Also having trouble getting rid of trojan.win32.obfuscated.kp



InfestedToo
2007-11-13, 06:53
I read the previous thread started by user "Infested". I am also struggling with pop-ups caused by trojan.win32.obfuscated.kp.

I followed the final steps listed and am still having problems. Any and all help is greatly appreciated; here are the three logs:


VundoFix V6.5.11

Checking Java version...

Java version is 1.5.0.2
Old versions of java are exploitable and should be removed.

Java version is 1.5.0.7
Old versions of java are exploitable and should be removed.

Scan started at 11:17:35 PM 11/12/2007

Listing files found while scanning....

C:\WINDOWS\system32\ooeacc.dll

Beginning removal...

Performing Repairs to the registry.
Done!


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:51:52 PM, on 11/12/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16544)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Common\ViewpointService.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\HiJackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.espn.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
O2 - BHO: (no name) - {183807B8-BC07-48A2-8DAD-ABC96FA6C7A8} - C:\WINDOWS\SYSTEM32\hgghgdc.dll (file missing)
O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: {0510f85d-05fb-8a98-e154-9ba0faa79d57} - {75d97aaf-0ab9-451e-89a8-bf50d58f0150} - C:\WINDOWS\system32\dmrmnpem.dll
O2 - BHO: (no name) - {86D2214A-42AE-4582-9C8B-E339A9BFEAD0} - (no file)
O2 - BHO: (no name) - {9B8CDB51-E8C6-40D7-9EC5-AFFC2EA6FCF4} - (no file)
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar5.dll
O2 - BHO: Google Toolbar Notifier BHO - {AF69DE43-7D58-4638-B6FA-CE66B5AD205D} - C:\Program Files\Google\GoogleToolbarNotifier\2.0.301.7164\swg.dll
O2 - BHO: (no name) - {AFD6662B-5ACD-454F-B6C1-F8162E183A17} - (no file)
O2 - BHO: (no name) - {D4C11D05-A04F-4E70-B256-D40C33DB610B} - (no file)
O2 - BHO: (no name) - {E3CC887F-30D1-43A1-9E7F-9D512D193149} - (no file)
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar5.dll
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"
O4 - HKLM\..\Run: [444ede73] rundll32.exe "C:\WINDOWS\system32\bhevgdpr.dll",b
O4 - HKCU\..\Run: [EPSON Stylus CX4600 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /M "Stylus CX4600" /EF "HKCU"
O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\SCIEPlgn.dll
O9 - Extra button: Related - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra 'Tools' menuitem: Show &Related Links - {c95fe080-8f5d-11d2-a20b-00aa003c157a} - C:\WINDOWS\web\related.htm (file missing)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {01111F00-3E00-11D2-8470-0060089874ED} (Support.com Installer) - http://supportsoft.adelphia.net/sdccommon/download/tgctlins.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - http://activation.rr.com/install/downloads/tgctlcm.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall60.trendmicro.com/housecall/xscan60.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/english/kavwebscan_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft.com/fwlink/?linkid=39204
O16 - DPF: {215B8138-A3CF-44C5-803F-8226143CFC0A} (Trend Micro ActiveX Scan Agent 6.6) - http://housecall65.trendmicro.com/housecall/applet/html/native/x86/win32/activex/hcImpl.cab
O16 - DPF: {30528230-99F7-4BB4-88D8-FA1D4F56A2AB} (YInstStarter Class) - http://us.dl1.yimg.com/download.yahoo.com/dl/yinst/yinst_current.cab
O16 - DPF: {405BBF5B-2FD8-4614-AC51-D8566F635B94} (SafeWallet Class) - http://idsm.citadelprocessing.com/SafeCommon/downloads/WalletCab.CAB
O16 - DPF: {4A3CF76B-EC7A-405D-A67D-8DC6B52AB35B} (QDiagAOLCCUpdateObj Class) - http://aolcc.aol.com/computercheckup/qdiagcc.cab
O16 - DPF: {5E936384-B736-4A9E-AA93-832CA59FDCEC} (InstallShield Setup Player V11) - http://epson.synovate.com/epson/setup.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupdate.microsoft.com/v5consumer/V5Controls/en/x86/client/wuweb_site.cab?1096528277717
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.microsoft.com/microsoftupdate/v6/V5Controls/en/x86/client/muweb_site.cab?1175279986828
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai.net/7/840/537/2004061001/housecall.trendmicro.com/housecall/xscan53.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.webshots.com/html/WSPhotoUploader.CAB
O16 - DPF: {CA034DCC-A580-4333-B52F-15F98C42E04C} (Downloader Class) - http://www.stopzilla.com/_download/Auto_Installer/dwnldr_ext.cab
O20 - Winlogon Notify: hgghgdc - C:\WINDOWS\
O20 - Winlogon Notify: laaeydno - C:\WINDOWS\SYSTEM32\laaeydno.dll
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Kaspersky Anti-Virus 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe
O23 - Service: Google Updater Service (gusvc) - Google - C:\Program Files\Google\Common\Google Updater\GoogleUpdaterService.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: InCD File System Service (InCDsrv) - AHEAD Software - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iPod Service - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Viewpoint Manager Service - Viewpoint Corporation - C:\Program Files\Viewpoint\Common\ViewpointService.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe

--
End of file - 7743 bytes

InfestedToo
2007-11-13, 06:55
And the combofix log:

ComboFix 07-11-08.1 - John 2007-11-12 23:34:32.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.231 [GMT -5:00]
Running from: C:\Documents and Settings\John\Local Settings\Temporary Internet Files\Content.IE5\9D2KF308\ComboFix[1].exe
* Created a new restore point
.

Unable to gain System Privileges

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\All Users\Start Menu\Live Safety Center.lnk
C:\Documents and Settings\All Users\Start Menu\Online Security Guide.lnk
C:\Documents and Settings\John\Application Data\Sskdmns.dll
C:\Documents and Settings\John\Desktop\Live Safety Center.lnk
C:\Documents and Settings\John\Desktop\Online Security Guide.lnk
C:\Documents and Settings\John\Favorites\Online Security Guide.lnk
C:\Program Files\pslister
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\bang-006.ico
C:\WINDOWS\system32\guard.tmp
C:\WINDOWS\system32\laaeydno.dllbox
C:\WINDOWS\system32\qtutv.bak1
C:\WINDOWS\system32\qtutv.bak2
C:\WINDOWS\system32\qtutv.ini
C:\WINDOWS\system32\qtutv.ini2
C:\WINDOWS\system32\qtutv.tmp
C:\WINDOWS\system32\vtutq.dll
C:\WINDOWS\system32\zxdnt3d.cfg

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_DOMAINSERVICE
-------\LEGACY_WINDOWS_OVERLAY_COMPONENTS
-------\DomainService


((((((((((((((((((((((((( Files Created from 2007-10-13 to 2007-11-13 )))))))))))))))))))))))))))))))
.

2007-11-12 23:33 145,984 --a------ C:\WINDOWS\system32\laaeydno.dll
2007-11-12 23:33 145,984 --a------ C:\WINDOWS\system32\hxrsbxmd.dll
2007-11-12 23:31 51,200 --a------ C:\WINDOWS\NirCmd.exe
2007-11-12 23:27 81,472 --a------ C:\WINDOWS\system32\dmrmnpem.dll
2007-11-12 23:25 89,664 --a------ C:\WINDOWS\system32\bhevgdpr.dll
2007-11-12 23:25 71,232 --a------ C:\WINDOWS\system32\hhexymqd.exe
2007-11-12 23:17 <DIR> d-------- C:\VundoFix Backups
2007-11-12 23:07 115,712 --a------ C:\Program Files\VundoFix.exe
2007-11-12 22:31 <DIR> d-------- C:\PERepairData
2007-11-12 22:31 <DIR> d-------- C:\Documents and Settings\John\Application Data\Spybot - Search & Destroy
2007-11-12 22:02 81,472 --a------ C:\WINDOWS\system32\cciirvwm.dll
2007-11-12 21:56 89,664 --a------ C:\WINDOWS\system32\ujosamca.dll
2007-11-12 21:46 81,472 --a------ C:\WINDOWS\system32\gmugewdn.dll
2007-11-12 21:32 81,472 --a------ C:\WINDOWS\system32\fpxkkfxt.dll
2007-11-12 20:52 89,664 --a------ C:\WINDOWS\system32\ramdqvvh.dll
2007-11-12 20:46 81,472 --a------ C:\WINDOWS\system32\hufyoaxo.dll
2007-11-12 19:09 401,720 --a------ C:\Program Files\HiJackThis.exe
2007-11-12 19:04 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-11-12 19:03 7,467,056 --a------ C:\Program Files\spybotsd15.exe
2007-11-12 18:15 81,472 --a------ C:\WINDOWS\system32\ofkfsixs.dll
2007-11-12 14:25 82,061 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-11-12 14:25 81,549 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-11-12 14:22 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-11-12 14:22 2,112,800 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-11-12 14:22 26,656 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-11-12 14:21 <DIR> d-------- C:\KAV
2007-11-12 14:21 24,760,584 --a------ C:\kav7.0.0.125en.exe
2007-11-12 02:19 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-11-12 02:19 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-11-12 01:40 6,021,960 --a------ C:\Program Files\Firefox Setup 2.0.0.9.exe
2007-11-11 18:14 79,936 --a------ C:\WINDOWS\system32\fbftqulp.dll
2007-11-02 00:46 <DIR> d-------- C:\WINFTP
2007-10-27 17:49 12,160 --a------ C:\WINDOWS\system32\drivers\mouhid.sys
2007-10-27 17:49 12,160 --a--c--- C:\WINDOWS\system32\dllcache\mouhid.sys
2007-10-16 01:27 <DIR> d-------- C:\WINDOWS\Replay Media Catcher
2007-10-16 01:27 <DIR> d-------- C:\Program Files\Replay Media Catcher

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-11-13 04:42 3,548 --sha-w C:\WINDOWS\system32\drivers\fidbox2.idx
2007-11-13 04:42 29,348 --sha-w C:\WINDOWS\system32\drivers\fidbox.idx
2007-11-13 02:08 --------- d-----w C:\Documents and Settings\John\Application Data\BSplayer
2007-11-13 00:10 7,826 ----a-w C:\Program Files\hijackthis.log
2007-11-12 23:53 --------- d-----w C:\Program Files\America Online 9.0
2007-11-12 23:53 --------- d-----w C:\Program Files\AIM
2007-11-12 07:21 --------- d-----w C:\Documents and Settings\John\Application Data\OpenOffice.org2
2007-11-11 08:01 --------- d-----w C:\Program Files\Poker Tracker V2
2007-11-10 14:55 --------- d-----w C:\Program Files\PokerStars
2007-11-08 08:56 --------- d-----w C:\Program Files\Full Tilt Poker
2007-11-05 19:27 --------- d-----w C:\Program Files\Poker Tracker Omaha
2007-10-22 05:34 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-10-16 07:08 --------- d-----w C:\Program Files\WMR11
2007-10-16 06:38 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-09-25 10:53 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS.ORIGINAL
2007-09-25 10:53 359,808 ----a-w C:\WINDOWS\system32\drivers\TCPIP.SYS
2007-09-25 10:51 4,301,387 ----a-w C:\Program Files\Shareaza_2.2.5.0.exe
2007-09-25 10:51 --------- d-----w C:\Program Files\Shareaza
2007-09-25 10:51 --------- d-----w C:\Documents and Settings\John\Application Data\Shareaza
2007-09-23 15:36 --------- d-----w C:\Documents and Settings\All Users\Application Data\sentinel
2007-01-31 09:51 36,808,256 ----a-w C:\Program Files\iTunesSetup.exe
2006-05-17 06:20 17 ----a-w C:\Program Files\d.bat
2006-03-20 20:37 5,689,344 ----a-w C:\Program Files\mplayerc.exe
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{183807B8-BC07-48A2-8DAD-ABC96FA6C7A8}]
C:\WINDOWS\SYSTEM32\hgghgdc.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{75d97aaf-0ab9-451e-89a8-bf50d58f0150}]
2007-11-12 23:27 81472 --a------ C:\WINDOWS\system32\dmrmnpem.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{86D2214A-42AE-4582-9C8B-E339A9BFEAD0}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{9B8CDB51-E8C6-40D7-9EC5-AFFC2EA6FCF4}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AFD6662B-5ACD-454F-B6C1-F8162E183A17}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{D4C11D05-A04F-4E70-B256-D40C33DB610B}]

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{E3CC887F-30D1-43A1-9E7F-9D512D193149}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"QuickTime Task"="C:\Program Files\QuickTime Alternative\qttask.exe" [2006-10-25 18:58]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe" [2007-06-28 12:51]
"444ede73"="C:\WINDOWS\system32\bhevgdpr.dll" [2007-11-12 23:25]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"EPSON Stylus CX4600 Series"="C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.exe" []
"swg"="C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe" [2007-09-11 00:10]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 02:56]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{183807B8-BC07-48A2-8DAD-ABC96FA6C7A8}"= C:\WINDOWS\SYSTEM32\hgghgdc.dll [ ]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\hgghgdc]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\laaeydno]
laaeydno.dll 2007-11-12 23:33 145984 C:\WINDOWS\system32\laaeydno.dll

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
"Authentication Packages"= msv1_0 C:\WINDOWS\system32\vtutq.dll
"Notification Packages"= scecli scecli

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Adobe Reader Speed Launch.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Adobe Reader Speed Launch.lnk
backup=C:\WINDOWS\pss\Adobe Reader Speed Launch.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^America Online 9.0 Tray Icon.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\America Online 9.0 Tray Icon.lnk
backup=C:\WINDOWS\pss\America Online 9.0 Tray Icon.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^hhlugh.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\hhlugh.exe
backup=C:\WINDOWS\pss\hhlugh.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^Microsoft Office.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\Microsoft Office.lnk
backup=C:\WINDOWS\pss\Microsoft Office.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^svchost.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\svchost.exe
backup=C:\WINDOWS\pss\svchost.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^taskmgr.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\taskmgr.exe
backup=C:\WINDOWS\pss\taskmgr.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^ulxpk.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\ulxpk.exe
backup=C:\WINDOWS\pss\ulxpk.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^xxih.exe]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\xxih.exe
backup=C:\WINDOWS\pss\xxih.exeCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^AdDestroyer.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\AdDestroyer.lnk
backup=C:\WINDOWS\pss\AdDestroyer.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^OpenOffice.org 2.0.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\OpenOffice.org 2.0.lnk
backup=C:\WINDOWS\pss\OpenOffice.org 2.0.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^John^Start Menu^Programs^Startup^Think-Adz.lnk]
path=C:\Documents and Settings\John\Start Menu\Programs\Startup\Think-Adz.lnk
backup=C:\WINDOWS\pss\Think-Adz.lnkStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\444ede73]
rundll32.exe "C:\WINDOWS\system32\jbqdwuhd.dll",b

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
C:\WINDOWS\v1201.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Photo Downloader]
"C:\Program Files\Adobe\Photoshop Album Starter Edition\3.2\Apps\apdproxy.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
"C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]


[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AOL Spyware Protection]
"C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\APVXDWIN]
"C:\Program Files\Panda Software\Panda Antivirus 2007\APVXDWIN.EXE" /s

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AVP]
"C:\Program Files\Kaspersky Lab\Kaspersky Anti-Virus 7.0\avp.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BJCFD]
C:\Program Files\BroadJump\Client Foundation\CFD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\CMFibula]
"C:\Program Files\CMFibula\CMFibula.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ctfmon.exe]
C:\WINDOWS\system32\ctfmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cuqgdv]
C:\WINDOWS\system32\cdmodx.exe reg_run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
C:\\dfndrff_16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGServices]
C:\Program Files\ESPNRunTime\DIGServices.exe /brand=ESPN /priority=0 /poll=24

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DIGStream]
C:\Program Files\DIGStream\digstream.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\epcrmon]
C:\Program Files\EPSON\epcrmon\epcrmon.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4600 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATI9AA.EXE /P26 "EPSON Stylus CX4600 Series" /O6 "USB001" /M "Stylus CX4600"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\EPSON Stylus CX4800 Series]
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_FATIADA.EXE /P26 "EPSON Stylus CX4800 Series" /O6 "USB001" /M "Stylus CX4800"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ExploreUpdSched]
C:\WINDOWS\system32\lwinlpex.exe GEN001

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\eZWO]
C:\PROGRA~1\Web Offer\wo.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\gcasServ]
"C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\googletalk]
C:\Program Files\Google\Google Talk\googletalk.exe /autostart

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ikqz]
C:\PROGRA~1\COMMON~1\ikqz\ikqzm.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\InCD]
C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\iTunesHelper]
"C:\Program Files\iTunes\iTunesHelper.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\KernelFaultCheck]
%systemroot%\system32\dumprep 0 -k

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
C:\\kybrdff_16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Lexmark 5200 series]
"C:\Program Files\Lexmark 5200 series\lxbtbmgr.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Load]
???

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Logitech Utility]
Logi_MwX.Exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ms051954811460]
C:\WINDOWS\ms051954811460.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MsgCenterExe]
"C:\Program Files\Common Files\Real\Update_OB\RealOneMessageCenter.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
"C:\Program Files\Messenger\msmsgs.exe" /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Narrator]
C:\WINDOWS\system32\wwkiaw.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroCheck]
C:\WINDOWS\System32\\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
C:\\nwnmff_16.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NvCplDaemon]
RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\nwiz]
nwiz.exe /install

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\p2p networking]
p2pnetworking.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\pccguide.exe]
"C:\Program Files\Trend Micro\Internet Security 2007\pccguide.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\PSLister]
"C:\Program Files\PSLister\PSLister.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
"C:\Program Files\QuickTime Alternative\qttask.exe" -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\RealTray]
C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Run]
???

InfestedToo
2007-11-13, 06:56
[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SESync]
"C:\Program Files\SED\SED.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Shell]
"C:\Program Files\Common Files\Microsoft Shared\Web Folders\ibm00001.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpybotSD TeaTimer]
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
C:\Program Files\Java\jre1.5.0_07\bin\jusched.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
C:\Program Files\SurfSideKick 3\Ssk.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\swg]
C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TheMonitor]
C:\WINDOWS\Duce6.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updateMgr]
"C:\Program Files\Adobe\Acrobat 7.0\Reader\AdobeUpdateManager.exe" AcRdB7_0_8 -reboot 1

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UserFaultCheck]
%systemroot%\system32\dumprep 0 -u

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VBouncer]
C:\PROGRA~1\VBouncer\VirtualBouncer.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WhenUSave]
"C:\Program Files\Save\Save.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinampAgent]
C:\Program Files\Winamp\winampa.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\winsync]
C:\WINDOWS\system32\wwkiaw.exe reg_run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WorkFlo]
D:\Install\WorkFlow.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wqc17088]
RUNDLL32.EXE wef50a50.dll,n 0041708400000003ef50a50

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\wwffhzvA]
C:\WINDOWS\wwffhzvA.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\xrwhf]
C:\WINDOWS\system32\cdmodx.exe reg_run

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\zBrowser Launcher]
C:\Program Files\Logitech\iTouch\iTouch.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\services]
"TrkWks"=2 (0x2)
"iPod Service"=3 (0x3)
"AOL ACS"=2 (0x2)

R2 SetupNT;SetupNT;C:\WINDOWS\system32\SetupNT.sys
R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys


[HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\7b37f4c3-da65-492b-ae81-2981aed630f3]
C:\WINDOWS\system32\hhqzih.exe
.
**************************************************************************

catchme 0.3.1250 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-11-12 23:43:29
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-11-12 23:45:47 - machine was rebooted
.
--- E O F ---

InfestedToo
2007-11-13, 23:49
Someone please help! The pop-ups and other problems are getting worse.