:\windows\system32\senekakwwrpidx.dll
    c:\windows\system32\senekalog.dat
    c:\windows\system32\tteloxie.dll
    c:\windows\system32\uDJTAaKj.ini
    c:\windows\system32\uDJTAaKj.ini2
    c:\windows\system32\udqwejgl.dll
    c:\windows\system32\uycgshrk.ini
    c:\windows\system32\wxjugmjs.dll
    c:\windows\system32\xcsreovb.ini
    c:\windows\system32\yvvigidg.ini
    G:\Autorun.inf
    c:\windows\system32\awtrSLdC.dll . . . . failed to delete

    .
    ((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    -------\Service_SENEKA


    ((((((((((((((((((((((((( Files Created from 2008-12-21 to 2009-01-21 )))))))))))))))))))))))))))))))
    .

    2009-01-20 23:06 . 2009-01-20 23:24 180 --ahs---- c:\windows\klif.spi
    2009-01-17 18:33 . 2009-01-17 18:33 <DIR> d-------- c:\program files\Microsoft Silverlight
    2009-01-17 08:35 . 2009-01-17 08:35 268 --ah----- C:\sqmdata13.sqm
    2009-01-17 08:35 . 2009-01-17 08:35 244 --ah----- C:\sqmnoopt13.sqm
    2009-01-16 20:40 . 2009-01-20 23:25 127,488 --a------ c:\windows\system32\qpklmvkg.dll
    2009-01-16 20:40 . 2009-01-20 23:26 127,488 --a------ c:\windows\system32\mtbryu.dll
    2009-01-16 12:00 . 2009-01-16 12:00 268 --ah----- C:\sqmdata12.sqm
    2009-01-16 12:00 . 2009-01-16 12:00 244 --ah----- C:\sqmnoopt12.sqm
    2009-01-16 08:04 . 2009-01-16 08:04 41,984 --a------ c:\windows\system32\chert5-998.exe
    2009-01-15 23:51 . 2009-01-15 23:51 <DIR> d-------- c:\documents and settings\Lester\Application Data\Skinux
    2009-01-15 23:40 . 2009-01-15 23:40 268 --ah----- C:\sqmdata11.sqm
    2009-01-15 23:40 . 2009-01-15 23:40 244 --ah----- C:\sqmnoopt11.sqm
    2009-01-15 23:39 . 2006-10-04 09:06 1,197,294 --------- c:\windows\system32\dllcache\sysmain.sdb
    2009-01-15 23:39 . 2006-10-04 09:06 764,868 --------- c:\windows\system32\dllcache\apph_sp.sdb
    2009-01-15 23:39 . 2006-10-04 09:06 217,118 --------- c:\windows\system32\dllcache\apphelp.sdb
    2009-01-15 23:38 . 2009-01-15 23:38 <DIR> d-------- c:\program files\Windows Media Connect 2
    2009-01-15 23:37 . 2009-01-15 23:37 <DIR> d-------- c:\windows\system32\drivers\UMDF
    2009-01-15 23:37 . 2009-01-15 23:39 1,374 --a------ c:\windows\imsins.BAK
    2009-01-15 23:35 . 2009-01-15 23:35 <DIR> d-------- c:\program files\The Skins Factory
    2009-01-14 20:35 . 2009-01-20 23:25 125,440 --a------ c:\windows\system32\kdgnufan.dll
    2009-01-14 20:35 . 2009-01-20 23:26 125,440 --a------ c:\windows\system32\gwqwuj.dll
    2009-01-13 23:43 . 2009-01-13 23:43 <DIR> d--h----- c:\windows\PIF
    2009-01-13 23:33 . 2009-01-13 23:33 <DIR> d-------- c:\program files\Disk Size Manager 2.0
    2009-01-13 20:38 . 2009-01-20 23:25 123,904 --a------ c:\windows\system32\qlopoeha.dll
    2009-01-13 20:38 . 2009-01-20 23:26 123,904 --a------ c:\windows\system32\lhdkxi.dll
    2009-01-13 18:56 . 2009-01-13 18:56 <DIR> d-------- c:\program files\Seagate
    2009-01-13 18:56 . 2009-01-13 18:56 <DIR> d-------- c:\documents and settings\All Users\Application Data\Seagate
    2009-01-13 18:55 . 2009-01-13 18:55 <DIR> d--hs---- c:\windows\ftpcache
    2009-01-13 18:55 . 2009-01-13 18:55 <DIR> d-------- c:\program files\MSXML 6.0
    2009-01-13 04:43 . 2009-01-13 04:43 31,232 --a------ c:\windows\system32\pcload.exe
    2009-01-12 20:26 . 2009-01-12 20:26 268 --ah----- C:\sqmdata10.sqm
    2009-01-12 20:26 . 2009-01-12 20:26 244 --ah----- C:\sqmnoopt10.sqm
    2009-01-12 00:14 . 2009-01-20 23:26 123,392 --a------ c:\windows\system32\wyxwni.dll
    2009-01-12 00:14 . 2009-01-20 23:25 123,392 --a------ c:\windows\system32\meauofgc.dll
    2009-01-12 00:11 . 2009-01-20 23:36 280,576 --a------ c:\windows\system32\awtrSLdC.dll
    2009-01-12 00:04 . 2009-01-12 00:04 268 --ah----- C:\sqmdata09.sqm
    2009-01-12 00:04 . 2009-01-12 00:04 244 --ah----- C:\sqmnoopt09.sqm
    2009-01-11 19:27 . 2009-01-20 23:25 123,392 --a------ c:\windows\system32\jlcnegcx.dll
    2009-01-11 19:27 . 2009-01-20 23:26 123,392 --a------ c:\windows\system32\anzfer.dll
    2009-01-09 23:59 . 2009-01-09 23:59 268 --ah----- C:\sqmdata08.sqm
    2009-01-09 23:59 . 2009-01-09 23:59 244 --ah----- C:\sqmnoopt08.sqm
    2009-01-09 22:51 . 2009-01-09 22:51 268 --ah----- C:\sqmdata07.sqm
    2009-01-09 22:51 . 2009-01-09 22:51 244 --ah----- C:\sqmnoopt07.sqm
    2009-01-09 22:27 . 2009-01-09 22:27 <DIR> d-------- c:\program files\CCleaner
    2009-01-09 22:22 . 2009-01-20 23:26 133,120 --a------ c:\windows\system32\rojqdqgr.dll
    2009-01-09 00:42 . 2009-01-09 00:42 268 --ah----- C:\sqmdata06.sqm
    2009-01-09 00:42 . 2009-01-09 00:42 244 --ah----- C:\sqmnoopt06.sqm
    2009-01-08 08:58 . 2009-01-08 08:58 268 --ah----- C:\sqmdata05.sqm
    2009-01-08 08:58 . 2009-01-08 08:58 244 --ah----- C:\sqmnoopt05.sqm
    2009-01-07 04:04 . 2009-01-07 04:04 268 --ah----- C:\sqmdata04.sqm
    2009-01-07 04:04 . 2009-01-07 04:04 244 --ah----- C:\sqmnoopt04.sqm
    2009-01-06 01:29 . 2009-01-06 01:29 268 --ah----- C:\sqmdata03.sqm
    2009-01-06 01:29 . 2009-01-06 01:29 244 --ah----- C:\sqmnoopt03.sqm
    2009-01-06 00:32 . 2009-01-06 00:32 268 --ah----- C:\sqmdata02.sqm
    2009-01-06 00:32 . 2009-01-06 00:32 244 --ah----- C:\sqmnoopt02.sqm
    2009-01-05 23:18 . 2009-01-05 23:18 268 --ah----- C:\sqmdata01.sqm
    2009-01-05 23:18 . 2009-01-05 23:18 244 --ah----- C:\sqmnoopt01.sqm
    2009-01-05 19:32 . 2009-01-05 19:32 134,656 --a------ c:\windows\abutijokilomini.dll
    2009-01-05 19:05 . 2009-01-15 23:43 50,176 --a------ c:\windows\system32\hgGwtQhf.dll
    2009-01-03 16:44 . 2009-01-03 16:44 <DIR> d-------- c:\program files\AskBarDis
    2009-01-03 16:44 . 2009-01-03 16:44 <DIR> d-------- c:\documents and settings\All Users\Application Data\Azureus
    2008-12-30 12:02 . 2008-12-30 12:06 <DIR> d-------- C:\Lester
    2008-12-27 01:15 . 2008-12-27 14:03 921,632 --a------ C:\SPC230NC.DAT
    2008-12-27 01:14 . 2008-12-27 01:14 <DIR> d-------- c:\program files\CaptureWebCam
    2008-12-27 01:14 . 1999-12-17 09:13 86,016 --a------ c:\windows\unvise32.exe

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2009-01-21 04:38 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab
    2009-01-21 04:37 4,598,304 --sha-w c:\windows\system32\drivers\fidbox.dat
    2009-01-21 04:37 38,052 --sha-w c:\windows\system32\drivers\fidbox.idx
    2009-01-21 04:27 729,120 --sha-w c:\windows\system32\drivers\fidbox2.dat
    2009-01-21 04:27 4,620 --sha-w c:\windows\system32\drivers\fidbox2.idx
    2009-01-16 17:01 --------- d-----w c:\program files\mIRC
    2009-01-16 04:54 --------- d-----w c:\program files\Yahoo!
    2009-01-14 03:49 --------- d-----w c:\program files\Steam
    2009-01-13 23:56 --------- d--h--w c:\program files\InstallShield Installation Information
    2009-01-05 05:06 --------- d-----w c:\documents and settings\Lester\Application Data\Azureus
    2009-01-03 21:44 --------- d-----w c:\program files\Azureus
    2008-12-16 02:01 --------- dcsh--w c:\program files\Common Files\WindowsLiveInstaller
    2008-12-16 02:01 --------- d-----w c:\program files\Windows Live
    2008-12-16 01:59 --------- d-----w c:\documents and settings\All Users\Application Data\WLInstaller
    2008-12-16 01:29 --------- d-----w c:\program files\Philips
    2008-12-16 01:29 --------- d-----w c:\documents and settings\All Users\Application Data\Philips
    2008-12-16 01:26 --------- d-----w c:\program files\ArcSoft
    2008-12-16 01:24 --------- d-----w c:\documents and settings\Lester\Application Data\InstallShield
    2008-12-09 03:38 603,904 ----a-w c:\windows\system32\TUProgSt.exe
    2008-12-09 03:38 362,240 ----a-w c:\windows\system32\TuneUpDefragService.exe
    2008-12-09 03:38 --------- d-----w c:\program files\TuneUp Utilities 2009
    2008-12-09 03:36 --------- d-sh--w c:\documents and settings\All Users\Application Data\{55A29068-F2CE-456C-9148-C869879E2357}
    2008-12-09 03:35 --------- d-----w c:\program files\TuneUp Utilities 2007
    2008-12-01 03:09 96,976 ----a-w c:\windows\system32\drivers\klin.dat
    2008-12-01 02:51 87,855 ----a-w c:\windows\system32\drivers\klick.dat
    2008-12-01 02:50 --------- d-----w c:\program files\Kaspersky Lab
    2008-12-01 02:40 --------- d-----w c:\documents and settings\All Users\Application Data\McAfee.com
    2008-12-01 02:09 --------- d-----w c:\documents and settings\All Users\Application Data\Kaspersky Lab Setup Files
    2008-11-23 06:03 --------- d-----w c:\program files\iTunes
    2008-11-23 06:03 --------- d-----w c:\documents and settings\All Users\Application Data\{3276BE95_AF08_429F_A64F_CA64CB79BCF6}
    2008-11-23 06:02 --------- d-----w c:\program files\iPod
    2008-11-23 06:01 --------- d-----w c:\program files\QuickTime
    2008-11-23 05:54 --------- d-----w c:\program files\Bonjour
    2008-11-12 21:44 27,904 ----a-w c:\windows\system32\uxtuneup.dll
    2008-10-24 11:10 453,632 ------w c:\windows\system32\dllcache\mrxsmb.sys
    2008-10-23 13:01 283,648 ----a-w c:\windows\system32\gdi32.dll
    2008-10-23 13:01 283,648 ------w c:\windows\system32\dllcache\gdi32.dll
    2007-12-28 04:54 22,328 ----a-w c:\documents and settings\Lester\Application Data\PnkBstrK.sys
    2005-12-23 03:04 251 ----a-w c:\program files\wt3d.ini
    2005-05-02 23:45 1,677 ----a-w c:\program files\ReadMe.txt
    2003-06-07 19:33 135,747 -c--a-w c:\program files\flexyswads.jpg
    2003-06-07 18:58 640 -c--a-w c:\program files\R34D M3.txt
    2007-08-11 12:08 135,680 ----a-w c:\program files\mozilla firefox\components\GoogleDesktopMozilla.dll
    2006-02-06 14:10 104 --sh--r c:\windows\system32\7BD5DDE2EC.sys
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown
    REGEDIT4

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{0105A3B6-6E75-4B34-9B9E-5DAA8434E460}]
    2009-01-20 23:36 280576 --a------ c:\windows\system32\awtrSLdC.dll

    [HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}]
    2009-01-15 23:43 50176 --a------ c:\windows\system32\hgGwtQhf.dll

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
    "{3041d03e-fd4b-44e0-b742-2d9b88305f98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\Webbrowser]
    "{3041D03E-FD4B-44E0-B742-2D9B88305F98}"= "c:\program files\AskBarDis\bar\bin\askBar.dll" [2008-12-09 333192]

    [HKEY_CLASSES_ROOT\clsid\{3041d03e-fd4b-44e0-b742-2d9b88305f98}]
    [HKEY_CLASSES_ROOT\TypeLib\{4b1c1e16-6b34-430e-b074-5928eca4c150}]

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ctfmon.exe"="c:\windows\system32\ctfmon.exe" [2004-08-10 15360]
    "swg"="c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-05-28 68856]
    "AIM"="c:\program files\AIM\aim.exe" [2005-08-05 67160]
    "MsnMsgr"="c:\program files\Windows Live\Messenger\MsnMsgr.Exe" [2007-10-18 5724184]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "MSConfig"="c:\windows\PCHealth\HelpCtr\Binaries\MSConfig.exe" [2005-09-26 169984]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" [2008-11-04 413696]
    "AppleSyncNotifier"="c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe" [2008-11-07 111936]
    "iTunesHelper"="c:\program files\iTunes\iTunesHelper.exe" [2008-11-20 290088]
    "AVP"="c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\avp.exe" [2008-07-29 206088]
    "SPC230NC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
    "SPC_Monitor"="c:\windows\Philips\SPC230NC\Monitor.exe" [2007-12-10 323584]
    "MaxMenuMgr"="c:\program files\Seagate\SeagateManager\FreeAgent Status\StxMenuMgr.exe" [2008-07-30 177448]
    "Ugiwavecazucu"="c:\windows\abutijokilomini.dll" [2009-01-05 134656]
    "NvCplDaemon"="c:\windows\system32\NvCpl.dll" [2007-11-06 8523776]

    c:\documents and settings\Lester\Start Menu\Programs\Startup\
    Yahoo! Widgets.lnk - c:\program files\Yahoo!\Widgets\YahooWidgets.exe [2008-03-18 4742184]

    c:\documents and settings\All Users\Start Menu\Programs\Startup\
    TrayMin230.lnk - c:\program files\Philips\Philips SPC230NC Webcam\TrayMin230.exe [2008-12-15 241664]

    [hkey_local_machine\software\microsoft\windows\currentversion\explorer\ShellExecuteHooks]
    "{6D794CB4-C7CD-4c6f-BFDC-9B77AFBDC02C}"= "c:\windows\system32\hgGwtQhf.dll" [2009-01-15 50176]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon]
    "UIHost"="c:\documents and settings\All Users\Application Data\TuneUp Software\TuneUp Utilities\WinStyler\tu_logonui.exe"

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\MCPClient]
    2005-01-31 15:13 49152 c:\progra~1\COMMON~1\Stardock\MCPStub.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\WB]
    2001-12-20 23:34 24576 c:\progra~1\Stardock\OBJECT~2\WINDOW~1\fastload.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgGwtQhf]
    2009-01-15 23:43 50176 c:\windows\system32\hgGwtQhf.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    Authentication Packages REG_MULTI_SZ msv1_0 c:\windows\system32\awtrSLdC

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
    backup=c:\windows\pss\America Online 9.0 Tray Icon.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Digital Line Detect.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Digital Line Detect.lnk
    backup=c:\windows\pss\Digital Line Detect.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^dlbcserv.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\dlbcserv.lnk
    backup=c:\windows\pss\dlbcserv.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
    backup=c:\windows\pss\Microsoft Office.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\QuickBooks Update Agent.lnk
    backup=c:\windows\pss\QuickBooks Update Agent.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ZDWLan Utility.lnk]
    path=c:\documents and settings\All Users\Start Menu\Programs\Startup\ZDWLan Utility.lnk
    backup=c:\windows\pss\ZDWLan Utility.lnkCommon Startup

    [HKLM\~\startupfolder\C:^Documents and Settings^Lester^Start Menu^Programs^Startup^Adobe Gamma.lnk]
    path=c:\documents and settings\Lester\Start Menu\Programs\Startup\Adobe Gamma.lnk
    backup=c:\windows\pss\Adobe Gamma.lnkStartup

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
    --a------ 2005-08-05 14:08 67160 c:\program files\AIM\aim.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
    --a------ 2006-05-09 19:24 50760 c:\program files\Common Files\AOL\Launch\aollaunch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ATIPTA]
    --a------ 2005-08-05 22:05 344064 c:\program files\ATI Technologies\ATI Control Panel\atiptaxx.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
    --a------ 2004-08-10 06:00 15360 c:\windows\system32\ctfmon.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\dla]
    --a------ 2004-12-06 02:05 127035 c:\windows\system32\dla\tfswctrl.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DVDLauncher]
    --------- 2005-02-23 17:19 53248 c:\program files\CyberLink\PowerDVD\DVDLauncher.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ehTray]
    --a--c--- 2005-09-29 15:01 67584 c:\windows\ehome\ehtray.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Google Desktop Search]
    --a------ 2007-08-14 18:12 1838592 c:\program files\Google\Google Desktop Search\GoogleDesktop.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HostManager]
    --a------ 2006-05-09 19:24 50760 c:\program files\Common Files\AOL\1153603640\ee\aolsoftware.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IAAnotif]
    --a------ 2005-06-17 08:56 139264 c:\program files\Intel\Intel Matrix Storage Manager\IAAnotif.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IPHSend]
    --a------ 2006-02-17 11:59 124520 c:\program files\Common Files\AOL\IPHSend\IPHSend.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSPM Startup]
    --a------ 2005-06-10 11:44 249856 c:\program files\Common Files\InstallShield\UpdateService\ISUSPM.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ISUSScheduler]
    --a------ 2005-06-10 11:44 81920 c:\program files\Common Files\InstallShield\UpdateService\issch.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
    --a------ 2008-11-20 13:20 290088 c:\program files\iTunes\iTunesHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSKDetectorExe]
    --a------ 2006-11-07 14:49 1121280 c:\program files\McAfee\SpamKiller\MSKDetct.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
    --a------ 2004-10-13 11:24 1694208 c:\program files\Messenger\msmsgs.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
    --a------ 2007-11-06 20:30 8523776 c:\windows\system32\nvcpl.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvMediaCenter]
    --a------ 2007-11-06 20:30 81920 c:\windows\system32\nvmctray.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
    --a------ 2008-11-04 10:30 413696 c:\program files\QuickTime\QTTask.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
    --a------ 2005-12-20 12:26 26112 c:\program files\Real\RealPlayer\realplay.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Registry Cleaner Scheduler]
    --a------ 2006-10-13 05:16 393432 c:\program files\CleanMyPC\Registry Cleaner\RCHelper.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
    --a------ 2006-02-28 00:20 36972 c:\program files\Java\jre1.5.0\bin\jusched.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
    --a------ 2007-05-28 02:30 68856 c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ugiwavecazucu]
    --a------ 2009-01-05 19:32 134656 c:\windows\abutijokilomini.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
    --a------ 2007-02-13 13:29 35328 c:\program files\Winamp\winampa.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
    --a------ 2007-11-06 20:30 1626112 c:\windows\system32\nwiz.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SigmatelSysTrayApp]
    --a--c--- 2005-03-23 01:20 339968 c:\windows\stsystra.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
    "AIM"=c:\program files\AIM\aim.exe -cnetwait.odl
    "Comrade.exe"=c:\program files\GameSpy\Comrade\Comrade.exe
    "ctfmon.exe"=c:\windows\system32\ctfmon.exe
    "swg"=c:\program files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run-]
    "QuickTime Task"="c:\program files\QuickTime\QTTask.exe" -atboottime
    "StartCCC"="c:\program files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe"
    "Google Desktop Search"="c:\program files\Google\Google Desktop Search\GoogleDesktop.exe" /startup

    [HKEY_LOCAL_MACHINE\software\microsoft\security center\Monitoring\KasperskyAntiVirus]
    "DisableMonitoring"=dword:00000001

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile]
    "EnableFirewall"= 0 (0x0)

    [HKLM\~\services\sharedaccess\parameters\firewallpolicy\standardprofile\AuthorizedApplications\List]
    "%windir%\\system32\\sessmgr.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLDial.exe"=
    "c:\\Program Files\\Common Files\\AOL\\ACS\\AOLacsd.exe"=
    "c:\\Program Files\\Messenger\\msmsgs.exe"=
    "c:\\Program Files\\America Online 9.0\\waol.exe"=
    "c:\\Program Files\\Common Files\\AOL\\Loader\\aolload.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1153603640\\ee\\aolsoftware.exe"=
    "c:\\Program Files\\Common Files\\AOL\\1153603640\\ee\\aim6.exe"=
    "%windir%\\Network Diagnostic\\xpnetdiag.exe"=
    "c:\\WINDOWS\\system32\\LEXPPS.EXE"=
    "c:\\Program Files\\LimeWire\\LimeWire.exe"=
    "c:\\StubInstaller.exe"=
    "c:\\Program Files\\Steam\\SteamApps\\kinggfx\\counter-strike source\\hl2.exe"=
    "c:\\Program Files\\Azureus\\Azureus.exe"=
    "c:\\Program Files\\THQ\\Company of Heroes\\RelicCOH.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\Crysis.exe"=
    "c:\\Program Files\\Electronic Arts\\Crytek\\Crysis\\Bin32\\CrysisDedicatedServer.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrA.exe"=
    "c:\\WINDOWS\\system32\\PnkBstrB.exe"=
    "c:\\Program Files\\Bonjour\\mDNSResponder.exe"=
    "c:\\Program Files\\iTunes\\iTunes.exe"=
    "c:\\Program Files\\AIM\\aim.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\msnmsgr.exe"=
    "c:\\Program Files\\Windows Live\\Messenger\\livecall.exe"=

    R0 klbg;Kaspersky Lab Boot Guard Driver;c:\windows\system32\drivers\klbg.sys [2008-01-29 32784]
    R3 KLFLTDEV;Kaspersky Lab KLFltDev;c:\windows\system32\drivers\klfltdev.sys [2008-03-13 26640]
    R3 klim5;Kaspersky Anti-Virus NDIS Filter;c:\windows\system32\drivers\klim5.sys [2008-04-30 24592]
    R3 NTProcDrv;Process creation detector for NT.;\??\c:\windows\TEMP\drv1.tmp --> c:\windows\TEMP\drv1.tmp [?]
    R3 PAEAFLT.sys;USB Composite Device;c:\windows\system32\drivers\PAEAFLT.sys [2008-12-15 8576]
    R3 SPC230NC;Philips SPC230NC Webcam;c:\windows\system32\drivers\SPC230NC.SYS [2008-12-15 461056]
    R4 FreeAgentGoNext Service;Seagate Service;c:\program files\Seagate\SeagateManager\Sync\FreeAgentService.exe [2008-07-30 161064]
    R4 HdThemeEnabler;Hyperdesk Theme Enabler;c:\program files\The Skins Factory\Hyperdesk\Common\HDThemeEnabler.exe [2008-07-23 106496]
    R4 LF30FS;LF30FS;c:\program files\Everstrike Software\Lock Folder XP 3.6\LF30XP.sys [2004-11-19 101488]
    R4 TuneUp.ProgramStatisticsSvc;TuneUp Program Statistics Service;c:\windows\system32\TUProgSt.exe [2008-12-08 603904]

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    UxTuneUp

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{361ac05d-0e0d-11da-9aa9-806d6172696f}]
    \Shell\AutoRun\command - E:\setup.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{76641b88-8349-11db-b13f-00120e04141f}]
    \Shell\AutoRun\command - f:\jdsecure\Windows\JDSecure31.exe

    [HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{e5229703-94dc-11da-b0ec-00038a000015}]
    \Shell\AutoRun\command - setupSNK.exe

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{1578F1DA-7365-0FBE-0507-030407050804}]
    c:\windows\system32\RegMen.exe
    .
    Contents of the 'Scheduled Tasks' folder

    2009-01-21 c:\windows\Tasks\1-Click Maintenance.job
    - c:\program files\TuneUp Utilities 2009\OneClickStarter.exe [2008-11-20 16:28]

    2009-01-18 c:\windows\Tasks\AppleSoftwareUpdate.job
    - c:\program files\Apple Software Update\SoftwareUpdate.exe [2008-07-30 11:34]

    2009-01-20 c:\windows\Tasks\User_Feed_Synchronization-{908D8F0F-442E-4BE4-A6FE-4447BEFED3AB}.job
    - c:\windows\system32\msfeedssync.exe [2006-08-22 23:11]
    .
    - - - - ORPHANS REMOVED - - - -

    BHO-{78e39adb-f1cc-4c67-ada5-09e378d8ec14} - c:\windows\system32\rvvgqo.dll
    HKLM-Run-0c77c675 - c:\windows\system32\bvoerscx.dll
    MSConfigStartUp-0c77c675 - c:\windows\system32\xwtvtypr.dll
    MSConfigStartUp-Active Desktop Calendar - c:\program files\XemiComputers\Active Desktop Calendar\ADC.exe
    MSConfigStartUp-ATICCC - c:\program files\ATI Technologies\ATI.ACE\CLIStart.exe
    MSConfigStartUp-Corel Photo Downloader - c:\program files\Corel\Corel Photo Album 6\MediaDetect.exe
    MSConfigStartUp-DellSupport - c:\program files\Dell Support\DSAgnt.exe
    MSConfigStartUp-MCAgentExe - c:\progra~1\mcafee.com\agent\McAgent.exe
    MSConfigStartUp-MCUpdateExe - c:\progra~1\mcafee.com\agent\mcupdate.exe
    MSConfigStartUp-MimBoot - c:\progra~1\MUSICM~1\MUSICM~3\mimboot.exe
    MSConfigStartUp-MPFExe - c:\progra~1\McAfee.com\PERSON~1\MpfTray.exe
    MSConfigStartUp-MSKAGENTEXE - c:\progra~1\McAfee\SPAMKI~1\MskAgent.exe
    MSConfigStartUp-OASClnt - c:\program files\McAfee.com\VSO\oasclnt.exe
    MSConfigStartUp-Skype - c:\program files\Skype\Phone\Skype.exe
    MSConfigStartUp-Spyware Doctor - c:\program files\Spyware Doctor\swdoctor.exe
    MSConfigStartUp-VirusScan Online - c:\program files\McAfee.com\VSO\mcvsshld.exe
    MSConfigStartUp-VSOCheckTask - c:\progra~1\McAfee.com\VSO\mcmnhdlr.exe
    MSConfigStartUp-Framework Windows - frmwrk32.exe


    .
    ------- Supplementary Scan -------
    .
    uStart Page = hxxp://www.google.com/
    uInternet Connection Wizard,ShellNext = hxxp://us.mcafee.com/root/campaign.asp?cid=16314
    uInternet Settings,ProxyOverride = *.local
    uSearchURL,(Default) = hxxp://www.google.com/keyword/%s
    IE: Add to Banner Ad Blocker - c:\program files\Kaspersky Lab\Kaspersky Internet Security 2009\ie_banner_deny.htm
    IE: E&xport to Microsoft Excel - c:\progra~1\MICROS~4\Office12\EXCEL.EXE/3000
    Trusted Zone: www.vectorvest.com
    FF - ProfilePath - c:\documents and settings\Lester\Application Data\Mozilla\Firefox\Profiles\25d51k9r.default\
    FF - prefs.js: browser.search.defaulturl - hxxp://www.google.com/search?lr=&ie=UTF-8&oe=UTF-8&q=
    FF - prefs.js: browser.search.selectedEngine - Google
    FF - prefs.js: browser.startup.homepage - hxxp://www.google.com/
    FF - prefs.js: keyword.URL - hxxp://toolbar.ask.com/toolbarv/askRedirect?o=10607&gct=&gc=1&q=
    FF - component: c:\documents and settings\Lester\Application Data\Mozilla\Firefox\Profiles\25d51k9r.default\extensions\{463F6CA5-EE3C-4be1-B7E6-7FEE11953374}\platform\WINNT\components\FoxyTunes.dll
    FF - component: c:\documents and settings\Lester\Application Data\Mozilla\Firefox\Profiles\25d51k9r.default\extensions\{a7c6cf7f-112c-4500-a7ea-39801a327e5f}\platform\WINNT_x86-msvc\components\ipc.dll
    FF - component: c:\program files\Mozilla Firefox\components\GoogleDesktopMozilla.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava11.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava12.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava13.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava14.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJava32.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPJPI150.dll
    FF - plugin: c:\program files\Java\jre1.5.0\bin\NPOJI610.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npdbplug.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npmozax.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npunagi2.dll
    FF - plugin: c:\program files\Mozilla Firefox\plugins\npyaxmpb.dll
    FF - plugin: c:\program files\Viewpoint\Viewpoint Experience Technology\npViewpoint.dll
    .

    **************************************************************************

    catchme 0.3.1367 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2009-01-20 23:37:03
    Windows 5.1.2600 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************

    [HKEY_LOCAL_MACHINE\System\ControlSet003\Services\NTProcDrv]
    "ImagePath"="\??\c:\windows\TEMP\drv1.tmp"
    .
    --------------------- LOCKED REGISTRY KEYS ---------------------

    [HKEY_USERS\S-1-5-21-798930543-3715100497-612524952-1005\Software\Microsoft\Windows\CurrentVersion\Explorer\CLSID]
    @Denied: (Full) (LocalSystem)
    @SACL=

    [HKEY_USERS\S-1-5-21-798930543-3715100497-612524952-1005\Software\SecuROM\!CAUTION! NEVER A OR CHANGE ANY KEY*]
    "??"=hex:07,df,f0,6d,ed,5d,9d,f9,cc,d1,01,40,24,69,6f,01,ca,53,83,f1,91,c0,c8,
    91,2f,89,2f,79,6c,ba,cd,c3,f2,b9,e1,5f,6a,88,e1,76,aa,ae,26,3f,e9,2e,55,0c,\
    "??"=hex:a1,5e,47,db,25,65,bb,27,8b,92,55,34,10,3f,d9,49
    .
    --------------------- DLLs Loaded Under Running Processes ---------------------

    - - - - - - - > 'winlogon.exe'(1572)
    c:\windows\system32\Ati2evxx.dll
    c:\progra~1\COMMON~1\Stardock\mcpstub.dll
    c:\progra~1\Stardock\OBJECT~2\WINDOW~1\fastload.dll
    c:\windows\system32\hgGwtQhf.dll

    - - - - - - - > 'lsass.exe'(1628)
    c:\windows\system32\awtrSLdC.dll

    - - - - - - - > 'Explorer.EXE'(2280)
    c:\windows\system32\awtrSLdC.dll
    c:\windows\system32\ieframe.dll
    c:\progra~1\COMMON~1\Stardock\MCPCore.dll
    c:\windows\system32\WPDShServiceObj.dll
    c:\windows\system32\PortableDeviceTypes.dll
    c:\windows\system32\PortableDeviceApi.dll
    c:\windows\abutijokilomini.dll
    .
    ------------------------ Other Running Processes ------------------------
    .
    c:\windows\system32\LEXBCES.EXE
    c:\progra~1\COMMON~1\AOL\ACS\AOLacsd.exe
    c:\program files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
    c:\program files\Bonjour\mDNSResponder.exe
    c:\program files\Intel\Intel Matrix Storage Manager\IAANTMon.exe
    c:\windows\system32\nvsvc32.exe
    c:\windows\system32\PnkBstrA.exe
    c:\program files\Alcohol Soft\Alcohol 120\StarWind\StarWindService.exe
    c:\program files\iPod\bin\iPodService.exe
    .
    **************************************************************************
    .
    Completion time: 2009-01-20 23:40:40 - machine was rebooted
    ComboFix-quarantined-files.txt 2009-01-21 04:40:37

    Pre-Run: 52,798,971,904 bytes free
    Post-Run: 53,153,685,504 bytes free

    WindowsXP-KB310994-SP2-Pro-BootDisk-ENU.exe
    [boot loader]
    timeout=2
    default=multi(0)disk(0)rdisk(0)partition(2)\WINDOWS
    [operating systems]
    c:\cmdcons\BOOTSECT.DAT="Microsoft Windows Recovery Console" /cmdcons
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition" /noexecute=optin /fastdetect /TUTag=YYXZIG /Kernel=TUKernel.exe
    multi(0)disk(0)rdisk(0)partition(2)\WINDOWS="Windows XP Media Center Edition (TuneUp Backup)" /noexecute=optin /fastdetect /TUTag=YYXZIG-BAK

    475 --- E O F --- 2008-12-11 08:02:39
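
As an added example (not part of the thread and not the output of any tool named in it), a small triage pass over the "DLLs Loaded Under Running Processes" section of the ComboFix log above. It applies two heuristics, a random-looking module name and a DLL sitting directly in the Windows directory, and raises priority when the host is winlogon.exe or lsass.exe; the thresholds are assumptions chosen for this example, and flagged entries are candidates for a closer look, not identifications.

```python
import re
# Sample lines from the ComboFix "DLLs Loaded Under Running Processes" block above.
SAMPLE = r"""
- - - - - - - > 'winlogon.exe'(1572)
c:\windows\system32\Ati2evxx.dll
c:\windows\system32\hgGwtQhf.dll
- - - - - - - > 'lsass.exe'(1628)
c:\windows\system32\awtrSLdC.dll
- - - - - - - > 'Explorer.EXE'(2280)
c:\windows\system32\awtrSLdC.dll
c:\windows\system32\WPDShServiceObj.dll
c:\windows\abutijokilomini.dll
"""
HOST_RE = re.compile(r"^[- ]+> '([^']+)'\((\d+)\)$")  # "- - - > 'proc'(pid)"
SENSITIVE_HOSTS = {"winlogon.exe", "lsass.exe"}        # foreign code here is urgent

def parse_dll_section(text):
    """Map (process, pid) -> list of DLL paths reported under that host."""
    loaded, current = {}, None
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = HOST_RE.match(line)
        if m:
            current = loaded.setdefault((m.group(1), int(m.group(2))), [])
        elif current is not None:
            current.append(line)
    return loaded

def looks_random(stem):
    """Short all-letter name with several case flips and almost no vowels."""
    if not (6 <= len(stem) <= 12 and stem.isalpha()):
        return False
    flips = sum(a.isupper() != b.isupper() for a, b in zip(stem, stem[1:]))
    return flips >= 3 and sum(c in "aeiou" for c in stem.lower()) <= 1

def triage(text):
    """Sorted (process, path, reasons) for DLLs that deserve a closer look."""
    findings = set()
    for (proc, _pid), paths in parse_dll_section(text).items():
        for path in paths:
            stem = path.rsplit("\\", 1)[-1].rsplit(".", 1)[0]
            reasons = []
            if looks_random(stem):
                reasons.append("random-looking name")
            if re.fullmatch(r"c:\\windows\\[^\\]+", path, re.I):  # not a subfolder
                reasons.append("sits directly in the Windows directory")
            if reasons and proc.lower() in SENSITIVE_HOSTS:
                reasons.append("loaded inside " + proc)
            if reasons:
                findings.add((proc, path, "; ".join(reasons)))
    return sorted(findings)
```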

  6. #6
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello and sorry for the delay.

    I must warn you that one or more of the identified infections is a backdoor trojan.

    This allows hackers to remotely control your computer, steal critical system information, and download and execute files.

    I would counsel you to disconnect this PC from the Internet immediately. If you do any banking or other financial transactions on the PC or if it should contain any other sensitive information, please get to a known clean computer and change all passwords where applicable, and it would be wise to contact those same financial institutions to apprise them of your situation.

    Though the Trojan has been identified and can be killed, because of its backdoor functionality, your PC is very likely compromised and there is no way to be sure your computer can ever again be trusted. Many experts in the security community believe that once infected with this type of Trojan, the best course of action would be a reformat and reinstall of the OS. Please read these for more information:

    How Do I Handle Possible Identify Theft, Internet Fraud and CC Fraud?

    When Should I Format, How Should I Reinstall

    We can attempt to clean this machine, but I can't guarantee that it will be 100% secure afterwards.

    Should you have any questions, please feel free to ask.

    Please let us know what you have decided to do in your next post.
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006

  7. #7
    Junior Member
    Join Date
    Jan 2009
    Posts
    4

    Default

    I have a Dell machine so there is an easy way to reset the machine back to factory settings. I was thinking about doing this before coming to this forum for help and one of the things I did was buy an external hard drive to start backing up some of my files. What can I do to ensure the files on the hard drive are clean so I don't re-infect my machine once I re-format?

    Thanks

  8. #8
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    Hello

    Okay, wise choice.

    Well, text, music and pictures should be safe to back up. Don't back up any system files, like .exe or .dll files. Then scan the external hard drive with antivirus software before copying any files to the clean machine.

    Please make sure that you know what to do before beginning the operation.

    Here are a few links that will probably help.

    Reformatting Windows XP by wng_z3r0
    When should I re-format? How should I reinstall?
    Windows XP Clean install

    Then there are a couple of things you should do immediately after installing Windows and before surfing the net...
    • Install an antivirus and firewall (you should download and have those on a CD or USB drive, all ready to be installed).

      These are good (free) firewalls:
      - Kerio
      - Sygate
      - Outpost

      These are good (free) antiviruses:
      - Antivir
      - Avast
      - AVG
    • Get all Windows updates installed!

    Please ask me if you have any questions.

    Then here are a few things that you can do in order to make your fresh computer more secure:
    • Clear your system restore
      This will clear the system restore folders from possible malware that was left behind during the cleaning process.
    • Use ATF Cleaner
      Download and install ATF Cleaner. Clean your temporary files & folders with it regularly.
    • Use Spybot S&D
      Download and install Spybot S&D. Update it and scan your computer regularly with it.
    • Install SpywareBlaster
      SpywareBlaster will prevent spyware from being installed.
    • Install MVPS Hosts file
      This prevents your computer from connecting to harmful sites.
    • Use Firefox browser
      Firefox is a faster, safer and better browser than Internet Explorer.
    • Keep your system up-to-date
      Visit Windows Update regularly.
    • Keep your antivirus and firewall up-to-date
      Scan your computer regularly with your antivirus.
    • Read this article by TonyKlein
      So how did I get infected in the first place?
    • Stand Up and Be Counted !
      The site offers people who have been (or are) victims of malware the opportunity to document their story and, in that way, launch a complaint against the malware and the makers of the malware.


    Stay clean and be safe
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
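
As an added example (not from the thread or the helper), a script that applies the backup rule in the post above: it walks a folder standing in for the external drive, keeps document, music and picture types, skips .exe/.dll and similar, and sends anything else, or anything whose header reads "MZ" despite a data extension, for review before the antivirus scan the helper recommends. The extension sets and the sample files are assumptions constructed for this example.

```python
import os
import shutil
import tempfile
# The helper's rule above (documents, music, pictures: fine; .exe/.dll: do not
# copy) plus a header check, since an extension is only a hint: every Windows
# executable starts with the two bytes "MZ", whatever it has been renamed to.
DATA_EXTENSIONS = {".txt", ".doc", ".rtf", ".pdf", ".mp3", ".wma", ".jpg", ".png", ".gif"}
EXECUTABLE_EXTENSIONS = {".exe", ".dll", ".scr", ".sys", ".com", ".pif", ".bat", ".cmd", ".vbs"}

def classify_backup(root):
    """Sort every file under root into copy / skip / review ('/'-separated paths)."""
    buckets = {"copy": [], "skip": [], "review": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()   # "photo.jpg.exe" -> ".exe"
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                is_pe = fh.read(2) == b"MZ"           # DOS header of a PE file
            if ext in EXECUTABLE_EXTENSIONS:
                buckets["skip"].append(rel)           # the helper's rule
            elif is_pe:
                buckets["review"].append(rel)         # executable behind a data extension
            elif ext in DATA_EXTENSIONS:
                buckets["copy"].append(rel)
            else:
                buckets["review"].append(rel)         # unknown type: look before copying
    return {k: sorted(v) for k, v in buckets.items()}

def build_sample_drive():
    root = tempfile.mkdtemp(prefix="backup_")  # constructed stand-in for the drive
    samples = {
        "letters/resume.txt": b"Dear Sir,\n",
        "pictures/holiday.jpg": b"\xff\xd8\xff\xe0" + bytes(16),
        "pictures/holiday2.jpg": b"MZ\x90\x00" + bytes(16),  # renamed executable
        "downloads/setup.exe": b"MZ\x90\x00" + bytes(16),
        "downloads/notes.xyz": b"???",
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root

def demo():
    root = build_sample_drive()                # classify the sample, then delete it
    try:
        return classify_backup(root)
    finally:
        shutil.rmtree(root)
```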

  9. #9
    Security Expert-Emeritus
    Join Date
    Oct 2006
    Location
    Finland
    Posts
    3,934

    Default

    As the problem appears to be resolved this topic has been archived.

    If you need it re-opened please send a private message (pm) to a forum staff member and provide a link to the thread; this applies only to the original topic starter.

    Note: If it has been four days or more since your last post, and the helper assisting you posted a response to that post to which you did not reply, your topic will not be reopened. At that point, if you still require help, please start a new topic and include a fresh HijackThis log and a link to your previous thread.

    If it has been less than four days since your last response and you need the thread re-opened, please send me or your helper a private message (pm). A valid, working link to the closed topic is required.


    Glad we could help
    MalWare Removal University - You too could train to help others
    UNITE & ASAP member since 2006
