PDA

View Full Version : Smitfraud-C.Toolbar + Virtumonde



Underd0g
2007-07-02, 08:11
I need help removing some spywares. They are Smitfraud-C.Toolbar888 and Virtumonde. My dad started to notice his computer slowing down when someone got onto it. I tried both Avast and Spybot in safe mode and no die. Here is my HijackThis file.

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 12:55:12 AM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\System32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\JDay\Desktop\HiJackThis_v2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\poolsv.exe
C:\WINDOWS\svhost.exe
C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\ypspacsp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\svhost\wr-1-0000077.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\Alwil Software\Avast4\setup\avast.setup

R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FFD75BE-29C8-489A-A1A4-77523DD47266} - \
O2 - BHO: (no name) - {280B7CF7-DA8A-4C6B-9277-5EC63F006E03} - C:\WINDOWS\System32\vqdykujy.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\System32\lcefanjh.dll
O2 - BHO: (no name) - {868865EC-0295-4C7D-B25D-9F65314145E9} - C:\WINDOWS\System32\xxyayab.dll
O2 - BHO: (no name) - {98811dab-dce4-40c7-bf6c-883c4370cf07} - C:\WINDOWS\System32\vdcfmcs.dll
O2 - BHO: (no name) - {CB0FC394-FB23-4480-BA26-843459EE5700} - C:\WINDOWS\System32\efcyy.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [poolsv] "C:\WINDOWS\poolsv.exe"
O4 - HKLM\..\Run: [svhost] "C:\WINDOWS\svhost.exe"
O4 - HKLM\..\Run: [Salestart] "C:\Program Files\Common Files\WinAntiSpyware 2007\WAS7Mon.exe"
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [{ZN}] C:\Documents and Settings\JDay\Local Settings\Temp\thinksnet.exe CHD003
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\drcgsqhy.dll",realset
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [WebBuying] C:\Program Files\Web Buying\v1.7.4\webbuying.exe
O4 - Startup: TA_Start.lnk = C:\Documents and Settings\JDay\Local Settings\Temp\thinksnet.exe
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1243ffc437065dabb703/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AFFA6} (TestingCtl Control) - http://esb.alcena.com/ESBBundleInstaller2.ocx
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.stardialer.de/InstallationsAssistent.ocx
O20 - Winlogon Notify: efcyy - C:\WINDOWS\System32\efcyy.dll
O20 - Winlogon Notify: xxyayab - C:\WINDOWS\SYSTEM32\xxyayab.dll
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: DomainService - - C:\WINDOWS\System32\ypspacsp.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

--
End of file - 7909 bytes

Angelfire777
2007-07-02, 14:33
Hi, welcome to Safer Networking Forums!

You got quite a few bugs there..

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

WinAntiSpyware 2007

Web Buying

ThinkADZ

MyWebSearch

*Reboot


Download combofix.exe (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)

1. Save it to your desktop.
2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you. Post that log in your next reply along with a fresh HijackThis log.

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Underd0g
2007-07-03, 00:26
"JDay" - 2007-07-02 16:38:39 - ComboFix 07-06-27.7 - Service Pack 2 NTFS

( V Log )


C:\WINDOWS\system32\avwubnqb.dll
C:\WINDOWS\system32\drcgsqhy.dll
C:\WINDOWS\system32\iahnsqgb.dll
C:\WINDOWS\system32\ijfepekt.dll
C:\WINDOWS\system32\ipubgmie.dll
C:\WINDOWS\system32\kjlysvrn.dll
C:\WINDOWS\system32\lcefanjh.dll
C:\WINDOWS\system32\mgtgsuqe.dll
C:\WINDOWS\system32\nlydajwl.dll
C:\WINDOWS\system32\pbdejwbg.dll
C:\WINDOWS\system32\sfimxvgx.dll
C:\WINDOWS\system32\tstfmkbu.dll
C:\WINDOWS\system32\vqdykujy.dll
C:\WINDOWS\system32\wfmbdmri.dll
C:\WINDOWS\system32\bqnbuwva.ini
C:\WINDOWS\system32\yhqsgcrd.ini
C:\WINDOWS\system32\yycfe.bak1
C:\WINDOWS\system32\yycfe.bak2
C:\WINDOWS\system32\yycfe.ini
C:\WINDOWS\system32\yycfe.ini2
C:\WINDOWS\system32\yycfe.tmp
C:\WINDOWS\system32\tkepefji.ini
C:\WINDOWS\system32\eimgbupi.ini
C:\WINDOWS\system32\nrvsyljk.ini
C:\WINDOWS\system32\equsgtgm.ini
C:\WINDOWS\system32\lwjadyln.ini
C:\WINDOWS\system32\gbwjedbp.ini
C:\WINDOWS\system32\xgvxmifs.ini
C:\WINDOWS\system32\ubkmftst.ini
C:\WINDOWS\system32\irmdbmfw.ini
C:\WINDOWS\system32\yycfe.bak1
C:\WINDOWS\system32\yycfe.bak2
C:\WINDOWS\system32\yycfe.ini
C:\WINDOWS\system32\yycfe.ini2
C:\WINDOWS\system32\yycfe.tmp
C:\WINDOWS\system32\yycfe.bak1
C:\WINDOWS\system32\yycfe.bak2
C:\WINDOWS\system32\yycfe.ini
C:\WINDOWS\system32\yycfe.ini2
C:\WINDOWS\system32\yycfe.tmp
C:\WINDOWS\system32\efcyy.dll
C:\WINDOWS\system32\xxyayab.dll


* POST RUN FILES/FOLDERS *

( Other Deletions )


C:\DOCUME~1\ALLUSE~1\APPLIC~1.\salesmonitor
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\Abbr
C:\DOCUME~1\ALLUSE~1\APPLIC~1.\winantispyware 2007\Data\ProductCode
C:\DOCUME~1\JDay\APPLIC~1.\winantispyware 2007
C:\DOCUME~1\JDay\APPLIC~1.\winantispyware 2007\Logs\update.log
C:\DOCUME~1\JDay\Desktop.\internet explorer.lnk
C:\Documents and Settings\JDay.\err.log
C:\Program Files\Common Files\winantispyware 2007
C:\Program Files\Common Files\winantispyware 2007\err.log
C:\Program Files\Common Files\winantispyware 2007\uwas7cw.exe
C:\Program Files\Common Files\winantispyware 2007\WAS7Mon.exe
C:\Program Files\Common Files\Yazzle1549OinUninstaller.exe
C:\Program Files\poolsv
C:\Program Files\poolsv\svhost.exe
C:\Program Files\poolsv\WinAntiSpyware2007FreeInstall.exe
C:\Program Files\svhost
C:\Program Files\svhost\wr-1-0000077.exe
C:\temp\0b9
C:\temp\0b9\tmpTF.log
C:\temp\iee
C:\temp\iee\tmpZTF.log
C:\temp\tn3
C:\WINDOWS\cs_cache.ini
C:\WINDOWS\poolsv.exe
C:\WINDOWS\retadpu77.exe
C:\WINDOWS\svhost.exe
C:\WINDOWS\system32\arlhcwca.exe
C:\WINDOWS\system32\daxhyyfv.exe
C:\WINDOWS\system32\dpyafsxu.exe
C:\WINDOWS\system32\drivers\fopn.sys
C:\WINDOWS\system32\fomlarkx.exe
C:\WINDOWS\system32\gynlhcmb.exe
C:\WINDOWS\system32\haciosje.exe
C:\WINDOWS\system32\kinwqwji.exe
C:\WINDOWS\system32\lyswwkgm.exe
C:\WINDOWS\system32\o09PrEz
C:\WINDOWS\system32\o09PrEz\o09PrEz1099.exe
C:\WINDOWS\system32\pptxsalj.exe
C:\WINDOWS\system32\psncynuk.exe
C:\WINDOWS\system32\qbadiqvq.exe
C:\WINDOWS\system32\S0
C:\WINDOWS\system32\S0\cogyaga58441.exe
C:\WINDOWS\system32\S4
C:\WINDOWS\system32\S6
C:\WINDOWS\system32\S7
C:\WINDOWS\system32\uuktvudv.exe
C:\WINDOWS\system32\uvlxqqww.exe
C:\WINDOWS\system32\vdcfmcs.dll
C:\WINDOWS\system32\win
C:\WINDOWS\system32\wnsapisv32.exe
C:\WINDOWS\system32\woiippqw.exe
C:\WINDOWS\system32\wtrjsgyq.exe
C:\WINDOWS\system32\ypspacsp.exe


( Drivers/Services )


-------\LEGACY_CORE
-------\LEGACY_DOMAINSERVICE
-------\DomainService


( Files Created from 2007-06-02 to 2007-07-02 )


2007-07-02 16:33 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 04:40 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-28 16:37 <DIR> d-------- C:\WINDOWS\provisioning
2007-06-28 16:37 <DIR> d-------- C:\WINDOWS\peernet
2007-06-28 16:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-28 12:39 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2007-06-28 00:51 <DIR> d-------- C:\Program Files\RarZilla Free Unrar
2007-06-28 00:29 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-28 00:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-28 00:29 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-24 11:01 4,628 --a------ C:\WINDOWS\system32\ojvpvghq.exe
2007-06-17 14:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-16 23:48 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-16 23:48 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-16 23:48 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-16 23:48 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-16 23:47 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-16 23:47 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-16 23:47 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-16 23:47 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-16 18:26 <DIR> d-------- C:\Temp
2007-06-14 07:54 163,840 --a------ C:\Program Files\TTC.dll


( Find3M Report )

2007-07-02 19:47:57 -------- d-----w C:\Program Files\Messenger
2007-06-28 20:37:25 -------- d-----w C:\Program Files\Movie Maker
2007-06-28 20:30:11 -------- d-----w C:\Program Files\Windows NT
2007-06-18 01:18:41 -------- d-----w C:\Program Files\CSBB
2007-06-17 17:05:32 -------- d-----w C:\Program Files\CA
2007-06-17 02:58:34 -------- d-----w C:\DOCUME~1\JDay\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


( Reg Loading Points )


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0549E6CB-9985-42F6-8FD6-4EC017E6AAE1}=C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll [2003-12-19 11:52]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{1FFD75BE-29C8-489A-A1A4-77523DD47266}=\ [2007-07-02 17:10]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-20 17:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 00:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-07 12:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JDay^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\JDay\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
C:\Program Files\BullsEye Network\bin\bargains.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bxxs5]
RunDLL32.EXE C:\WINDOWS\bxxs5.dll,DllRun

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CSV7P87]
C:\Program Files\CSBB\CSV7P87.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssSpkPhone]
essspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Tray]
C:\My Shared Folder\Biko.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhatPulse]
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-02 17:10:59
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan
**************************************************************************

Completion time: 2007-07-02 17:16:58 - machine was rebooted
C:\ComboFix-quarantined-files.txt ... 2007-07-02 17:16

--- E O F ---

---------------------------------------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:25:55 PM, on 7/2/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\JDay\Desktop\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {1FFD75BE-29C8-489A-A1A4-77523DD47266} - \
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearch.html?p=ZRxdm185XXUS
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1243ffc437065dabb703/netzip/RdxIE601.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemplates/ActiveSecurity.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AFFA6} (TestingCtl Control) - http://esb.alcena.com/ESBBundleInstaller2.ocx
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.stardialer.de/InstallationsAssistent.ocx
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

--
End of file - 6477 bytes

Angelfire777
2007-07-03, 13:36
Hi,

Have you used CA Antivirus before?

*Click Start > Control Panel > Add or Remove Programs and uninstall the items I listed in bold if found.

BullsEye Network

BargainBuddy

The following are optionals:

Viewpoint

Viewpoint, Viewpoint Manager, Viewpoint Media Player are Viewpoint components which are installed as a side effect of installing other software, most notably AOL and AOL Instant Messenger (AIM). Viewpoint Manager is responsible for managing and updating Viewpoint Media Player’s components. Viewpoint Manager is considered as foistware instead of malware since it is installed without user's approval but doesn't spy or do anything "bad". In 2006, this may change, read Viewpoint to Plunge Into Adware (http://www.clickz.com/showPage.html?page=3561546).

WildTangent
WildTangent asserts that the software bundle is safe, but many antispyware programs classify it as adware/spyware, mainly because it reports activity and games played to various servers. Some experts feel that WildTangent's software is safe but consider it to be foistware because it is often installed without the user's knowledge or express consent. It doesn't spy or deliver advertising, but it is generally unwanted. I recommend that you remove it.
__________________

Since HijackThis creates backups of all it fixes and we want them safe and secured should they be required later, we need to move HijackThis to a permanent folder.

a.) While in your Desktop, right click in the background > Go to New > click Folder > Name the Folder HJT

b.) After creating the folder, find your HijackThis.exe (it looks like a detonator with some dynamites). Then, drag and drop that file to the new folder you created.

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = about:blank
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = about:blank
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - (no file)
O2 - BHO: (no name) - SOFTWARE - (no file)
O2 - BHO: (no name) - {1FFD75BE-29C8-489A-A1A4-77523DD47266} - \
O8 - Extra context menu item: &Search - http://bar.mywebsearch.com/menusearc...p=ZRxdm185XXUS
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} - http://software-dl.real.com/1243ffc4...p/RdxIE601.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comned.com/signuptemp...veSecurity.cab
O16 - DPF: {8F24DE00-0D66-4F93-9405-3F21E97AFFA6} (TestingCtl Control) - http://esb.alcena.com/ESBBundleInstaller2.ocx
O16 - DPF: {F0BC061F-DAF9-4533-8011-53BCB4C10307} (Installations Assistent) - http://install.stardialer.de/InstallationsAssistent.ocx


If you or your system admonistrator didn't set the following policy, please fix the following entry:

O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel present

Fix the following if you uninstalled wildTangent:

O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.



Combofix Deletions
Right click on your desktop, select "new" then choose "New text Document"
Name it as "Combofix-Do"
Copy and paste the text inside the code box below to Combofix-Do.txt


File::
C:\WINDOWS\system32\ojvpvghq.exe
C:\WINDOWS\bxxs5.dll
C:\My Shared Folder\Biko.exe

Folder::
C:\Program Files\CSBB
C:\Program Files\BullsEye Network
C:\Program Files\Viewpoint (include this line if you uninstalled Viewpoint)
C:\Program Files\WildTangent (include this line if you uninstalled Wildtangent)

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\bxxs5]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CSV7P87]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Microsoft Tray]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr] (include this line if you uninstalled Viewpoint)
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA] (include this line if you uninstalled Wildtangent)

Save it.
Drag and drop Combofix-do.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img407.imageshack.us/img407/4396/combodomm9.gif
Combofix wil restart your machine then it will produce a log afterwards.
Please post the contents of that log along with a fresh HijackThis log.


I would like you to scan a few files for me.

Please go HERE (http://virusscan.jotti.org/). Click browse then, navigate to this file:

C:\Program Files\TTC.dll

Then click submit.

Please post the results to your next reply.

If Jotti is too busy, you can go HERE (www.virustotal.com) and do the same as above.

On your next reply, please include a fresh HijackThis log, results of the jotti scan, combofix log and a description on how your machine is running.

Moebius
2007-07-03, 16:29
Spybot detected this a couple of days before, but it couldnt fix.
Posting HijackThis log (renamed HijackThis_v2.exe into something.exe):


Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 15:21:13, on 03/07/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Archivos de programa\Avast4\aswUpdSv.exe
C:\Archivos de programa\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\system32\LEXPPS.EXE
C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\rqkalvbb.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wwSecure.exe
C:\Archivos de programa\Avast4\ashMaiSv.exe
C:\Archivos de programa\Avast4\ashWebSv.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\rundll32.exe
C:\ARCHIV~1\Avast4\ashDisp.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
C:\ARCHIV~1\HEWLET~1\Toolbox\STATUS~1\STATUS~1.EXE
C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
C:\Archivos de programa\Hewlett-Packard\Toolbox\jre\bin\javaw.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe
C:\Archivos de programa\Outlook Express\msimn.exe
C:\WINDOWS\system32\osyvklnk.exe
C:\Archivos de programa\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Archivos de programa\Adobe\Reader 8.0\Reader\AcroRd32.exe
C:\Archivos de programa\Internet Explorer\iexplore.exe
C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe
C:\Documents and Settings\E\Mis documentos\SOMETHING.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.google.es/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Constantino Moreira S.A.
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName = Vínculos
O1 - Hosts: 128.100.96.241 NPI15C6CB
O2 - BHO: Aplicación auxiliar de vínculos de Adobe PDF Reader - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Archivos de programa\Archivos comunes\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\ARCHIV~1\SPYBOT~1\SDHelper.dll
O2 - BHO: (no name) - {5ADF3862-9E2E-4ad3-86F7-4510E6550CD0} - C:\WINDOWS\system32\ylhfnvsn.dll
O2 - BHO: (no name) - {640D0632-8402-4A06-BECF-329A57937490} - C:\WINDOWS\system32\awvts.dll
O2 - BHO: (no name) - {CFDE1CF9-75B3-4B1E-B9A7-B5FB88A171E6} - C:\WINDOWS\system32\opnmlki.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [avast!] C:\ARCHIV~1\Avast4\ashDisp.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [Picasa Media Detector] C:\Archivos de programa\Picasa2\PicasaMediaDetector.exe
O4 - HKLM\..\Run: [ATICCC] "C:\Archivos de programa\ATI Technologies\ATI.ACE\cli.exe" runtime -Delay
O4 - HKLM\..\Run: [HP Software Update] "C:\Archivos de programa\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [Google Desktop Search] "C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe" /startup
O4 - HKLM\..\Run: [TomcatStartup 2.5] C:\Archivos de programa\Hewlett-Packard\Toolbox\hpbpsttp.exe
O4 - HKLM\..\Run: [GPLv3] rundll32.exe "C:\WINDOWS\system32\vwkkotlb.dll",realset
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Archivos de programa\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Archivos de programa\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKUS\S-1-5-19\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SERVICIO LOCAL')
O4 - HKUS\S-1-5-20\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Servicio de red')
O4 - HKUS\S-1-5-18\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'SYSTEM')
O4 - HKUS\.DEFAULT\..\Run: [CTFMON.EXE] C:\WINDOWS\system32\CTFMON.EXE (User 'Default user')
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Archivos de programa\HP\Digital Imaging\bin\hpqtra08.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xportar a Microsoft Excel - res://C:\ARCHIV~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Referencia - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\ARCHIV~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Archivos de programa\Messenger\msmsgs.exe (file missing)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS2\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O17 - HKLM\System\CS3\Services\Tcpip\..\{4492F9DD-6837-485B-B506-5AF475B49673}: NameServer = 62.151.2.8
O20 - AppInit_DLLs: C:\ARCHIV~1\Google\GOOGLE~2\GOEC62~1.DLL
O20 - Winlogon Notify: awvts - C:\WINDOWS\system32\awvts.dll
O20 - Winlogon Notify: opnmlki - C:\WINDOWS\SYSTEM32\opnmlki.dll
O22 - SharedTaskScheduler: Precargador Browseui - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\system32\browseui.dll
O22 - SharedTaskScheduler: Demonio de caché de las categorías de componente - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\system32\browseui.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Archivos de programa\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Archivos de programa\Avast4\aswUpdSv.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Archivos de programa\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Archivos de programa\Avast4\ashWebSv.exe
O23 - Service: Servicio del administrador de discos lógicos (dmadmin) - Unknown owner - C:\WINDOWS\System32\dmadmin.exe
O23 - Service: DomainService - - C:\WINDOWS\system32\rqkalvbb.exe
O23 - Service: Registro de sucesos (Eventlog) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: GoogleDesktopManager - Google - C:\Archivos de programa\Google\Google Desktop Search\GoogleDesktop.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Archivos de programa\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: Servicio COM de grabación de CD de IMAPI (ImapiService) - Unknown owner - C:\WINDOWS\system32\imapi.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Escritorio remoto compartido de NetMeeting (mnmsrvc) - Unknown owner - C:\WINDOWS\system32\mnmsrvc.exe
O23 - Service: Plug and Play (PlugPlay) - Unknown owner - C:\WINDOWS\system32\services.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Administrador de sesión de Ayuda de escritorio remoto (RDSessMgr) - Unknown owner - C:\WINDOWS\system32\sessmgr.exe
O23 - Service: Tarjeta inteligente (SCardSvr) - Unknown owner - C:\WINDOWS\System32\SCardSvr.exe
O23 - Service: Registros y alertas de rendimiento (SysmonLog) - Unknown owner - C:\WINDOWS\system32\smlogsvc.exe
O23 - Service: Instantáneas de volumen (VSS) - Unknown owner - C:\WINDOWS\System32\vssvc.exe
O23 - Service: Adaptador de rendimiento de WMI (WmiApSrv) - Unknown owner - C:\WINDOWS\system32\wbem\wmiapsrv.exe
O23 - Service: Servicio de uso compartido de red del Reproductor de Windows Media (WMPNetworkSvc) - Unknown owner - C:\Archivos de programa\Windows Media Player\WMPNetwk.exe
O23 - Service: Washer AutoComplete (wwSecSvc) - Webroot Software, Inc. - C:\WINDOWS\system32\wwSecure.exe

--
End of file - 9552 bytes

And waiting for your instructions to save me...

Regards

Moebius
2007-07-03, 16:32
Please delete this post, I made a mistake, but I cant edit my posts

Underd0g
2007-07-04, 03:43
Actually my computer hasn't had the pop ups coming up every five minutes. The computer has speed up so it takes less time. On Side Note, None of those things you have told me to uninstall have been on my list.

(TTC.dll file)
Scan taken on 04 Jul 2007 00:31:15 (GMT)
A-Squared
Found Adware.Win32.TTC.b
AntiVir
Found ADSPY/TTC.B.1
ArcaVir
Found Adware.Ttc.B
Avast
Found nothing
AVG Antivirus
Found nothing
BitDefender
Found Adware.TTC.B
ClamAV
Found nothing
Dr.Web
Found Adware.Websearch
F-Prot Antivirus
Found nothing
F-Secure Anti-Virus
Found not-a-virus:AdWare.Win32.TTC.b (4, 1, 400)
Fortinet
Found Adware/TTC
Kaspersky Anti-Virus
Found not-a-virus:AdWare.Win32.TTC.b
NOD32
Found nothing
Norman Virus Control
Found nothing
Panda Antivirus
Found nothing
Rising Antivirus
Found nothing
VirusBuster
Found Adware.TTC.B
VBA32
Found AdWare.Win32.TTC.b

-----------------

"JDay" - 2007-07-03 20:17:44 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\JDay\Desktop\Combofix-Do.txt


( Other Deletions )


C:\Program Files\CSBB
C:\Program Files\CSBB\control.dat
C:\Program Files\CSBB\csbb_checks.dat
C:\Program Files\CSBB\csbb_dictionary.bin
C:\Program Files\CSBB\csbb_mpu_mirrors.bin
C:\Program Files\CSBB\csbb_mpu_rules.dat
C:\Program Files\CSBB\csbb_promos.bin
C:\Program Files\CSBB\csbb_ron_campaigns.bin
C:\Program Files\CSBB\csbb_ron_rules.dat
C:\Program Files\CSBB\csbb_ron_sbday.dat
C:\Program Files\CSBB\csbb_ron_sbhour.dat
C:\Program Files\CSBB\csbb_ss_edomains.bin
C:\Program Files\CSBB\csbb_ss_idomains.bin
C:\Program Files\CSBB\csbb_ss_rules.dat
C:\Program Files\CSBB\csbb_tsb_campaigns.bin
C:\Program Files\CSBB\csbb_tsb_edomains.bin
C:\Program Files\CSBB\csbb_tsb_patterns.bin
C:\Program Files\CSBB\csbb_tsb_rules.dat
C:\Program Files\CSBB\csbb_tsb_sbday.dat
C:\Program Files\CSBB\csbb_tsb_sbhour.dat
C:\Program Files\CSBB\csbb_usb_campaigns.bin
C:\Program Files\CSBB\csbb_usb_patterns.bin
C:\Program Files\CSBB\csbb_usb_rules.dat
C:\Program Files\CSBB\csbb_usb_sbday.dat
C:\Program Files\CSBB\csbb_usb_sbhour.dat
C:\Program Files\CSBB\csie_ron_sbday.dat
C:\Program Files\CSBB\csie_ron_sbhour.dat
C:\Program Files\CSBB\CSLDRUPDATER.DLL
C:\Program Files\CSBB\CSTMINST.DLL
C:\Program Files\CSBB\CSTVINST.DLL
C:\WINDOWS\system32\ojvpvghq.exe


( Files Created from 2007-06-04 to 2007-07-04 )


2007-07-02 16:33 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 04:40 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-28 16:37 <DIR> d-------- C:\WINDOWS\provisioning
2007-06-28 16:37 <DIR> d-------- C:\WINDOWS\peernet
2007-06-28 16:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-28 12:39 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2007-06-28 00:51 <DIR> d-------- C:\Program Files\RarZilla Free Unrar
2007-06-28 00:29 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-28 00:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-28 00:29 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-17 14:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-16 23:48 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-16 23:48 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-16 23:48 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-16 23:48 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-16 23:47 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-16 23:47 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-16 23:47 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-16 23:47 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-16 18:26 <DIR> d-------- C:\Temp
2007-06-14 07:54 163,840 --a------ C:\Program Files\TTC.dll


( Find3M Report )

2007-07-02 19:47:57 -------- d-----w C:\Program Files\Messenger
2007-06-28 20:37:25 -------- d-----w C:\Program Files\Movie Maker
2007-06-28 20:30:11 -------- d-----w C:\Program Files\Windows NT
2007-06-17 17:05:32 -------- d-----w C:\Program Files\CA
2007-06-17 02:58:34 -------- d-----w C:\DOCUME~1\JDay\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


( Reg Loading Points )


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0549E6CB-9985-42F6-8FD6-4EC017E6AAE1}=C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll [2003-12-19 11:52]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-20 17:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 00:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-07 12:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JDay^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\JDay\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssSpkPhone]
essspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhatPulse]
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-03 20:21:20
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan
**************************************************************************

Completion time: 2007-07-03 20:22:57
C:\ComboFix-quarantined-files.txt ... 2007-07-03 20:22
C:\ComboFix2.txt ... 2007-07-02 17:16

--- E O F ---

-------------------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 8:42:03 PM, on 7/3/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\JDay\Desktop\HJT\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/partners/aolim/install.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

--
End of file - 5373 bytes

Angelfire777
2007-07-04, 12:28
Hi,

*Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O16 - DPF: {65E7DB1D-0101-4100-BD66-C5C78C917F93} - http://install.wildtangent.com/bgn/p...im/install.cab

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.

Delete your current copy of Combo-do.txt ..

Combofix Deletions
Right click on your desktop, select "new" then choose "New text Document"
Name it as "Combofix-Do"
Copy and paste the text inside the code box below to Combofix-Do.txt


File::
C:\Program Files\TTC.dll

Folder::
C:\Program Files\Viewpoint
C:\Program Files\WildTangent

Registry::
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ViewMgr]
[-HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]

Save it.
Drag and drop Combofix-do.txt to your copy of combofix.
You can take a look at the image below if you're unsure on how to do it.
http://img407.imageshack.us/img407/4396/combodomm9.gif
Combofix wil restart your machine then it will produce a log afterwards.
Please post the contents of that log along with a fresh HijackThis log.

Underd0g
2007-07-04, 22:37
"JDay" - 2007-07-04 8:03:19 - ComboFix 07-06-27.7 - Service Pack 2 NTFS
Command switches used :: C:\Documents and Settings\JDay\Desktop\Combofix-Do.txt


( Other Deletions )


C:\Program Files\TTC.dll


( Files Created from 2007-06-04 to 2007-07-04 )


2007-07-02 16:33 49,152 --a------ C:\WINDOWS\nircmd.exe
2007-06-29 04:40 <DIR> d-------- C:\WINDOWS\Prefetch
2007-06-28 16:37 <DIR> d-------- C:\WINDOWS\provisioning
2007-06-28 16:37 <DIR> d-------- C:\WINDOWS\peernet
2007-06-28 16:31 <DIR> d-------- C:\WINDOWS\ServicePackFiles
2007-06-28 12:39 <DIR> d--h-c--- C:\WINDOWS\$SQLUninstallMDAC28-KB911562-x86-ENU$
2007-06-28 00:51 <DIR> d-------- C:\Program Files\RarZilla Free Unrar
2007-06-28 00:29 53,248 --a------ C:\WINDOWS\system32\Process.exe
2007-06-28 00:29 51,200 --a------ C:\WINDOWS\system32\dumphive.exe
2007-06-28 00:29 288,417 --a------ C:\WINDOWS\system32\SrchSTS.exe
2007-06-17 14:33 <DIR> d-------- C:\DOCUME~1\ALLUSE~1\APPLIC~1\Windows Genuine Advantage
2007-06-16 23:48 95,872 --a------ C:\WINDOWS\system32\AvastSS.scr
2007-06-16 23:48 43,176 --a------ C:\WINDOWS\system32\drivers\aswTdi.sys
2007-06-16 23:48 26,888 --a------ C:\WINDOWS\system32\drivers\aavmker4.sys
2007-06-16 23:48 23,416 --a------ C:\WINDOWS\system32\drivers\aswRdr.sys
2007-06-16 23:47 94,552 --a------ C:\WINDOWS\system32\drivers\aswmon2.sys
2007-06-16 23:47 85,952 --a------ C:\WINDOWS\system32\drivers\aswmon.sys
2007-06-16 23:47 745,600 --a------ C:\WINDOWS\system32\aswBoot.exe
2007-06-16 23:47 <DIR> d-------- C:\Program Files\Alwil Software
2007-06-16 18:26 <DIR> d-------- C:\Temp


( Find3M Report )

2007-07-02 19:47:57 -------- d-----w C:\Program Files\Messenger
2007-06-28 20:37:25 -------- d-----w C:\Program Files\Movie Maker
2007-06-28 20:30:11 -------- d-----w C:\Program Files\Windows NT
2007-06-17 17:05:32 -------- d-----w C:\Program Files\CA
2007-06-17 02:58:34 -------- d-----w C:\DOCUME~1\JDay\APPLIC~1\AdobeUM
2007-05-16 15:12:02 683,520 ----a-w C:\WINDOWS\system32\inetcomm.dll
2007-04-25 14:21:15 144,896 ----a-w C:\WINDOWS\system32\schannel.dll
2007-04-18 16:12:23 2,854,400 ----a-w C:\WINDOWS\system32\msi.dll
2007-04-17 02:47:36 33,624 ----a-w C:\WINDOWS\system32\wups.dll
2007-04-17 02:45:54 1,710,936 ----a-w C:\WINDOWS\system32\wuaueng.dll
2007-04-17 02:45:48 549,720 ----a-w C:\WINDOWS\system32\wuapi.dll
2007-04-17 02:45:42 325,976 ----a-w C:\WINDOWS\system32\wucltui.dll
2007-04-17 02:45:36 203,096 ----a-w C:\WINDOWS\system32\wuweb.dll
2007-04-17 02:45:28 92,504 ----a-w C:\WINDOWS\system32\cdm.dll
2007-04-17 02:45:20 53,080 ----a-w C:\WINDOWS\system32\wuauclt.exe
2007-04-17 02:45:20 43,352 ----a-w C:\WINDOWS\system32\wups2.dll


( Reg Loading Points )


*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects]
{0549E6CB-9985-42F6-8FD6-4EC017E6AAE1}=C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll [2003-12-19 11:52]
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}=C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll [2006-01-12 21:38]
{53707962-6F74-2D53-2644-206D7942484F}=C:\PROGRA~1\SPYBOT~1\SDHelper.dll [2005-05-31 01:04]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime\qttask.exe" [2005-04-20 17:37]
"iTunesHelper"="C:\Program Files\iTunes\iTunesHelper.exe" [2004-12-18 00:20]
"TkBellExe"="C:\Program Files\Common Files\Real\Update_OB\realsched.exe" [2006-05-07 12:36]
"avast!"="C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe" [2007-04-30 11:42]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="C:\Program Files\Messenger\msmsgs.exe" [2004-10-13 12:24]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^JDay^Start Menu^Programs^Startup^PowerReg Scheduler V3.exe]
path=C:\Documents and Settings\JDay\Start Menu\Programs\Startup\PowerReg Scheduler V3.exe
backup=C:\WINDOWS\pss\PowerReg Scheduler V3.exeStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AIM]
C:\Program Files\AIM\aim.exe -cnetwait.odl

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\System32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EssSpkPhone]
essspk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhatPulse]
C:\PROGRA~1\WHATPU~1\WHATPU~1.EXE

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA]
RUNDLL32.exe "C:\Program Files\WildTangent\Apps\CDA\cdaEngine0400.dll",cdaEngineMain

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet


**************************************************************************

catchme 0.3.721 W2K/XP/Vista - userland rootkit detector by Gmer, http://www.gmer.net
Rootkit scan 2007-07-04 08:07:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

disk error: C:\WINDOWS\

please note that you need administrator rights to perform deep scan
**************************************************************************

Completion time: 2007-07-04 8:08:45
C:\ComboFix-quarantined-files.txt ... 2007-07-04 08:08
C:\ComboFix2.txt ... 2007-07-03 20:22
C:\ComboFix3.txt ... 2007-07-02 17:16

--- E O F ---

----------------------------------

Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 3:36:21 PM, on 7/4/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\explorer.exe
C:\PROGRA~1\MOZILL~1\FIREFOX.EXE
C:\Documents and Settings\JDay\Desktop\HJT\HiJackThis_v2.exe

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

--
End of file - 5258 bytes

Angelfire777
2007-07-05, 12:49
Hi, there are some entries that are a bit stubborn:fear:

You may want to print these instructions here or save them in notepad since you'll work offline.

Reboot into Safe Mode.

To enter Safe Mode..

Click Start > Turn Off Computer > Restart > Tap F8 key just before Windows starts to load, > This will bring up a Menu > Use your keyboard to scroll to Safe Mode> Hit enter.


Open HijackThis > choose Scan Only > Place a checkmark in the boxes beside these entries in bold.

R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank

Close your browsers and all open windows except for HijackThis, then click "Fix checked". Exit HijackThis.


Click start > run > copy and paste:

reg delete "HKLM\software\microsoft\shared tools\msconfig\startupreg\WildTangent CDA" /f

Reboot to normal mode and post a fresh HijackThis log please.

Underd0g
2007-07-06, 00:35
Logfile of Trend Micro HijackThis v2.0.0 (BETA)
Scan saved at 5:34:35 PM, on 7/5/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
C:\Program Files\Alwil Software\Avast4\ashServ.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\LEXPPS.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
C:\Program Files\Reality Fusion\Reality Fusion GameCam SE\Program\RFTRay.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\JDay\Desktop\HJT\HiJackThis_v2.exe

O2 - BHO: PopThis BHO - {0549E6CB-9985-42F6-8FD6-4EC017E6AAE1} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [avast!] C:\PROGRA~1\ALWILS~1\Avast4\ashDisp.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Adobe Reader Speed Launch.lnk = C:\Program Files\Adobe\Acrobat 7.0\Reader\reader_sl.exe
O4 - Global Startup: Reality Fusion GameCam SE.lnk = ?
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~4\Office10\EXCEL.EXE/3000
O9 - Extra button: (no name) - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra 'Tools' menuitem: PopThis! Options... - {91663649-416A-42A5-8E54-B63C1ECA0548} - C:\Program Files\Surfapps.com\PopThis! Free Version\PopThis.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: Yahoo! Pool 2 - http://download2.games.yahoo.com/games/clients/y/poti_x.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/viewers/ipixx.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {4F5E4276-C120-11D6-A1FD-00508B9D48EA} (dldisplay Class) - http://www.gamehouse.com/ghdlctl.cab
O16 - DPF: {62475759-9E84-458E-A1AB-5D2C442ADFDE} - http://a1540.g.akamai.net/7/1540/52/20040427/qtinstall.info.apple.com/saba/us/win/QuickTimeInstaller.exe
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {77E32299-629F-43C6-AB77-6A1E6D7663F6} - http://www.nick.com/common/groove/gx/GrooveAX25.cab
O16 - DPF: {D6FCA8ED-4715-43DE-9BD2-2789778A5B09} (NPKCX Control) - http://guard.gunbound.net/nProtect/keyCrypt/npkcx.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} (iTunesDetector Class) - http://ax.phobos.apple.com.edgesuite.net/detection/ITDetector.cab
O16 - DPF: {E504EE6E-47C6-11D5-B8AB-00D0B78F3D48} (Yahoo! Webcam Viewer Wrapper) - http://chat.yahoo.com/cab/yvwrctl.cab
O16 - DPF: {EFAEF0E4-F044-4D57-9900-1C3FF18524C9} (AV Class) - http://www.pcpitstop.com/antivirus/PitPav.cab
O22 - SharedTaskScheduler: Browseui preloader - {438755C2-A8BA-11D1-B96B-00A0C90312E1} - C:\WINDOWS\System32\browseui.dll
O22 - SharedTaskScheduler: Component Categories cache daemon - {8C7461EF-2B13-11d2-BE35-3078302C2030} - C:\WINDOWS\System32\browseui.dll
O23 - Service: avast! iAVS4 Control Service (aswUpdSv) - ALWIL Software - C:\Program Files\Alwil Software\Avast4\aswUpdSv.exe
O23 - Service: avast! Antivirus - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashServ.exe
O23 - Service: avast! Mail Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashMaiSv.exe
O23 - Service: avast! Web Scanner - ALWIL Software - C:\Program Files\Alwil Software\Avast4\ashWebSv.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: npkcsvc - INCA Internet Co., Ltd. - C:\WINDOWS\System32\npkcsvc.exe

--
End of file - 5236 bytes

Angelfire777
2007-07-06, 17:09
Congratulations! Your log looks clean!

This is a good time to clear your existing system restore points and establish a new clean restore point:
Go to Start > All Programs > Accessories > System Tools > System Restore

Select Create a restore point, and Ok it.

Next, go to Start > Run and type in cleanmgr

Select the More options tab

Choose the option to clean up system restore and OK it.

This will remove all restore points except the new one you just created.
______________________
Here are some free programs I recommend that could help you improve your pc's security.

Firewall Application - Although Windows Xp comes with a firewall, you should not rely on it because the Windows Firewall can only filter incoming data; outgoing traffic is not controlled, meaning that malware/viruses that are present in your computer can access the internet with no restrictions. There are several other Firewall that can protect you better by filtering incoming and outgoing data. Make sure you get only one of these.

» ZoneAlarm (http://www.zonelabs.com)
» Kerio (http//www.sunbelt-software.com/Kerio-Download.cfm)

Install SpyWare Blaster
~You can download it from here (http://www.javacoolsoftware.com/spywareblaster.html)
~You can read the tutorial on how to use Spyware Blaster here (http://www.bleepingcomputer.com/tutorials/tutorial49.html)

Install WinPatrol
~You can download it from here (http://www.winpatrol.com/download.html)
~You can get some information about how WinPatrol works here (http://www.winpatrol.com/features.html)

IESpyAds
~You can download it from here (http://www.spywarewarrior.com/uiuc/resource.htm#IESPYAD)
~If you want to know how IEspyads work you can take a look at it here (http://www.bleepingcomputer.com/tutorials/tutorial53.html)
~Please note that IESpyAds only works with Internet Explorer.

Note: Make sure you update your Antivirus programs and other security products regularly to avoid new threats that could infect your system.

Please check out Tony Klein's article "How did I get infected in the first place?" (http://castlecops.com/t7736-So_how_did_I_get_infected_in_the_first_place.html)

Happy safe surfing!

Underd0g
2007-07-07, 01:15
Thank you for all the help. I really appreciate it.

Angelfire777
2007-07-07, 06:32
It was my pleasure:)

Angelfire777
2007-07-08, 13:14
Glad we could be of assistance :bigthumb:

Since the problem has been resolved, this topic is now closed and archived. If you need it re-opened please send me a private message (pm) and provide a link to the thread. Applies only to the original poster, anyone else with similar problems please start a new topic.