Help Me! Help Me! Help Me!



mazindmb
2007-12-16, 02:02
Don't know what is wrong, I've tried running adaware and AVG antivirus as well as Spybot and can't stop these popups from showing up. Check it out!

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:09 PM, on 12/15/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\?ymantec\m?hta.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\uTorrent\uTorrent.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Anthony\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {768694a7-3cb6-d18a-1534-cafd4ab96f0f} - {f0f69ba4-dfac-4351-a81d-6bc37a496867} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pkj] "C:\Program Files\Common Files\?ymantec\m?hta.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Anthony\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O4 - Startup: MultiRes
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.07\AMVConverter\grab.html
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.07\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: pmnkhge - pmnkhge.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\pronyj.html

--
End of file - 7004 bytes

Kaspersky Log:

-------------------------------------------------------------------------------
KASPERSKY ONLINE SCANNER REPORT
Saturday, December 15, 2007 6:41:31 PM
Operating System: Microsoft Windows XP Professional, Service Pack 2 (Build 2600)
Kaspersky Online Scanner version: 5.0.98.0
Kaspersky Anti-Virus database last update: 15/12/2007
Kaspersky Anti-Virus database records: 483409
-------------------------------------------------------------------------------

Scan Settings:
Scan using the following antivirus database: extended
Scan Archives: true
Scan Mail Bases: true

Scan Target - My Computer:
A:\
C:\
D:\
E:\
F:\
G:\

Scan Statistics:
Total number of scanned objects: 183182
Number of viruses found: 3
Number of infected objects: 3
Number of suspicious objects: 0
Duration of the scan process: 02:00:20

Infected Object Name / Virus Name / Last Action
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00a0_Anti_Spam_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00a6_AdBlocker_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00a6_AdBlocker_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00a8_PrivacyControl_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00a8_PrivacyControl_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00aa_File_Monitoring_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00aa_File_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00ab_Mail_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00ac_Web_Monitoring_eventcritlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\00ac_Web_Monitoring_eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.idx Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\detected.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\eventlog.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Kaspersky Lab\AVP7\Report\report.rpt Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr0.dat Object is locked skipped
C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\qmgr1.dat Object is locked skipped
C:\Documents and Settings\All Users\DRM\Cache\Indiv03.tmp Object is locked skipped
C:\Documents and Settings\All Users\DRM\drmstore.hds Object is locked skipped
C:\Documents and Settings\Anthony\Application Data\Aim\vmduomvr\mazindmb\cert8.db Object is locked skipped
C:\Documents and Settings\Anthony\Application Data\Aim\vmduomvr\mazindmb\key3.db Object is locked skipped
C:\Documents and Settings\Anthony\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Ahead\Nero Home\bl.db Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Ahead\Nero Home\bl.db-journal Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Ahead\Nero Home\is2.db Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Ahead\Nero Home\is2.db-journal Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Microsoft\Feeds Cache\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Microsoft\Media Player\CurrentDatabase_360.wmdb Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\History\History.IE5\MSHist012007121520071216\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\AntiPhishing\B3BB5BBA-E7D5-40AB-A041-A5B1C0B26C8F.dat Object is locked skipped
C:\Documents and Settings\Anthony\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\Anthony\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\Anthony\NTUSER.DAT.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\LocalService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\LocalService\ntuser.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Cookies\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Application Data\Microsoft\Windows\UsrClass.dat.LOG Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\Documents and Settings\NetworkService\NTUSER.DAT Object is locked skipped
C:\Documents and Settings\NetworkService\ntuser.dat.LOG Object is locked skipped
C:\Program Files\mIRC\mirc.exe Infected: not-a-virus:Client-IRC.Win32.mIRC.621 skipped
C:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped
C:\System Volume Information\_restore{F9EE15C9-80E7-436E-AA68-69841E0BB821}\RP10\A0000498.dll Infected: not-a-virus:AdTool.Win32.WhenU.r skipped
C:\System Volume Information\_restore{F9EE15C9-80E7-436E-AA68-69841E0BB821}\RP10\A0000499.exe Infected: not-a-virus:AdTool.Win32.WhenU.s skipped
C:\System Volume Information\_restore{F9EE15C9-80E7-436E-AA68-69841E0BB821}\RP22\change.log Object is locked skipped
C:\WINDOWS\Debug\PASSWD.LOG Object is locked skipped
C:\WINDOWS\SchedLgU.Txt Object is locked skipped
C:\WINDOWS\SoftwareDistribution\EventCache\{BB12874F-591D-41EA-A277-1029B8C0881E}.bin Object is locked skipped
C:\WINDOWS\SoftwareDistribution\ReportingEvents.log Object is locked skipped
C:\WINDOWS\Sti_Trace.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\edb.log Object is locked skipped
C:\WINDOWS\system32\CatRoot2\tmp.edb Object is locked skipped
C:\WINDOWS\system32\config\AppEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\default Object is locked skipped
C:\WINDOWS\system32\config\default.LOG Object is locked skipped
C:\WINDOWS\system32\config\ODiag.evt Object is locked skipped
C:\WINDOWS\system32\config\OSession.evt Object is locked skipped
C:\WINDOWS\system32\config\SAM Object is locked skipped
C:\WINDOWS\system32\config\SAM.LOG Object is locked skipped
C:\WINDOWS\system32\config\SecEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SECURITY Object is locked skipped
C:\WINDOWS\system32\config\SECURITY.LOG Object is locked skipped
C:\WINDOWS\system32\config\software Object is locked skipped
C:\WINDOWS\system32\config\software.LOG Object is locked skipped
C:\WINDOWS\system32\config\SysEvent.Evt Object is locked skipped
C:\WINDOWS\system32\config\SYSTEM Object is locked skipped
C:\WINDOWS\system32\config\system.LOG Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Cookies\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\History\History.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\config\systemprofile\Local Settings\Temporary Internet Files\Content.IE5\index.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox.idx Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.dat Object is locked skipped
C:\WINDOWS\system32\drivers\fidbox2.idx Object is locked skipped
C:\WINDOWS\system32\drivers\sptd.sys Object is locked skipped
C:\WINDOWS\system32\h323log.txt Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.BTR Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\INDEX.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING.VER Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING1.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\MAPPING2.MAP Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.DATA Object is locked skipped
C:\WINDOWS\system32\wbem\Repository\FS\OBJECTS.MAP Object is locked skipped
C:\WINDOWS\Temp\PR63.tmp Object is locked skipped
C:\WINDOWS\wiadebug.log Object is locked skipped
C:\WINDOWS\wiaservc.log Object is locked skipped
C:\WINDOWS\WindowsUpdate.log Object is locked skipped
D:\System Volume Information\MountPointManagerRemoteDatabase Object is locked skipped

Scan process completed.

Edit.
Previous topic now closed: http://forums.spybot.info/showthread.php?p=145360

"BEFORE you POST"(READ this Procedure BEFORE Requesting Assistance) (http://forums.spybot.info/showthread.php?t=288)

Please do not start more than one topic for the same computer, during the same period. It will either be removed, or merged with your original thread.

Shaba
2007-12-16, 12:25
Hi mazindmb

1. Download combofix from any of these links and save it to Desktop:
Link 1 (http://download.bleepingcomputer.com/sUBs/ComboFix.exe)
Link 2 (http://www.forospyware.com/sUBs/ComboFix.exe)
Link 3 (http://subs.geekstogo.com/ComboFix.exe)

**Note: It is important that it is saved directly to your desktop**

2. Double click combofix.exe & follow the prompts.
3. When finished, it shall produce a log for you (C:\ComboFix.txt). Post that log in your next reply

Note:
Do not mouseclick combofix's window whilst it's running. That may cause it to stall.

Combofix should never take more than 20 minutes including the reboot if malware is detected.
If it does, open Task Manager then Processes tab (press ctrl, alt and del at the same time) and end any processes of findstr, find, sed or swreg, then combofix should continue.
If that happened we want to know, and also what process you had to end.

Post:

- a fresh HijackThis log
- combofix report

mazindmb
2007-12-16, 20:02
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:55 PM, on 12/16/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Anthony\My Documents\HJT\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {768694a7-3cb6-d18a-1534-cafd4ab96f0f} - {f0f69ba4-dfac-4351-a81d-6bc37a496867} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pkj] "C:\Program Files\Common Files\?ymantec\m?hta.exe"
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O4 - Startup: MultiRes
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.07\AMVConverter\grab.html
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.07\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O20 - Winlogon Notify: pmnkhge - pmnkhge.dll (file missing)
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

--
End of file - 6633 bytes
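
The helper's request above was for a fresh HijackThis log after ComboFix, which only pays off if the two logs are actually compared line by line. The script below is an added example written for this page; it is not code from the thread, from HijackThis or from ComboFix. It embeds trimmed excerpts of the two HijackThis logs posted above (constructed from those logs, with most of the unchanged entries left out), diffs the process list and the R/O entries, and applies three triage indicators that are my own choices rather than anything HijackThis itself computes: a target reported as "(file missing)" or "(no file)", a `?` inside a Windows path (HijackThis prints characters it cannot display as `?`; the ComboFix log further down shows the same directory under its short name `ymante~1`), and a per-user Run entry launching from the profile's Application Data folder.

```python
import re

# Constructed excerpts of the two HijackThis logs posted in this thread:
# the first scan (before ComboFix) and the fresh scan posted afterwards.
HJT_BEFORE = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:01:09 PM, on 12/15/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\Program Files\Common Files\?ymantec\m?hta.exe
C:\Program Files\uTorrent\uTorrent.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [Pkj] "C:\Program Files\Common Files\?ymantec\m?hta.exe"
O4 - HKCU\..\Run: [WinTouch] C:\Documents and Settings\Anthony\Application Data\WinTouch\WinTouch.exe
O4 - HKCU\..\Run: [QdrPack10] "C:\Program Files\QdrPack\QdrPack10.exe"
O20 - Winlogon Notify: pmnkhge - pmnkhge.dll (file missing)
O24 - Desktop Component 0: (no name) - C:\Program Files\Windows Media Player\pronyj.html
"""

HJT_AFTER = r"""
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 1:00:55 PM, on 12/16/2007

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\wuauclt.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O20 - Winlogon Notify: pmnkhge - pmnkhge.dll (file missing)
"""

# HijackThis entry lines start with a section code such as R0, F1, O4, O20.
ENTRY_RE = re.compile(r"^(?:R\d|F\d|O\d+) - ")
# A Windows path: drive letter, colon, backslash, then anything up to a closing quote.
DRIVE_PATH_RE = re.compile(r'[A-Za-z]:\\[^"]*')


def parse_hjt(text):
    """Split a HijackThis log into (running processes, R/F/O entries)."""
    processes, entries = [], []
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            in_processes = False  # a blank line ends the process block
            continue
        if line == "Running processes:":
            in_processes = True
            continue
        if ENTRY_RE.match(line):
            entries.append(line)
        elif in_processes:
            processes.append(line)
    return processes, entries


def indicators(line):
    """Return the triage indicators a process path or entry trips (empty list = nothing notable).

    These heuristics are this example's own; HijackThis does not compute them.
    """
    hits = []
    if "(file missing)" in line or "(no file)" in line:
        hits.append("target file absent")
    paths = DRIVE_PATH_RE.findall(line)
    # Only look for '?' inside drive paths, so URL query strings (…/fwlink/?LinkId=…) never match.
    if any("?" in p for p in paths):
        hits.append("unprintable character in path")
    if line.startswith("O4 - HKCU") and any("\\Application Data\\" in p for p in paths):
        hits.append("per-user autorun from the profile's Application Data")
    return hits


def diff_logs(before_text, after_text):
    """Compare two HijackThis logs: what vanished, what appeared, what is still flagged."""
    b_procs, b_entries = parse_hjt(before_text)
    a_procs, a_entries = parse_hjt(after_text)
    return {
        "removed_processes": [p for p in b_procs if p not in a_procs],
        "added_processes": [p for p in a_procs if p not in b_procs],
        "removed_entries": [e for e in b_entries if e not in a_entries],
        "added_entries": [e for e in a_entries if e not in b_entries],
        "still_flagged": [(e, indicators(e)) for e in a_procs + a_entries if indicators(e)],
    }


if __name__ == "__main__":
    report = diff_logs(HJT_BEFORE, HJT_AFTER)
    for section, items in report.items():
        print(f"== {section} ==")
        for item in items:
            print("  ", item)
```

Read the output with the caveat that a diff records every change, not only the cleanup: `uTorrent.exe` drops out of the process list simply because it was not running during the second scan, while the `Pkj`, `WinTouch` and `QdrPack10` Run entries and the `O24` desktop component disappear because ComboFix removed them. The `still_flagged` section is the part a helper acts on next; here it holds the `O20 - Winlogon Notify: pmnkhge` entry, which survived ComboFix and still points at a missing DLL.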

mazindmb
2007-12-16, 20:02
ComboFix 07-12-16.3 - Anthony 2007-12-16 12:40:48.1 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1307 [GMT -5:00]
Running from: C:\Documents and Settings\Anthony\Desktop\ComboFix.exe
* Created a new restore point
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\Documents and Settings\Anthony\Application Data\WinTouch
C:\Documents and Settings\Anthony\Application Data\WinTouch\wintouch.cfg
C:\Documents and Settings\Anthony\Application Data\WinTouch\WinTouch.exe
C:\Documents and Settings\Anthony\Application Data\WinTouch\WTUninstaller.exe
C:\Documents and Settings\Anthony\Start Menu\Programs\Internet Speed Monitor
C:\Documents and Settings\Anthony\Start Menu\Programs\Internet Speed Monitor\Check Now.lnk
C:\Documents and Settings\Anthony\Start Menu\Programs\Internet Speed Monitor\Uninstall.lnk
C:\Documents and Settings\Anthony\Start Menu\Programs\Outerinfo
C:\Documents and Settings\Anthony\Start Menu\Programs\Outerinfo\Terms.lnk
C:\Documents and Settings\Anthony\Start Menu\Programs\Outerinfo\Uninstall.lnk
C:\Program Files\Common Files\ymante~1
C:\Program Files\Common Files\ymante~1\m?hta.exe
C:\Program Files\crosof~1.net
C:\Program Files\Insider
C:\Program Files\Insider\UnInstall.exe
C:\Program Files\ISM
C:\Program Files\ISM\Uninstall.exe
C:\Program Files\outerinfo
C:\Program Files\outerinfo\FF\chrome.manifest
C:\Program Files\outerinfo\FF\components\OuterinfoAds.xpt
C:\Program Files\outerinfo\FF\install.rdf
C:\Program Files\outerinfo\Terms.rtf
C:\Program Files\QdrDrive
C:\Program Files\QdrDrive\qdrloader.exe
C:\Program Files\QdrPack
C:\Program Files\QdrPack\dicts.gz
C:\Program Files\QdrPack\trgts.gz
C:\Program Files\QdrPack\zhydupd.exe
C:\Program Files\Windows Media Player\pronyj.html
C:\WINDOWS\asks~1
C:\WINDOWS\asks~1\?asks\
C:\WINDOWS\b148.exe
C:\WINDOWS\cookies.ini
C:\WINDOWS\system32\wnsinticom.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_CMDSERVICE
-------\LEGACY_NETWORK_MONITOR


((((((((((((((((((((((((( Files Created from 2007-11-16 to 2007-12-16 )))))))))))))))))))))))))))))))
.

2007-12-15 16:38 . 2007-12-15 16:38 2,238 --a------ C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
2007-12-13 09:43 . 2007-12-13 09:43 <DIR> d-------- C:\Program Files\PowerISO
2007-12-12 19:27 . 2007-12-12 19:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-12 19:27 . 2007-12-12 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-12 19:25 . 2007-12-12 19:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 18:52 . 2007-12-14 15:40 2,538 --a------ C:\WINDOWS\system32\ebay.ico
2007-12-12 18:42 . 2007-12-12 18:42 43 --a------ C:\WINDOWS\acdt-pid70.exe
2007-12-12 18:27 . 2007-12-12 18:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-12 18:27 . 2007-12-16 12:57 6,411,808 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 18:27 . 2007-12-12 18:44 90,980 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-12 18:27 . 2007-12-16 12:53 87,968 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 18:27 . 2007-12-12 18:44 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-12 18:27 . 2007-12-16 12:54 23,328 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-12 18:27 . 2007-12-16 12:53 3,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-12 18:17 . 2007-12-12 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-12-12 16:52 . 2007-12-12 16:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 16:52 . 2007-12-16 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-12 16:45 . 2007-12-12 16:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 16:29 . 2007-12-12 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-12 11:35 . 2007-12-12 11:35 592 --a------ C:\WINDOWS\chgkey.vbs
2007-12-12 11:34 . 2007-12-12 19:32 <DIR> d--hs---- C:\WINDOWS\QW50aG9ueSBMaVBldHJp
2007-12-11 21:26 . 2007-12-12 13:24 915,601 --ahs---- C:\WINDOWS\system32\slvlkeae.ini
2007-12-11 09:20 . 2007-12-11 09:20 912,017 --ahs---- C:\WINDOWS\system32\nehpbibx.ini
2007-12-10 09:17 . 2007-12-12 14:28 447,933 --ahs---- C:\WINDOWS\system32\kjjlm.ini2
2007-12-10 09:17 . 2007-12-12 14:30 447,933 --ahs---- C:\WINDOWS\system32\kjjlm.ini
2007-12-09 21:45 . 2007-12-09 21:45 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-09 11:21 . 2007-12-09 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-08 21:50 . 2007-12-08 21:50 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-08 21:13 . 2007-12-08 21:36 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-08 21:13 . 2007-12-08 21:36 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-08 20:11 . 2007-12-08 20:11 <DIR> d-------- C:\Program Files\Realtek AC97
2007-12-07 21:51 . 2004-09-15 21:10 516,096 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-12-07 21:40 . 2007-12-07 21:40 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-07 21:40 . 2007-12-07 21:40 <DIR> d-------- C:\Program Files\CCleaner
2007-12-07 21:29 . 2007-12-07 21:29 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-07 21:26 . 2007-12-12 11:55 112 --a------ C:\WINDOWS\WININIT.INI
2007-12-07 17:37 . 2007-12-07 17:37 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-12-07 17:35 . 2007-12-07 17:35 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\Cakewalk
2007-12-07 17:07 . 2007-12-10 10:16 118,784 --a------ C:\WINDOWS\dsdxirmv.exe
2007-12-07 17:00 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-12-07 16:59 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2007-12-07 16:58 . 2007-12-07 17:06 <DIR> d-------- C:\Program Files\Cakewalk
2007-12-07 16:58 . 2007-12-07 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cakewalk
2007-12-07 16:49 . 2007-12-08 18:51 <DIR> d-------- C:\Program Files\MultiRes
2007-12-07 16:48 . 2007-12-07 16:48 <DIR> d-------- C:\Program Files\Radeon Omega Drivers
2007-12-07 16:48 . 2007-12-08 18:45 451,072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.421 Uninstall.exe
2007-12-07 16:16 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soun45c.rra
2007-12-05 00:21 . 2007-12-05 00:21 <DIR> d-------- C:\Program Files\1964
2007-12-04 01:09 . 2007-12-08 19:04 <DIR> d-------- C:\Program Files\Project64 1.6
2007-12-02 11:26 . 2007-12-02 11:26 <DIR> d-------- C:\Program Files\Red Kawa
2007-12-01 21:48 . 2007-12-01 21:48 <DIR> d-------- C:\Program Files\Xilisoft
2007-12-01 21:02 . 2007-12-01 21:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-01 20:55 . 2007-12-08 22:13 <DIR> d-------- C:\Program Files\TVersity Codec Pack
2007-12-01 20:54 . 2007-12-01 20:54 <DIR> d-------- C:\Program Files\TVersity
2007-12-01 20:48 . 2007-12-01 20:48 <DIR> d-------- C:\Program Files\QT Lite
2007-12-01 20:48 . 2007-10-19 20:16 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-01 20:48 . 2007-10-19 20:16 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-01 20:47 . 2007-12-01 20:47 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-01 20:46 . 2007-12-01 20:46 <DIR> d-------- C:\Program Files\Haali
2007-12-01 20:29 . 2007-12-01 20:29 <DIR> d-------- C:\Program Files\LightningWare
2007-12-01 20:24 . 2007-12-01 20:24 <DIR> d-------- C:\Program Files\TagRename
2007-11-30 23:06 . 2007-11-30 23:06 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-11-26 18:11 . 2007-11-26 18:11 <DIR> d-------- C:\Program Files\Acoustica Shared Effects
2007-11-26 18:11 . 2007-11-28 16:28 <DIR> d-------- C:\Program Files\Acoustica Mixcraft 3
2007-11-26 18:11 . 2007-11-26 18:11 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\Acoustica
2007-11-26 18:11 . 2007-08-07 11:32 57,344 --a------ C:\WINDOWS\system32\Wnaspint.dll
2007-11-24 12:30 . 2007-11-24 12:30 <DIR> d-------- C:\Program Files\uTorrent
2007-11-24 12:29 . 2007-12-16 00:41 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\uTorrent
2007-11-17 21:54 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-17 21:54 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-11-17 21:54 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-11-17 21:54 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-11-17 21:54 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-11-17 21:36 . 2007-11-17 21:36 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\InstallShield
2007-11-17 21:18 . 2007-11-17 21:30 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\My Games
2007-11-17 18:14 . 2007-11-17 18:14 <DIR> d-------- C:\Program Files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 21:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-12 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-10 14:14 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-09 02:48 --------- d-----w C:\Program Files\DivX
2007-12-09 02:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-08 02:21 --------- d-----w C:\Program Files\Steam
2007-12-07 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-07 02:51 --------- d-----w C:\Documents and Settings\Anthony\Application Data\Azureus
2007-12-02 01:48 --------- d-----w C:\Documents and Settings\Anthony\Application Data\Apple Computer
2007-12-02 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-02 01:33 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-11-21 23:14 --------- d-----w C:\Program Files\mIRC
2007-11-18 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-15 19:52 --------- d-----w C:\Program Files\Maxis
2007-11-15 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-15 03:23 --------- d-----w C:\Program Files\Electronic Arts
2007-11-13 12:09 --------- d-----w C:\Program Files\Zune
2007-11-13 12:07 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-09 05:21 --------- d-----w C:\Program Files\eMule
2007-11-07 00:10 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-07 00:09 80,288 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-07 00:09 72,608 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-07 00:09 59,296 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-07 00:09 45,472 ----a-w C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-07 00:09 155,552 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-06 23:58 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-03 22:41 --------- d-----w C:\Program Files\Soulseek
2007-11-03 22:28 --------- d-----w C:\Program Files\WMSDV
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 02:31 --------- d-----w C:\Program Files\EphPod
2007-10-29 02:29 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-10-28 16:50 --------- d-----w C:\Program Files\BitPim
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 05:20 --------- d-----w C:\Documents and Settings\Anthony\Application Data\OpenOffice.org2
2007-10-23 22:00 --------- d-----w C:\Program Files\HP
2007-10-19 16:41 --------- d-----w C:\Program Files\Winamp Remote
2007-10-19 16:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-10-19 15:17 --------- d-----w C:\Program Files\Winamp
2007-10-19 15:12 --------- d-----w C:\Program Files\Winamp Toolbar
2007-10-19 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2007-10-18 17:48 1,419,232 ----a-w C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-09-29 04:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 04:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 04:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 03:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 03:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 03:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 03:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 03:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 03:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 03:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 03:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 03:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 03:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 03:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 03:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 03:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-28 22:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 22:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 22:05 739,840 ----a-w C:\WINDOWS\system32\divx.dll
2007-07-02 19:39 24,192 ----a-w C:\Documents and Settings\Anthony\usbsermptxp.sys
2007-07-02 19:39 22,768 ----a-w C:\Documents and Settings\Anthony\usbsermpt.sys
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
2005-07-29 21:24 472 --sha-r C:\WINDOWS\QW50aG9ueSBMaVBldHJp\kqcXu36Rym1gup15xJLD.vbs
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 15:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f0f69ba4-dfac-4351-a81d-6bc37a496867}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 15:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]
"Pkj"="C:\Program Files\Common Files\?ymantec\m?hta.exe" []
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06]
"QdrPack10"="C:\Program Files\QdrPack\QdrPack10.exe" []

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-06 19:09]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 C:\WINDOWS\system32\atiptaxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkhge]
pmnkhge.dll

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 18:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 02:23 75520 --a------ C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cde9962-5401-11dc-8433-000fea4777f8}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 01:09:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-16 12:56:05
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-16 12:58:12 - machine was rebooted
.
2007-12-11 21:11:32 --- E O F ---

Shaba
2007-12-16, 20:10
Hi

Do you recognize this?

C:\WINDOWS\chgkey.vbs

mazindmb
2007-12-16, 22:28
Hi

Do you recognize this?

C:\WINDOWS\chgkey.vbs

Yes, I reinstalled my OS so many times that my key expired.

Shaba
2007-12-17, 11:17
Hi

Thanks for info.

Open notepad and copy/paste the text in the quotebox below into it:


File::
C:\WINDOWS\system32\slvlkeae.ini
C:\WINDOWS\system32\nehpbibx.ini
C:\WINDOWS\system32\kjjlm.ini2
C:\WINDOWS\system32\kjjlm.ini

Folder::
C:\WINDOWS\QW50aG9ueSBMaVBldHJp

Registry::
[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Pkj"=-
"QdrPack10"=-

[-HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\pmnkhge]


Save this as "CFScript"

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://img.photobucket.com/albums/v666/sUBs/CFScript.gif

This will start ComboFix again. After the reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

Combofix should never take more than 20 minutes, including the reboot, if malware is detected.
If it does, open Task Manager (press Ctrl, Alt and Del at the same time), then the Processes tab, and end any processes of findstr, find, sed or swreg; then ComboFix should continue.
If that happened, we want to know, and also which process you had to end.

mazindmb
2007-12-17, 22:45
ComboFix 07-12-17.1 - Anthony 2007-12-17 15:30:35.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.1442 [GMT -5:00]
Running from: C:\Documents and Settings\Anthony\Desktop\ComboFix.exe
Command switches used :: C:\Documents and Settings\Anthony\Desktop\CFScript.txt
* Created a new restore point

FILE
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\kjjlm.ini2
C:\WINDOWS\system32\nehpbibx.ini
C:\WINDOWS\system32\slvlkeae.ini
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\QW50aG9ueSBMaVBldHJp
C:\WINDOWS\QW50aG9ueSBMaVBldHJp\kqcXu36Rym1gup15xJLD.vbs
C:\WINDOWS\system32\kjjlm.ini
C:\WINDOWS\system32\kjjlm.ini2
C:\WINDOWS\system32\nehpbibx.ini
C:\WINDOWS\system32\slvlkeae.ini

.
((((((((((((((((((((((((( Files Created from 2007-11-17 to 2007-12-17 )))))))))))))))))))))))))))))))
.

2007-12-16 15:28 . 2007-12-16 15:29 <DIR> d-------- C:\Program Files\SpywareBlaster
2007-12-15 16:38 . 2007-12-15 16:38 2,238 --a------ C:\WINDOWS\system32\ClickToFindandFixErrors_US.ico
2007-12-13 09:43 . 2007-12-13 09:43 <DIR> d-------- C:\Program Files\PowerISO
2007-12-12 19:27 . 2007-12-12 19:27 <DIR> d-------- C:\Program Files\Lavasoft
2007-12-12 19:27 . 2007-12-12 19:27 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Lavasoft
2007-12-12 19:25 . 2007-12-12 19:25 <DIR> d-------- C:\Program Files\Common Files\Wise Installation Wizard
2007-12-12 18:52 . 2007-12-14 15:40 2,538 --a------ C:\WINDOWS\system32\ebay.ico
2007-12-12 18:42 . 2007-12-12 18:42 43 --a------ C:\WINDOWS\acdt-pid70.exe
2007-12-12 18:27 . 2007-12-12 18:27 <DIR> d-------- C:\Program Files\Kaspersky Lab
2007-12-12 18:27 . 2007-12-17 15:35 6,720,032 --ahs---- C:\WINDOWS\system32\drivers\fidbox.dat
2007-12-12 18:27 . 2007-12-12 18:44 90,980 --a------ C:\WINDOWS\system32\drivers\klin.dat
2007-12-12 18:27 . 2007-12-16 12:53 87,968 --ahs---- C:\WINDOWS\system32\drivers\fidbox.idx
2007-12-12 18:27 . 2007-12-12 18:44 85,860 --a------ C:\WINDOWS\system32\drivers\klick.dat
2007-12-12 18:27 . 2007-12-17 15:35 33,312 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.dat
2007-12-12 18:27 . 2007-12-16 12:53 3,236 --ahs---- C:\WINDOWS\system32\drivers\fidbox2.idx
2007-12-12 18:17 . 2007-12-12 18:17 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab Setup Files
2007-12-12 16:52 . 2007-12-12 16:52 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
2007-12-12 16:52 . 2007-12-16 12:57 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
2007-12-12 16:45 . 2007-12-12 16:45 <DIR> d-------- C:\Program Files\Trend Micro
2007-12-12 16:29 . 2007-12-12 16:29 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Office Genuine Advantage
2007-12-12 11:35 . 2007-12-12 11:35 592 --a------ C:\WINDOWS\chgkey.vbs
2007-12-09 21:45 . 2007-12-09 21:45 685,816 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2007-12-09 11:21 . 2007-12-09 11:21 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Yahoo! Companion
2007-12-08 21:50 . 2007-12-08 21:50 <DIR> d-------- C:\Program Files\K-Lite Codec Pack
2007-12-08 21:13 . 2007-12-08 21:36 23,392 --a------ C:\WINDOWS\system32\nscompat.tlb
2007-12-08 21:13 . 2007-12-08 21:36 16,832 --a------ C:\WINDOWS\system32\amcompat.tlb
2007-12-08 20:11 . 2007-12-08 20:11 <DIR> d-------- C:\Program Files\Realtek AC97
2007-12-07 21:51 . 2004-09-15 21:10 516,096 --a------ C:\WINDOWS\system32\ati2sgag.exe
2007-12-07 21:40 . 2007-12-07 21:40 <DIR> d-------- C:\Program Files\Yahoo!
2007-12-07 21:40 . 2007-12-07 21:40 <DIR> d-------- C:\Program Files\CCleaner
2007-12-07 21:29 . 2007-12-07 21:29 <DIR> d-------- C:\Program Files\ATI Technologies
2007-12-07 21:26 . 2007-12-12 11:55 112 --a------ C:\WINDOWS\WININIT.INI
2007-12-07 17:37 . 2007-12-07 17:37 0 --a------ C:\WINDOWS\ativpsrm.bin
2007-12-07 17:35 . 2007-12-07 17:35 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\Cakewalk
2007-12-07 17:07 . 2007-12-10 10:16 118,784 --a------ C:\WINDOWS\dsdxirmv.exe
2007-12-07 17:00 . 2004-04-13 14:48 233,472 --a------ C:\WINDOWS\system32\REX Shared Library.dll
2007-12-07 16:59 . 2006-11-30 15:49 368,640 --a------ C:\WINDOWS\system32\ReWire.dll
2007-12-07 16:58 . 2007-12-07 17:06 <DIR> d-------- C:\Program Files\Cakewalk
2007-12-07 16:58 . 2007-12-07 17:07 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Cakewalk
2007-12-07 16:49 . 2007-12-08 18:51 <DIR> d-------- C:\Program Files\MultiRes
2007-12-07 16:48 . 2007-12-07 16:48 <DIR> d-------- C:\Program Files\Radeon Omega Drivers
2007-12-07 16:48 . 2007-12-08 18:45 451,072 --a------ C:\WINDOWS\Radeon Omega Drivers v3.8.421 Uninstall.exe
2007-12-07 16:16 . 2007-04-16 15:28 577,536 --a------ C:\WINDOWS\soun45c.rra
2007-12-05 00:21 . 2007-12-05 00:21 <DIR> d-------- C:\Program Files\1964
2007-12-04 01:09 . 2007-12-08 19:04 <DIR> d-------- C:\Program Files\Project64 1.6
2007-12-02 11:26 . 2007-12-02 11:26 <DIR> d-------- C:\Program Files\Red Kawa
2007-12-01 21:48 . 2007-12-01 21:48 <DIR> d-------- C:\Program Files\Xilisoft
2007-12-01 21:02 . 2007-12-01 21:02 <DIR> d-------- C:\Documents and Settings\LocalService\Application Data\DivX
2007-12-01 20:55 . 2007-12-08 22:13 <DIR> d-------- C:\Program Files\TVersity Codec Pack
2007-12-01 20:54 . 2007-12-01 20:54 <DIR> d-------- C:\Program Files\TVersity
2007-12-01 20:48 . 2007-12-01 20:48 <DIR> d-------- C:\Program Files\QT Lite
2007-12-01 20:48 . 2007-10-19 20:16 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-01 20:48 . 2007-10-19 20:16 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-01 20:47 . 2007-12-01 20:47 <DIR> d-------- C:\Program Files\Real Alternative
2007-12-01 20:46 . 2007-12-01 20:46 <DIR> d-------- C:\Program Files\Haali
2007-12-01 20:29 . 2007-12-01 20:29 <DIR> d-------- C:\Program Files\LightningWare
2007-12-01 20:24 . 2007-12-01 20:24 <DIR> d-------- C:\Program Files\TagRename
2007-11-30 23:06 . 2007-11-30 23:06 <DIR> d-------- C:\Program Files\Common Files\NSV
2007-11-26 18:11 . 2007-11-26 18:11 <DIR> d-------- C:\Program Files\Acoustica Shared Effects
2007-11-26 18:11 . 2007-11-28 16:28 <DIR> d-------- C:\Program Files\Acoustica Mixcraft 3
2007-11-26 18:11 . 2007-11-26 18:11 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\Acoustica
2007-11-26 18:11 . 2007-08-07 11:32 57,344 --a------ C:\WINDOWS\system32\Wnaspint.dll
2007-11-24 12:30 . 2007-11-24 12:30 <DIR> d-------- C:\Program Files\uTorrent
2007-11-24 12:29 . 2007-12-16 21:41 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\uTorrent
2007-11-17 21:54 . 2007-05-16 16:45 3,497,832 --a------ C:\WINDOWS\system32\d3dx9_34.dll
2007-11-17 21:54 . 2007-05-16 16:45 1,124,720 --a------ C:\WINDOWS\system32\D3DCompiler_34.dll
2007-11-17 21:54 . 2007-05-16 16:45 443,752 --a------ C:\WINDOWS\system32\d3dx10_34.dll
2007-11-17 21:54 . 2007-06-20 20:46 266,088 --a------ C:\WINDOWS\system32\xactengine2_8.dll
2007-11-17 21:54 . 2007-06-20 20:45 18,280 --a------ C:\WINDOWS\system32\x3daudio1_2.dll
2007-11-17 21:36 . 2007-11-17 21:36 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\InstallShield
2007-11-17 21:18 . 2007-11-17 21:30 <DIR> d-------- C:\Documents and Settings\Anthony\Application Data\My Games
2007-11-17 18:14 . 2007-11-17 18:14 <DIR> d-------- C:\Program Files\Firaxis Games

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2007-12-12 21:49 --------- d-----w C:\Documents and Settings\All Users\Application Data\Microsoft Help
2007-12-12 21:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Spybot - Search & Destroy
2007-12-10 14:14 --------- d-----w C:\Program Files\DAEMON Tools
2007-12-09 02:48 --------- d-----w C:\Program Files\DivX
2007-12-09 02:19 --------- d-----w C:\Program Files\Windows Media Connect 2
2007-12-08 02:21 --------- d-----w C:\Program Files\Steam
2007-12-07 21:46 --------- d-----w C:\Documents and Settings\All Users\Application Data\Viewpoint
2007-12-07 02:51 --------- d-----w C:\Documents and Settings\Anthony\Application Data\Azureus
2007-12-02 01:48 --------- d-----w C:\Documents and Settings\Anthony\Application Data\Apple Computer
2007-12-02 01:48 --------- d-----w C:\Documents and Settings\All Users\Application Data\Apple Computer
2007-12-02 01:33 --------- d-----w C:\Program Files\Microsoft Silverlight
2007-11-21 23:14 --------- d-----w C:\Program Files\mIRC
2007-11-18 02:41 --------- d--h--w C:\Program Files\InstallShield Installation Information
2007-11-15 19:52 --------- d-----w C:\Program Files\Maxis
2007-11-15 03:45 --------- d-----w C:\Documents and Settings\All Users\Application Data\SimCity Societies
2007-11-15 03:23 --------- d-----w C:\Program Files\Electronic Arts
2007-11-13 12:09 --------- d-----w C:\Program Files\Zune
2007-11-13 12:07 0 ---ha-w C:\WINDOWS\system32\drivers\Msft_Kernel_zumbus_01005.Wdf
2007-11-13 10:25 20,480 ----a-w C:\WINDOWS\system32\drivers\secdrv.sys
2007-11-11 06:38 --------- d-----w C:\Documents and Settings\All Users\Application Data\Trymedia
2007-11-09 05:21 --------- d-----w C:\Program Files\eMule
2007-11-07 00:10 245,664 ----a-w C:\WINDOWS\system32\ZuneWlanCfgSvc.exe
2007-11-07 00:09 80,288 ----a-w C:\WINDOWS\system32\ZuneIpTransport.dll
2007-11-07 00:09 72,608 ----a-w C:\WINDOWS\system32\ZuneUsbTransport.dll
2007-11-07 00:09 59,296 ----a-w C:\WINDOWS\system32\ZuneBusEnum.exe
2007-11-07 00:09 45,472 ----a-w C:\WINDOWS\system32\ZuneUsbConnection.dll
2007-11-07 00:09 155,552 ----a-w C:\WINDOWS\system32\ZuneMTPZ.dll
2007-11-06 23:58 40,832 ----a-w C:\WINDOWS\system32\drivers\zumbus.sys
2007-11-03 22:41 --------- d-----w C:\Program Files\Soulseek
2007-11-03 22:28 --------- d-----w C:\Program Files\WMSDV
2007-10-29 22:35 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-29 02:31 --------- d-----w C:\Program Files\EphPod
2007-10-29 02:29 --------- d-----w C:\Program Files\OpenOffice.org 2.2
2007-10-28 16:50 --------- d-----w C:\Program Files\BitPim
2007-10-27 22:40 222,720 ----a-w C:\WINDOWS\system32\wmasf.dll
2007-10-27 05:20 --------- d-----w C:\Documents and Settings\Anthony\Application Data\OpenOffice.org2
2007-10-23 22:00 --------- d-----w C:\Program Files\HP
2007-10-19 16:41 --------- d-----w C:\Program Files\Winamp Remote
2007-10-19 16:41 --------- d-----w C:\Documents and Settings\All Users\Application Data\OrbNetworks
2007-10-19 15:17 --------- d-----w C:\Program Files\Winamp
2007-10-19 15:12 --------- d-----w C:\Program Files\Winamp Toolbar
2007-10-19 15:12 --------- d-----w C:\Documents and Settings\All Users\Application Data\Winamp Toolbar
2007-10-18 17:48 1,419,232 ----a-w C:\WINDOWS\system32\WdfCoInstaller01005.dll
2007-09-29 04:21 9,854,976 ----a-w C:\WINDOWS\system32\atioglx2.dll
2007-09-29 04:07 356,352 ----a-w C:\WINDOWS\system32\ATIDEMGX.dll
2007-09-29 04:06 268,800 ----a-w C:\WINDOWS\system32\ati2dvag.dll
2007-09-29 03:58 43,520 ----a-w C:\WINDOWS\system32\ati2edxx.dll
2007-09-29 03:58 26,112 ----a-w C:\WINDOWS\system32\Ati2mdxx.exe
2007-09-29 03:58 143,360 ----a-w C:\WINDOWS\system32\atipdlxx.dll
2007-09-29 03:58 122,880 ----a-w C:\WINDOWS\system32\Oemdspif.dll
2007-09-29 03:57 122,880 ----a-w C:\WINDOWS\system32\ati2evxx.dll
2007-09-29 03:56 483,328 ----a-w C:\WINDOWS\system32\ati2evxx.exe
2007-09-29 03:55 53,248 ----a-w C:\WINDOWS\system32\ATIDDC.DLL
2007-09-29 03:49 307,200 ----a-w C:\WINDOWS\system32\atiiiexx.dll
2007-09-29 03:47 172,032 ----a-w C:\WINDOWS\system32\atiok3x2.dll
2007-09-29 03:36 1,593,600 ----a-w C:\WINDOWS\system32\ativvaxx.dll
2007-09-29 03:23 5,435,392 ----a-w C:\WINDOWS\system32\atioglxx.dll
2007-09-29 03:22 376,832 ----a-w C:\WINDOWS\system32\atikvmag.dll
2007-09-29 03:20 17,408 ----a-w C:\WINDOWS\system32\atitvo32.dll
2007-09-29 03:14 499,712 ----a-w C:\WINDOWS\system32\ati2cqag.dll
2007-09-28 22:07 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-09-28 22:05 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-09-28 22:05 739,840 ----a-w C:\WINDOWS\system32\divx.dll
2007-07-02 19:39 24,192 ----a-w C:\Documents and Settings\Anthony\usbsermptxp.sys
2007-07-02 19:39 22,768 ----a-w C:\Documents and Settings\Anthony\usbsermpt.sys
2006-02-19 07:28 12,288 ----a-w C:\WINDOWS\Fonts\RandFont.dll
.

((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{25CEE8EC-5730-41bc-8B58-22DDC8AB8C20}]
2007-10-04 15:06 1135968 --a------ C:\Program Files\Winamp Toolbar\winamptb.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{f0f69ba4-dfac-4351-a81d-6bc37a496867}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\Toolbar]
{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}
{EF99BD32-C1FB-11D2-892F-0090271D4F88}

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser]
"{EBF2BA02-9094-4C5A-858B-BB198F3D8DE2}"= C:\Program Files\Winamp Toolbar\winamptb.dll [2007-10-04 15:06 1135968]

[HKEY_CLASSES_ROOT\clsid\{ebf2ba02-9094-4c5a-858b-bb198f3d8de2}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand.1]
[HKEY_CLASSES_ROOT\TypeLib\{538CD77C-BFDD-49b0-9562-77419CAB89D1}]
[HKEY_CLASSES_ROOT\WINAMPTB.AOLToolBand]

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}"="C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe" [2006-11-16 18:04]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-03 18:56]
"DAEMON Tools"="C:\Program Files\DAEMON Tools\daemon.exe" [2007-12-06 07:06]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2007-09-25 00:11]
"Zune Launcher"="c:\Program Files\Zune\ZuneLauncher.exe" [2007-11-06 19:09]
"AtiPTA"="atiptaxx.exe" [2006-02-21 20:05 C:\WINDOWS\system32\atiptaxx.exe]
"SoundMan"="SOUNDMAN.EXE" [2007-04-16 15:28 C:\WINDOWS\soundman.exe]
"PWRISOVM.EXE"="C:\Program Files\PowerISO\PWRISOVM.EXE" [2007-08-06 19:05]
"AVP"="C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe" [2007-06-28 12:51]

[HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\windows]
"AppInit_DLLs"=C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^HP Photosmart Premier Fast Start.lnk]
path=C:\Documents and Settings\All Users\Start Menu\Programs\Startup\HP Photosmart Premier Fast Start.lnk
backup=C:\WINDOWS\pss\HP Photosmart Premier Fast Start.lnkCommon Startup

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Adobe Reader Speed Launcher]
2007-10-10 18:51 39792 --a------ C:\Program Files\Adobe\Reader 8.0\Reader\Reader_sl.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Aim6]
C:\Program Files\AIM6\aim6.exe /d locale=en-US ee://aol/imApp

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\DAEMON Tools]
C:\Program Files\DAEMON Tools\daemon.exe -lang 1033

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\HP Software Update]
2007-05-08 15:24 54840 --a------ C:\Program Files\HP\HP Software Update\HPWuSchd2.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MSMSGS]
C:\Program Files\Messenger\msmsgs.exe /background

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\NeroFilterCheck]
2006-01-12 14:40 155648 --a------ C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\QuickTime Task]
C:\Program Files\QuickTime\QTTask.exe -atboottime

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Steam]
C:\Program Files\Steam\Steam.exe -silent

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SunJavaUpdateSched]
2006-12-15 02:23 75520 --a------ C:\Program Files\Java\jre1.5.0_11\bin\jusched.exe

R3 klim5;Kaspersky Anti-Virus NDIS Filter;C:\WINDOWS\system32\DRIVERS\klim5.sys [2007-04-04 14:58]
S3 motmodem;Motorola USB CDC ACM Driver;C:\WINDOWS\system32\DRIVERS\motmodem.sys [2007-06-18 14:18]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{6cde9962-5401-11dc-8433-000fea4777f8}]
\Shell\AutoRun\command - G:\LaunchU3.exe -a

.
Contents of the 'Scheduled Tasks' folder
"2007-12-07 01:09:01 C:\WINDOWS\Tasks\AppleSoftwareUpdate.job"
- C:\Program Files\Apple Software Update\SoftwareUpdate.exe
.
**************************************************************************

catchme 0.3.1333 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2007-12-17 15:36:07
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

? [12752]
? [13320]
? [13444]
? [12692]
? [12992]

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2007-12-17 15:36:34
C:\ComboFix2.txt ... 2007-12-16 12:58
.
2007-12-11 21:11:32 --- E O F ---

mazindmb
2007-12-17, 22:46
Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:44:00 PM, on 12/17/2007
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
C:\WINDOWS\system32\Ati2evxx.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Zune\ZuneLauncher.exe
C:\WINDOWS\SOUNDMAN.EXE
C:\Program Files\PowerISO\PWRISOVM.EXE
C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe
C:\Program Files\DAEMON Tools\daemon.exe
C:\Program Files\Common Files\Ahead\Lib\NMIndexStoreSvr.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.daemonsearch.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
O2 - BHO: Yahoo! Toolbar Helper - {02478D38-C3F9-4EFB-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelper.dll
O2 - BHO: Winamp Toolbar BHO - {25CEE8EC-5730-41bc-8B58-22DDC8AB8C20} - C:\Program Files\Winamp Toolbar\winamptb.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O2 - BHO: {768694a7-3cb6-d18a-1534-cafd4ab96f0f} - {f0f69ba4-dfac-4351-a81d-6bc37a496867} - (no file)
O3 - Toolbar: Winamp Toolbar - {EBF2BA02-9094-4c5a-858B-BB198F3D8DE2} - C:\Program Files\Winamp Toolbar\winamptb.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [Zune Launcher] "c:\Program Files\Zune\ZuneLauncher.exe"
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [SoundMan] SOUNDMAN.EXE
O4 - HKLM\..\Run: [PWRISOVM.EXE] C:\Program Files\PowerISO\PWRISOVM.EXE
O4 - HKLM\..\Run: [AVP] "C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe"
O4 - HKCU\..\Run: [BgMonitor_{79662E04-7C6C-4d9f-84C7-88D8A56B10AA}] "C:\Program Files\Common Files\Ahead\Lib\NMBgMonitor.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [DAEMON Tools] "C:\Program Files\DAEMON Tools\daemon.exe"
O4 - Startup: MultiRes
O8 - Extra context menu item: Add to AMV Converter... - C:\Program Files\MP3 Player Utilities 4.07\AMVConverter\grab.html
O8 - Extra context menu item: Add to Anti-Banner - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\ie_banner_deny.htm
O8 - Extra context menu item: Add to Media Manager... - C:\Program Files\MP3 Player Utilities 4.07\MediaManager\grab.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Web Anti-Virus statistics - {1F460357-8A94-4D71-9CA3-AA4ACF32ED8E} - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\SCIEPlgn.dll
O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MICROS~3\Office12\ONBttnIE.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\Office12\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {0A5FD7C5-A45C-49FC-ADB5-9952547D5715} (Creative Software AutoUpdate) - http://www.creative.com/su/ocx/15026/CTSUEng.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/us/kavwebscan_unicode.cab
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (YInstStarter Class) - C:\Program Files\Yahoo!\Common\yinsthelper.dll
O16 - DPF: {F6ACF75C-C32C-447B-9BEF-46B766368D29} (Creative Software AutoUpdate Support Package) - http://www.creative.com/su/ocx/15028/CTPID.cab
O20 - AppInit_DLLs: C:\PROGRA~1\KASPER~1\KASPER~1.0\adialhk.dll
O23 - Service: Ad-Aware 2007 Service (aawservice) - Lavasoft AB - C:\Program Files\Lavasoft\Ad-Aware 2007\aawservice.exe
O23 - Service: Ati HotKey Poller - ATI Technologies Inc. - C:\WINDOWS\system32\Ati2evxx.exe
O23 - Service: ATI Smart - Unknown owner - C:\WINDOWS\system32\ati2sgag.exe
O23 - Service: Kaspersky Internet Security 7.0 (AVP) - Kaspersky Lab - C:\Program Files\Kaspersky Lab\Kaspersky Internet Security 7.0\avp.exe

--
End of file - 6419 bytes

Shaba
2007-12-18, 14:24
Hi

Looks much better :)

Please run this online scan:

Panda ActiveScan (http://www.pandasoftware.com/activescan/com/activescan_principal.htm)

Once you are on the Panda site, click the Scan your PC button
A new window will open...click the Check Now button
Enter your Country
Enter your State/Province
Enter your e-mail address and click send
Select either Home User or Company
Click the big Scan Now button
If it wants to install an ActiveX component allow it
It will start downloading the files it requires for the scan (Note: It may take a couple of minutes)
When download is complete, click on Local Disks to start the scan
When the scan completes, if anything malicious is detected, click the See Report button, then Save Report and save it to a convenient location.

Post the contents of the Panda scan report, along with a new HijackThis Log

Shaba
2007-12-25, 12:08
Due to the lack of feedback this Topic is closed.

If you need this topic reopened, please request this by sending the moderating team
a PM with the address of the thread. This applies only to the original topic starter.

If it has been 10 days or more since your last post, and especially if the helper assisting you posted a response to that post to which you did not reply, the topic will not be reopened.

In that situation, if you still require help, it would be best to start a new topic and include a fresh HijackThis log with a link to your original thread.

Everyone else please begin a New Topic.