Virtumonde is ticking me off...



GrrlPower
2008-01-22, 10:07
I have been infected by the Virtumonde trojan and I can't remove it. Not even in safe mode. On my system, it's linked to a couple of files: nnnk.exe and nnnk.dll. The DLL refuses to be deleted. Here is my HJT log. I hope you all can help me out.

Logfile of HijackThis v1.99.1
Scan saved at 2:52:26 AM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Christian Rooney\Desktop\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://us.f822.mail.yahoo.com/ym/ShowFolder?YY=97933&y5beta=yes&ymv=0&y5beta=yes&inc=200&order=down&sort=date&pos=0&view=&head=&box=Inbox
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Valentine's Day,My Babyblues!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - %windir%\Network Diagnostic\xpnetdiag.exe (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O11 - Options group: [INTERNATIONAL] International*
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

ken545
2008-01-22, 13:19
GrrlPower
Welcome to Safer Networking.

Please read Before You Post (http://forums.spybot.info/showthread.php?t=288)
That said, all advice given by anyone volunteering here is taken at your own risk.
While best efforts are made to assist in removing infections safely, unexpected things can happen.


Your version of HJT is outdated. You can uninstall it via Add/Remove Programs in the Control Panel, and then download and install the newer version by Trend Micro.

Download Trend Micro's HijackThis (http://www.trendsecure.com/portal/en-US/_download/HJTInstall.exe) to your desktop, double-click it to install, follow the prompts, and by default it will install to C:\Program Files\Trendmicro\Hijackthis\HijackThis.exe


Open HJT, Scan and Save a Log File; it will open in Notepad.
Go to Format and make sure Word Wrap is unchecked.
Go to Edit > Select All, then Edit > Copy, and paste the new log into this thread.

DO NOT have HijackThis fix anything yet. Most of what it finds will be harmless or even required.



It looks like you may be infected with the newer version of Vundo, which is a file infector; this trojan has infected some of the programs on your system with its own infected files. This is a little difficult to clean, and in the end you may have to uninstall and reinstall some programs, but we will know more after you run these programs.


Download VundoFix (http://www.atribune.org/ccount/click.php?id=4) to your desktop.

Double-click VundoFix.exe to run it.
Click the Scan for Vundo button.
Once it's done scanning, click the Remove Vundo button.
You will receive a prompt asking if you want to remove the files, click YES
Once you click yes, your desktop will go blank as it starts removing Vundo.
When completed, it will prompt that it will reboot your computer, click OK.
Please post the contents of C:\vundofix.txt and a new HiJackThis log in a reply to this thread.

Note: It is possible that VundoFix encountered a file it could not remove. In this case, VundoFix will run on reboot, simply follow the above instructions starting from "Click the Scan for Vundo button" when VundoFix appears upon rebooting.




Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

Close all anti virus and anti spyware programs as to not interfere with the scan.
Close all open windows and your browser.
Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the ComboFix log and a HijackThis log in your next reply.

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.


Run VundoFix first, then ComboFix, and then run the new version of HJT by Trend Micro and post all three logs, please. They won't all fit in one post, so take as many as you need by using Submit Reply; do not start any new topics.

GrrlPower
2008-01-22, 13:48
Thanks for the welcome, and sorry about the outdated version of HJT. Here is the new HJT log WITHOUT running anything.

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 7:43:38 AM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Valentine's Day,My Babyblues!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8368 bytes

GrrlPower
2008-01-22, 14:39
Here is the log after VundoFix did its thing.

VundoFix V6.7.7

Checking Java version...

Scan started at 7:49:15 AM 1/22/2008

Listing files found while scanning....

C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe
C:\WINDOWS\system32\opnoomj.dll
C:\WINDOWS\system32\rqronli.dll

Beginning removal...

Attempting to delete C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini Has been deleted!

Attempting to delete C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\kknnn.ini2 Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\nnnkk.exe
C:\WINDOWS\system32\nnnkk.exe Has been deleted!

Attempting to delete C:\WINDOWS\system32\opnoomj.dll
C:\WINDOWS\system32\opnoomj.dll Has been deleted!

Attempting to delete C:\WINDOWS\system32\rqronli.dll
C:\WINDOWS\system32\rqronli.dll Could not be deleted.

Performing Repairs to the registry.
Done!

Beginning removal...

Attempting to delete C:\WINDOWS\system32\rqronli.dll
C:\WINDOWS\system32\rqronli.dll Has been deleted!

Performing Repairs to the registry.
Done!

GrrlPower
2008-01-22, 14:42
The new HJT log after VundoFix

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:41:01 AM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\System32\alg.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Happy Valentine's Day,My Babyblues!
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe
O1 - Hosts: 127.255.255.255 serial.alcohol-soft.com
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 8423 bytes

GrrlPower
2008-01-22, 15:42
I was wondering where the ComboFix log is actually located. The only thing I can find is this:

ComboFix 08-01-21.4 - Christian Rooney 2008-01-22 9:25:55.2 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.13 [GMT -5:00]
Running from: C:\Documents and Settings\Christian Rooney\Desktop\HJT\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

ken545
2008-01-22, 18:38
Hi,

It's located here on your C: drive. It's a Notepad file, so open it, select all, copy, and then paste it into this thread:
C:\ComboFix.txt

GrrlPower
2008-01-23, 02:39
That was what I sent you. I don't think the scan finished. It was in the process of deleting all infected files and folders, then Windows Explorer shut down and I was waiting, thinking it was part of the process. But it was taking SO long. After 20 minutes I thought the system froze. Does it normally take that long, and should I let the system sit when it happens?

ken545
2008-01-23, 03:11
You need to disable the Tea Timer in Spybot Search and Destroy or it may prevent the fixes from taking.

1. Run Spybot-S&D in Advanced Mode.
2. If it is not already set to do this Go to the Mode menu select "Advanced Mode"
3. On the left hand side, Click on Tools
4. Then click on the Resident Icon in the List
5. Uncheck "Resident TeaTimer" and OK any prompts.
6. Restart your computer.


Open HijackThis > Do a System Scan Only, close your browser and all open windows including this one (the only program or window you should have open is HijackThis), check the following entry and click on Fix Checked:
F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe




Drag ComboFix to the trash and download a more current version (it's updated quite regularly).


Download ComboFix from Here (http://www.techsupportforum.com/sectools/sUBs/ComboFix.exe) or Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

1. Close any open browsers.

2. Close/disable all anti-virus and anti-malware programs so they do not interfere with the running of ComboFix.


Double click combofix.exe and follow the prompts.
When finished, it shall produce a log for you. Post the Combofix log and a HiJackthis log in your next reply

Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.

GrrlPower
2008-01-23, 05:44
Alright, I got rid of that registry entry via HJT, and ran both ComboFix and HJT. Here are the logs:

ComboFix 08-01-23.1 - Christian Rooney 2008-01-22 23:18:36.4 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.18 [GMT -5:00]
Running from: C:\Documents and Settings\Christian Rooney\Desktop\HJT\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-22 23:32 . 2008-01-22 23:32 334,848 --a------ C:\WINDOWS\system32\nnnkk.dll
2008-01-22 11:33 . 2008-01-22 11:33 <DIR> d-------- C:\tmpDownload
2008-01-22 11:29 . 2008-01-22 11:33 <DIR> d-------- C:\Program Files\YoutubeGet
2008-01-22 11:29 . 2008-01-22 11:29 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-22 11:29 . 2008-01-22 11:29 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-22 11:29 . 2008-01-22 11:29 32,256 --a------ C:\WINDOWS\system32\routing.exe
2008-01-22 11:29 . 2008-01-22 11:29 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-01-22 08:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 07:49 . 2008-01-22 08:30 <DIR> d-------- C:\VundoFix Backups
2008-01-22 00:54 . 2008-01-22 23:08 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-21 21:04 . 2008-01-21 21:04 <DIR> d-------- C:\Program Files\Maxis
2008-01-21 20:53 . 2008-01-21 20:53 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-01-21 17:45 . 2008-01-21 17:45 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-21 17:39 . 2008-01-21 17:39 36,864 --a------ C:\WINDOWS\mrofinu922.exe.tmp
2008-01-21 14:07 . 2008-01-21 19:49 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-20 06:06 . 2008-01-20 06:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-20 06:06 . 2008-01-20 06:06 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-20 06:06 . 2008-01-20 06:06 1,409 --a------ C:\WINDOWS\QTFont.for
2008-01-01 17:12 . 2008-01-01 17:12 0 --a------ C:\WINDOWS\PasswordsPlus.INI
2008-01-01 16:52 . 2008-01-01 16:52 72 --a------ C:\WINDOWS\ANS2000.INI
2008-01-01 16:52 . 2008-01-01 16:52 20 --ah----- C:\WINDOWS\akebook.ini
2008-01-01 16:52 . 2008-01-01 16:52 4 --ah----- C:\WINDOWS\a3kebook.ini
2007-12-30 22:56 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-29 18:17 . 2007-12-29 18:17 <DIR> d-------- C:\WINDOWS\Cache
2007-12-29 18:17 . 2007-12-31 10:09 <DIR> d-------- C:\Program Files\Coupons
2007-12-25 00:58 . 2007-12-25 00:58 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-25 00:58 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-25 00:58 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-23 13:46 . 2007-12-24 22:29 38 --a------ C:\WINDOWS\avisplitter.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 04:59 --------- d-----w C:\Program Files\Azureus
2008-01-05 01:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 01:43 --------- d-----w C:\Program Files\CyberLink DVD Solution
2008-01-05 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-23 03:23 --------- d-----w C:\Program Files\Ultra Video Splitter
2007-12-23 02:33 --------- d-----w C:\Program Files\Absolute Video Splitter Joiner
2007-12-22 20:17 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-22 20:00 --------- d-----w C:\Program Files\Common Files\Real
2007-12-19 01:02 39,424 ----a-w C:\WINDOWS\zipinst.exe
2007-12-15 09:11 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-15 06:10 --------- d-----w C:\Program Files\LimeWire
2007-12-14 03:10 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-14 03:07 --------- d-----w C:\Program Files\Nero
2007-12-10 04:30 --------- d-----w C:\Program Files\iolo
2007-12-10 04:04 668,160 ----a-w C:\WINDOWS\is-6SPB2.exe
2007-12-08 07:50 --------- d-----w C:\Program Files\VideoLAN
2007-12-07 23:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 07:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-30 04:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 04:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-25 20:29 127,034 ------r C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
2007-11-19 01:29 81,920 ------r C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-03 16:46 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

<pre>
----a-w 624,248 2008-01-23 04:32:34 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-23 04:32:35 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-23 04:32:28 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-23 04:32:27 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,460,560 2008-01-23 04:03:16 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 224,248 2008-01-22 07:11:29 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 15,360 2008-01-23 04:08:38 C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-22_22.52.53.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 04:16:45 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 13:48:55 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 04:16:46 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 13:48:55 4,423,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 04:16:46 4,677,632 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 13:48:55 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 04:16:47 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-23 04:16:47 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 13:48:56 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 04:16:47 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
- 2008-01-23 03:47:25 355,328 ----a-w C:\WINDOWS\system32\ctfmon.exe
+ 2004-08-04 12:00:00 15,360 ----a-w C:\WINDOWS\system32\ctfmon.exe
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{392F2B5B-FF0F-4528-95F7-F6421B11EEAF}]
2008-01-22 23:32 334848 --a------ C:\WINDOWS\system32\nnnkk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2004-08-04 07:00 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-22 23:07 475136]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2008-01-22 23:07 1890816]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-22 23:33 495104]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [ ]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-22 23:07 969216]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\nnnkk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnkk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe

R2 perfmons;perfmons Service;C:\WINDOWS\system32\perfs.exe [2004-08-04 07:00]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30803c20-b89a-11dc-bd5f-00e018304548}]
\Shell\AutoRun\command - G:\Autoplay.exe -auto

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-22 23:32:23
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\kknnn.ini2 319 bytes
C:\WINDOWS\system32\nnnkk.exe 338432 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\nnnkk.dll
.
Completion time: 2008-01-22 23:38:34 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 04:38:23
ComboFix2.txt 2008-01-23 03:54:20
.
2008-01-09 01:40:01 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:42:37 PM, on 1/22/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\routing.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource.com/download/cscmv5X.cab
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7650 bytes

ken545
2008-01-23, 11:04
Good Morning,

Sorry to say you're infected with a variant of Vundo that is a file infector. :sad: If you look at your ComboFix log, all the programs and files in the Code box are infected. It's going to take a bit of work to get rid of this.

Make sure you keep your TeaTimer disabled until we are done.


Open HijackThis > Do a System Scan Only. Close your browser and all open windows, including this one; the only program or window you should have open is HijackThis. Check the following entries and click on Fix Checked:

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =

F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe

O16 - DPF: {549F957E-2F89-11D6-8CFE-00C04F52B225} (CMV5 Class) - http://eversave.coupons.smartsource....ad/cscmv5X.cab

O23 - Service: perfmons Service (perfmons) - Unknown owner - C:\WINDOWS\system32\perfs.exe
O23 - Service: Routing Service (Routing) - Unknown owner - C:\WINDOWS\system32\routing.exe





Open HJT > Misc Tools > Delete an NT Service.
Type in perfmons.
Then click on OK; it will ask you to reboot, so do so.


Then do the same for this one
Routing





Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::



File::
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\PasswordsPlus.INI
C:\WINDOWS\ANS2000.INI
C:\WINDOWS\akebook.ini
C:\WINDOWS\a3kebook.ini
C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe


Folder::
C:\VundoFix Backups

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{392F2B5B-FF0F-4528-95F7-F6421B11EEAF}]

RenV::
----a-w 624,248 2008-01-23 04:32:34 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-23 04:32:35 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-23 04:32:28 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-23 04:32:27 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 1,460,560 2008-01-23 04:03:16 C:\Program Files\Spybot - Search & Destroy\TeaTimer .exe
----a-w 224,248 2008-01-22 07:11:29 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 15,360 2008-01-23 04:08:38 C:\WINDOWS\system32\ctfmon .exe



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif



This will start ComboFix again. After reboot, (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.
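The indicators ken545 works from above can be pulled out of a ComboFix log mechanically: executables whose name carries a space before the extension (the `<pre>` box that RenV:: renames back), the `"load"=` value under `HKCU\...\Windows NT\CurrentVersion\Windows` that HijackThis reports as the F3 win.ini entry, an LSA Authentication Packages value with anything beyond the default msv1_0, a BHO pointing at a DLL in system32, and the files catchme lists as hidden. The script below is an added example, not ComboFix's, HijackThis's or ken545's own tooling: `SAMPLE_LOG` is a constructed excerpt in the shape of the log posted above, `triage` and `build_cfscript` are names chosen here, the msv1_0-only default is an assumption about a stock XP install, and the File::/Registry::/RenV:: layout is copied from the CFScript in this thread. Treat the generated script as a draft to read through, not something to drop onto ComboFix unreviewed.

```python
import re
from dataclasses import dataclass

# Constructed sample in the shape of the ComboFix log posted above: paths,
# sizes and key names are copied from the thread, everything else is trimmed.
SAMPLE_LOG = r"""
<pre>
----a-w 624,248 2008-01-23 04:32:34 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 15,360 2008-01-23 04:08:38 C:\WINDOWS\system32\ctfmon .exe
</pre>

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{392F2B5B-FF0F-4528-95F7-F6421B11EEAF}]
2008-01-22 23:32 334848 --a------ C:\WINDOWS\system32\nnnkk.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\nnnkk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnkk

scanning hidden files ...

C:\WINDOWS\system32\kknnn.ini2 319 bytes
C:\WINDOWS\system32\nnnkk.exe 338432 bytes executable

scan completed successfully
hidden files: 2
"""

KEY_RE = re.compile(r"^\[(HKEY_[^\]]+)\]\s*$")
# A space right before the extension: "Acrotray .exe" sitting beside Acrotray.exe.
COMPANION_RE = re.compile(r"([A-Za-z]:\\.+ \.(?:exe|dll|scr))\s*$", re.I)
BHO_PATH_RE = re.compile(r"([A-Za-z]:\\.+\.dll)\s*$", re.I)
LOAD_RE = re.compile(r'^"load"=(.+)$', re.I)
LSA_RE = re.compile(r"^Authentication Packages\s+REG_MULTI_SZ\s+(.+)$", re.I)
HIDDEN_RE = re.compile(r"^([A-Za-z]:\\.+?) (\d+) bytes( executable)?\s*$")

# Assumption: a stock XP install lists only msv1_0 as an LSA authentication package.
DEFAULT_AUTH_PACKAGES = {"msv1_0"}


@dataclass(frozen=True)
class Finding:
    kind: str   # companion | bho | load | lsa_auth_package | hidden
    value: str  # the path or package the finding is about
    note: str   # raw log line, registry key, or "executable"/"data"


def triage(log: str) -> list[Finding]:
    """Walk a ComboFix log once and collect the Vundo-style indicators."""
    findings: list[Finding] = []
    current_key = ""
    in_pre = False
    for line in log.splitlines():
        line = line.rstrip()
        if line == "<pre>":
            in_pre = True
            continue
        if line == "</pre>":
            in_pre = False
            continue
        if in_pre:  # the box of renamed originals that RenV:: puts back
            m = COMPANION_RE.search(line)
            if m:
                findings.append(Finding("companion", m.group(1), line))
            continue
        m = KEY_RE.match(line)
        if m:
            current_key = m.group(1)
            continue
        key = current_key.lower()
        if "browser helper objects" in key:
            m = BHO_PATH_RE.search(line)
            if m:
                findings.append(Finding("bho", m.group(1), current_key))
        elif key.endswith(r"\windows nt\currentversion\windows"):
            m = LOAD_RE.match(line)  # what HijackThis shows as "F3 - REG:win.ini: load="
            if m:
                findings.append(Finding("load", m.group(1).strip(), current_key))
        elif key.endswith(r"\control\lsa"):
            m = LSA_RE.match(line)
            if m:
                for pkg in m.group(1).split():
                    if pkg.lower() not in DEFAULT_AUTH_PACKAGES:
                        findings.append(Finding("lsa_auth_package", pkg, current_key))
        m = HIDDEN_RE.match(line)  # catchme's "hidden files" listing
        if m:
            findings.append(Finding("hidden", m.group(1), "executable" if m.group(3) else "data"))
    return findings


def build_cfscript(findings: list[Finding]) -> str:
    """Draft a CFScript in the File::/Registry::/RenV:: layout used in the thread."""
    files = sorted({f.value for f in findings if f.kind in ("bho", "load", "hidden")})
    keys = sorted({f.note for f in findings if f.kind == "bho"})
    renv = [f.note for f in findings if f.kind == "companion"]  # verbatim <pre> lines
    sections = []
    if files:
        sections.append("File::\n" + "\n".join(files))
    if keys:
        sections.append("Registry::\n" + "\n".join(f"[-{k}]" for k in keys))
    if renv:
        sections.append("RenV::\n" + "\n".join(renv))
    return "\n\n".join(sections) + "\n"


if __name__ == "__main__":
    found = triage(SAMPLE_LOG)
    for f in found:
        print(f"{f.kind:17} {f.value}")
    print()
    print(build_cfscript(found))
```

The LSA finding is reported but deliberately not turned into a script line, because the thread never shows a directive for that value; it is there so the reviewer knows the DLL is also registered as an authentication package and will be loaded by lsass.exe at boot, which is why deleting it from a running system keeps failing. The companion check is the one worth keeping around: in the log above every ` .exe` twin is smaller than the same-named `.exe` the Run keys now launch, which is why the fix is a rename back rather than a delete.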

GrrlPower
2008-01-23, 14:23
Unfortunately it's a no-go as far as deleting the NT Service "perfmons" or "routing". HJT says it cannot because it's still enabled/running. I even tried to kill them through the Task Manager and then delete them with HJT, but it did no good. They're running from SOMEWHERE.

GrrlPower
2008-01-23, 14:46
Never mind, I had to disable them through the Admin Tools in the Control Panel.

GrrlPower
2008-01-23, 21:21
Here are the logs:

ComboFix 08-01-23.1 - Christian Rooney 2008-01-23 8:51:35.5 - NTFSx86
Running from: C:\Documents and Settings\Christian Rooney\Desktop\HJT\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christian Rooney\Desktop\HJT\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\a3kebook.ini
C:\WINDOWS\akebook.ini
C:\WINDOWS\ANS2000.INI
C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
C:\WINDOWS\PasswordsPlus.INI
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\VundoFix Backups
C:\VundoFix Backups\addmorefiles.txt
C:\VundoFix Backups\kknnn.ini.bad
C:\VundoFix Backups\kknnn.ini2.bad
C:\VundoFix Backups\nnnkk.dll.bad
C:\VundoFix Backups\nnnkk.exe.bad
C:\VundoFix Backups\opnoomj.dll.bad
C:\VundoFix Backups\rqronli.dll.bad
C:\WINDOWS\a3kebook.ini
C:\WINDOWS\akebook.ini
C:\WINDOWS\ANS2000.INI
C:\WINDOWS\bwUnin-6.1.4.36-8876480L.exe
C:\WINDOWS\bwUnin-8.1.1.50-8876480SL.exe
C:\WINDOWS\PasswordsPlus.INI
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe
C:\WINDOWS\system32\perfs.exe
C:\WINDOWS\system32\routing.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-23 to 2008-01-23 )))))))))))))))))))))))))))))))
.

2008-01-23 05:44 . 2008-01-23 05:44 <DIR> d-------- C:\Program Files\Destiny
2008-01-22 11:33 . 2008-01-22 11:33 <DIR> d-------- C:\tmpDownload
2008-01-22 11:29 . 2008-01-22 11:33 <DIR> d-------- C:\Program Files\YoutubeGet
2008-01-22 11:29 . 2008-01-22 11:29 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-22 11:29 . 2008-01-22 11:29 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-22 11:29 . 2008-01-22 11:29 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-01-22 08:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 00:54 . 2008-01-23 08:42 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-22 00:54 . 2008-01-23 09:06 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-21 21:04 . 2008-01-21 21:04 <DIR> d-------- C:\Program Files\Maxis
2008-01-21 20:53 . 2008-01-21 20:53 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-01-21 17:45 . 2008-01-21 17:45 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-21 17:39 . 2008-01-21 17:39 36,864 --a------ C:\WINDOWS\mrofinu922.exe.tmp
2008-01-21 14:07 . 2008-01-21 19:49 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-20 06:06 . 2008-01-20 06:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-20 06:06 . 2008-01-20 06:06 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-20 06:06 . 2008-01-20 06:06 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-30 22:56 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-29 18:17 . 2007-12-29 18:17 <DIR> d-------- C:\WINDOWS\Cache
2007-12-29 18:17 . 2007-12-31 10:09 <DIR> d-------- C:\Program Files\Coupons
2007-12-25 00:58 . 2007-12-25 00:58 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-25 00:58 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-25 00:58 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts
2007-12-23 13:46 . 2007-12-24 22:29 38 --a------ C:\WINDOWS\avisplitter.INI

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 04:59 --------- d-----w C:\Program Files\Azureus
2008-01-05 01:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 01:43 --------- d-----w C:\Program Files\CyberLink DVD Solution
2008-01-05 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-23 03:23 --------- d-----w C:\Program Files\Ultra Video Splitter
2007-12-23 02:33 --------- d-----w C:\Program Files\Absolute Video Splitter Joiner
2007-12-22 20:17 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-22 20:00 --------- d-----w C:\Program Files\Common Files\Real
2007-12-19 01:02 39,424 ----a-w C:\WINDOWS\zipinst.exe
2007-12-15 09:11 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-15 06:10 --------- d-----w C:\Program Files\LimeWire
2007-12-14 03:10 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-14 03:07 --------- d-----w C:\Program Files\Nero
2007-12-10 04:30 --------- d-----w C:\Program Files\iolo
2007-12-10 04:04 668,160 ----a-w C:\WINDOWS\is-6SPB2.exe
2007-12-08 07:50 --------- d-----w C:\Program Files\VideoLAN
2007-12-07 23:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 07:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-30 04:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 04:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-03 16:46 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

<pre>
----a-w 624,248 2008-01-23 14:06:27 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-23 14:06:26 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-23 14:06:24 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-23 14:06:18 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 224,248 2008-01-23 14:06:21 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-22_22.52.53.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-23 13:50:12 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 13:48:55 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-23 13:50:12 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 13:48:55 4,423,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-23 13:50:13 4,685,824 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 13:48:55 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-23 13:50:13 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-23 13:50:13 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 13:48:56 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-23 13:50:14 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D9ECF87-CCBB-46E2-82E3-80D13E02B4A8}]
2008-01-23 09:06 334848 --a------ C:\WINDOWS\system32\nnnkk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-23 08:52 588288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-23 08:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-23 08:52 475136]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2008-01-23 08:52 1890816]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-23 09:06 495104]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-23 08:52 588288]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-23 08:52 969216]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\nnnkk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnkk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30803c20-b89a-11dc-bd5f-00e018304548}]
\Shell\AutoRun\command - G:\Autoplay.exe -auto

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-23 09:05:39
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\kknnn.ini 319 bytes
C:\WINDOWS\system32\kknnn.ini2 319 bytes
C:\WINDOWS\system32\nnnkk.dll 334848 bytes executable
C:\WINDOWS\system32\nnnkk.exe 338432 bytes executable

scan completed successfully
hidden files: 4

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\nnnkk.dll
.
Completion time: 2008-01-23 9:12:31 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-23 14:12:18
ComboFix2.txt 2008-01-23 04:38:36
ComboFix3.txt 2008-01-23 03:54:20
.
2008-01-09 01:40:01 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 3:18:22 PM, on 1/23/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7269 bytes

ken545
2008-01-23, 23:33
We need to take another run at it.

Press Ctrl+Alt+Del to open Task Manager and, on the Processes tab, look for this and click End Process:
C:\WINDOWS\system32\nnnkk.exe

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space above and to the left of File::

File::
C:\WINDOWS\system32\nnnkk.exe

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D9ECF87-CCBB-46E2-82E3-80D13E02B4A8}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

RenV::
----a-w 624,248 2008-01-23 14:06:27 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-23 14:06:26 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-23 14:06:24 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-23 14:06:18 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 224,248 2008-01-23 14:06:21 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe



Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

GrrlPower
2008-01-24, 02:35
Unfortunately, nnnkk.exe has never run under that file name. I don't see it on the process list and never have :( Obviously it's running, but it is not on the list of processes.

ken545
2008-01-24, 04:15
Just move on with this script.

Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above File::

File::
C:\WINDOWS\mrofinu922.exe.tmp
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2

Registry::
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{7D9ECF87-CCBB-46E2-82E3-80D13E02B4A8}]
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-

RenV::
----a-w 624,248 2008-01-23 14:06:27 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-23 14:06:26 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-23 14:06:24 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-23 14:06:18 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 224,248 2008-01-23 14:06:21 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

GrrlPower
2008-01-24, 10:43
Ok, Ken. Here are the two logs you asked for.

ComboFix 08-01-23.1 - Christian Rooney 2008-01-24 4:15:21.6 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.38 [GMT -5:00]
Running from: C:\Documents and Settings\Christian Rooney\Desktop\HJT\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christian Rooney\Desktop\HJT\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!

FILE
C:\WINDOWS\mrofinu922.exe.tmp
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\mrofinu922.exe.tmp
C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 04:31 . 2008-01-24 04:31 334,848 --a------ C:\WINDOWS\system32\nnnkk.dll
2008-01-23 20:53 . 2008-01-24 04:04 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-23 20:06 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-01-23 20:06 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\ACD Systems
2008-01-23 05:44 . 2008-01-23 05:44 <DIR> d-------- C:\Program Files\Destiny
2008-01-22 11:33 . 2008-01-22 11:33 <DIR> d-------- C:\tmpDownload
2008-01-22 11:29 . 2008-01-22 11:33 <DIR> d-------- C:\Program Files\YoutubeGet
2008-01-22 11:29 . 2008-01-22 11:29 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-22 11:29 . 2008-01-22 11:29 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-22 11:29 . 2008-01-22 11:29 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-01-22 08:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-22 00:54 . 2008-01-23 08:42 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-22 00:54 . 2008-01-24 04:31 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-21 21:04 . 2008-01-21 21:04 <DIR> d-------- C:\Program Files\Maxis
2008-01-21 20:53 . 2008-01-21 20:53 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-01-21 17:45 . 2008-01-21 17:45 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-21 14:07 . 2008-01-21 19:49 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-20 06:06 . 2008-01-20 06:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-20 06:06 . 2008-01-20 06:06 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-20 06:06 . 2008-01-20 06:06 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-30 22:56 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-29 18:17 . 2007-12-29 18:17 <DIR> d-------- C:\WINDOWS\Cache
2007-12-29 18:17 . 2007-12-31 10:09 <DIR> d-------- C:\Program Files\Coupons
2007-12-25 00:58 . 2007-12-25 00:58 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-25 00:58 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-25 00:58 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-20 04:59 --------- d-----w C:\Program Files\Azureus
2008-01-05 01:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 01:43 --------- d-----w C:\Program Files\CyberLink DVD Solution
2008-01-05 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-23 03:23 --------- d-----w C:\Program Files\Ultra Video Splitter
2007-12-23 02:33 --------- d-----w C:\Program Files\Absolute Video Splitter Joiner
2007-12-22 20:17 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-22 20:00 --------- d-----w C:\Program Files\Common Files\Real
2007-12-19 01:02 39,424 ----a-w C:\WINDOWS\zipinst.exe
2007-12-15 09:11 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-15 06:10 --------- d-----w C:\Program Files\LimeWire
2007-12-14 03:10 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-14 03:07 --------- d-----w C:\Program Files\Nero
2007-12-10 04:30 --------- d-----w C:\Program Files\iolo
2007-12-10 04:04 668,160 ----a-w C:\WINDOWS\is-6SPB2.exe
2007-12-08 07:50 --------- d-----w C:\Program Files\VideoLAN
2007-12-07 23:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 07:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-30 04:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 04:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-03 16:46 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

<pre>
----a-w 624,248 2008-01-24 09:31:26 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-24 09:31:31 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-24 09:31:21 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-24 09:31:21 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 224,248 2008-01-24 09:31:22 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 15,360 2008-01-24 09:04:07 C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-22_22.52.53.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 09:12:51 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 13:48:55 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 09:12:51 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 13:48:55 4,423,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 09:12:52 4,718,592 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 13:48:55 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 09:12:52 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 09:12:53 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 13:48:56 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 09:12:53 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 01:11:08 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\ARPPRODUCTICON.exe
+ 2008-01-24 01:11:09 344,064 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut1_1A103C8B3DFA4F05BE9B97B7ECC12925_1.exe
+ 2008-01-24 01:11:09 344,064 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut2_1A103C8B3DFA4F05BE9B97B7ECC12925_1.exe
+ 2008-01-24 01:11:08 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut5_1A103C8B3DFA4F05BE9B97B7ECC12925.exe
+ 2008-01-24 01:11:09 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut6_1A103C8B3DFA4F05BE9B97B7ECC12925.exe
+ 2002-01-05 08:40:20 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
+ 2002-01-05 08:37:28 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDAFDC10-E977-4F15-A78F-0D6D459C2E75}]
2008-01-24 04:31 334848 --a------ C:\WINDOWS\system32\nnnkk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-24 04:15 588288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-23 08:42 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-24 04:15 475136]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2008-01-24 04:15 1890816]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-24 04:32 495104]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-24 04:15 588288]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-24 04:15 969216]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\nnnkk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnkk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30803c20-b89a-11dc-bd5f-00e018304548}]
\Shell\AutoRun\command - G:\Autoplay.exe -auto

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 04:31:18
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\kknnn.ini2 319 bytes
C:\WINDOWS\system32\nnnkk.exe 338432 bytes executable

scan completed successfully
hidden files: 2

**************************************************************************
.
Completion time: 2008-01-24 4:38:37 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-24 09:38:23
ComboFix2.txt 2008-01-23 14:12:33
ComboFix3.txt 2008-01-23 04:38:36
ComboFix4.txt 2008-01-23 03:54:20
.
2008-01-09 01:40:01 --- E O F ---

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 4:41:50 AM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7269 bytes
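
The ComboFix log above shows the same file stem registered in three load points at once: the win.ini load= value (the same thing HijackThis reports on its F3 line), a Browser Helper Objects CLSID pointing at nnnkk.dll, and an extra entry after msv1_0 in the LSA Authentication Packages list, alongside legitimate programs that now exist twice, once renamed with a space before .exe (the RenV:: lines). As an added example, not part of this thread and not code from ComboFix, HijackThis or The Avenger, the Python below pulls those indicators out of pasted log text of this shape and reports any stem that appears under more than one load point. The sample log is constructed: the nnnkk names follow the thread, while the second CLSID, ExampleHelper.dll and its timestamp are made up.

```python
import ntpath
import re
from collections import defaultdict

# Constructed sample in the shape of the HijackThis and ComboFix lines posted in the thread.
# The nnnkk names mirror the thread's indicators; the all-zero CLSID, ExampleHelper.dll and
# its timestamp are made up for illustration.
SAMPLE_LOG = r"""
Running processes:
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\WINDOWS\system32\rundll32.exe

F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDAFDC10-E977-4F15-A78F-0D6D459C2E75}]
2008-01-24 04:31 334848 --a------ C:\WINDOWS\system32\nnnkk.dll

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{00000000-0000-0000-0000-000000000001}]
2007-01-01 00:00 100000 --a------ C:\Program Files\Example\ExampleHelper.dll

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\nnnkk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnkk

----a-w 1,397,760 2008-01-23 14:06:26 C:\Program Files\Ahead\InCD\InCD .exe
"""

# A space immediately before the extension ("Acrotray .exe"): the renamed-original pattern
# that ComboFix lists under RenV:: in the thread.
SPACE_BEFORE_EXT = re.compile(r"(?P<path>[A-Za-z]:\\.*\S) \.(?P<ext>exe|dll)$", re.IGNORECASE)
# The win.ini "load=" autostart, as HijackThis (F3 line) and ComboFix ("load"=) both report it.
WININI_LOAD = re.compile(r'^(?:F3 - REG:win\.ini: load=|"load"=)(?P<target>.+)$')
# ComboFix "Reg Loading Points": a BHO key line followed by the line naming its DLL.
BHO_KEY = re.compile(r"^\[HKEY_LOCAL_MACHINE\\~\\Browser Helper Objects\\(?P<clsid>\{[0-9A-Fa-f-]{36}\})\]$")
DLL_PATH = re.compile(r"(?P<path>[A-Za-z]:\\.*\.dll)$", re.IGNORECASE)
# LSA Authentication Packages: only msv1_0 is expected on a default Windows XP install.
AUTH_PKGS = re.compile(r"^Authentication Packages REG_MULTI_SZ (?P<pkgs>.+)$")


def stem(path):
    """File name without directory or extension, lower-cased, using Windows path rules."""
    return ntpath.splitext(ntpath.basename(path))[0].strip().lower()


def analyze(log_text):
    """Pull the persistence indicators out of HijackThis/ComboFix-style log text."""
    findings = {"renamed_binaries": [], "load_targets": [], "bhos": [], "lsa_extra_packages": []}
    pending_clsid = None
    for line in (ln.rstrip() for ln in log_text.splitlines()):
        if m := SPACE_BEFORE_EXT.search(line):
            findings["renamed_binaries"].append(f"{m.group('path')} .{m.group('ext')}")
        if (m := WININI_LOAD.match(line)) and m.group("target") != "-":
            # "load"=- is how the removal script in the thread clears the value; not a finding.
            findings["load_targets"].append(m.group("target"))
        if m := BHO_KEY.match(line):
            pending_clsid = m.group("clsid")
            continue
        if pending_clsid and (m := DLL_PATH.search(line)):
            findings["bhos"].append((pending_clsid, m.group("path")))
            pending_clsid = None
        if m := AUTH_PKGS.match(line):
            findings["lsa_extra_packages"].extend(
                p for p in m.group("pkgs").split() if p.lower() != "msv1_0")
    return findings


def correlate(findings):
    """Map each autostart file stem to the set of load points it appears in."""
    seen = defaultdict(set)
    for target in findings["load_targets"]:
        seen[stem(target)].add("win.ini load=")
    for _, path in findings["bhos"]:
        seen[stem(path)].add("BHO")
    for pkg in findings["lsa_extra_packages"]:
        seen[stem(pkg)].add("LSA Authentication Packages")
    return dict(seen)


def multi_location_stems(findings):
    """Stems registered in two or more load points: the strongest single signal in such a log."""
    return {s: locs for s, locs in correlate(findings).items() if len(locs) >= 2}


if __name__ == "__main__":
    found = analyze(SAMPLE_LOG)
    for key, items in found.items():
        print(f"{key}:")
        for item in items:
            print(f"  {item}")
    print("stems present in more than one load point:", multi_location_stems(found))
```

Run it directly to print the findings for the sample; for a real case, pass the pasted log text to analyze(). It only reads log text, which is all a forum thread like this one has to work with, and it never touches the registry itself.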

ken545
2008-01-24, 10:55
Hello

Make sure the TeaTimer is disabled.

Disable the TeaTimer; you can re-enable it when we're done if you wish.

Run Spybot-S&D in Advanced Mode.
If it is not already set to do this, go to the Mode menu and select "Advanced Mode".
On the left hand side, click on Tools.
Then click on the Resident icon in the list.
Uncheck "Resident TeaTimer" and OK any prompts.
Restart your computer.

1. Please download The Avenger (http://swandog46.geekstogo.com/avenger.zip) by Swandog46 to your Desktop. Click on Avenger.zip to open the file and extract avenger.exe to your desktop.

2. Copy all the text contained in the code box below to your Clipboard by highlighting it and pressing (Ctrl+C):


Files to Delete:
C:\WINDOWS\system32\nnnkk.dll


Note: the above code was created specifically for this user. If you are not this user, do NOT follow these directions as they could damage the workings of your system.

3. Now, start The Avenger program by clicking on its icon on your desktop.
Under "Script file to execute" choose "Input Script Manually".
Now click on the Magnifying Glass icon, which will open a new window titled "View/edit script".
Paste the text copied to clipboard into this window by pressing (Ctrl+V).
Click Done.
Now click on the Green Light to begin execution of the script.
Answer "Yes" twice when prompted.
4. The Avenger will automatically do the following:
It will restart your computer. (In cases where the code to execute contains "Drivers to Unload", The Avenger will actually restart your system twice.)
On reboot, it will briefly open a black command window on your desktop; this is normal.
After the restart, it creates a log file that should open with the results of Avenger's actions. This log file will be located at C:\avenger.txt.
The Avenger will also have backed up all the files, etc., that you asked it to delete, and will have zipped them and moved the zip archives to C:\avenger\backup.zip.
5. Please copy/paste the content of c:\avenger.txt into your reply along with a fresh HJT log by using Add/Reply.




Open Notepad and copy all the text inside the quote box by highlighting it all and pressing CTRL+C on your keyboard, then paste it into Notepad. Make sure there is no space before and above Registry::

Registry::
[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=-
[-HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{DDAFDC10-E977-4F15-A78F-0D6D459C2E75}]

RenV::
----a-w 624,248 2008-01-24 09:31:26 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-24 09:31:31 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-24 09:31:21 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-24 09:31:21 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 224,248 2008-01-24 09:31:22 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 15,360 2008-01-24 09:04:07 C:\WINDOWS\system32\ctfmon .exe


Save this as CFScript to your desktop.

Then drag the CFScript into ComboFix.exe as you see in the screenshot below.

http://i24.photobucket.com/albums/c30/ken545/CFScript.gif

This will start ComboFix again. After reboot (in case it asks to reboot), post the contents of Combofix.txt in your next reply together with a new HijackThis log.

I need to see the Avenger log , the new Combofix log and a new HJT log.

GrrlPower
2008-01-24, 14:13
Good morning, here are the logs.

Logfile of The Avenger version 1, by Swandog46
Running from registry key:
\Registry\Machine\System\CurrentControlSet\Services\kokohxki

*******************

Script file located at: \??\C:\Documents and Settings\rqbbjpyx.txt
Script file opened successfully.

Script file read successfully

Backups directory opened successfully at C:\Avenger

*******************

Beginning to process script file:

File C:\WINDOWS\system32\nnnkk.dll deleted successfully.

Completed script processing.

*******************

Finished! Terminate.


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 8:07:59 AM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroDist.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7343 bytes

GrrlPower
2008-01-24, 17:06
And here are the CF and HJT logs. This trojan is one of the most stubborn I have encountered.

ComboFix 08-01-23.1 - Christian Rooney 2008-01-24 10:38:02.9 - NTFSx86
Running from: C:\Documents and Settings\Christian Rooney\Desktop\HJT\ComboFix.exe
Command switches used :: C:\Documents and Settings\Christian Rooney\Desktop\HJT\CFScript.txt
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe
.
---- Previous Run -------
.
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-24 to 2008-01-24 )))))))))))))))))))))))))))))))
.

2008-01-24 10:56 . 2008-01-24 10:56 338,432 --a------ C:\WINDOWS\system32\nnnkk.exe
2008-01-24 10:55 . 2008-01-24 10:55 334,848 --------- C:\WINDOWS\system32\nnnkk.dll
2008-01-24 10:28 . 2008-01-24 10:28 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-24 10:28 . 2008-01-24 10:28 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-23 20:06 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-01-23 20:06 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\ACD Systems
2008-01-23 05:44 . 2008-01-23 05:44 <DIR> d-------- C:\Program Files\Destiny
2008-01-22 11:33 . 2008-01-22 11:33 <DIR> d-------- C:\tmpDownload
2008-01-22 11:29 . 2008-01-22 11:33 <DIR> d-------- C:\Program Files\YoutubeGet
2008-01-22 11:29 . 2008-01-22 11:29 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-22 11:29 . 2008-01-22 11:29 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-22 11:29 . 2008-01-22 11:29 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-01-22 08:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 21:04 . 2008-01-21 21:04 <DIR> d-------- C:\Program Files\Maxis
2008-01-21 20:53 . 2008-01-21 20:53 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-01-21 17:45 . 2008-01-21 17:45 <DIR> d-------- C:\Program Files\Dot1XCfg
2008-01-21 14:07 . 2008-01-21 19:49 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-20 06:06 . 2008-01-20 06:06 54,156 --ah----- C:\WINDOWS\QTFont.qfn
2008-01-20 06:06 . 2008-01-20 06:06 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2008-01-20 06:06 . 2008-01-20 06:06 1,409 --a------ C:\WINDOWS\QTFont.for
2007-12-30 22:56 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-29 18:17 . 2007-12-29 18:17 <DIR> d-------- C:\WINDOWS\Cache
2007-12-29 18:17 . 2007-12-31 10:09 <DIR> d-------- C:\Program Files\Coupons
2007-12-25 00:58 . 2007-12-25 00:58 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-25 00:58 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-25 00:58 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 11:23 --------- d-----w C:\Program Files\Azureus
2008-01-05 01:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 01:43 --------- d-----w C:\Program Files\CyberLink DVD Solution
2008-01-05 01:41 --------- d-----w C:\Program Files\Common Files\Adobe
2007-12-23 03:23 --------- d-----w C:\Program Files\Ultra Video Splitter
2007-12-23 02:33 --------- d-----w C:\Program Files\Absolute Video Splitter Joiner
2007-12-22 20:17 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-22 20:00 --------- d-----w C:\Program Files\Common Files\Real
2007-12-19 01:02 39,424 ----a-w C:\WINDOWS\zipinst.exe
2007-12-15 09:11 --------- d-----w C:\Program Files\Common Files\Macrovision Shared
2007-12-15 06:10 --------- d-----w C:\Program Files\LimeWire
2007-12-14 03:10 --------- d-----w C:\Program Files\Common Files\Ahead
2007-12-14 03:07 --------- d-----w C:\Program Files\Nero
2007-12-10 04:30 --------- d-----w C:\Program Files\iolo
2007-12-10 04:04 668,160 ----a-w C:\WINDOWS\is-6SPB2.exe
2007-12-08 07:50 --------- d-----w C:\Program Files\VideoLAN
2007-12-07 23:28 7,680 ----a-w C:\WINDOWS\system32\ff_vfw.dll
2007-12-04 07:33 682,496 ----a-w C:\WINDOWS\system32\divx.dll
2007-11-30 04:30 3,596,288 ----a-w C:\WINDOWS\system32\qt-dx331.dll
2007-11-30 04:28 81,920 ----a-w C:\WINDOWS\system32\dpl100.dll
2007-11-07 09:26 721,920 ----a-w C:\WINDOWS\system32\lsasrv.dll
2007-11-03 16:46 363,368 ----a-w C:\WINDOWS\system32\Incinerator.dll
2007-10-29 22:43 1,287,680 ----a-w C:\WINDOWS\system32\quartz.dll
2007-10-27 22:40 227,328 ----a-w C:\WINDOWS\system32\wmasf.dll
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

<pre>
----a-w 624,248 2008-01-24 15:55:38 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-24 15:55:35 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-24 15:55:32 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-24 15:55:29 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 224,248 2008-01-24 15:55:33 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-22_22.52.53.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-24 15:36:33 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 13:48:55 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-24 15:36:33 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 13:48:55 4,423,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-24 15:36:34 4,734,976 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 13:48:55 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-24 15:36:34 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-24 15:36:34 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 13:48:56 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 15:36:35 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 01:11:08 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\ARPPRODUCTICON.exe
+ 2008-01-24 01:11:09 344,064 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut1_1A103C8B3DFA4F05BE9B97B7ECC12925_1.exe
+ 2008-01-24 01:11:09 344,064 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut2_1A103C8B3DFA4F05BE9B97B7ECC12925_1.exe
+ 2008-01-24 01:11:08 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut5_1A103C8B3DFA4F05BE9B97B7ECC12925.exe
+ 2008-01-24 01:11:09 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut6_1A103C8B3DFA4F05BE9B97B7ECC12925.exe
+ 2002-01-05 08:40:20 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
+ 2002-01-05 08:37:28 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{AE77594E-D03D-4C35-BA5B-A94A1AF766CE}]
2008-01-24 10:55 334848 --------- C:\WINDOWS\system32\nnnkk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-24 10:38 588288]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-24 10:28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-24 10:38 475136]
"InCD"="C:\Program Files\Ahead\InCD\InCD.exe" [2008-01-24 10:38 1890816]
"NeroFilterCheck"="C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe" [2008-01-24 10:56 495104]
"YSearchProtection"="C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe" [2008-01-24 10:38 588288]
"Acrobat Assistant 8.0"="C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe" [2008-01-24 10:38 969216]
"combofix"="C:\WINDOWS\system32\cmd.exe" [2004-08-04 07:00 388608]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\nnnkk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnkk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30803c20-b89a-11dc-bd5f-00e018304548}]
\Shell\AutoRun\command - G:\Autoplay.exe -auto

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-24 10:56:51
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\nnnkk.dll
.
Completion time: 2008-01-24 11:02:38 - machine was rebooted [Christian Rooney]
ComboFix-quarantined-files.txt 2008-01-24 16:02:23
ComboFix2.txt 2008-01-24 09:38:40
ComboFix3.txt 2008-01-23 14:12:33
ComboFix4.txt 2008-01-23 04:38:36
ComboFix5.txt 2008-01-23 03:54:20
.
2008-01-09 01:40:01 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 11:05:56 AM, on 1/24/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\WINDOWS\System32\alg.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe
C:\WINDOWS\system32\wbem\wmiprvse.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe"
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\Program Files\Common Files\Ahead\Lib\NeroCheck.exe
O4 - HKLM\..\Run: [YSearchProtection] "C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe"
O4 - HKLM\..\Run: [Acrobat Assistant 8.0] "C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe"
O4 - HKCU\..\Run: [YSearchProtection] C:\Program Files\Yahoo!\Search Protection\SearchProtection.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O8 - Extra context menu item: Append to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert link target to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert link target to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert selected links to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
O8 - Extra context menu item: Convert selected links to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
O8 - Extra context menu item: Convert selection to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O8 - Extra context menu item: Convert selection to existing PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
O8 - Extra context menu item: Convert to Adobe PDF - res://C:\Program Files\Adobe\Acrobat 8.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_03\bin\ssv.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: FLEXnet Licensing Service - Macrovision Europe Ltd. - C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: iolo DMV Service (ioloDMV) - Unknown owner - C:\Program Files\iolo\Common\Lib\ioloDMVSvc.exe
O23 - Service: NBService - Nero AG - C:\Program Files\Nero\Nero 7\Nero BackItUp\NBService.exe
O23 - Service: NMIndexingService - Nero AG - C:\Program Files\Common Files\Ahead\Lib\NMIndexingService.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 7270 bytes

ken545
2008-01-24, 18:25
Yep,

The thieves that write this garbage are getting more sophisticated all the time. :sad:

There is something on your system preventing the removal of these files.

Please download F-Secure Blacklight (fsbl.exe) (ftp://ftp.f-secure.com/anti-virus/tools/fsbl.exe) and save to your C:\ drive. Open a command window by going to Start > Run and typing: cmd
Copy/paste or type the following in the command window: C:\fsbl.exe /expert
Hit "Enter" to start the program and then close the cmd box.
Accept the user agreement and click "Next".
Click "Scan".
After the scan is complete, click "Next", then "Exit".
BlackLight will create a log in C:\ drive named "fsbl-xxxxxxx.log" (the xxxxxxx will be the date and time of the scan).
The log will have a list of all items found. Do not choose to rename any yet!
I want to see the log first because legitimate items can also be present...like "wbemtest.exe" and "tcptest.exe".
Exit Blacklight and post the contents of the log in your next reply.

Note: If Blacklight does not work, rename fsbl.exe to zsbl.exe and try running it again.


You also have some suspicious files on your Combofix log, but let's see what Blacklight comes up with first.

GrrlPower
2008-01-25, 07:30
Here is the log you want, Ken. I hope it helps.

01/25/08 01:14:27 [Info]: BlackLight Engine 1.0.67 initialized
01/25/08 01:14:27 [Info]: OS: 5.1 build 2600 (Service Pack 2)
01/25/08 01:14:27 [Note]: 7019 4
01/25/08 01:14:27 [Note]: 7005 0
01/25/08 01:14:31 [Note]: 7006 0
01/25/08 01:14:31 [Note]: 7022 0
01/25/08 01:14:32 [Note]: 7011 1364
01/25/08 01:14:33 [Note]: 7026 0
01/25/08 01:14:33 [Note]: 7026 0
01/25/08 01:14:43 [Note]: FSRAW library version 1.7.1024
01/25/08 01:25:55 [Note]: 7007 0

ken545
2008-01-25, 11:58
Good Morning,

Blacklight searched for hidden files and there were none. All the garbage we are trying to remove may be gone; your Combofix log is showing entries from a previous run. Drag Combofix to the trash and do this.



Download ComboFix from Here (http://download.bleepingcomputer.com/sUBs/ComboFix.exe) to your Desktop.

**Note: In the event you already have Combofix, please delete it from your desktop and download this new version. It is important that it is saved directly to your desktop**
--------------------------------------------------------------------

Close any open browsers and make sure you are disconnected from the net. Unplug the cable if need be before running combofix.
WARNING: IF you have not already done so, Combofix will disconnect your machine from the Internet when it starts
Please do not re-connect your machine back to the Internet until Combofix has completely finished.

GrrlPower
2008-01-25, 14:37
I don't know if it helped or hurt our effort, but the reason there were no hidden files is that I uninstalled ALL programs that had the infected files. (I can replace them)

GrrlPower
2008-01-25, 15:11
Here are the CF and HJT logs for your viewing pleasure :D

ComboFix 08-01-23.1C - Christian Rooney 2008-01-25 8:42:25.10 - NTFSx86
Microsoft Windows XP Professional 5.1.2600.2.1252.1.1033.18.8 [GMT -5:00]
Running from: C:\Documents and Settings\Christian Rooney\Desktop\ComboFix.exe
* Created a new restore point

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\mcrh.tmp
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe

.
((((((((((((((((((((((((((((((((((((((( Drivers/Services )))))))))))))))))))))))))))))))))))))))))))))))))

.
-------\LEGACY_NPF


((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 03:02 . 2008-01-25 03:04 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-01-25 02:00 . 2007-09-24 23:31 69,632 --a------ C:\WINDOWS\system32\javacpl.cpl
2008-01-25 01:56 . 2008-01-25 02:00 <DIR> d-------- C:\Program Files\Java
2008-01-25 01:55 . 2008-01-25 01:55 <DIR> d-------- C:\Program Files\Common Files\Java
2008-01-24 22:20 . 2008-01-24 22:20 916,072 --a------ C:\zsbl.exe
2008-01-24 13:14 . 2008-01-24 17:46 15,360 --a------ C:\WINDOWS\system32\ctfmon .exe
2008-01-24 13:03 . 2006-06-03 00:07 176,128 --a------ C:\WINDOWS\nss3.dll
2008-01-24 13:03 . 2006-06-03 00:07 159,232 --a------ C:\WINDOWS\softokn3.dll
2008-01-24 13:03 . 2006-06-03 00:07 73,728 --a------ C:\WINDOWS\nspr4.dll
2008-01-24 13:03 . 2007-06-12 22:25 69,632 --a------ C:\WINDOWS\Projekt1.exe
2008-01-24 13:03 . 2007-03-03 16:00 40,960 --a------ C:\WINDOWS\FirePassword.exe
2008-01-24 13:03 . 2006-06-03 00:07 8,704 --a------ C:\WINDOWS\plc4.dll
2008-01-24 13:03 . 2006-06-03 00:07 6,144 --a------ C:\WINDOWS\plds4.dll
2008-01-24 13:03 . 2008-01-24 13:03 297 --a------ C:\WINDOWS\temp.cfg
2008-01-24 13:03 . 2008-01-24 13:03 53 --a------ C:\WINDOWS\temp.bat
2008-01-24 13:02 . 2008-01-24 13:02 <DIR> d-------- C:\Program Files\IMMonitor
2008-01-24 10:28 . 2008-01-24 10:28 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-24 10:28 . 2008-01-24 10:28 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-23 20:06 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-01-23 20:06 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\ACD Systems
2008-01-23 05:44 . 2008-01-23 05:44 <DIR> d-------- C:\Program Files\Destiny
2008-01-22 11:33 . 2008-01-22 11:33 <DIR> d-------- C:\tmpDownload
2008-01-22 11:29 . 2008-01-24 13:42 <DIR> d-------- C:\Program Files\YoutubeGet
2008-01-22 11:29 . 2008-01-22 11:29 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-22 11:29 . 2008-01-22 11:29 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-22 11:29 . 2008-01-22 11:29 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-01-22 08:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 21:04 . 2008-01-21 21:04 <DIR> d-------- C:\Program Files\Maxis
2008-01-21 20:53 . 2008-01-21 20:53 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-01-21 14:07 . 2008-01-21 19:49 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-20 06:06 . 2008-01-20 06:06 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-30 22:56 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-29 18:17 . 2007-12-29 18:17 <DIR> d-------- C:\WINDOWS\Cache
2007-12-29 18:17 . 2007-12-31 10:09 <DIR> d-------- C:\Program Files\Coupons
2007-12-25 00:58 . 2007-12-25 00:58 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-25 00:58 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-25 00:58 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-24 19:06 --------- d-----w C:\Program Files\Common Files\Ahead
2008-01-24 19:00 --------- d-----w C:\Program Files\iolo
2008-01-24 18:55 --------- d-----w C:\Program Files\Common Files\Adobe
2008-01-24 11:23 --------- d-----w C:\Program Files\Azureus
2008-01-05 01:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 01:43 --------- d-----w C:\Program Files\CyberLink DVD Solution
2007-12-23 03:23 --------- d-----w C:\Program Files\Ultra Video Splitter
2007-12-23 02:33 --------- d-----w C:\Program Files\Absolute Video Splitter Joiner
2007-12-22 20:17 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-22 20:00 --------- d-----w C:\Program Files\Common Files\Real
2007-12-19 01:02 39,424 ----a-w C:\WINDOWS\zipinst.exe
2007-12-15 06:10 --------- d-----w C:\Program Files\LimeWire
2007-12-14 03:07 --------- d-----w C:\Program Files\Nero
2007-12-10 04:04 668,160 ----a-w C:\WINDOWS\is-6SPB2.exe
2007-12-08 07:50 --------- d-----w C:\Program Files\VideoLAN
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

<pre>
----a-w 624,248 2008-01-24 18:14:19 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 1,397,760 2008-01-24 18:14:20 C:\Program Files\Ahead\InCD\InCD .exe
----a-w 155,648 2008-01-24 18:14:12 C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
----a-w 132,496 2008-01-25 13:53:25 C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
----a-w 224,248 2008-01-24 19:08:40 C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
----a-w 15,360 2008-01-24 22:46:24 C:\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((( snapshot@2008-01-22_22.52.53.67 )))))))))))))))))))))))))))))))))))))))))
.
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
+ 2008-01-25 13:40:59 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000001\NTUSER.DAT
- 2008-01-22 13:48:55 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
+ 2008-01-25 13:40:59 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000002\UsrClass.dat
- 2008-01-22 13:48:55 4,423,680 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
+ 2008-01-25 13:40:59 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000003\NTUSER.DAT
- 2008-01-22 13:48:55 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
+ 2008-01-25 13:41:00 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000004\UsrClass.dat
- 2008-01-22 13:48:55 1,413,120 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
+ 2008-01-25 13:41:00 4,751,360 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000005\NTUSER.DAT
- 2008-01-22 13:48:56 1,196,032 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-25 13:41:01 1,335,296 ----a-w C:\WINDOWS\erdnt\Hiv-backup\Users\00000006\UsrClass.dat
+ 2008-01-24 01:11:08 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\ARPPRODUCTICON.exe
+ 2008-01-24 01:11:09 344,064 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut1_1A103C8B3DFA4F05BE9B97B7ECC12925_1.exe
+ 2008-01-24 01:11:09 344,064 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut2_1A103C8B3DFA4F05BE9B97B7ECC12925_1.exe
+ 2008-01-24 01:11:08 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut5_1A103C8B3DFA4F05BE9B97B7ECC12925.exe
+ 2008-01-24 01:11:09 249,856 ----a-r C:\WINDOWS\Installer\{1A103C8B-3DFA-4F05-BE9B-97B7ECC12925}\NewShortcut6_1A103C8B3DFA4F05BE9B97B7ECC12925.exe
+ 2008-01-24 18:04:45 9,728 ----a-w C:\WINDOWS\system32\BASSMOD.dll
+ 2007-02-18 05:15:34 232,816 ----a-w C:\WINDOWS\system32\drivers\VMM.sys
+ 2007-01-29 11:20:34 59,280 ----a-w C:\WINDOWS\system32\drivers\VMNetSrv.sys
- 2007-12-16 13:33:49 91,888 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2008-01-24 19:12:04 90,296 ----a-w C:\WINDOWS\system32\FNTCACHE.DAT
+ 2002-01-05 08:40:20 487,424 ----a-w C:\WINDOWS\system32\msvcp70.dll
+ 2002-01-05 08:37:28 344,064 ----a-w C:\WINDOWS\system32\msvcr70.dll
+ 2006-11-05 01:25:50 1,321,744 ----a-w C:\WINDOWS\system32\msxml6.dll
+ 2006-10-19 18:33:20 86,728 ----a-w C:\WINDOWS\system32\msxml6r.dll
- 2007-11-20 15:03:21 39,992 ----a-w C:\WINDOWS\system32\perfc009.dat
+ 2008-01-25 08:07:13 40,708 ----a-w C:\WINDOWS\system32\perfc009.dat
- 2007-11-20 15:03:21 311,604 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2008-01-25 08:07:13 313,280 ----a-w C:\WINDOWS\system32\perfh009.dat
+ 2007-01-29 11:20:34 144,800 ----a-w C:\WINDOWS\system32\VMNetSrv.dll
.
-- Snapshot reset to current date --
.
((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_LOCAL_MACHINE\~\Browser Helper Objects\{ADC2CBFA-3339-497C-AB42-2156BA6FDF13}]
2008-01-25 08:53 334848 --a------ C:\WINDOWS\system32\nnnkk.dll

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-24 10:28 15360]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SunJavaUpdateSched"="C:\Program Files\Java\jre1.6.0_03\bin\jusched.exe" [2008-01-25 08:42 475136]

[HKEY_CURRENT_USER\software\microsoft\windows nt\currentversion\windows]
"load"=C:\WINDOWS\system32\nnnkk.exe

[HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
Authentication Packages REG_MULTI_SZ msv1_0 C:\WINDOWS\system32\nnnkk

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30803c20-b89a-11dc-bd5f-00e018304548}]
\Shell\AutoRun\command - G:\Autoplay.exe -auto

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 08:53:09
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

C:\WINDOWS\system32\ctfmon.exe 15360 bytes executable
C:\WINDOWS\system32\kknnn.ini2 319 bytes
C:\WINDOWS\system32\nnnkk.exe 338432 bytes executable

scan completed successfully
hidden files: 3

**************************************************************************
.
--------------------- DLLs Loaded Under Running Processes ---------------------

PROCESS: C:\WINDOWS\Explorer.EXE [6.00.2900.3156]
-> C:\WINDOWS\system32\nnnkk.dll
.
Completion time: 2008-01-25 8:57:47 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 13:57:39
ComboFix2.txt 2008-01-24 16:02:40
ComboFix3.txt 2008-01-24 09:38:40
ComboFix4.txt 2008-01-23 14:12:33
ComboFix5.txt 2008-01-23 04:38:36
.
2008-01-09 01:40:01 --- E O F ---


Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 9:09:03 AM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\msiexec.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
F3 - REG:win.ini: load=C:\WINDOWS\system32\nnnkk.exe
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 3764 bytes

GrrlPower
2008-01-25, 15:23
And good morning to you too! :greeting:

ken545
2008-01-25, 17:52
These may be gone but let's run this tool to make sure.

FYI ... This is how these thieves install infected files on your programs.

C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe <--Infected
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe <-- Legit

Please download OTMoveIt (http://download.bleepingcomputer.com/oldtimer/OTMoveIt.exe) by OldTimer.


Save it to your desktop.
Please double-click OTMoveIt.exe to run it.
Copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):




C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
C:\Program Files\Ahead\InCD\InCD .exe
C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe
C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe
C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe
C:\WINDOWS\system32\ctfmon .exe
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\nnnkk.exe

Return to OTMoveIt, right click on the "Paste List of Files/Folders to be moved" window and choose Paste.
Click the red Moveit! button.
Copy everything on the Results window to the clipboard by highlighting ALL of it and pressing CTRL + C (or, after highlighting, right-click and choose copy), and paste it into your next reply.
Close OTMoveIt


If a file or folder cannot be moved immediately you may be asked to reboot the machine to finish the move process. If you are asked to reboot the machine choose Yes.



Drag Combofix to the trash, redownload it, run it again and let's see what it comes up with.
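As an added illustration of the trailing-space trick Ken points out above (example code written for this edit, not from the thread or from any tool mentioned in it): a small Python scanner that reads lines like the ComboFix <pre> block and the HijackThis "Running processes" list, flags file names with whitespace before the extension, and reports whether the legitimate twin appears alongside. The sample lines are constructed from paths in the logs above.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample input, modelled on the thread's ComboFix "<pre>" block and
# HijackThis "Running processes" list (paths taken from the logs above).
SAMPLE_LINES = r"""
----a-w 624,248 2008-01-24 18:14:19 C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe
----a-w 15,360 2008-01-24 22:46:24 C:\WINDOWS\system32\ctfmon .exe
C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\system32\nnnkk.exe
""".strip().splitlines()

# A Windows path starts at a drive letter and runs to the end of the log line;
# any ComboFix prefix (attributes, size, timestamp) before it is ignored.
PATH_RE = re.compile(r"[A-Za-z]:\\.*$")

# File name whose stem ends in whitespace right before the final extension,
# e.g. "ctfmon .exe". A space inside the stem ("foo bar.exe") does not match.
SPACED_EXT_RE = re.compile(r"^(?P<stem>.*\S)(?P<pad>\s+)(?P<ext>\.[^.\s]+)$")


def extract_path(line: str):
    """Return the Windows path embedded in a log line, or None if there is none."""
    m = PATH_RE.search(line)
    return m.group(0).rstrip() if m else None


def spaced_extension(path: str):
    """If the file name has whitespace before its extension, return the path the
    legitimate file would have (whitespace removed); otherwise return None."""
    p = PureWindowsPath(path)
    m = SPACED_EXT_RE.match(p.name)
    if not m:
        return None
    return str(p.parent / (m["stem"] + m["ext"]))


def find_masquerades(lines):
    """Scan log lines and return (suspicious_path, expected_legit_path, legit_seen)
    for every file whose name carries whitespace before the extension.
    legit_seen is True when the same listing also contains the real file, which
    is the side-by-side pattern shown in the thread's process list."""
    paths = [p for p in (extract_path(line) for line in lines) if p]
    seen = {p.lower() for p in paths}          # case-insensitive, like NTFS
    hits = []
    for p in paths:
        twin = spaced_extension(p)
        if twin is not None:
            hits.append((p, twin, twin.lower() in seen))
    return hits


if __name__ == "__main__":
    for bad, twin, present in find_masquerades(SAMPLE_LINES):
        status = "legit twin also present" if present else "no legit twin listed"
        print(f"SUSPICIOUS: {bad!r} (impersonates {twin!r}; {status})")
```

The same check can be pointed at a fresh HijackThis process list to catch a reinfection before the BHO and "load=" entries reappear.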

GrrlPower
2008-01-26, 00:10
Here are the logs you wanted, Ken. I included a new HJT log just in case it would be useful to you.


File/Folder C:\Program Files\Adobe\Acrobat 8.0\Acrobat\Acrotray .exe not found.
File/Folder C:\Program Files\Ahead\InCD\InCD .exe not found.
File/Folder C:\Program Files\Common Files\Ahead\Lib\NeroCheck .exe not found.
File/Folder C:\Program Files\Java\jre1.6.0_03\bin\jusched .exe not found.
File/Folder C:\Program Files\Yahoo!\Search Protection\SearchProtection .exe not found.
C:\WINDOWS\system32\ctfmon .exe moved successfully.
C:\WINDOWS\system32\kknnn.ini2 moved successfully.
C:\WINDOWS\system32\nnnkk.exe moved successfully.

Created on 01/25/2008 17:47:26


ComboFix 08-01-23.1C - Christian Rooney 2008-01-25 17:51:57.11 - NTFSx86
Running from: C:\Documents and Settings\Christian Rooney\Desktop\ComboFix.exe

WARNING -THIS MACHINE DOES NOT HAVE THE RECOVERY CONSOLE INSTALLED !!
.

((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
.

C:\WINDOWS\system32\ctfmon.exe.tmp
C:\WINDOWS\system32\kknnn.ini
C:\WINDOWS\system32\kknnn.ini2
C:\WINDOWS\system32\nnnkk.dll
C:\WINDOWS\system32\nnnkk.exe

.
((((((((((((((((((((((((( Files Created from 2007-12-25 to 2008-01-25 )))))))))))))))))))))))))))))))
.

2008-01-25 03:02 . 2008-01-25 03:04 <DIR> d-------- C:\Program Files\Microsoft Virtual PC
2008-01-24 22:20 . 2008-01-24 22:20 916,072 --a------ C:\zsbl.exe
2008-01-24 13:03 . 2006-06-03 00:07 176,128 --a------ C:\WINDOWS\nss3.dll
2008-01-24 13:03 . 2006-06-03 00:07 159,232 --a------ C:\WINDOWS\softokn3.dll
2008-01-24 13:03 . 2006-06-03 00:07 73,728 --a------ C:\WINDOWS\nspr4.dll
2008-01-24 13:03 . 2007-06-12 22:25 69,632 --a------ C:\WINDOWS\Projekt1.exe
2008-01-24 13:03 . 2007-03-03 16:00 40,960 --a------ C:\WINDOWS\FirePassword.exe
2008-01-24 13:03 . 2006-06-03 00:07 8,704 --a------ C:\WINDOWS\plc4.dll
2008-01-24 13:03 . 2006-06-03 00:07 6,144 --a------ C:\WINDOWS\plds4.dll
2008-01-24 13:03 . 2008-01-24 13:03 297 --a------ C:\WINDOWS\temp.cfg
2008-01-24 13:03 . 2008-01-24 13:03 53 --a------ C:\WINDOWS\temp.bat
2008-01-24 10:28 . 2008-01-24 10:28 15,360 --a--c--- C:\WINDOWS\system32\dllcache\ctfmon.exe
2008-01-24 10:28 . 2008-01-24 10:28 15,360 --a------ C:\WINDOWS\system32\ctfmon.exe
2008-01-23 20:06 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\Common Files\ACD Systems
2008-01-23 20:06 . 2008-01-23 20:06 <DIR> d-------- C:\Program Files\ACD Systems
2008-01-23 05:44 . 2008-01-23 05:44 <DIR> d-------- C:\Program Files\Destiny
2008-01-22 11:33 . 2008-01-22 11:33 <DIR> d-------- C:\tmpDownload
2008-01-22 11:29 . 2008-01-24 13:42 <DIR> d-------- C:\Program Files\YoutubeGet
2008-01-22 11:29 . 2008-01-22 11:29 253,952 --a------ C:\WINDOWS\system32\andt.sys
2008-01-22 11:29 . 2008-01-22 11:29 45,056 --a------ C:\WINDOWS\system32\Indt2.sys
2008-01-22 11:29 . 2008-01-22 11:29 40 --a------ C:\WINDOWS\system32\drmgs.sys
2008-01-22 08:47 . 2000-08-31 08:00 51,200 --a------ C:\WINDOWS\Nircmd.exe
2008-01-21 21:04 . 2008-01-21 21:04 <DIR> d-------- C:\Program Files\Maxis
2008-01-21 20:53 . 2008-01-21 20:53 <DIR> d-------- C:\Program Files\Alcohol Soft
2008-01-21 14:07 . 2008-01-21 19:49 715,248 --a------ C:\WINDOWS\system32\drivers\sptd.sys
2008-01-20 06:06 . 2008-01-20 06:06 1,744 --a------ C:\WINDOWS\system32\d3d9caps.dat
2007-12-30 22:56 . 1998-10-01 15:22 299,520 --a------ C:\WINDOWS\uninst.exe
2007-12-29 18:17 . 2007-12-29 18:17 <DIR> d-------- C:\WINDOWS\Cache
2007-12-29 18:17 . 2007-12-31 10:09 <DIR> d-------- C:\Program Files\Coupons
2007-12-25 00:58 . 2007-12-25 00:58 <DIR> d-------- C:\Program Files\QuickTime Alternative
2007-12-25 00:58 . 2007-12-11 10:57 65,536 --a------ C:\WINDOWS\system32\QuickTimeVR.qtx
2007-12-25 00:58 . 2007-12-11 10:57 49,152 --a------ C:\WINDOWS\system32\QuickTime.qts

.
(((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
.
2008-01-25 14:03 --------- d-----w C:\Program Files\Yahoo!
2008-01-24 19:00 --------- d-----w C:\Program Files\iolo
2008-01-24 11:23 --------- d-----w C:\Program Files\Azureus
2008-01-05 01:43 --------- d--h--w C:\Program Files\InstallShield Installation Information
2008-01-05 01:43 --------- d-----w C:\Program Files\CyberLink DVD Solution
2007-12-23 03:23 --------- d-----w C:\Program Files\Ultra Video Splitter
2007-12-23 02:33 --------- d-----w C:\Program Files\Absolute Video Splitter Joiner
2007-12-22 20:17 --------- d-----w C:\Program Files\K-Lite Codec Pack
2007-12-22 20:00 --------- d-----w C:\Program Files\Common Files\Real
2007-12-19 01:02 39,424 ----a-w C:\WINDOWS\zipinst.exe
2007-12-15 06:10 --------- d-----w C:\Program Files\LimeWire
2007-12-10 04:04 668,160 ----a-w C:\WINDOWS\is-6SPB2.exe
2007-12-08 07:50 --------- d-----w C:\Program Files\VideoLAN
2004-10-01 20:00 40,960 ----a-w C:\Program Files\Uninstall_CDS.exe
.

<pre>
----a-w 15,360 2008-01-25 22:42:39 C:\_OTMoveIt\MovedFiles\WINDOWS\system32\ctfmon .exe
</pre>


((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
.
.
*Note* empty entries & legit default entries are not shown
REGEDIT4

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\WINDOWS\system32\ctfmon.exe" [2008-01-24 10:28 15360]

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run-]
"SpybotSD TeaTimer"=C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe


[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\explorer\mountpoints2\{30803c20-b89a-11dc-bd5f-00e018304548}]
\Shell\AutoRun\command - G:\Autoplay.exe -auto

.
**************************************************************************

catchme 0.3.1344 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
Rootkit scan 2008-01-25 18:02:55
Windows 5.1.2600 Service Pack 2 NTFS

scanning hidden processes ...

scanning hidden autostart entries ...

scanning hidden files ...

scan completed successfully
hidden files: 0

**************************************************************************
.
Completion time: 2008-01-25 18:05:30 - machine was rebooted
ComboFix-quarantined-files.txt 2008-01-25 23:05:19
ComboFix2.txt 2008-01-25 13:57:48
ComboFix3.txt 2008-01-24 16:02:40
ComboFix4.txt 2008-01-24 09:38:40
ComboFix5.txt 2008-01-23 14:12:33
.
2008-01-09 01:40:01 --- E O F ---



Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 6:06:30 PM, on 1/25/2008
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16574)
Boot mode: Normal

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\HPZipm12.exe
C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Christian Rooney\Desktop\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://us.rd.yahoo.com/customize/ie/defaults/sb/msgr9/*http://www.yahoo.com/ext/search/search.html
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://us.rd.yahoo.com/customize/ie/defaults/sp/msgr9/*http://www.yahoo.com
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://us.rd.yahoo.com/customize/ie/defaults/su/msgr9/*http://www.yahoo.com
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: &Yahoo! Toolbar Helper - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O3 - Toolbar: Yahoo! Toolbar - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\PROGRA~1\Yahoo!\Companion\Installs\cpn\yt.dll
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {30528230-99f7-4bb4-88d8-fa1d4f56a2ab} (Installation Support) - C:\Program Files\Yahoo!\Common\Yinsthelper.dll
O16 - DPF: {54BE6B6F-3056-470B-97E1-BB92E051B6C4} (DeviceEnum Class) - http://h30155.www3.hp.com/ediags/dd/install/HPDriverDiagnosticsxp2k.cab
O16 - DPF: {E87F6C8E-16C0-11D3-BEF7-009027438003} (Persits Software XUpload) - http://www.auctiva.com/hostedimages/activex/xupload/XUpload.ocx
O18 - Protocol: bwfile-8876480 - {9462A756-7B47-47BC-8C80-C34B9B80B32B} - C:\Program Files\Logitech\Desktop Messenger\8876480\Program\GAPlugProtocol-8876480.dll
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\system32\HPZipm12.exe
O23 - Service: StarWind AE Service (StarWindServiceAE) - Rocket Division Software - C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe

--
End of file - 3909 bytes

GrrlPower
2008-01-26, 02:20
I just finished a scan with S&D, and Virtumonde has been eliminated! You deserve to be :crowned: :D Thank you so much for your help, I GREATLY appreciate it.

ken545
2008-01-26, 04:18
Hey,

Your log looks fine :bigthumb: Good job following all my instructions. It's been a long hard ride but it looks like we got it.

Time for some housekeeping

Click START then RUN
Now type Combofix /u in the runbox and click OK. Note the space between the X and the U; it needs to be there.


http://i189.photobucket.com/albums/z176/EPL47/CF_Cleanup.png


When shown the disclaimer, Select "2"

The above procedure will:

Delete the following:
ComboFix and its associated files and folders.
VundoFix backups, if present
The C:\Deckard folder, if present
The C:\_OTMoveIt folder, if present

Reset the clock settings.
Hide file extensions, if required.
Hide System/Hidden files, if required.
Reset System Restore.


Download CCleaner from here (http://www.ccleaner.com/) to clean temp files from your computer.

Double click on the file to start the installation of the program.
Select your language and click OK, then next.
Read the license agreement and click I Agree.
Click next to use the default install location. Click Install then finish to complete installation.
Double click the CCleaner shortcut on the desktop to start the program.
On the "Windows" tab, under "Internet Explorer," uncheck "Cookies" if you do not want them deleted. (If deleted, you will likely need to reenter your passwords at all sites where a cookie is used to recognize you when you visit).
If you use either the Firefox or Mozilla browsers, the box to uncheck for "Cookies" is on the Applications tab, under Firefox/Mozilla.
Click on the "Options" icon at the left side of the window, then click on "Advanced."
Deselect "Only delete files in Windows Temp folders older than 48 hours."
Click on the "Cleaner" icon on the left side of the window, then click Run Cleaner to run the program.
Caution: It is not recommended that you use the "Issues" feature unless you are very familiar with the registry as it has been known to find legitimate items.
After CCleaner has completed its process, click Exit.


*NOTE* CCleaner deletes EVERYTHING out of temp/temporary folders. If you have anything in a temp folder, back it up or move it to a permanent folder prior to running CCleaner!



Malware Complaints (http://malwarecomplaints.info/index.php)
Are you mad? I mean really mad, seething mad, so mad you're ready to spit, mad that you have taken your hard earned dollars to buy a computer only to have some Miscreants, Dirt Bags and Cyber Criminals install a malicious program on your computer without your knowledge or consent. You can post your complaint at the above site. If you live in the U.S.A. you can also report your grievance to your State Attorney General's Office and the Federal Trade Commission's Bureau of Consumer Protection.


How did I get infected in the first place? Read these links and find out how to prevent getting infected again.
Tutorial for System Restore (http://www.bleepingcomputer.com/tutorials/tutorial56.html) <-- Do this first to prevent yourself from being reinfected.
WhattheTech (http://forums.whatthetech.com/So_how_did_I_get_infected_in_the_first_place_t57817.html)
TonyKlein CastleCops (http://www.castlecops.com/postlite7736-.html)
Grinler BleepingComputer (http://www.bleepingcomputer.com/forums/topic2520.html)
GeeksTo Go (http://www.geekstogo.com/forum/index.php?autocom=custom&page=How_did_I)
Dslreports (http://www.dslreports.com/faq/10002)



Keep in mind, if you install some of these programs, that only ONE Anti Virus and only ONE Firewall are recommended; more is overkill and can cause you problems. You can install all the Spyware programs I have listed without any problems. If you install Spyware Blaster, you can still install Spybot Search and Destroy but do not enable the TeaTimer in Spybot.

Here are some free programs to install, all free and highly regarded by the fine people in the Malware Removal Community.

Spybot Search and Destroy 1.5 (http://www.safer-networking.org/en/download/)
Check for Updates/ Immunize and run a Full System Scan on a regular basis. If you install Spyware Blaster ( Recommended ) then do not enable the TeaTimer in Spybot Search and Destroy.

Spyware Blaster (http://www.javacoolsoftware.com/spywareblaster.html) It will prevent most spyware from ever being installed. No scan to run, just update about once a week and enable all protection.

Spyware Guard (http://www.javacoolsoftware.com/spywareguard.html) It offers realtime protection from spyware installation attempts, again, no scan to run, just install it and let it do its thing.

IE-Spyad (http://www.pcworld.com/downloads/file/fid,23332-order,1-page,1-c,antispywaretools/description.html)
IE-Spyad places over 6000 web sites and domains in the IE Restricted list which will severely impair attempts to infect your system. It basically prevents any downloads (cookies etc) from the sites listed, although you will still be able to connect to the sites.

Firefox 2.0.0.6 (http://www.mozilla.org/products/firefox/) It has more features and is a lot more secure than IE. It is a very easy and painless download and install; it will in no way interfere with IE, you can use them both.

Zone Alarm (http://www.pcworld.com/downloads/file_description/0,fid,7228,00.asp) Here is a free Firewall from Zone Labs


Glad we could help

Safe Surfn
Ken

GrrlPower
2008-01-26, 11:35
Thanks a lot for your help, Ken. Nice way to kick some malware butt. Very professional and you really are an MVP.

ken545
2008-01-26, 14:40
Thank you for the comments, :)

Stay well,
Ken